Description
Navigate the BabyGame binary to obtain the flag. Explore how the map wraps so you can trigger the hidden flag counter before reaching the exit.
Setup
Run the binary locally to understand the map mechanics (chmod +x game && ./game).
When ready, connect to nc saturn.picoctf.net 52987 to obtain the real flag.
Solution
- Step 1: Manipulate wrapping
The top-left corner behaves differently: moving left there increments the flag counter. Press 'a' four times at that corner so "Player has flag: 64" appears before returning to the exit.
Learn more
Map boundary wrapping is a common bug in grid-based games where the developer forgets to clamp coordinates. When a player moves left from column 0, a naive implementation subtracts 1 and stores -1, which, in an unsigned or modular context, wraps to the maximum column. The game engine then treats that cell as a special location with unintended side effects.
In this binary the top-left corner triggers an increment of an internal flag counter each time the player steps "off" the left edge. This is a classic off-by-one / boundary condition bug. The developer likely intended a guard like if (x > 0) x--; but omitted it, or the special cell simply has a side-effect placed there during debugging that was never removed.
Real-world equivalence: map-wrapping bugs have caused exploitable memory corruption in embedded game firmware and older console titles. Recognizing that boundary checks are missing (or wrong) is a key skill in binary exploitation and game hacking CTF categories.
- Step 2: Finish at the portal
Once the counter is set, reach the goal (X). Locally you'll see "flag.txt not found," so repeat the moves remotely via netcat to have the server print the flag.
Learn more
Netcat (nc) is a raw TCP/UDP utility that connects stdin/stdout to a network socket. When a CTF challenge runs a binary on a remote server, nc host port lets you interact with it exactly as if you were at a local terminal - every keypress you type is sent over the wire and the server's output is streamed back.
The reason the flag only appears remotely is that flag.txt exists only on the server's filesystem. Local runs teach you the mechanics; the remote session is where the actual secret is stored. This pattern is extremely common in CTF binary challenges: download and analyze locally, exploit remotely.
For challenges that require many precise keystrokes, players often script the interaction with pwntools in Python (e.g., p.send(b'a' * 4)), which provides reliable, repeatable input over the same TCP connection.
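The missing boundary check discussed under Step 1, shown as an added C example (not the challenge's own code): an unchecked move handler next to a clamped one, with the row-major offset each resulting position would index. The grid size, the w/s/d keys and all function names are assumptions; only 'a' for left comes from the write-up.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed dimensions; the challenge's real map size is not given on the page. */
enum { COLS = 8, ROWS = 4 };

struct pos { int x, y; };

/* Naive handler: applies the move with no boundary check.
   'a' = left is from the write-up; w/s/d are assumed here. */
static struct pos step_unchecked(struct pos p, char key) {
    switch (key) {
    case 'a': p.x--; break;
    case 'd': p.x++; break;
    case 'w': p.y--; break;
    case 's': p.y++; break;
    }
    return p;
}

/* Hardened handler: rejects any move that would leave the grid. */
static struct pos step_checked(struct pos p, char key) {
    struct pos n = step_unchecked(p, key);
    if (n.x < 0 || n.x >= COLS || n.y < 0 || n.y >= ROWS)
        return p;               /* stay put instead of wrapping */
    return n;
}

/* Row-major offset a map[ROWS][COLS] access would use for this position. */
static int linear_index(struct pos p) { return p.y * COLS + p.x; }

/* True only when the offset lands inside the map's storage. */
static bool index_in_map(int idx) { return idx >= 0 && idx < ROWS * COLS; }

int main(void) {
    struct pos row1 = {0, 1}, corner = {0, 0};
    struct pos a = step_unchecked(row1, 'a');    /* (-1,1) */
    struct pos b = step_unchecked(corner, 'a');  /* (-1,0) */
    printf("row 1 left edge -> offset %d (in map: %d)\n",
           linear_index(a), index_in_map(linear_index(a)));
    printf("top-left corner -> offset %d (in map: %d)\n",
           linear_index(b), index_in_map(linear_index(b)));
    printf("checked corner  -> offset %d\n",
           linear_index(step_checked(corner, 'a')));
    return 0;
}
```

From the left edge of row 1 the unchecked offset lands on the last column of row 0, which is the wrap the player sees; from the top-left corner it falls below the start of the map, so a write there would touch whatever is stored next to the map.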
Flag
picoCTF{gamer_m0d3_enabl...8e6}
The netcat session is required; local runs simply teach you the map layout.