picoCTF Solutions
PathPart of the General Skills path · Step 2 of 4: Number Systems
picoCTF 2024General SkillsEasy

Binary Search picoCTF 2024 Solution

Published: April 3, 2024

Description

Want to play a game? As you use more of the shell, you might be interested in how they work! Binary search is a classic algorithm used to quickly find an item in a sorted list. Can you find the flag? You'll have 1000 possibilities and only 10 guesses.

Cyber security often has a huge amount of data to look through - from logs, vulnerability reports, and forensics. Practicing the fundamentals manually might help you in the future when you have to write your own tools!

Read the technique guide

  • Beginner's Guide to Netcat for CTFsA beginner-friendly guide to using netcat (nc) in CTF competitions: connecting to challenge servers, piping payloads, automating with Python pwntools, and reading challenge output.

Setup

RemoteDownload challenge.zip

Download challenge.zip and inspect the README for context.

Launch the picoCTF instance to obtain the unique SSH port and password for your session.

bash
ssh -p <PORT_FROM_INSTANCE> ctf-player@atlas.picoctf.net

Solution

Walk me through it
The service picks a number from 1 to 1000 and gives you 10 guesses. Binary search halves the candidate range with each guess, so log2(1000) which is about 9.97 means 10 guesses is exactly enough.
  1. Step 1Read the script
    The provided guessing_game.sh gives you 10 guesses and tells you whether the target is "Higher" or "Lower" than each guess.
    Learn more

    Binary search assumes a sorted range and halves it on each comparison. Starting with N candidates, after k guesses you have at most ceil(N / 2^k) candidates left. For N = 1000, log2(1000) is approximately 9.97, so you need at most 10 guesses to guarantee a hit, which is exactly the budget the service gives you.

    Round 0.5 downward (floor division) when picking the midpoint. This never overshoots because the floor of the midpoint stays inside [low, high] for any valid range, and feedback always shrinks the range by at least one element. Rounding up could land outside the active range when low and high are adjacent.

  2. Step 2Halve the range each round
    Start at the midpoint of the current range. If the service says Lower, the target is below your guess; set high = guess - 1. If Higher, set low = guess + 1.

    Formula:(low + high) / 2(always round 0.5 downward)

  3. Step 3Worked example
    If the target is 38, the search converges in seven guesses. Each row shows the midpoint, the response, and the next active range.
    1. Step 1too high

      Guess: 500

      (1 + 1000) / 2 = 500.5 -> 500 (round down)

      Next range: 1 - 499

    2. Step 2too high

      Guess: 250

      (1 + 499) / 2 = 250

      Next range: 1 - 249

    3. Step 3too high

      Guess: 125

      (1 + 249) / 2 = 125

      Next range: 1 - 124

    4. Step 4too high

      Guess: 62

      (1 + 124) / 2 = 62.5 -> 62 (round down)

      Next range: 1 - 61

    5. Step 5too low

      Guess: 31

      (1 + 61) / 2 = 31

      Next range: 32 - 61

    6. Step 6too high

      Guess: 46

      (32 + 61) / 2 = 46.5 -> 46 (round down)

      Next range: 32 - 45

    7. Step 7flag found

      Guess: 38

      (32 + 45) / 2 = 38.5 -> 38 (round down)

      The service reveals the flag once the exact value is submitted.

Related guides

Beginner's Guide to Netcat for CTFs

This challenge connects over SSH but the netcat guide covers the same shape: how to script multi-round interactions and pipe answers automatically.

Flag

picoCTF{g00d_gu355_de95...}

After the correct guess, the service prints the flag as a visible string in the same shell session.

Want more picoCTF 2024 writeups?

Browse picoCTF 2024Full library

Tools used in this challenge

Related reading

What to try next