Description
Solve a quiz whose answers all live in the provided binary and source. Download vuln.c, audit the program carefully, and answer every prompt correctly.
Setup
Download vuln.c and the binary.
Read vuln.c to understand the quiz structure and how it handles input.
```bash
cat vuln.c
```

Solution
Walk me through it

Step 1: Read the source code thoroughly

The 13 prompts ask concrete facts about vuln.c: things like "what is the size of the input buffer in main", "what is the name of the third function defined", or "what value does MAX_LEN expand to". Every answer is in the file; read with the answers in mind.

```bash
cat vuln.c
```

Learn more
Run a checklist while reading vuln.c:
- Function signatures: name, return type, argument count, argument types. Number them in order of definition.
- Global and stack buffer sizes: every char buf[N], int arr[M], every malloc(SIZE).
- Constants and macros: #defines, const ints, sentinel values. Note the literal value, not the symbol.
- String literals: prompts, error messages, format strings. The wording may match a quiz question verbatim.
- Loop bounds and conditions: for (i = 0; i < N; i++); is the comparison < or <=?

```bash
grep -n '#define\|^[a-z].*(\|buf\[' vuln.c
```

finds most of the question targets in one pass. Linux CLI for CTF covers the broader text-search toolkit; if the binary itself were the only source, Ghidra for reversing would replace this read.

The reading habit pays compounding returns. Auditors who apply the same checklist to real code spot signed-vs-unsigned comparisons, off-by-one bounds, format-string sinks, and command-injection paths in production binaries.
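As an added example (written for this page, not part of the original write-up and not the challenge's own code), the checklist above mechanised in Python over a constructed stand-in for vuln.c: it lists functions in order of definition with return type and argument count, resolves array and malloc sizes through the #define and const int table, collects string literals, and flags each for-loop's comparison as < or <=. SAMPLE_SOURCE is invented for the demonstration; the real vuln.c is not reproduced here.

```python
import re

# Constructed sample C source standing in for vuln.c. It is NOT the challenge's
# real file, only a stand-in containing the kinds of facts the quiz asks about.
SAMPLE_SOURCE = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 32
#define NUM_QUESTIONS 13
const int LIMIT = 100;

char name[MAX_LEN];
int scores[NUM_QUESTIONS];

int check(const char *guess, const char *answer) {
    return strcmp(guess, answer) == 0;
}

void banner(void) {
    puts("Welcome to the quiz!");
}

int main(int argc, char **argv) {
    char buf[64];
    char *tmp = malloc(LIMIT);
    int i;
    for (i = 0; i <= NUM_QUESTIONS; i++) {
        printf("Question %d: ", i);
        if (fgets(buf, sizeof(buf), stdin) == NULL) break;
    }
    return 0;
}
'''

# Deliberately narrow patterns: column-0 function definitions, simple array
# declarations, plain #define / const int constants. Good enough for a first pass.
DEFINE_RE = re.compile(r'^\s*#define\s+(\w+)\s+(\S+)', re.M)
CONST_RE = re.compile(r'\bconst\s+int\s+(\w+)\s*=\s*(-?\d+)')
FUNC_RE = re.compile(r'^([A-Za-z_][\w\s\*]*?)\s*\b([A-Za-z_]\w*)\s*\(([^)]*)\)\s*\{', re.M)
ARRAY_RE = re.compile(r'\b(?:char|int|long|short)\s+\**(\w+)\s*\[\s*([^\]]+?)\s*\]')
MALLOC_RE = re.compile(r'\bmalloc\s*\(([^)]*)\)')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FOR_RE = re.compile(r'\bfor\s*\([^;]*;([^;]*);[^)]*\)')


def find_constants(src):
    """#define and const int values, as integers where the literal is numeric."""
    constants = {}
    for name, value in DEFINE_RE.findall(src):
        constants[name] = int(value) if re.fullmatch(r'-?\d+', value) else value
    for name, value in CONST_RE.findall(src):
        constants[name] = int(value)
    return constants


def find_functions(src):
    """(return type, name, argument count) in order of definition."""
    result = []
    for rtype, name, argtext in FUNC_RE.findall(src):
        args = [a.strip() for a in argtext.split(',') if a.strip()]
        if args == ['void']:
            args = []
        result.append((rtype.strip(), name, len(args)))
    return result


def resolve(expr, constants):
    """Turn a size expression into a number via the constants table (None if unknown)."""
    expr = expr.strip()
    if re.fullmatch(r'-?\d+', expr):
        return int(expr)
    return constants.get(expr)


def find_buffers(src, constants):
    """(name, size expression, resolved size) for arrays, then malloc calls."""
    found = [(name, size, resolve(size, constants)) for name, size in ARRAY_RE.findall(src)]
    found += [('malloc', arg.strip(), resolve(arg, constants)) for arg in MALLOC_RE.findall(src)]
    return found


def find_string_literals(src):
    return STRING_RE.findall(src)


def find_loops(src):
    """(loop condition, comparison operator); a '<=' is the classic off-by-one candidate."""
    loops = []
    for cond in FOR_RE.findall(src):
        cond = cond.strip()
        op = '<=' if '<=' in cond else ('<' if '<' in cond else '?')
        loops.append((cond, op))
    return loops


def audit(src):
    constants = find_constants(src)
    return {
        'constants': constants,
        'functions': find_functions(src),
        'buffers': find_buffers(src, constants),
        'strings': find_string_literals(src),
        'loops': find_loops(src),
    }


if __name__ == '__main__':
    for section, items in audit(SAMPLE_SOURCE).items():
        print(f'== {section} ==')
        print(items)
```

Whatever the patterns miss (K&R-style definitions, typedef'd arrays, sizes computed from expressions) still surfaces in the manual read; the script is there to number the functions and pin the literal values so the answers are ready before you connect.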
Step 2: Answer all 13 questions correctly

Connect with netcat and answer each prompt from your notes on vuln.c. Watch for trailing whitespace: copy-pasting from a terminal often grabs a trailing newline or space that breaks the server-side equality check.

```bash
nc <HOST> <PORT_FROM_INSTANCE>
# Type answers exactly as they appear in vuln.c, no trailing spaces
# All answers are facts about the source code itself
```

Learn more
Quiz-style challenges that test code comprehension are a clever teaching tool: they ensure you actually read and understand the provided source rather than jumping straight to tools. In real security work, understanding what code does before trying to exploit it saves enormous time and prevents wasted effort on the wrong attack vector.
When answering questions about buffer sizes in C, remember that arrays are zero-indexed and char buf[64] holds exactly 64 bytes including the null terminator. Function counts, loop bounds, and constant values are all best found with a text editor's search function rather than reading line by line.

```bash
grep -n "function_name\|CONST_NAME\|buf\[" vuln.c
```

quickly locates relevant lines. If you get a question wrong and the program exits, reconnect and try again; there is no lockout. Taking notes while reading (writing down buffer sizes, function names, and key constants) speeds up subsequent attempts and is good practice for systematic code review.
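To make the trailing-whitespace point concrete, the following added example (written for this page, not from the original write-up or the challenge) pairs a minimal stand-in for the quiz service with a client, joined over a socketpair so it runs offline. The prompts in ANSWER_KEY and the pasted answers in PASTED_ANSWERS are constructed; the stand-in service compares each reply to its expected string with strict equality, which is the behaviour that makes a pasted trailing space fail, and the client's normalize switch shows the fix.

```python
import socket
import threading

# Constructed answer key standing in for facts read out of vuln.c; the prompts
# and values are invented for this demonstration.
ANSWER_KEY = [
    ("What is the size of the input buffer in main?", "64"),
    ("What is the name of the second function defined?", "banner"),
    ("What value does MAX_LEN expand to?", "32"),
]

# Answers as they might look after copy-pasting from a terminal: the first
# carries a trailing space, the second a trailing newline.
PASTED_ANSWERS = {
    "What is the size of the input buffer in main?": "64 ",
    "What is the name of the second function defined?": "banner\n",
    "What value does MAX_LEN expand to?": "32",
}


def recv_line(sock):
    """Read one newline-terminated line; None once the peer has closed."""
    chunks = []
    while True:
        b = sock.recv(1)
        if not b:
            return b"".join(chunks) or None
        chunks.append(b)
        if b == b"\n":
            return b"".join(chunks)


def quiz_server(conn, key):
    """Stand-in for the challenge service: one prompt per line, strict equality."""
    try:
        for prompt, expected in key:
            conn.sendall((prompt + "\n").encode())
            line = recv_line(conn)
            if line is None:
                return
            # Only the newline is stripped; a pasted trailing space survives and fails.
            if line.decode().rstrip("\n") != expected:
                conn.sendall(b"Wrong answer. Goodbye.\n")
                return
        conn.sendall(b"Flag: picoCTF{placeholder_flag}\n")  # placeholder, not the real flag
    finally:
        conn.close()


def answer_quiz(conn, answers, normalize):
    """Reply to each prompt from `answers`; returns the server lines seen."""
    transcript = []
    while True:
        line = recv_line(conn)
        if line is None:
            break
        text = line.decode().rstrip("\n")
        transcript.append(text)
        if text.startswith("Flag:") or text.startswith("Wrong"):
            break
        reply = answers.get(text, "")
        if normalize:
            reply = reply.strip()  # drop pasted trailing whitespace before sending
        conn.sendall((reply + "\n").encode())
    return transcript


def run_session(answers, normalize):
    """Run the stand-in server and the client over a socketpair; return the transcript."""
    srv, cli = socket.socketpair()
    t = threading.Thread(target=quiz_server, args=(srv, ANSWER_KEY))
    t.start()
    try:
        return answer_quiz(cli, answers, normalize)
    finally:
        cli.close()
        t.join()


if __name__ == "__main__":
    print("raw paste:  ", run_session(PASTED_ANSWERS, normalize=False)[-1])
    print("normalized: ", run_session(PASTED_ANSWERS, normalize=True)[-1])
```

Run as a script it shows the raw paste stopping at the first prompt with "Wrong answer. Goodbye." and the normalized run reaching the flag line; the only difference between the two sessions is the strip() on the reply.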
Step 3: Receive the flag

After answering all questions correctly, the server prints the flag. If you get one wrong, restart and try again; re-read vuln.c for the exact values.

Learn more
The name "Quizploit" is a play on "exploit": the challenge is exploiting your ability to read and understand source code rather than exploiting a software vulnerability. This is a meta-commentary on the fact that code comprehension is a prerequisite to exploitation: you can't exploit what you don't understand.
This type of challenge builds the foundational skill needed for more advanced binary exploitation: understanding how the compiler lays out stack frames, how C handles strings and arrays, and how program structure (function calls, loops, conditionals) relates to assembly-level behavior. Answering "what is the buffer size in main?" is practice for answering "what is the overflow offset?" in a real pwn challenge.
A practical tip: run the challenge binary under ltrace or strace to see what library calls and system calls it makes; this sometimes reveals expected answers as arguments to strcmp() or strncmp() calls without reading the source at all. But reading the source is the intended and more educational approach.
Flag
picoCTF{qu1zpl01t_...}
Quizploit is not an exploit challenge - it's a code reading exercise. Answer all 13 questions about vuln.c to get the flag.