Description
Overflow the stack buffer so that the neighboring local variable num becomes 65. Once num holds the magic value the binary prints the flag.
Setup
Buffer overflow practice
Grab both the binary and its source to understand how the 24-byte buffer and num variable sit in memory.
Run it locally to test candidate payload lengths before attacking the remote instance.
wget https://artifacts.picoctf.net/c/519/local-target
wget https://artifacts.picoctf.net/c/519/local-target.c
cat local-target.c
Solution
- Step 1: Measure the offset. num is stored immediately after the 24-byte input buffer. Feeding exactly 24 characters leaves num at its initialized value (64).
- Step 2: Overflow by one byte. Adding a single extra byte overwrites the low byte of num. Writing 'A' bumps it from 64 (0x40) to 65 (0x41), which satisfies the win condition. The heredoc has to be terminated on its own line, with the pipe to nc on the first line:

  python3 - <<'PY' | nc saturn.picoctf.net 64108
  print('12345678901234567890123AA')
  PY

- Step 3: Capture the flag output. Once num == 65, the binary congratulates you and prints the picoCTF flag directly.
Flag
picoCTF{l0c4l5_1n_5c0p...8441a}
Any payload that increases num from 0x40 to 0x41 will work; the example string above is just one convenient option.
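The reason one extra byte reaches num is that the binary reads input with no length bound. The following is an added example, not the challenge's own source (the page only summarizes it): it reconstructs the layout the write-up describes (a 24-byte buffer directly below num, initialized to 64) as a labelled assumption and shows the bounded read that closes the bug, checked against constructed input lines including the 25-character payload above. With a 24-byte buffer, 23 characters plus the terminator is the most that fits safely.

```c
#include <stdio.h>
#include <string.h>

/* Layout the write-up describes, reconstructed as an assumption (not the
 * challenge's real source): 24-byte input buffer directly below num (64). */
struct frame {
    char input[24];
    int  num;
};
#define NUM_INIT 64

/* Bug pattern: an unbounded  scanf("%s", f->input)  copies every byte
 * sent, so the 25th lands in num. Hardened: fgets() stores at most
 * sizeof(input) - 1 bytes and always NUL-terminates, so nothing written
 * through input[] can reach num. Returns 1 on success, 0 at EOF, -1 if
 * the line overran the buffer (truncated and drained; caller rejects). */
static int read_input_bounded(FILE *in, struct frame *f)
{
    if (fgets(f->input, sizeof f->input, in) == NULL)
        return 0;
    size_t n = strcspn(f->input, "\n");
    if (f->input[n] == '\n') {            /* whole line fit */
        f->input[n] = '\0';
        return 1;
    }
    if (n < sizeof f->input - 1)          /* final line without newline */
        return 1;
    int c = fgetc(in);
    if (c == EOF || c == '\n')            /* line exactly filled the buffer */
        return 1;
    while (c != EOF && c != '\n')         /* drain the oversized remainder */
        c = fgetc(in);
    return -1;
}

/* Push a constructed line through the bounded reader. Returns the read
 * result if num is still 64 afterwards, -2 if num was disturbed. */
static int num_intact_after(const char *line)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.num = NUM_INIT;
    FILE *in = tmpfile();                 /* stand-in for the socket */
    if (in == NULL) return -3;
    fputs(line, in);
    rewind(in);
    int rc = read_input_bounded(in, &f);
    fclose(in);
    return f.num == NUM_INIT ? rc : -2;
}
```

With the bounded read, the 25-character payload is reported as oversized (-1) and num stays 64, whereas a 23-character line is accepted normally.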