picoCTF 2018

1. Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
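/* Size constant from the challenge source. The buffer in vuln() is declared
 * with a literal 16 rather than with this macro. */
#define BUFSIZE 16

/* Progress flags: flag() prints the flag only when both are true. */
bool win1 = false; /* set by win_function1() */
bool win2 = false; /* set by win_function2() when win1 is set and its argument matches */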
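/*
 * Marks the first stage as reached by setting the global win1.
 * Takes no argument and performs no check of its own. No call to it
 * appears in the listing shown here.
 */
void win_function1() {
    win1 = true;
}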
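/*
 * Marks the second stage as reached by setting the global win2.
 *
 * win2 is set only when win1 is already true and arg_check1 equals
 * 0xBAAAAAAD. In every other case a hint is printed and no state changes.
 */
void win_function2(unsigned int arg_check1) {
    if (win1 && arg_check1 == 0xBAAAAAAD) {
        win2 = true;
    }
    else if (win1) {
        /* First stage done, but the argument did not match. */
        printf("Wrong Argument. Try Again.\n");
    }
    else {
        /* win_function1() has not run yet. */
        printf("Nope. Try a little bit harder.\n");
    }
}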
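/*
 * Reads the first line of flag.txt and prints it only when both stage flags
 * (win1, win2) are set and arg_check2 equals 0xDEADBAAD. Otherwise it prints
 * a hint that depends on how many of the conditions hold.
 */
void flag(unsigned int arg_check2) {
    char flag[48];
    FILE *file;

    file = fopen("flag.txt", "r");
    if (file == NULL) {
        printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
        /* Stop here: as listed, control continued into fgets() with a NULL
         * stream, which is undefined behaviour. */
        return;
    }

    /* fgets() bounds the read to the buffer size. If it reads nothing,
     * leave an empty string so the buffer is never printed uninitialised. */
    if (fgets(flag, sizeof(flag), file) == NULL) {
        flag[0] = '\0';
    }
    fclose(file);

    if (win1 && win2 && arg_check2 == 0xDEADBAAD) {
        /* Fixed "%s" format: the file content is never used as a format string. */
        printf("%s", flag);
    }
    else if (win1 && win2) {
        printf("Incorrect Argument. Remember, you can call other functions in between each win function!\n");
    }
    else if (win1 || win2) {
        printf("Nice Try! You're Getting There!\n");
    }
    else {
        printf("You won't get the flag that easy..\n");
    }
}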
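/*
 * Prompts on stdout and reads one line from stdin into a 16-byte stack buffer.
 *
 * gets() takes no length argument, so a line longer than 15 characters is
 * written past the end of buf into adjacent stack memory. This unbounded read
 * is the memory-safety defect in this listing and is kept unchanged here so
 * the listing still matches the program under discussion. gets() was removed
 * from the language in C11; the bounded form is fgets(buf, sizeof buf, stdin).
 */
void vuln() {
    char buf[16];

    printf("Enter your input> ");
    /* vuln() returns void, so the pointer gets() returns is discarded;
     * compilers accept a valued return here only with a diagnostic. */
    return gets(buf);
}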
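/*
 * Program entry point: disables stdout buffering and sets the real,
 * effective and saved group IDs to the current effective group ID.
 */
int main(int argc, char **argv) {
    /* _IONBF makes stdout unbuffered. */
    setvbuf(stdout, NULL, _IONBF, 0);

    // Set the gid to the effective gid
    // this prevents /bin/sh from dropping the privileges
    gid_t gid = getegid();
    /* NOTE(review): the result of setresgid() is not checked, so a failed
     * group change would go unnoticed. */
    setresgid(gid, gid, gid);

    /* NOTE(review): the listing on this page stops here; the remainder of
     * main is not shown. */
}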

2. Way of thinking

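First of all, I audited the source a little and noticed that there are four functions we need to focus on: vuln, win_function1, win_function2 and flag. vuln reads the input with gets() into a 16-byte stack buffer without any length check, while flag only prints the flag once win1 and win2 are both set and it receives the expected argument.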

3. Hacking

First, let's check whether there are any protections on the binary (the remote server doesn't have gdb-peda, which provides checksec, and I don't have enough knowledge myself to test the binary by hand).


