forbytten blogs

Tutorial Writeup - Cyber Apocalypse 2024

1 Introduction

This writeup covers the Tutorial Pwn challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge was a tutorial about integer overflows.

The description of the challenge is shown below.

Tutorial challenge description

2 Artifacts Summary

The downloaded artifact had the following hash:

$ shasum -a256 pwn_tutorial.zip
b729e51e41bec460c3cadd1e357a40d6f74f8237297bf166938d8ac8c06ce5bf  pwn_tutorial.zip

The zip file contained a C program, test.c, its compiled executable, test, and a README.txt file explaining what to do with it.

$ unzip -d pwn_tutorial pwn_tutorial.zip
Archive:  pwn_tutorial.zip
  inflating: pwn_tutorial/README.txt
  inflating: pwn_tutorial/test.c
  inflating: pwn_tutorial/test

$ shasum -a256 pwn_tutorial/*
2cc8ed6cb07d22df69eaa1471c29ec811ae6a0874ed72683349f21809533f2c9  pwn_tutorial/README.txt
2af6be7eadae97a180e030f6f87c71c9091b2fd4c5d9adc8fb3a5c5826fd12a0  pwn_tutorial/test
d6130c3e946b43208dba5a81f7a7641b02b84b5eeb7241ea3ff9f3d0de3f181f  pwn_tutorial/test.c

3 Challenge overview

The challenge required connecting to the spawned Docker instance and answering a series of questions about how integers are handled in the C programming language. The introductory text upon initial connection provided some information useful for completing the challenge.

$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.

◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉                                                                                           ◉
◉  C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits.   ◉
◉                                                                                           ◉
◉  INT_MAX = 2147483647                  (for 32-bit Integers)                              ◉
◉  INT_MAX = 9,223,372,036,854,775,807   (for 64-bit Integers)                              ◉
◉                                                                                           ◉
◉  INT_MIN = –2147483648                 (for 32-bit Integers)                              ◉
◉  INT_MIN = –9,223,372,036,854,775,808  (for 64-bit Integers)                              ◉
◉                                                                                           ◉
◉  When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉  add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else.      ◉
◉                                                                                           ◉
◉  The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉                                                                                           ◉
◉  This 'odd' behavior, is called Integer Overflow.                                         ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉

The downloaded artifact provided a simple test program for experimenting with adding integers.

#include <stdio.h>
#include <limits.h>

int add(int x, int y) { return x + y; }

void main(){
    int n1, n2;
    printf("INT_MAX value: %d\n\nEnter 2 numbers: ", INT_MAX);
    scanf("%d %d", &n1, &n2);
    printf(n1 < 0 || n2 < 0 ? "\n[-] Negative values detected! Exiting..\n" : "\nThe sum of %d and %d is %d\n\n", n1, n2, add(n1, n2));
}

4 Question 1

Question:

Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)

This can be tested with the provided test program by adding 1 to the maximum integer value:

$ ./test
INT_MAX value: 2147483647

Enter 2 numbers: 2147483647 1

The sum of 2147483647 and 1 is -2147483648

Answer:

y

5 Question 2

Question:

What's the MAX 32-bit Integer value in C?

The answer to this was provided in the introductory text upon initial connection.

Answer:

2147483647

6 Question 3

Question:

What number would you get if you add INT_MAX and 1?

The answer to this was observed when answering Question 1.

Answer:

-2147483648

7 Question 4

Question:

What number would you get if you add INT_MAX and INT_MAX?

This can be tested with the provided test program:

$ ./test
INT_MAX value: 2147483647

Enter 2 numbers: 2147483647 2147483647

The sum of 2147483647 and 2147483647 is -2

Answer:

-2

8 Question 5

Question:

What's the name of this bug? (e.g. buffer overflow)

This bug is known as Integer Overflow, or sometimes Integer Wraparound. It is a well-known weakness class, catalogued as CWE-190: Integer Overflow or Wraparound.

Answer:

Integer Overflow

9 Question 6

Question:

What's the MIN 32-bit Integer value in C?

The answer to this was provided in the introductory text upon initial connection.

Answer:

-2147483648

10 Question 7

Question:

What's the number you can add to INT_MAX to get the number -2147482312?

From question 3:

INT_MAX + 1 == -2147483648

We want an unknown x where:

INT_MAX + x == -2147482312

Subtracting the two equations (valid because wraparound addition is addition modulo 2^32, so the difference of the results equals the difference of the addends) gives:

x - 1 == -2147482312 - (-2147483648)
      == 2147483648 - 2147482312
      == 1336
==> x == 1337
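The following C program is an added illustration, not part of the challenge artifact or the original writeup. It ties together the test program from section 3 and the Question 7 derivation: wrap_add reproduces the wrapped sums the challenge binary prints using unsigned arithmetic (defined behaviour, unlike the signed overflow in the challenge's add), checked_add is the hardened form that refuses to produce a sum that does not fit, and addend_for solves the inverse problem from Question 7 in general, for any base and target, by computing target - base modulo 2^32. All function names are my own choices.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reinterpret a modulo-2^32 residue as its two's-complement int32_t reading
 * without relying on the implementation-defined out-of-range cast. */
static int32_t to_i32(uint32_t u) {
    if (u <= (uint32_t)INT32_MAX) return (int32_t)u;
    /* u - 2^31 fits in int32_t; adding INT32_MIN moves it into the negative half */
    return (int32_t)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* The sum the challenge binary prints: x + y taken modulo 2^32. Unsigned
 * arithmetic makes the wraparound defined, whereas signed overflow in the
 * challenge's `x + y` is undefined behaviour the compiler may assume away. */
int32_t wrap_add(int32_t x, int32_t y) {
    return to_i32((uint32_t)x + (uint32_t)y);
}

/* Hardened add (CERT C INT32-C precondition pattern): the range test itself
 * cannot overflow. Returns false and leaves *out untouched on overflow. */
bool checked_add(int32_t x, int32_t y, int32_t *out) {
    if ((y > 0 && x > INT32_MAX - y) || (y < 0 && x < INT32_MIN - y)) return false;
    *out = x + y;
    return true;
}

/* Question 7 in general: the x for which base + x wraps to target.
 * Wrapping addition is addition in Z/2^32, so x = target - base in that ring,
 * which is exactly what unsigned subtraction computes. The result is the
 * smallest non-negative solution; any x + k * 2^32 also works. */
uint32_t addend_for(int32_t base, int32_t target) {
    return (uint32_t)target - (uint32_t)base;
}

int main(void) {
    int32_t r = 0;
    int32_t target = -2147482312;            /* the value asked for in Question 7 */
    uint32_t x = addend_for(INT32_MAX, target);

    printf("INT_MAX + 1       wraps to %" PRId32 "\n", wrap_add(INT32_MAX, 1));
    printf("INT_MAX + INT_MAX wraps to %" PRId32 "\n", wrap_add(INT32_MAX, INT32_MAX));
    printf("INT_MAX + %" PRIu32 " wraps to %" PRId32 "\n", x, wrap_add(INT32_MAX, to_i32(x)));
    if (!checked_add(INT32_MAX, 1, &r))
        puts("checked_add(INT_MAX, 1): overflow rejected");
    if (checked_add(1, 2, &r))
        printf("checked_add(1, 2) = %" PRId32 "\n", r);
    return 0;
}
```

On gcc and clang the precondition check in checked_add can be replaced by the `__builtin_add_overflow(x, y, &r)` builtin, which also covers the 64-bit case without rewriting the bounds. For finding such bugs rather than preventing them, compiling with `-fsanitize=signed-integer-overflow` makes UBSan report the exact line where a signed sum like the challenge's add wraps.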

Answer:

1337

11 Final transcript

The final transcript of the challenge solution is below, with the flag returned after the final question is answered.

$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.

◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉                                                                                           ◉
◉  C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits.   ◉
◉                                                                                           ◉
◉  INT_MAX = 2147483647                  (for 32-bit Integers)                              ◉
◉  INT_MAX = 9,223,372,036,854,775,807   (for 64-bit Integers)                              ◉
◉                                                                                           ◉
◉  INT_MIN = –2147483648                 (for 32-bit Integers)                              ◉
◉  INT_MIN = –9,223,372,036,854,775,808  (for 64-bit Integers)                              ◉
◉                                                                                           ◉
◉  When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉  add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else.      ◉
◉                                                                                           ◉
◉  The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉                                                                                           ◉
◉  This 'odd' behavior, is called Integer Overflow.                                         ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉

[*] Question number 0x1:

Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)

>> y

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x2:

What's the MAX 32-bit Integer value in C?

>> 2147483647

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x3:

What number would you get if you add INT_MAX and 1?

>> -2147483648

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x4:

What number would you get if you add INT_MAX and INT_MAX?

>> -2

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x5:

What's the name of this bug? (e.g. buffer overflow)

>> Integer Overflow

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x6:

What's the MIN 32-bit Integer value in C?

>> -2147483648

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠

[*] Question number 0x7:

What's the number you can add to INT_MAX to get the number -2147482312?

>> 1337

♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠                   ♠
♠      Correct      ♠
♠                   ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}

12 Conclusion

The flag was submitted and the challenge was marked as pwned.

Submission of the flag marked the challenge as pwned