Tutorial Writeup - Cyber Apocalypse 2024
→ 1 Introduction
This writeup covers the Tutorial Pwn challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge was a tutorial about integer overflows.
The description of the challenge is shown below.
→ 2 Artifacts Summary
The downloaded artifact had the following hash:
$ shasum -a256 pwn_tutorial.zip
b729e51e41bec460c3cadd1e357a40d6f74f8237297bf166938d8ac8c06ce5bf pwn_tutorial.zip
The zip file contained a test.c
C program, it’s compiled
executable, test
, and a README.txt file explaining what to
do with it.
$ unzip -d pwn_tutorial pwn_tutorial.zip
Archive: pwn_tutorial.zip
inflating: pwn_tutorial/README.txt
inflating: pwn_tutorial/test.c
inflating: pwn_tutorial/test
$ shasum -a256 pwn_tutorial/*
2cc8ed6cb07d22df69eaa1471c29ec811ae6a0874ed72683349f21809533f2c9 pwn_tutorial/README.txt
2af6be7eadae97a180e030f6f87c71c9091b2fd4c5d9adc8fb3a5c5826fd12a0 pwn_tutorial/test
d6130c3e946b43208dba5a81f7a7641b02b84b5eeb7241ea3ff9f3d0de3f181f pwn_tutorial/test.c
→ 3 Challenge overview
The challenge required connecting to the spawned Docker instance and answering a series of questions about how integers are handled in the C programming language. The introductory text upon initial connection provided some information useful for completing the challenge.
$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits. ◉
◉ ◉
◉ INT_MAX = 2147483647 (for 32-bit Integers) ◉
◉ INT_MAX = 9,223,372,036,854,775,807 (for 64-bit Integers) ◉
◉ ◉
◉ INT_MIN = –2147483648 (for 32-bit Integers) ◉
◉ INT_MIN = –9,223,372,036,854,775,808 (for 64-bit Integers) ◉
◉ ◉
◉ When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉ add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else. ◉
◉ ◉
◉ The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉ ◉
◉ This 'odd' behavior, is called Integer Overflow. ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
The downloaded artifact provided a simple test program for experimenting with adding integers.
#include <stdio.h>
#include <limits.h>
int add(int x, int y) { return x + y; }
void main(){
int n1, n2;
printf("INT_MAX value: %d\n\nEnter 2 numbers: ", INT_MAX);
scanf("%d %d", &n1, &n2);
printf(n1 < 0 || n2 < 0 ? "\n[-] Negative values detected! Exiting..\n" : "\nThe sum of %d and %d is %d\n\n", n1, n2, add(n1, n2));
}
→ 4 Question 1
Question:
Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)
This can be tested with the provided test
program by
adding 1 to the maximum integer value:
./test
INT_MAX value: 2147483647
Enter 2 numbers: 2147483647 1
The sum of 2147483647 and 1 is -2147483648
Answer:
y
→ 5 Question 2
Question:
What's the MAX 32-bit Integer value in C?
The answer to this was provided in the introductory text upon initial connection.
Answer:
2147483647
→ 6 Question 3
Question:
What number would you get if you add INT_MAX and 1?
The answer to this was observed when answering Question 1.
Answer:
-2147483648
→ 7 Question 4
Question:
What number would you get if you add INT_MAX and INT_MAX?
This can be tested with the provided test
program:
./test
INT_MAX value: 2147483647
Enter 2 numbers: 2147483647 2147483647
The sum of 2147483647 and 2147483647 is -2
Answer:
-2
→ 8 Question 5
Question:
What's the name of this bug? (e.g. buffer overflow)
This bug is known as Integer Overflow or sometimes Integer Wraparound. It is a known common weakness documented by CWE-190: Integer Overflow or Wraparound.
Answer:
Integer Overflow
→ 9 Question 6
Question:
What's the MIN 32-bit Integer value in C?
The answer to this was provided in the introductory text upon initial connection.
Answer:
-2147483648
→ 10 Question 7
Question:
What's the number you can add to INT_MAX to get the number -2147482312?
From question 3:
INT_MAX + 1 == -2147483648
We want an unknown x
where:
INT_MAX + x == -2147482312
Subtracting the two equations gives:
x - 1 == -2147482312 - (-2147483648)
== 2147483648 - 2147482312
== 1336
==> x == 1337
Answer:
1337
→ 11 Final transcript
The final transcript of the challenge solution is below, with the flag returned after the final question is answered.
$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits. ◉
◉ ◉
◉ INT_MAX = 2147483647 (for 32-bit Integers) ◉
◉ INT_MAX = 9,223,372,036,854,775,807 (for 64-bit Integers) ◉
◉ ◉
◉ INT_MIN = –2147483648 (for 32-bit Integers) ◉
◉ INT_MIN = –9,223,372,036,854,775,808 (for 64-bit Integers) ◉
◉ ◉
◉ When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉ add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else. ◉
◉ ◉
◉ The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉ ◉
◉ This 'odd' behavior, is called Integer Overflow. ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
[*] Question number 0x1:
Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)
>> y
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x2:
What's the MAX 32-bit Integer value in C?
>> 2147483647
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x3:
What number would you get if you add INT_MAX and 1?
>> -2147483648
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x4:
What number would you get if you add INT_MAX and INT_MAX?
>> -2
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x5:
What's the name of this bug? (e.g. buffer overflow)
>> Integer Overflow
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x6:
What's the MIN 32-bit Integer value in C?
>> -2147483648
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x7:
What's the number you can add to INT_MAX to get the number -2147482312?
>> 1337
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}
→ 12 Conclusion
The flag was submitted and the challenge was marked as pwned