# Tutorial Writeup - Cyber Apocalypse 2024

**Last update:**

## → 1 Introduction

This writeup covers the Tutorial Pwn challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge was a tutorial about integer overflows.

The description of the challenge is shown below.

## → 2 Artifacts Summary

The downloaded artifact had the following hash:

```
$ shasum -a256 pwn_tutorial.zip
b729e51e41bec460c3cadd1e357a40d6f74f8237297bf166938d8ac8c06ce5bf pwn_tutorial.zip
```

The zip file contained a `test.c`

C program, it’s compiled
executable, `test`

, and a README.txt file explaining what to
do with it.

```
$ unzip -d pwn_tutorial pwn_tutorial.zip
Archive: pwn_tutorial.zip
inflating: pwn_tutorial/README.txt
inflating: pwn_tutorial/test.c
inflating: pwn_tutorial/test
$ shasum -a256 pwn_tutorial/*
2cc8ed6cb07d22df69eaa1471c29ec811ae6a0874ed72683349f21809533f2c9 pwn_tutorial/README.txt
2af6be7eadae97a180e030f6f87c71c9091b2fd4c5d9adc8fb3a5c5826fd12a0 pwn_tutorial/test
d6130c3e946b43208dba5a81f7a7641b02b84b5eeb7241ea3ff9f3d0de3f181f pwn_tutorial/test.c
```

## → 3 Challenge overview

The challenge required connecting to the spawned Docker instance and answering a series of questions about how integers are handled in the C programming language. The introductory text upon initial connection provided some information useful for completing the challenge.

```
$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits. ◉
◉ ◉
◉ INT_MAX = 2147483647 (for 32-bit Integers) ◉
◉ INT_MAX = 9,223,372,036,854,775,807 (for 64-bit Integers) ◉
◉ ◉
◉ INT_MIN = –2147483648 (for 32-bit Integers) ◉
◉ INT_MIN = –9,223,372,036,854,775,808 (for 64-bit Integers) ◉
◉ ◉
◉ When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉ add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else. ◉
◉ ◉
◉ The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉ ◉
◉ This 'odd' behavior, is called Integer Overflow. ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
```

The downloaded artifact provided a simple test program for experimenting with adding integers.

```
#include <stdio.h>
#include <limits.h>
int add(int x, int y) { return x + y; }
void main(){
int n1, n2;
printf("INT_MAX value: %d\n\nEnter 2 numbers: ", INT_MAX);
scanf("%d %d", &n1, &n2);
printf(n1 < 0 || n2 < 0 ? "\n[-] Negative values detected! Exiting..\n" : "\nThe sum of %d and %d is %d\n\n", n1, n2, add(n1, n2));
}
```

## → 4 Question 1

**Question:**

`Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)`

This can be tested with the provided `test`

program by
adding 1 to the maximum integer value:

```
./test
INT_MAX value: 2147483647
Enter 2 numbers: 2147483647 1
The sum of 2147483647 and 1 is -2147483648
```

**Answer:**

`y`

## → 5 Question 2

**Question:**

`What's the MAX 32-bit Integer value in C?`

The answer to this was provided in the introductory text upon initial connection.

**Answer:**

`2147483647`

## → 6 Question 3

**Question:**

`What number would you get if you add INT_MAX and 1?`

The answer to this was observed when answering Question 1.

**Answer:**

`-2147483648`

## → 7 Question 4

**Question:**

`What number would you get if you add INT_MAX and INT_MAX?`

This can be tested with the provided `test`

program:

```
./test
INT_MAX value: 2147483647
Enter 2 numbers: 2147483647 2147483647
The sum of 2147483647 and 2147483647 is -2
```

**Answer:**

`-2`

## → 8 Question 5

**Question:**

`What's the name of this bug? (e.g. buffer overflow)`

This bug is known as Integer Overflow or sometimes Integer Wraparound. It is a known common weakness documented by CWE-190: Integer Overflow or Wraparound.

**Answer:**

`Integer Overflow`

## → 9 Question 6

**Question:**

`What's the MIN 32-bit Integer value in C?`

The answer to this was provided in the introductory text upon initial connection.

**Answer:**

```
-2147483648
```

## → 10 Question 7

**Question:**

`What's the number you can add to INT_MAX to get the number -2147482312?`

From question 3:

`INT_MAX + 1 == -2147483648`

We want an unknown `x`

where:

`INT_MAX + x == -2147482312`

Subtracting the two equations gives:

```
x - 1 == -2147482312 - (-2147483648)
== 2147483648 - 2147482312
== 1336
==> x == 1337
```

**Answer:**

`1337`

## → 11 Final transcript

The final transcript of the challenge solution is below, with the flag returned after the final question is answered.

```
$ nc -n -v 83.136.254.108 43826
(UNKNOWN) [83.136.254.108] 43826 (?) open
This is a simple questionnaire to get started with the basics.
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ C/C++ provides two macros named INT_MAX and INT_MIN that represent the integer limits. ◉
◉ ◉
◉ INT_MAX = 2147483647 (for 32-bit Integers) ◉
◉ INT_MAX = 9,223,372,036,854,775,807 (for 64-bit Integers) ◉
◉ ◉
◉ INT_MIN = –2147483648 (for 32-bit Integers) ◉
◉ INT_MIN = –9,223,372,036,854,775,808 (for 64-bit Integers) ◉
◉ ◉
◉ When this limit is passed, C will proceed with an 'unusual' behavior. For example, if we ◉
◉ add INT_MAX + 1, the result will NOT be 2147483648 as expected, but something else. ◉
◉ ◉
◉ The result will be a negative number and not just a random negative number, but INT_MIN. ◉
◉ ◉
◉ This 'odd' behavior, is called Integer Overflow. ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
[*] Question number 0x1:
Is it possible to get a negative result when adding 2 positive numbers in C? (y/n)
>> y
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x2:
What's the MAX 32-bit Integer value in C?
>> 2147483647
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x3:
What number would you get if you add INT_MAX and 1?
>> -2147483648
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x4:
What number would you get if you add INT_MAX and INT_MAX?
>> -2
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x5:
What's the name of this bug? (e.g. buffer overflow)
>> Integer Overflow
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x6:
What's the MIN 32-bit Integer value in C?
>> -2147483648
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
[*] Question number 0x7:
What's the number you can add to INT_MAX to get the number -2147482312?
>> 1337
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
♠ ♠
♠ Correct ♠
♠ ♠
♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠ ♠
HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}
```

## → 12 Conclusion

The flag was submitted and the challenge was marked as pwned