pwnPromedium

Maze

spbctf

Task: collect 10 treasures in a maze game to get the flag. Solution: exploit a missing bounds check (no x >= 0 validation) in the movement function to move left into negative x territory, stepping on treasure characters (X) placed in the name buffer located before the maze array in memory.

$ ls tags/ techniques/

negative_index array_oob bounds_check game_exploitation

negative_array_indexout_of_bounds_memory_accessgame_logic_exploitation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[misc][Pro]Лабиринт (Labyrinth)— duckerz
[pwn][Pro]Easy Overflow 3— spbctf
[pwn][Pro]sptr— spbctf
[reverse][free]TunnelMadness— hackthebox
[pwn][Pro]ret— spbctf