2024 Cyber Apocalypse: Pwn Tutorial

Challenge Information

Attribute	Details
Event	2024 Cyber Apocalypse
Category	Binary Exploitation
Challenge	Pwn Tutorial
Difficulty	Very Easy

Pwn Tutorial is an introductory challenge designed to teach participants about integer overflow vulnerabilities. The challenge presents a series of questions about 32-bit integer behavior in C, testing understanding of how signed integers overflow and wrap around. Successfully answering all questions reveals the flag.

Analysis

Integer Overflow Concepts

32-bit signed integers range from -2147483648 to 2147483647:

INT_MIN = -2147483648 (0x80000000)
INT_MAX = 2147483647 (0x7FFFFFFF)

When adding positive numbers:

If the result exceeds INT_MAX, overflow occurs and wraps to negative values
This behavior is undefined in C but commonly wraps around in two’s complement

Challenge Questions

The challenge asks 7 questions progressively building understanding:

Can negative results occur from adding 2 positive numbers? → YES (overflow)
MAX 32-bit Integer value? → 2147483647
INT_MAX + 1? → -2147483648 (wraps to INT_MIN)
INT_MAX + INT_MAX? → -2 (wraps around)
What’s the name of this bug? → integer overflow
MIN 32-bit Integer value? → -2147483648
What number to add to INT_MAX to get -2147482312? → (calculated answer)

Solution

Step 1: Answer Questions 1-6

These are straightforward based on integer overflow rules:

Question 1: y (yes, overflow causes negative)
Question 2: 2147483647
Question 3: -2147483648
Question 4: -2
Question 5: integer overflow
Question 6: -2147483648

Step 2: Calculate Question 7

Question 7 asks: “What number would you add to INT_MAX to get -2147482312?”

Calculation:

INT_MAX = 2147483647
Target = -2147482312
Difference = Target - INT_MAX
Difference = -2147482312 - 2147483647
Difference = -4294965959

When we overflow, we need to find x where:
(INT_MAX + x) mod 2^32 = -2147482312

Through testing or calculation, the answer can be found by trial or by understanding the wrap-around.

Complete Solver Script

from pwn import *

def main():
    binary_path = './test'
    INT_MAX = 2147483647

    for i in range(1000, 2000):
        # Start the process
        p = process(binary_path)

        # Read initial output
        prompt = p.recvuntil(b'Enter 2 numbers: ')
        print(prompt.decode(), end='')

        # Prepare input: INT_MAX, i
        input_str = f"{INT_MAX},{i}"

        # Send
        p.sendline(input_str.encode())

        try:
            response = p.recvall(timeout=2)
            print(response.decode())

            if b"Exiting" in response:
                print(f"Attempt with adding {i} resulted in exit.")
            elif str(-2147482312).encode() in response:
                print(f"[+] Correct number found: {i}")
                break
        except EOFError:
            print(f"Binary closed after adding {i}.")
        finally:
            p.close()

    print("Finished processing.")

if __name__ == '__main__':
    main()

Step 3: Retrieve the Flag

Once all 7 questions are answered correctly, the challenge returns the flag.

Key Takeaways

Integer overflow is a critical vulnerability in systems programming
32-bit signed integers use two’s complement representation
Overflow behavior depends on language implementation (often undefined in C)
Testing boundary values (INT_MAX, INT_MIN) reveals overflow behavior
This vulnerability can lead to buffer overflows, privilege escalation, and other attacks
Understanding integer arithmetic is fundamental to binary exploitation

Flag: HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}