pwn

Challenges

Index

I literally hand you the flag, just exploit it already!
index.zip

❯ unzip -l index.zip
Archive:  index.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16632  2025-08-01 09:44   index
   225600  2025-08-01 12:25   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:25   libc.so.6
---------                     -------
  2245640                     3 files

Load up to dogbolt, or objdump
We could see this
cmp $0x539 compares the user input with 0x539 in hex it is 1337 in decimal
je 150e if they're equal — confirmed with decompiler

1337 will triggers a secret fucntion that open flag.txt
We go to LABEL_401448
Or the menu() to be exact
Now, we need option 2 because read_data can read from any memory location without bounds checking
The flag address is 0x40a0
we also know nums array is at 0x4060

12c3:	48 8d 15 96 2d 00 00 	lea    0x2d96(%rip),%rdx        # 4060 <nums>

Finally the calculation is nums_base + (index * 8)
Flag address - nums address = 0x40a0 - 0x4060 = 0x40 = 64 bytes 64 bytes ÷ 8 bytes per index = 8
Final exploit

scriptCTF{4rra4y_00B_unl0ck3d_0aed67c7e137

Index-2 (upsolve)

This time, you get the file pointer, not the flag itself.
index-2.zip

❯ unzip -l index-2.zip
Archive:  index-2.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16608  2025-08-01 09:47   index-2
   225600  2025-08-01 12:23   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:23   libc.so.6
---------                     -------
  2245616                     3 files

tbd, will write later

Previousprogramming Nextrev

Last updated 20 days ago