PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Reverse Engineering

Time's Up

PreviousB1ll_Gat35NextTime's Up, For the Last Time!

Last updated 4 years ago

Was this helpful?

Problem

Time waits for no one. Can you solve this before time runs out? times-up, located in the directory at /problems/time-s-up_1_7d4f79c3df3e1b044801573eea5722be.

Solution

  1. Decompile the binary file using (). main() function:

     undefined8 main(void)

 {
 init_randomness();
 printf("Challenge: ");
 generate_challenge();
 putchar(10);
 fflush(stdout);
 puts("Setting alarm...");
 fflush(stdout);
 ualarm(5000,0);
 printf("Solution? ");
 __isoc99_scanf(&DAT_00100e68,&guess);
 if (guess == result) {
     puts("Congrats! Here is the flag!");
     system("/bin/cat flag.txt");
 }
 else {
     puts("Nope!");
 }
 return 0;
 }

    Using the debugger, like we did for Need For Speed will not work because we will lose the SETUID permissions required for the system call: system("/bin/cat flag.txt");.

    This code also shows us that there is an alarm which ends the program if we don't provide a valid answer within 5000 uSeconds, which is not a lot of time.

  2. Let's try running the program: chmod +x times-up && ./times-up

     Challenge: (((((2033553839) + (-1699577110)) + (((-545013997) - (67704704)) + ((-1918353553) + (-1516567616)))) + (((-210308874) + (1475601456)) + ((1775129956) + (-2055247704)))) + ((((1330215250) - (-1021292908)) + ((-1623051128) + (-1560439740))) + ((((-748207565) + (215421591)) + (1002169210)) + ((-1314247138) + (1641760225)))))
 Setting alarm...
 Solution? Alarm clock

  3. Running the will not work since it communicates over SSH, which is not fast enough to solve this challenge.

  4. Instead, run the following (which is commented at the end of ) on the shell server in /problems/time-s-up_1_7d4f79c3df3e1b044801573eea5722be:

     from pwn import *
 io = process("./times-up")
 io.recvuntil("Challenge: ")
 challenge = io.recvline()
 answer = eval(challenge)
 io.sendline(str(answer))
 io.interactive()
     Solution? Congrats! Here is the flag!
 picoCTF{Gotta go fast. Gotta go FAST. #3daa579a}

Flag

picoCTF{Gotta go fast. Gotta go FAST. #3daa579a}

Program
Ghidra
cheat sheet
script.py
script.py