Challenge Description#

A “secure” vault that checks your money amount to grant access to the flag.

Binary Analysis#

1
$ file quiz
2
quiz: ELF 64-bit LSB pie executable, x86-64, dynamically linked

Decompiled Logic (pseudocode)#

1
long money;   // signed 64-bit integer
2

3
printf("How much is your money?\n");
4
scanf("%lld", &money);  // reads SIGNED long long
5

6
// Check 1: Signed comparison
7
if (money > 100) {
8
    printf("You cannot have more than 100 Rupiaz as a student!\n");
9
    exit(1);
10
}
11

12
// Check 2: This comparison treats value as UNSIGNED
13
if (money <= 1000000) {
14
    printf("Your money is not enough for a flag :(\n");
15
    printf("You need 1 million rupiaz for a flag!\n");
16
    exit(1);
17
}
18

19
// WIN: Print flag
20
printf("It... Can't be!!!\n");
21
// ... opens and prints flag.txt

Vulnerability: Integer Signedness Bug#

The two checks have conflicting requirements:

1. money > 100 uses signed comparison (must be ≤ 100)

2. money <= 1000000 uses comparison that can be bypassed with negative numbers

Key Insight: A negative number like -1:

• Signed interpretation: -1 ≤ 100 ✓ (passes check 1)

• When compared as unsigned: -1 = 0xFFFFFFFFFFFFFFFF = 18,446,744,073,709,551,615

• This is definitely > 1,000,000 ✓ (passes check 2)

Exploit#

1
$ echo "-1" | nc 43.128.69.211 13004
2
How much is your money?
3
It... Can't be!!!
4
scsc26{Integer_Und3R_fl0W_0v3rFl0W}