OOO archive --- DEF CON CTF

dc2020q - supersafecalc reversing pwn

by anton00b

This was a jeopardy challenge, part of dc2020q. (CTFtime)

Points: 315
Was solved by: 6 teams
PCAPs: download

You may spawn the server:

On your laptop
  • Install docker
  • docker pull archiveooo/pub:supersafecalc (docker-saved download)
  • docker run -d --name supersafecalc archiveooo/pub:supersafecalc
  • Local IP: docker inspect supersafecalc -f '{{ .NetworkSettings.Networks.bridge.IPAddress }}'
  • Connect to that IP:6789 — Remember to docker rm -f when done.
On your laptop (full source)
  • Install docker and pip install PyYAML coloredlogs
  • git clone https://github.com/o-o-overflow/dc2020q-supersafecalc-public
  • cd supersafecalc
  • ./spawner --log-level=INFO
  • Connect to the ip:port displayed
Hosted by OOO
  • Right now we're asking players to log in first.

Description

A really safe calculator. The flag is in /flag

  • supersafecalc.pyc
  • stub

Hints

Hint 1: Start by thinking how you can trigger SIGFPE in a permissible way.
Hint 2: It still involves division, but not in the usual way.
Hint 3: Can you allocate memory for what doesn't have it?
Hint 4: You need to exploit a race condition. It shouldn't take too much time and it does happen with fair reliability, but you may still want to practice on your laptop to ease retrying.

If you wish, you can contribute more.

There's an author-recommended writeup.

Source

Spoilers ahead! Code for this challenge is publicly available.