OOO logo

OOO archive --- DEF CON CTF [ login ]

dc2020q - supersafecalc reversing pwn

by anton00b

This was a jeopardy challenge, part of dc2020q. (CTFtime)

Points: 315
Was solved by: 6 teams
PCAPs: download

You may spawn the server:

On your laptop
  • Install docker
  • docker pull archiveooo/pub:supersafecalc (docker-saved download)
  • docker run -d --name supersafecalc archiveooo/pub:supersafecalc
  • Local IP: docker inspect supersafecalc -f '{{ .NetworkSettings.Networks.bridge.IPAddress }}'
  • Connect to that IP:6789 — Remember to docker rm -f when done.
On your laptop (full source)
  • Install docker and pip install PyYAML coloredlogs
  • git clone https://github.com/o-o-overflow/dc2020q-supersafecalc-public
  • cd supersafecalc
  • ./spawner --log-level=INFO
  • Connect to the ip:port displayed
Hosted by OOO Right now we're asking players to login first.

Description

A really safe calculator. The flag is in /flag

line_weight supersafecalc.pyc line_weight stub

Hints

Hint 1Start by thinking how you can trigger SIGFPE in a permissible way.
Hint 2It still involves division, but not in the usual way.
Hint 3Can you allocate memory for what doesn't have it?
Hint 4You need to exploit a race condition. It shouldn't take too much time and it does happens with fair reliability, but you may still want to practice on your laptop to ease retrying.

If you wish, you can contribute more.

There's an author-recommended writeup.

Source

Spoilers ahead! Code for this challenge is publicly available.