Sheet 4

General Information

All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online, there are many good resources to get started such as this intro course, this advanced course, this blog post, and this slide deck.

Please keep in mind that you should:

  • read the task description carefully

  • push all your changes to the GitLab repository (main branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site!

  • Make sure that your solution (also) runs in the CI environment (and not just your local machine); this also means that you must install all additional packages yourself from within the solution script (see our blog post for details how to do that).

  • Check the CI-Pipeline status and output for any errors. If the Pipeline is green and the output looks right, your solution should be correct.

  • Make sure that the solution is an executable Python 3 script named solution (chmod +x ./solution) with a working shebang line at the top (i.e. #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … – just solution)

  • The final solution string, and only that, must be written to stdout and could be a number, a string, a string with the format FLAG{some letters and digits here}, depending on the specific task.

  • Describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

    1
2
3
4
5
6
7
8

    def check_input_length(input_string):
    """
    The input string must have a length greater than 42 and must also be even.
    """
    length = len(input_string)

    # the final check happens here
    return (length > 42) and (length % 2 == 0)

    This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please do not leave any commented code (i.e., code that is not needed to solve the task) in your solution files!

  • Make sure that your solution executes within 10 seconds (this is a hard timeout on our server).

  • Violating any of the points above might lead to reduced final points for the specific task!

The deadline for this sheet is 2025-06-15 22:00:00 UTC

Task 13 – Notebook App (4 Points)

We got a new app that allows you to take notes. There are two kinds of notes: simple ones and printable ones. The app is still work in progress so there might still be some bugs.

Find the bug in the notebook application and exploit it to print the flag. As always, describe what you are doing with technical details in comments so that we see that you fully understood the vulnerability and the exploit.

Once again, edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • What happens if you set the printing function to puts() and then have heap allocation with the same size before that?
  • Have a closer look at the struct printable_note

Your solution should execute like this:

1
2

./solution
FLAG{some letters}

Task 14 – Bank Robbery 2.0 (12 Points, individual Task)

You are now a member of the digital bank robber group Fang-Den-Shui which is famous for stealing money from the rich and giving it to the poor. Are you ready to prove your value?

To successfully rob the bank, exploit bank_robbery to make it print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • What happens if you give scanf something it does not expect?
  • Are you able to influence the allocation on the heap in a way that you are able to print and overwrite something nice there?
  • The pwndbg heap command can be helpful to track how the heap looks like.

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}

Task 15 – Some Poison for the cash machine (12 Points)

Money is not everything, but with money everything is more fun. Therefore we want to use this awesome cash machine to get our money printed.

Poison cash_machine in a way that it gives you a shell, and use the shell to print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • Have a look at the backdoor function
  • How can you set up RDI when invoking the backdoor function?
  • Which functions offers you the possiblity that your allocation gets into the TCACHE?
  • Can you see the diference between the cashbox_delete and the cashbox_update functions? What can you use after that?

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}

Task 16 – Fake it till you make it! (8 Points)

Our developer team published this new echo service. As you can see, they made extra sure there are no buffer overflows, so everything should be nice and secure.

Are you ready to exploit it and make it read the flag from flag.txt and print the flag? Just do it then!

Once again, edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • Is there some nice GOT entry which you could overwrite? Which entry would be most suitable?
  • Maybe you can use some bug more than once to write the value one byte at a time…
  • ASLR is intentionally not enabled for this binary to make this task easier. Make sure you use the isolation-container with the personality syscall not blocked by seccomp. For example, you can use --security-opt seccomp=unconfined for your tests when starting the container.

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}
28 May 2025