Sheet 1

General Information

Make sure you have read and understood everything in Exercise Requirements and Grading Guidelines!

Remember to put a block comment at the beginning of the solution file for each task, describing the vulnerability (including relevant addresses or instructions) and your general plan for exploiting it.


The deadline for this sheet is 2026-05-03 22:00:00 UTC

Task 1 – Key Checker (4 Points, individual Task)

The program check_key needs a valid key as an input. Find out how to provide the key to the program and how the key checking algorithm works (use a reverse engineering tool such as IDA Pro, Ghidra, radare2, or Binary Ninja, or use a debugger, such as gdb).

The final task is to write a Python script which must be named solution, is able to generate valid keys, and prints 500 of them to stdout (unique keys, newline-separated, no other output), i.e., your solution must look like this when executed:

./solution
key1
key2
key3
...
key500

where keyX is a valid key.

Note: Do not brute-force all solutions by executing the binary check_key and checking its output. This is a reverse engineering task.

Hint: Use ./solution | xargs -n 1 ./check_key | tee >(wc -l) | sort | uniq to verify your solution manually.

Task 2 – In-memory decryption (8 Points)

Have a look at the extractme executable. It decrypts a flag during runtime. Please try to extract it.

The flag is in the format FLAG{some characters here}.

Edit the provided GDB Python script gdb_script.py to extract the flag. Only use vanilla gdb features, no extensions allowed here!

Then edit the provided solution script so that it calls GDB with your GDB Python script and prints the flag to stdout.

Hints:

  • Try to find the flag with pwndbg first and then write the script.
  • At no point in time is the flag completely decrypted in memory.
  • You can capture the output of your gdb call and then extract the flag from that output in your solution script.
  • If you need a refresher on Python gdb scripting, check out the docs.

Your solution must look like:

$ ./solution
FLAG{some characters here}
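The wrapper part of Task 2 (calling GDB non-interactively, capturing its output, printing only the flag) is the same for every gdb script, so here is an added example of that solution script. It is not the provided template and not course code; it assumes the names from the sheet (./extractme, ./gdb_script.py), that your gdb script prints the recovered flag text to gdb's output once it has reassembled it (per the hint, the complete flag never sits in memory at once, so assembling it is the gdb script's job), and that no other FLAG{...} string appears in that output.

```python
"""Added example (not part of the exercise sheet or its solution template):
run gdb in batch mode with a GDB Python script, capture everything gdb prints,
and emit only the flag on stdout.

Assumptions (hypothetical, labelled here): binary ./extractme and script
./gdb_script.py as named on the sheet; the gdb script prints the reassembled
flag; only one FLAG{...} string appears in gdb's output.
"""
import re
import subprocess
import sys

FLAG_RE = re.compile(r"FLAG\{[^}]*\}")


def build_gdb_command(binary="./extractme", script="./gdb_script.py"):
    """Command line for a non-interactive, extension-free gdb run.

    -q      no banner            -batch  exit once the script is done
    -nx     skip ~/.gdbinit (keeps gdb vanilla: no pwndbg/gef loaded)
    -x FILE run FILE; gdb treats a .py suffix as a Python script
    """
    return ["gdb", "-q", "-nx", "-batch", "-x", script, binary]


def extract_flag(text):
    """Return the first FLAG{...} found in captured output, or None."""
    match = FLAG_RE.search(text)
    return match.group(0) if match else None


def run_gdb(binary="./extractme", script="./gdb_script.py"):
    """Run gdb and return its stdout and stderr as one string.

    gdb interleaves breakpoint banners, inferior output and Python prints,
    so both streams are captured and searched together.
    """
    proc = subprocess.run(build_gdb_command(binary, script),
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def main():
    flag = extract_flag(run_gdb())
    if flag is None:
        # stdout must carry only the flag, so diagnostics go to stderr
        print("no FLAG{...} found in gdb output", file=sys.stderr)
        return 1
    print(flag)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The regex is deliberately the only thing that reaches stdout: gdb's own chatter (breakpoint hits, "Inferior 1 exited" lines) is discarded, which is what keeps the required single-line output clean. -nx is there because a pwndbg or gef entry in ~/.gdbinit would otherwise load automatically and violate the "vanilla gdb" rule even though your script never calls it.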

Task 3 – CSV to JSON (4 Points)

Have a look at the C code in broken.c! It is a utility to convert CSV (Comma-Separated Values) files into JSON (JavaScript Object Notation) files. Sadly, there still seem to be some bugs, as when we run ./broken test.csv test.json, the first line of each entry is corrupted.

root@f264241bdee3:/io# gcc broken.c -Wall -o broken
root@f264241bdee3:/io# ./broken test.csv test.json
root@f264241bdee3:/io# cat test.json
[
 {
  "????U": "p???U",
  "last_name": "Doe",
  "email": "john.doe@fkie.fraunhofer.de",
  "gender": "Male",
  "age": "13"
 },
...

Your task is to review the code and identify 4 bugs (there may be more). What is a bug? Well, trust your gut on that.

For each bug, please report in a text file named solution:

  • Bug Location: The line(s) of code where the bug is present
  • Expected Behaviour: What is the code supposed to do at this point if it were functioning correctly?
  • Actual Behaviour: What does the code actually do in contrast?
  • Reproduction Steps: Which input would trigger the bug? (optionally, you can upload a sample input file that triggers the bug to your repository. In this case, reference this file here.)
  • Consequences: How does the bug affect the further execution of the executable? (e.g. crash, information leak, …)
  • Suggested Fix: What would need to be modified in the code to fix the bug?

Hints:

  • It may help to run the program under ASan: compile it with gcc broken.c -g -fsanitize=address -o broken.
  • It may also help to compile with another compiler to get other warnings.

Task 4 – Say my name! (4 Points)

We have reused code from an old authentication system. It seems like security was not that important in those days…

Find a vulnerability in the binary say_my_name and edit the provided solution template so that it:

  1. Explains in a comment where the bug is located and how it can be fixed
  2. Exploits the binary and prints (only) the flag

Your solution should execute like this:

$ ./solution
FLAG{some letters and digits}