What's up, YouTube? This is another video write-up, for the challenge Tilted Troop, for 40 points in the binary exploitation category of TJ CTF. The challenge prompt here is "Can you help us defeat the monster?" It gives us a binary and some source code to work with, and an actual remote netcat source, or service, we can connect to. So I can download these with wget, and I've got them all set up already.

So let's check out the source code. What this thing actually does, if we connect to it with netcat, is it gives us options as to what commands we want to run or work with, and we can add, supposedly, a team member to do different things, and fight a monster after we've added a certain amount of team members. So this will continue to increase our strength as we add more team members, but it will never let us get to 400, supposedly, because we need exactly 400. We are only incrementing by a small amount each time.

So let's check out the source code for real. It says the maximum team size we can use is only eight actors or characters, with that goal of 400 like we've seen. And it stores them in a struct here, a struct team, with each character's names, again only limited by the amount of team members you can have, and the strength of the total team. Interestingly enough, that is a char array, not an integer total, but interesting. Team size, and of course that may just be the current team size as you are growing them.

So the fight function, as you saw with the f command, that is what is allowing us to determine whether or not we have reached the goal. If we do reach the goal of 400, we get the flag. Otherwise it gives us that error message that we saw earlier. All this does is take a sum while it's going from an i iterator up to the team size.
So a should be eight in this case. And the main function will actually read in some input over and over again with a team that we've created, supplying the default values, okay, zero for the team size, creating the strength, etc. And we can see the commands that we can run. It will evaluate these as we enter them. And if we actually want to add a team member, it'll check if our team size is greater than the max team size. It will say, okay, you can't add any more. Otherwise, it will go ahead and add it. So obviously f will fight, q will quit, etc., etc.

An interesting thing to note here is this line: if team size is greater than max team size. Well, our team size is zero and our max team size is eight, so we kind of have an off-by-one error here, because this will also still run if eight is equal to eight. So we could potentially add nine team members here. This won't actually fault us until we have nine is greater than eight. So that means that when this runs with team size acting as the number nine, we could potentially get a random number, again modulus 10. So that explains why we weren't able to get more than 400, or why we're iterating slowly. But actually this T names with T dot team size, if this is going to be nine, then we're going to override the null character, or kind of the end of the boundary of this T names character array. So we could potentially, in the struct here, leak onto the strength variable, and that will allow us to get to that goal of 400 here.

So let's go ahead and start to write an attack script. And I'm just going to do this with the remote source. I'm going to turn the log level off so we can just kind of see the output of the service we're connecting to. Connect to the host and port. Let's actually see what we have to work with once we receive here.
Looks like we just get our prompt. Good. So let's add nine character members, or eight to begin with. We can s.sendline "a" and anything in this case, because, let's actually try and fight and see what this will tell us. "Team had 37 strength, but you only needed 400." Okay, so now if we were to add one more, what would happen? Well, we have a team of 866 strength, but that depends on what we actually send it.

So, okay, you can see the characters here are being added, because we are leaking over into that strength variable, and we're iterating through it only eight characters' worth because of this team size variable, right, that limits this loop to add on the strength characters about eight times. So we want to be somehow reaching this 400 with only eight potential characters.

Let's actually just open that up in IDLE and see: can we actually get 400 cleanly with eight? Maybe, let's try. What is the character that 52 to number two? So if we send eight characters of the number two, will we get 400? Two times eight in this case. It says, "Oh wow, your team is strong, here, take this flag." Okay, so we did get it, just like that. We could choose potentially anything less than eight, like, I think, what is it? What is 400? What is 100? d? Yeah, d is 100.
Okay, so if we were to send four d's we would still get the exact same result, and we would get our flag. So, awesome. That is how we can take advantage of that off-by-one error and get the flag in this case, and solve for however many points that was on Pico CTF, 40 points, or I'm sorry, for TJ CTF, for Tilted Troop. All right, let's go ahead and save that, mark that challenge as complete, and we are done.

Hey, I want to give a special shout-out to the people that support me on Patreon. You guys are fantastic. One dollar or more on Patreon will give you a special shout-out just like this at the end of every video. Five dollars or more on Patreon will give you early access to everything I release on YouTube before it goes live. If you did like this video and you want to see more CTF video write-ups or programming tutorials or other stuff that I do, please do like, comment and subscribe. Join our Discord server, link in the description. It is an awesome community of other CTF players, programmers and hackers, and I would love to see you on Patreon. But I hope to see you in the next video. Thanks.
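
The off-by-one bounds check walked through in the video, shown beside its corrected form. This is an added example, not the challenge's source or the presenter's script: the struct layout follows the spoken description, and `NAME_LEN` and all function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TEAM_SIZE 8
#define GOAL 400
#define NAME_LEN 16 /* assumed; the page does not give the name length */

/* Assumed layout, per the transcript: names, then a char strength array. */
struct team {
    char names[MAX_TEAM_SIZE][NAME_LEN];
    char strength[MAX_TEAM_SIZE];
    int  team_size;
};

/* Check as described in the video: refuses only once size exceeds the max. */
static int slot_allowed_buggy(int size) { return !(size > MAX_TEAM_SIZE); }

/* Corrected check: valid slot indices are 0 .. MAX_TEAM_SIZE - 1. */
static int slot_allowed_fixed(int size) { return size < MAX_TEAM_SIZE; }

/* How many of `requests` add commands does a given check accept? */
static int accepted_adds(int (*allowed)(int), int requests) {
    int size = 0;
    for (int i = 0; i < requests; i++)
        if (allowed(size)) size++;
    return size;
}

/* Byte offset inside struct team where the name for slot `idx` would start. */
static size_t name_slot_offset(int idx) {
    return offsetof(struct team, names) + (size_t)idx * NAME_LEN;
}

/* Mirrors the fight loop: strength bytes are summed as plain numbers. */
static int team_strength(const char *strength, int n) {
    int sum = 0;
    for (int i = 0; i < n; i++) sum += strength[i];
    return sum;
}

int main(void) {
    printf("buggy check accepts %d members, fixed accepts %d\n",
           accepted_adds(slot_allowed_buggy, 20),
           accepted_adds(slot_allowed_fixed, 20));
    printf("slot 8 name offset %zu, strength offset %zu\n",
           name_slot_offset(MAX_TEAM_SIZE), offsetof(struct team, strength));
    printf("sum of eight '2' bytes: %d (goal %d)\n",
           team_strength("22222222", MAX_TEAM_SIZE), GOAL);
    return 0;
}
```

Using `>=` (or `<` on the accept path) keeps the ninth name out of the struct; storing strength in a field that user-controlled string copies cannot reach would remove the dependency on that single comparison.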