Challenge Description#

A “secure” vault that checks your money amount to grant access to the flag.

Binary Analysis#

$ file quiz
quiz: ELF 64-bit LSB pie executable, x86-64, dynamically linked

Decompiled Logic (pseudocode)#

long money;   // signed 64-bit integer

printf("How much is your money?\n");
scanf("%lld", &money);  // reads SIGNED long long

// Check 1: Signed comparison
if (money > 100) {
    printf("You cannot have more than 100 Rupiaz as a student!\n");
    exit(1);
}

// Check 2: This comparison treats value as UNSIGNED
if (money <= 1000000) {
    printf("Your money is not enough for a flag :(\n");
    printf("You need 1 million rupiaz for a flag!\n");
    exit(1);
}

// WIN: Print flag
printf("It... Can't be!!!\n");
// ... opens and prints flag.txt

Vulnerability: Integer Signedness Bug#

The two checks have conflicting requirements:

1. money > 100 uses signed comparison (must be ≤ 100)
2. money <= 1000000 uses comparison that can be bypassed with negative numbers

Key Insight: A negative number like -1:

• Signed interpretation: -1 ≤ 100 ✓ (passes check 1)
• When compared as unsigned: -1 = 0xFFFFFFFFFFFFFFFF = 18,446,744,073,709,551,615
• This is definitely > 1,000,000 ✓ (passes check 2)

Exploit#

$ echo "-1" | nc 43.128.69.211 13004
How much is your money?
It... Can't be!!!
scsc26{Integer_Und3R_fl0W_0v3rFl0W}