
# Internetwache 2016 : EquationSolver (exp60)

**Category:** exploit |
**Points:** 60 |
**Name:** EquationSolver |
**Solves:** 257 |
**Description:**

> I created a program for an unsolveable equation system. My friend somehow forced it to solve the equations. Can you tell me how he did it?
>
> Service: 188.166.133.53:12049

___

## Write-up

### Part Zero
We were given a service, which we connected to using Python sockets.


```python
import socket

# Connect to the challenge service and print its greeting
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12049))
data = s.recv(1024)
print(data.decode())
```


And we get the first part:

```
Solve the following equations:
X > 1337
X * 7 + 4 = 1337
```


### Part One
Submitting really large integers (99999999999999999999999) gave us:

```
2147483648 is bigger than 1337
2147483645 is not equal to 1337
```


So it seemed like the integers overflowed. Submitting the negative of the large integers, we got a similar response:

```
-2147483648 is bigger than 1337
-2147483645 is not equal to 1337
```


The first line gave away that they are storing the numbers as unsigned integers.
So we tried to overflow it with inputs between -2147483648 and 2147483648, looking for where (7 * our input) wraps to a positive result:

```
# -613566566 = 1338
# -1227133323 = 1335
# -1840700079 = 1339
```


It seemed like the overflow range we were looking for was in the positives, and 613566947 gave us the flag :)

```
613566947 is bigger than 1337
1337 is equal to 1337
Well done!
IW{Y4Y_0verfl0w}
```
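
The wrapping input can also be computed directly instead of searched for: 7 is odd, so it has an inverse modulo 2^32. This is an added example, not part of the original write-up or its script. It assumes the service evaluates `X * 7 + 4` in 32-bit two's-complement arithmetic, and the function names are hypothetical. `checked_eval` shows the range check that rejects the wrapping input instead of accepting it.

```python
MASK32 = 0xFFFFFFFF  # assumption: the service does its arithmetic in 32 bits


def wrap32(n):
    """Reduce an arbitrary integer to a signed 32-bit value (two's complement)."""
    n &= MASK32
    return n - (1 << 32) if n & 0x80000000 else n


def solve_wrapped(a, b, target, bits=32):
    """Return x in [0, 2**bits) with a*x + b == target (mod 2**bits); a must be odd."""
    if a % 2 == 0:
        raise ValueError("a has no inverse modulo a power of two")
    mod = 1 << bits
    return ((target - b) * pow(a, -1, mod)) % mod  # pow(..., -1, m): Python 3.8+


def checked_eval(x, a=7, b=4, bits=32):
    """Evaluate a*x + b, rejecting any input or result outside the signed range."""
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= x <= hi:
        raise OverflowError("input does not fit in %d bits" % bits)
    result = a * x + b
    if not lo <= result <= hi:
        raise OverflowError("a*x + b overflows %d bits" % bits)
    return result


if __name__ == "__main__":
    x = solve_wrapped(7, 4, 1337)
    print(x, "->", wrap32(7 * x + 4))  # the write-up's winning input
    for probe in (-613566566, -1227133323, -1840700079):
        print(probe, "->", wrap32(7 * probe + 4))  # the three probes listed above
    try:
        checked_eval(x)
    except OverflowError as exc:
        print("checked_eval rejects it:", exc)
```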


[See full script here](src/exp60.py)
[See full overflow ranges here](src/exp60.xlsx)

Original writeup (https://github.com/WesternCyber/CTF-WriteUp/blob/master/2016/Internetwache/Exploit/Exp60.md).