
# Internetwache 2016 : EquationSolver (exp60)

**Category:** exploit | **Points:** 60 | **Name:** EquationSolver | **Solves:** 257

**Description:**

> I created a program for an unsolvable equation system. My friend somehow forced it to solve the equations. Can you tell me how he did it?

>

> Service: 188.166.133.53:12049

___

## Write-up

### Part Zero

We were given a service, which we connect to using Python sockets.

```
import socket

# Connect to the challenge service and print its greeting
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12049))
data = s.recv(1024)
print(data.decode())
```

And we get the first part:

```
Solve the following equations:
X > 1337
X * 7 + 4 = 1337
```

### Part One

Submitting really large integers (99999999999999999999999) gave us:

```
2147483648 is bigger than 1337
2147483645 is not equal to 1337
```

So it seemed like the integers overflowed. Submitting the negatives of the large integers, we get a similar response:

```
-2147483648 is bigger than 1337
-2147483645 is not equal to 1337
```

The first line gave away that they are storing the numbers as non-signed integers.

So we tried inputs in the range -2147483648 to 2147483648, looking for where (7 * our input) overflows into the positives:

```
# -613566566 = 1338
# -1227133323 = 1335
# -1840700079 = 1339
```

It seemed like the overflow range we were looking for is in the positives, and 613566947 gave us the flag :)

```
613566947 is bigger than 1337
1337 is equal to 1337
Well done!
IW{Y4Y_0verfl0w}
```
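The search above can also be done in closed form. The following is an added example, not the write-up's own script: it assumes the service computes `X * 7 + 4` with 32-bit two's-complement wrap-around (inferred from the outputs shown), and the function names are hypothetical. It also includes a checked variant that rejects the overflowing input instead of wrapping.

```python
# Added example: models the service's arithmetic as signed 32-bit
# wrap-around. This is an assumption based on the outputs in the write-up.
MOD = 2 ** 32
INT_MIN, INT_MAX = -2 ** 31, 2 ** 31 - 1


def wrap32(n):
    """Reduce an unbounded Python int to a signed 32-bit value."""
    n &= MOD - 1
    return n - MOD if n > INT_MAX else n


def wrapped_eval(x, a=7, b=4):
    """a * x + b as a wrapping 32-bit machine would compute it."""
    return wrap32(a * x + b)


def solve_wrapped(a=7, b=4, target=1337):
    """Solve a * x + b == target (mod 2**32); a must be odd to be invertible."""
    inv = pow(a, -1, MOD)  # modular inverse, needs Python 3.8+
    return wrap32((target - b) * inv)


def checked_eval(x, a=7, b=4):
    """Hardened form: refuse inputs or results outside the 32-bit range."""
    result = a * x + b
    if not (INT_MIN <= x <= INT_MAX and INT_MIN <= result <= INT_MAX):
        raise OverflowError("value does not fit in a signed 32-bit integer")
    return result


if __name__ == "__main__":
    x = solve_wrapped()
    print(x, wrapped_eval(x))
    # The negative inputs listed in the write-up only come close:
    for n in (-613566566, -1227133323, -1840700079):
        print(n, wrapped_eval(n))
    try:
        checked_eval(x)
    except OverflowError as exc:
        print("rejected:", exc)
```

Because 7 is odd, it has an inverse modulo 2**32, so under this model exactly one 32-bit value satisfies the second equation, and it happens to be positive and larger than 1337.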

[See full script here](src/exp60.py)

[See full overflow ranges here](src/exp60.xlsx)

Original writeup (https://github.com/WesternCyber/CTF-WriteUp/blob/master/2016/Internetwache/Exploit/Exp60.md).