# Internetwache 2016 : EquationSolver (exp60)

**Category:** exploit |
**Points:** 60 |
**Name:** EquationSolver |
**Solves:** 257 |
**Description:**

> I created a program for an unsolvable equation system. My friend somehow forced it to solve the equations. Can you tell me how he did it?
>
> Service: 188.166.133.53:12049

___

## Write-up

### Part Zero
We were given a service, which we connect to using Python sockets.

```
import socket

# Connect to the challenge service and read its greeting
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12049))
data = s.recv(1024)
print(data.decode())
```

And we get the first part:
```
Solve the following equations:
X > 1337
X * 7 + 4 = 1337
```

### Part One
Submitting really large integers (99999999999999999999999) gave us:
```
2147483648 is bigger than 1337
2147483645 is not equal to 1337
```

So it seemed like the integers overflowed. Submitting the negative of the large integers, we got a similar response:
```
-2147483648 is bigger than 1337
-2147483645 is not equal to 1337
```

The first line gave away that they are storing the numbers as unsigned integers.
So we tried to overflow it with inputs in the range -2147483648 to 2147483648, looking for where (7 * our input) wraps around into the positives:
```
# -613566566 = 1338
# -1227133323 = 1335
# -1840700079 = 1339
```

It seemed like the overflow range we were looking for was in the positives, and 613566947 gave us the flag :)
```
613566947 is bigger than 1337
1337 is equal to 1337
Well done!
IW{Y4Y_0verfl0w}
```
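
The wrapping input can also be computed directly rather than searched for: with 32-bit arithmetic the second equation is 7·X + 4 ≡ 1337 (mod 2^32), and 7 is odd, so it has a modular inverse. The following is an added example, not the write-up's script; the 32-bit wrap model and all function names are assumptions based on the service output above, and `checked_eval` shows the range check that makes the equation unsolvable again.

```python
# Added example: assumed model of the service's 32-bit arithmetic.
MOD = 1 << 32          # 32-bit results wrap modulo 2**32
INT_MIN, INT_MAX = -(1 << 31), (1 << 31) - 1


def wrap32(n):
    """Value a signed 32-bit int holds after n wraps around."""
    n &= MOD - 1
    return n - MOD if n > INT_MAX else n


def solve_wrapped(a, b, target):
    """The x in [0, 2**32) with wrap32(a*x + b) == target (a must be odd)."""
    if a % 2 == 0:
        raise ValueError("a has no inverse modulo 2**32")
    inv = pow(a, -1, MOD)               # modular inverse, Python 3.8+
    return (target - b) * inv % MOD


def checked_eval(a, x, b):
    """Hardened form: refuse inputs or results that do not fit in 32 bits."""
    result = a * x + b                  # Python ints do not overflow
    if not (INT_MIN <= x <= INT_MAX and INT_MIN <= result <= INT_MAX):
        raise OverflowError(f"{a}*{x}+{b} does not fit in a signed 32-bit int")
    return result


def has_exact_solution(a, b, target):
    """True if a*x + b == target has an integer solution without wraparound."""
    return (target - b) % a == 0


if __name__ == "__main__":
    x = solve_wrapped(7, 4, 1337)
    print(x, "->", wrap32(7 * x + 4))               # the input that wraps to 1337
    for near_miss in (-613566566, -1227133323, -1840700079):  # from the write-up
        print(near_miss, "->", wrap32(7 * near_miss + 4))
    print("solvable without overflow:", has_exact_solution(7, 4, 1337))
    try:
        checked_eval(7, x, 4)
    except OverflowError as exc:
        print("rejected:", exc)
```
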

[See full script here](src/exp60.py)
[See full overflow ranges here](src/exp60.xlsx)

Original writeup (https://github.com/WesternCyber/CTF-WriteUp/blob/master/2016/Internetwache/Exploit/Exp60.md).