[UCSB iCTF 2017] pokemon(type: pwn) write-ups


This was an interesting challenge in UCSB iCTF 2017, and we had a lot of fun with it. But by the time we finished the exploit, the game server, including the scoreboard, had gone down before the end of the game.

This write-up covers only the local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It’s a pity we could not actually get a real flag in the game.

1. File information


  1. scanf(“%s”) stops matching “%s” at the first whitespace character.
  2. The number of items to buy is not checked, so it can be zero.
  3. The item number is subject to integer underflow.
  4. Swapping items does not check that the items exist (not used in our exploit).


We can use a pokemon ball to capture a pokemon and rename it; the name can contain whitespace. After saving, quitting and reloading the game, the function pointer of the attack method can be hijacked to point at read_input(). We craft input to arrange the heap layout and leak the libc address, and finally we can execute(“/bin/sh;”).
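As an added illustration of bugs 1 to 3 from the list above (not code from the challenge binary or from this write-up), here is a hypothetical hardened form of the two input routines: the quantity parser refuses zero, negative and out-of-range values before any arithmetic happens on them, and the name reader keeps embedded whitespace without writing past its buffer. The binary's real function names are not known here; parse_quantity and read_name are invented for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacement for the game's "how many items" prompt.
 * Returns the quantity, or -1 if the text is not an integer in [1, max].
 * This closes bugs 2 and 3 above: a zero count is refused and the value is
 * range-checked before it is ever multiplied or subtracted. */
long parse_quantity(const char *text, long max)
{
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || errno == ERANGE)
        return -1;                      /* no digits, or outside long range */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                          /* tolerate trailing whitespace only */
    if (*end != '\0')
        return -1;                      /* trailing junk such as "3abc" */
    if (value < 1 || value > max)
        return -1;                      /* zero, negative, or too large */
    return value;
}

/* Hypothetical replacement for reading a pokemon name with scanf("%s").
 * The whole line is kept, spaces included (bug 1), and the copy is bounded
 * by the caller's buffer. Returns the number of bytes stored, excluding NUL. */
size_t read_name(const char *line, char *out, size_t out_size)
{
    size_t n = strcspn(line, "\r\n");   /* stop at end of line, not at ' ' */
    if (n >= out_size)
        n = out_size - 1;               /* truncate instead of overflowing */
    memcpy(out, line, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char name[16];
    printf("%ld\n", parse_quantity("0\n", 99));   /* -1: zero count refused */
    printf("%ld\n", parse_quantity("-5\n", 99));  /* -1: negative refused */
    printf("%ld\n", parse_quantity("3\n", 99));   /* 3 */
    read_name("Pika Chu\n", name, sizeof name);
    printf("[%s]\n", name);                       /* [Pika Chu] */
    return 0;
}
```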
