PicoCTF – PIE-Time

PIE Time

Challenge_Author: Darkraicg492

Category: Binary Exploitation

Description

Can you try to get the flag? Beware we have PIE! Additional details will be available after launching your challenge instance.

Theory

This challenge revolves around PIE (Position Independent Executable) and ASLR (Address Space Layout Randomization).

What is PIE?

When a binary is compiled with PIE enabled, it means:

• The executable can be loaded at any memory address
• Each time the program runs, its base address changes

Because of this:

• Function addresses (like main() or win()) change every execution
• Hardcoding function addresses will not work

What ASLR Changes (and What It Doesn’t)

ASLR:

• Randomizes where the binary is loaded in memory
• Does not change the internal layout of the binary

This is the key idea:

Even though absolute addresses change, the relative distance between functions remains constant.

Why the Exploit Works

In this challenge:

• The program leaks the runtime address of main()
• We can find the fixed offset between main() and win() using static analysis
• Using this offset, we calculate the runtime address of win() and jump to it

This technique is a classic PIE bypass using an information leak.

Process

1. In the beginning Launch the instance from the Pico website.

2. Two files will be provided, which needs to be downloaded.

   Files Provided:

   • vuln — ELF 64-bit executable
   • vuln.c — C source code

3. Then I performed dynamic analysis of the code to get any information.

   

4. Upon performing it, it revealed the Address of the main which is “0x55555555733d”, and asks us to jump any address, that is all the information that I was able to get it.

5. Next I tried to perform static analysis of the code which is provided by the website itself.

    ![Screenshot 2025-12-18 at 9.04.30 PM.png](/assets/img/PIE-Time-Photos/Screenshot_2025-12-18_at_9.04.30_PM.png)
   

6. Upon looking at the source code, I found out that there is a function called “win()” upon closer inspection it opens the file called “flag.txt”. Also there is also the main function which prints out the “Address of the main”.
7. Now since this type of challenge was new to me, I had to take help from the internet , regarding how to find the address of this.

8. After researching on the internet I found out that I can use the following command to find out the address of the function.

    #The nm command in Linux is a useful utility for examining binary files and libraries.
    nm vuln | grep -E 'main|win'
   

   

9. Now the addresses have been revealed for the “win” and “main” function, Initially inserting the address value after running the program didn’t give me the flag instead it gave me an error, this means that there is more in this challenge to discover.
10. I discovered from the challenge description is that there is “PIE(Position Independent Executable)” enabled. In simpler words is that when ever the program is being executed the address changes aswell.

11. Since the main address was leaked I needed to find “how far was the win() from the main() address

    ```
    0x133d (main) - 0x12a7 (win) = 0x96 -> This is how far it is
    ```
    

12. Now all I had to do is to subtract it from the “main address” which was provided when running the code.

    ```
    leaked main address - {main() - win() address} = Original Address 
    
    0x55555555733d(leaked main address) - 0x96(Difference) = 0x5555555572a7
    ```
    

13. After getting the original address, I ran the program once again gave the address to jump

    

14. I got the output as “You won!”, since this was just a dummy code to test it out , the actual program was running on their server, using the “nc” command and the ip address you can connect to it which they provided.

    

15. Now after using the “nc” command, I got the program running similar to our dummy code, and after all the calculations ( Because, here the address is different , but the difference address was correct you just need to subtract it from new given address), Which finally gives the flag.

    picoCTF{b4as1c_p051t1on_1nd3p3nd3nc3_6f4e7236}
    

Conclusion

This challenge demonstrates a fundamental binary exploitation technique: leveraging an information leak to bypass PIE. By understanding how relative offsets between functions remain constant, it is possible to reliably redirect program execution even when address randomization is enabled.

The challenge serves as an excellent introduction to:

• Address leaks

• Position Independent Executables (PIE)

• Control-flow redirection using calculated offsets

• These concepts form the foundation for more advanced exploitation techniques.

Thank you to the challenge author for creating a beginner-friendly and educational binary exploitation challenge. It provides a clear and practical introduction to PIE bypass techniques and control-flow manipulation in ELF binaries. I’ll see you in the next writeup.