Daniel Foudeh

I am a software engineer with a strong interest in cybersecurity. I enjoy participating in CTFs, and I play with team World Wide Flags.

IrisCTF 2025 - misc/cobras-den

Cobra’s Den was a Python jail escape challenge for IrisCTF 2025. What better way to start the new year than with a pyjail? Let’s take a look at the code: # flag stored at 'flag' in current dir import builtins all_builtins = dir(builtins) filtered_builtins = {name: getattr(builtins, name) for name in all_builtins if len(name) <= 4} filtered_builtins.update({'print': print}) whitelist = "<ph[(cobras.den)]+~" security_check = lambda s: any(c not in whitelist for c in s) or len(s) > 1115 or s....

January 6, 2025

World Wide CTF 2024 - pwn/white-rabbit

White Rabbit is a shellcode challenge I created for WWCTF 2024. I will walk you through the intended solution and share a very clever approach discovered by my teammate @Nosimue. Overview We are given a binary (white_rabbit) and a remote netcat endpoint. The first step is to analyze the binary’s protections using checksec: [d@d-20tk001gus challs]$ checksec --file=white_rabbit RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX disabled PIE enabled No RPATH No RUNPATH 31 Symbols No 0 2 white_rabbit NX Disabled: Allows execution of injected shellcode....

December 1, 2024

PwnSec CTF 2024 - rev/tiny

We are given a Python file that contains the following: _ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)(b'<reversed base64 payload omitted>')) Decompressing and decoding from base64, we see a similar string with decompress and b64decode instructions, meaning it has been encoded multiple times.
I wrote a simple script to decode it: import base64 import zlib import re out = base64.b64decode(b'<reversed base64 payload omitted>'[::-1]) out = zlib.decompress(out) while True: out = out[11:-3] #print(out) out = base64.b64decode(out[::-1]) out = zlib.decompress(out) print(out) And we get some Python code:...

November 17, 2024

BlockCTF 2024 - pwn/echo2

We are given a binary with all protections turned on and C source code. #include <fcntl.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open("flag.txt", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()....

November 11, 2024

DownUnderCTF 2024 - pwn/yawa

We are given a binary with all protections turned on, and C source code. [d@d-20tk001gus yaw]$ pwn checksec --file=yawa [*] '/home/d/Downloads/DUCTF24/yaw/yawa' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled RUNPATH: b'.' #include <stdio.h> #include <stdlib.h> #include <unistd.h> void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int menu() { int choice; puts("1. Tell me your name"); puts("2. Get a personalised greeting"); printf("> "); scanf("%d", &choice); return choice; } int main() { init(); char name[88]; int choice; while(1) { choice = menu(); if(choice == 1) { read(0, name, 0x88); } else if(choice == 2) { printf("Hello, %s\n", name); } else { break; } } } First, we need to leak out the canary....

July 7, 2024

UIUCTF 2024 - pwn/syscalls

‘syscalls’ was a very neat shellcode with seccomp challenge. Initial Analysis We are given a binary ‘syscalls’ and a Dockerfile. First, we take a look at the binary with the file command, and see that it is a stripped 64-bit ELF. [d@d-20tk001gus syscall]$ file syscalls syscalls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19b78a52059d384f1b4def02d5838b625773369d, for GNU/Linux 3.2.0, stripped Next we use checksec to see what protections are on....

July 2, 2024

JerseyCTF 2024 - pwn/stage-left

This challenge is very similar to the last challenge, Running on Prayers, except instead of an unbounded gets into a buffer, we read in 0x40 bytes using fgets. Because space is limited, we have to inject our shellcode in stages, as the name suggests. undefined8 vuln(void) { char local_28 [32]; printf("Cramped..."); fgets(local_28,0x40,stdin); return 0; } Again we can use jmp rsp, but this time we will use something like sub rsp, 0x20 jmp rsp after rsp....

March 24, 2024

JerseyCTF 2024 - pwn/running-on-prayers

We are given an executable and a netcat port. The name of the challenge suggests that this is a ROP challenge. Looking at the binary, all protections are off and the stack is executable, so we can inject shellcode. checksec --file RunningOnPrayers [*] '/home/df00/Desktop/RunningOnPrayers' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments The binary itself is very minimal. There is a main function that calls a vuln function....

March 24, 2024

WolvCTF 2024 - pwn/shelleater

This was a fun challenge involving shellcode. I solved it the hard way by writing my own shellcode, but I saw two simpler ways to solve it after the CTF was over, so I will briefly discuss those at the end. We are given a file and a netcat port. Taking a look at the file, all protections are off. checksec --file=shelleater [*] '/home/df00/Desktop/shelleater' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments Looking at the disassembly, the binary will execute your shellcode, but not if it contains 0x80 or 0x050f....

March 18, 2024

LA CTF 2024 - pwn/52-card-monty

Again we are given C code along with a binary and a Dockerfile. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h> #define DECK_SIZE 0x52 #define QUEEN 1111111111 void setup() { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); srand(time(NULL)); } void win() { char flag[256]; FILE *flagfile = fopen("flag.txt", "r"); if (flagfile == NULL) { puts("Cannot read flag.txt."); } else { fgets(flag, 256, flagfile); flag[strcspn(flag, "\n")] = '\0'; puts(flag); } } long lrand() { long higher, lower; higher = (((long)rand()) << 32); lower = (long)rand(); return higher + lower; } void game() { int index; long leak; long cards[52] = {0}; char name[20]; for (int i = 0; i < 52; ++i) { cards[i] = lrand(); } index = rand() % 52; cards[index] = QUEEN; printf("==============================\n"); printf("index of your first peek?...

February 21, 2024