H4ck_th3_Wh47
  • About Us
  • CTF 2025
    • Swamp CTF 2025
    • Texas Instruments Security Week 2025
Powered by GitBook
On this page
  • PWN
  • ez printf
  1. CTF 2025

Texas Instruments Security Week 2025

⚓️ Ahoy, landlubbers and logic-lords! This be sh3lldon3 of the notorious crew H4ck_th3_Wh47, chartin’ a course straight into the stormy seas of Texas Instruments Security Week 2025! 🏴‍☠️ Each system’s a cryptic siren song, each puzzle a treasure chest locked with layers of encryption. We don’t just hack—we unravel, we decode, we conquer. 🔐⚡

PWN

ez printf

First I look for file type and protections.

>>>file vuln
ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, ..., for GNU/Linux 4.4.0, not stripped
>>>checksec --file=vuln
RELRO:      Partial RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        PIE enabled
Stripped:   No

Analysing and decompiling the binary:

read(0, buf, 120uLL);
printf(buf);
read(0, buf, 120uLL);
printf(buf);
puts("nice try");
return 0;

So, we can see that there is a clear format string vulnerability twice, since no format specifiers are passed to printf.

Further there is also a win function that prints the flag.

Exploit

  1. Use the first input to leak an address that points into the binary itself, which we'll use further to get runtime win function address (thereby Bypassing PIE protection).

  2. Overwriting the GOT entry for puts with the dynamically resolved addr of the win function (GOT overwrite).

Execution

PreviousSwamp CTF 2025

Last updated 8 days ago