➜ ~

Playing Hacks and Stuffs!

---

Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

NullCon HackIM CTF Goa 2025!

Hi there, this is my writeup to the challenges I solved

I participated with team QnQSec

Pwn

Hateful

We’re given the libc and linker file as well as the binary, first thing i did was to patch it using pwninit

When we run it we either get to choose yay or nay

Checking the protections enabled on the binary shows this

Ok not much of a protection enabled here, loading it up in IDA here’s the main function

So if we choose yay the send_message function gets called

We see there are two bugs here which are a format string bug & a buffer overflow

The goal is simple, we first use the fsb to leak a libc address then we leverege the overflow to perform a ret2libc

In order to leak libc we can just leak pointers on the stack, but because pie is disabled i just decided to leak it by reading the value of the got of printf

Here’s my exploit

Running it on the remote instance works

Flag: ENO{W3_4R3_50RRY_TH4T_TH3_M3554G3_W45_N0T_53NT_T0_TH3_R1GHT_3M41L}$

Fun fact, during the competition the libc didn’t work for me, so i had to leak the got of printf then used a libc database to retrieve the right libc being used remotely

Hateful 2

Starting off i patched the binary

We can see that all protections are enabled

Running the binary shows this menu like option

We can assume this is probably going to be a heap exploitation

I loaded it up in IDA and here’s the main function

The binary isn’t striped so there’s no need for reversing much here

I’ll walkthrough the important details of what each function does

about_us:

• This function essentially leaks a stack address, so let’s keep that in mind

add_message:

• We can only make up to 16 allocations
• We control the size of the memory to be allocated

edit_message:

• This is used to edit the content of the memory stored in the global allocations variable at the specified index

view_message:

• Prints the content of the memory at the specified index of the allocations variable

remove_message:

• Used for memory deallocation
• It doesn’t set the memory freed to null so a UAF is possible

Based on what we’ve gathered so far, this is just a standard heap exploitation and the vulnerability is a UAF

Which we will leverage that to get code execution

We are working with glibc 2.36

So that version has safe linking enabled and no hooks, but because we have a stack leak we can write over main return addres our ropchain

Since this uses the tcache bin we will leverage a UAF to perform tcache poisoning but for that we need to get a heap leak in order to break the safe linking mechanism

Our step is as follow:

• Leak libc & heap
• Corrupt tcache->next to get overlapping chunk to the stack address
• Write ropchain on stack
• Leave program to trigger ropchain

For getting a libc leak we can easily take advantage of the fact that we control the size of the memory to be allocated

Just simply allocate a chunk that’s greater than the size the tcache bin can hold 1032 bytes then on freeing it, the chunk will be placed in the unsorted bin

And since the unsorted bin fd/bk will be pointing to the main_arena struct (during it’s first use) we can read that and essentially get a libc leak

To get a heap leak, we just free a chunk that will be placed in the tcache bin, that way it’s fd will point to a heap address

One other thing we need to handle is tcache misaligned chunk check, the stack return address of the main function isn’t alligned so we just subtract it by 8 to make it alligned

And with that we’re set to go

Here’s my exploit

Running it works remotely

Flag: ENO{W3_4R3_50RRY_4G41N_TH4T_TH3_M3554G3_W45_N0T_53NT_T0_TH3_R1GHT_3M41L}

Web

Paginator v2

This was just a very simple sqli challenge

Accessing the web page shows this

We can look at the source code

First we note that it creates a table pages with the column as id, title, content

$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT UNIQUE, content TEXT)");

Then on the very first row it inserts the flag

$db->exec("INSERT INTO pages (title, content) VALUES ('Flag', '" . base64_encode($FLAG) . "')");

This is how it handles our input

if(isset($_GET['p']) && str_contains($_GET['p'], ",")) {
  [$min, $max] = explode(",",$_GET['p']);
  if(intval($min) <= 1 ) {
    die("This post is not accessible...");
  }
  try {
    $q = "SELECT * FROM pages WHERE id >= $min AND id <= $max";
    $result = $db->query($q);
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
      echo $row['title'] . " (ID=". $row['id'] . ") has content: \"" . $row['content'] . "\"<br>";
    }
  }catch(Exception $e) {
    echo "Try harder!";
  }
} else {
    echo "Try harder!";
}

It expects the get parameter p to be of format int, int, but it doesn’t allow us to set min as 1 basically preventing us from accessing the first post

Then it directly uses our input on the query, leading to an SQL injection vulnerabiltiy

I simply just used a UNION operator to show the content of the flag

http://52.59.124.14:5012/?p=2,1 UNION SELECT * FROM pages WHERE id=1

The flag is base64 encoded so just decode it

Flag: ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow!}