pwn

Challenges

Index

I literally hand you the flag, just exploit it already!

  • Load it into dogbolt, or objdump

  • We could see this

  • cmp $0x539 compares the user input with 0x539; in decimal that is 1337

  • je 150e jumps if they are equal, confirmed with the decompiler

  • Entering 1337 triggers a secret function that opens flag.txt

  • We go to LABEL_401448

  • Or the menu() to be exact

  • Now we need option 2, because read_data can read from any memory location without bounds checking

  • The flag address is 0x40a0

  • We also know the nums array is at 0x4060

  • Finally, the address read is nums_base + (index * 8)

  • Flag address - nums address = 0x40a0 - 0x4060 = 0x40 = 64 bytes; 64 bytes ÷ 8 bytes per index = index 8

  • Final exploit

  • scriptCTF{4rra4y_00B_unl0ck3d_0aed67c7e137
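The bug the writeup leans on, modelled in C as an added example (not the challenge binary's code): an 8-entry array of 8-byte values followed directly by the flag buffer, so the unchecked read at index 8 lands on the flag, beside the bounds check that closes the hole. The struct layout, the sample flag string and the function names are constructed assumptions that mirror the addresses in the writeup.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout mirroring the writeup: nums at "0x4060", flag 0x40
 * bytes later at "0x40a0". The real binary gets this from the linker;
 * here a struct pins the two objects next to each other. */
#define NUMS_ADDR 0x4060
#define FLAG_ADDR 0x40a0
#define NUMS_LEN  8

struct data_segment {
    uint64_t nums[NUMS_LEN];   /* 8 * 8 = 64 bytes */
    char     flag[32];         /* directly after nums, as in the challenge */
};

static struct data_segment g = {
    .nums = {1, 2, 3, 4, 5, 6, 7, 8},
    .flag = "scriptCTF{constructed_sample}",   /* constructed, not the real flag */
};

/* Index that reaches flag from nums: (0x40a0 - 0x4060) / 8 = 8. */
long flag_index(void) {
    return (FLAG_ADDR - NUMS_ADDR) / (long)sizeof(uint64_t);
}

/* The defect: any index is accepted, so index 8 walks off the end of nums
 * and returns the first 8 bytes of whatever sits after it (here, flag). */
uint64_t read_data_unchecked(long index) {
    uint64_t v;
    memcpy(&v, (char *)g.nums + index * sizeof(uint64_t), sizeof v);
    return v;
}

/* Hardened variant: reject anything outside [0, NUMS_LEN).
 * Returns 0 and fills *out on success, -1 on an out-of-range index. */
int read_data_checked(long index, uint64_t *out) {
    if (index < 0 || index >= NUMS_LEN)
        return -1;
    *out = g.nums[index];
    return 0;
}

int main(void) {
    long idx = flag_index();
    uint64_t leaked = read_data_unchecked(idx);
    uint64_t v = 0;
    printf("index %ld leaks 8 flag bytes: %.8s\n", idx, (char *)&leaked);
    printf("checked read at %ld returns %d\n", idx, read_data_checked(idx, &v));
    return 0;
}
```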

Index-2

This time, you get the file pointer, not the flag itself.

