> For the complete documentation index, see [llms.txt](https://thienguen.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thienguen.gitbook.io/ctf-writeups/ctf/2025/scriptctf/pwn.md).

# pwn

## Challenges

<figure><img src="/files/hJdQs5yNQfrIGV2FjOYu" alt=""><figcaption></figcaption></figure>

### Index

<figure><img src="/files/FqiAOQC8FULJ6zKZ3QCu" alt=""><figcaption></figcaption></figure>

> I literally hand you the flag, just exploit it already!
>
> * [index.zip](https://storage.googleapis.com/scriptctf_challenges/Pwn/Index/index.zip)

```bash
❯ unzip -l index.zip
Archive:  index.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16632  2025-08-01 09:44   index
   225600  2025-08-01 12:25   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:25   libc.so.6
---------                     -------
  2245640                     3 files
```

* Load up to [dogbolt](https://dogbolt.org/), or `objdump`
* We could see this

  <figure><img src="/files/zJ5inAXgOoGLqRlSeHom" alt=""><figcaption></figcaption></figure>
* cmp $0x539 compares the user input with 0x539 in hex it is `1337` in decimal
* `je 150e` if they're equal — confirmed with decompiler

<figure><img src="/files/i5pxOob17BORdCARGnAC" alt=""><figcaption></figcaption></figure>

* 1337 will triggers a secret fucntion that open `flag.txt`
* We go to `LABEL_401448`
* Or the menu() to be exact

  <figure><img src="/files/UmluJKi1jk2pEN7Iz374" alt=""><figcaption></figcaption></figure>
* Now, we need option 2 because `read_data` can read from any memory location without bounds checking
* The flag address is `0x40a0`

  <figure><img src="/files/p6CdcHo3U8ycu53hV8DC" alt=""><figcaption></figcaption></figure>
* we also know nums array is at `0x4060`
* ```
  12c3:	48 8d 15 96 2d 00 00 	lea    0x2d96(%rip),%rdx        # 4060 <nums>
  ```
* Finally the calculation is `nums_base + (index * 8)`

  <figure><img src="/files/HeheqiQt3ItZJ8K9CoNc" alt=""><figcaption></figcaption></figure>
* `Flag address - nums address = 0x40a0 - 0x4060 = 0x40 = 64 bytes` \ `64 bytes ÷ 8 bytes per index = 8`
* Final exploit

<figure><img src="/files/OsLhgmg6zb1nK8N0G1nb" alt=""><figcaption></figcaption></figure>

* <mark style="color:blue;">`scriptCTF{4rra4y_00B_unl0ck3d_0aed67c7e137`</mark>

### Index-2

<figure><img src="/files/J4INEfLwIHsMgXRNh8rv" alt=""><figcaption></figcaption></figure>

> This time, you get the file pointer, not the flag itself.
>
> * [index-2.zip](https://storage.googleapis.com/scriptctf_challenges/Pwn/Index2/index-2.zip)

```bash
❯ unzip -l index-2.zip
Archive:  index-2.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16608  2025-08-01 09:47   index-2
   225600  2025-08-01 12:23   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:23   libc.so.6
---------                     -------
  2245616                     3 files
```

{% hint style="warning" %}
tbd, will write later
{% endhint %}
