$ cat writeup.md…
$ cat writeup.md…
b01lersc
Task: reverse a custom Shakespeare interpreter that exposes a single syscall through stack-based scenes. Solution: abuse its 32-bit word stacking and the 0xffffffff cstring substitution to place /bin/sh on Romeo's stack, forge Hamlet's stack for execve, then interact with the spawned shell to read /app/flag.txt.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
The Infamous Hello World Program.
Romeo, a young man with a remarkable patience. Hamlet, the flatterer of Andersen Insulting A/S.
The provided file was a Shakespeare-style program executed by a custom ELF interpreter. The goal was to understand the VM well enough to turn its single exposed syscall into code execution and then retrieve the flag from the remote service.
The key bug was not memory corruption but runtime semantics.
high32 first, then low32.2/3/4) pop only the top two Romeo words and push the result onto the Hamlet stack.That means each arithmetic operation can do two things at once:
The final syscall scene has another important quirk: if an argument is 0xffffffff, Hamlet replaces it with reference_stack_cstring(). Because Scene I does Reference Romeo., that cstring actually comes from Romeo's stack, not Hamlet's.
So the exploit strategy was:
execve(path, argv, envp);/bin/sh\x00 on Romeo's stack;path = 0xffffffff, argv = 0, envp = 0;0xffffffff into a Romeo-stack cstring pointing to /bin/sh.This spawns /bin/sh over the same socket. From there, the remaining work is operational:
...
$ grep --similar