pwnPromedium

read_me_not — sendfile bypass

spbctf

Task: shellcode runner opens /flag for us, places the fd in rdi, and then installs seccomp KILL rules for read/write/open. Solution: use sendfile (syscall 40) to copy the open flag fd to stdout entirely in kernel space, which never invokes the forbidden sys_read/sys_write and escapes the filter.

$ ls tags/ techniques/

seccomp amd64 shellcoding sendfile kill_rules

sendfile_syscall_bypasskernel_space_copysyscall_denylist_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]cat /flag under seccomp— spbctf
[pwn][Pro]Mic Check — getflag— spbctf
[pwn][Pro]New Age— 0xl4ugh
[pwn][Pro]shellco — null-free XOR-halved shellcode— spbctf
[pwn][Pro]Easy Overflow 3— spbctf