pwnProeasy

shellco — null-free XOR-halved shellcode

spbctf

Task: shellcode runner with three constraints — no NUL bytes, even length, and XOR of first half of bytes equal to XOR of second half. Solution: take a 23-byte null-free execve('/bin/sh') payload and concatenate it with itself (46 bytes, even length, halves identical, so XORs trivially match); pad the remainder of the 0x1000 read with NULs so read() returns immediately, then send shell commands on the same stdin.

$ ls tags/ techniques/

null_free execve amd64 shellcoding xor_check pie_rwx_mmap

duplicated_shellcode_trickstdin_shell_command_passthroughnull_free_execve

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]Mic Check — getflag— spbctf
[pwn][Pro]cat /flag under seccomp— spbctf
[pwn][Pro]read_me_not — sendfile bypass— spbctf
[pwn][Pro]Taste— grodno_new_year_2026
[pwn][Pro]Baby bof— uoftctf2026