Sheet 3

General Information

Make sure you have read and understood everything in Exercise Requirements and Grading Guidelines!

Remember to put a block comment at the beginning of the solution file for each task, describing the vulnerability (including relevant addresses or instructions) and your general plan for exploiting it.


The deadline for this sheet is 2026-06-07 22:00:00 UTC

Task 9 – Bytecode Interpreter (8 Points, individual task)

Our development team released our first bytecode interpreter! Try to insert your own shellcode into the interpreter and print the flag by exploiting the vulnerability in the interpreter. Your shellcode should spawn a shell, which can then be used to print the flag.

You must solve this task by only providing bytecode to trigger the execution of shellcode. The given solution template should help you.

Hints:

  • What do you know about off-by- bugs?
  • Are there any callback functions and what is necessary to get them executed?

Task 10 – Minimalist (8 Points)

Looks like someone really wanted to save disk space. Are you still able to exploit the problem_srop binary and make it print the flag? Do it!

Once again, edit the provided solution template and explain your approach with meaningful comments.

Your solution should execute like this:

    ./solution
    FLAG{some letters here}

Hint: pwntools' SigreturnFrame class might come in handy.

Task 11 – The Path to Pivot (8 Points)

Path translation is a notorious source of bugs. Good thing we are here to finally provide a good, reliable, safe and clean solution… In other words, please exploit the binary and print the flag.

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • Why does translate_wsl_to_windows_path take a char ** instead of a char *?
    • Under which condition does this value get modified?
  • Remember your lessons from the “leak” exercise.
  • It seems like you don’t have enough space for a full payload on the stack. Where else can you place it? How can you get there?
  • Warning: This exercise might not be solvable outside of the docker container!

Your solution should execute like this:

    ./solution
    FLAG{some letters here}

Task 12 – Time to Pivot! (8 Points)

Our company ABE inc. is migrating to SAP. Hooray! Unfortunately, this migration requires a secret value to authorize the data transfer to the new system. And the last accountant that knew this value is already retired.

Luckily, our secretary remembers that they hid a backup of this value somewhere deep in the HR system. Can you help us out?

Exploit the HR server and print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • This time the flag is well hidden in libhr.so.
  • When pivoting, you might find gadgets of the following form helpful:
    • add rsp, 0x??; <...>; pop rbp; ret
    • leave; ret
  • Which parts of a person’s data are stored where? Both salary and name might be useful!
  • You’re concerned about the safety of the system? Don’t be so negative.

Your solution should execute like this:

    ./solution
    FLAG{some letters here}