Live Board: 2 Solved, 5 Active, 6 Paused, 13 Total
✅ Solved (2 challenges)
shelldiet
pwn / shellcode x86-64
Solved ✓
Shellcode with a byte-sum constraint. Reads up to 4096 bytes into an RWX page; all registers zeroed except rax. nanosleep trick needed because kCTF writes the flag only after a delay.
LiveCTF Phases 2 & 3
bot-game rev
Baseline ✓
Bot-game phases 2 & 3. Deterministic rotating-turret baseline submitted as submit.bin. Phase 1 also has a candidate ready.
🤖 submit.bin uploaded: stationary rotating turret (SHA256: aa3e6baf…). Phase 2 & 3 viable. Continue improving toward sensing/targeted play.
🔥 Active (5 challenges)
coalmine
pwn / kernel kCFI
⚡ In Progress
Custom kernel module coalmine.ko on Linux 6.6.140. SMEP+SMAP+KASLR+kCFI+canary. QEMU 5 retries. Solve binary sent as base64.
KASLR bypass — leak kbase via READ ioctl XOR
Canary bypass — deterministic canary zeroing
RIP control — redirect dispatcher return via pos 0x20–0x22
Flag extraction — read /root/flag with escalated privs
🔴 Blocker: COAL_JUN/MINE_JUN blocks all ret-based ROP. Need a non-returning gadget or an alternative call chain for privesc that survives kCFI.
nodefs
web / pwn WebSocket
⚡ In Progress
WebSocket-based NFS service. Target: buffer scatter/gather/transform race conditions and batch concurrency to achieve RCE or arbitrary file read.
Identify vuln — focus on race conditions in scatter/gather/transform
Exploit — achieve RCE or arbitrary file read → /readflag
myfavoriteinstructions
reversing constraint solving
⚡ In Progress
168 nonlinear trit constraints. Current in-process eval is ~2 ms per candidate, too slow for simulated annealing (SA) to converge. Need 100 μs or less.
WalkSAT/GSAT — pick unsatisfied constraint, flip best trit
DFS with pruning — solve lowest-dependency constraints first
Convert trit solution to flag bytes + verify on real binary
🔴 Blocker: eval is ~2 ms per candidate (need ≤100 μs). SA won't converge at this speed. Need a native C eval or a symbolic approach.
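The WalkSAT/GSAT step listed above (pick an unsatisfied constraint, flip the trit that leaves the fewest constraints broken) as an added, runnable example. This is not the challenge's constraint system and not code from the page: the instance is constructed by planting a hidden trit vector and deriving every constraint from it, and the constraint shape (t[i]*t[j] + t[k]) % 3 == target is an assumed stand-in for the real nonlinear constraints. The point it adds to the note above is incremental scoring: a flip of one trit only changes the constraints that mention it, so those are the only ones re-evaluated.

```python
import random

MOD = 3  # a trit takes the values 0, 1, 2


def make_instance(n_vars, n_cons, seed):
    """Constructed, satisfiable instance: plant a hidden trit vector and
    derive n_cons constraints (i, j, k, target) from it. The product term
    makes each constraint nonlinear over the trits (assumed shape)."""
    rng = random.Random(seed)
    hidden = [rng.randrange(MOD) for _ in range(n_vars)]
    cons = []
    for _ in range(n_cons):
        i, j, k = rng.sample(range(n_vars), 3)
        cons.append((i, j, k, (hidden[i] * hidden[j] + hidden[k]) % MOD))
    return hidden, cons


def satisfied(con, t):
    i, j, k, target = con
    return (t[i] * t[j] + t[k]) % MOD == target


def walksat_trits(n_vars, cons, max_flips=30000, noise=0.2, rng=None):
    """One WalkSAT run. Each step picks a random unsatisfied constraint and
    flips one of its trits: with probability `noise` a random flip, else the
    flip that leaves the fewest constraints touching that trit unsatisfied.
    Returns a satisfying assignment or None if max_flips is exhausted."""
    rng = rng or random.Random(0)
    t = [rng.randrange(MOD) for _ in range(n_vars)]
    # Index variable -> constraints mentioning it, so a flip re-evaluates
    # only those instead of the whole constraint set.
    touches = [[] for _ in range(n_vars)]
    for idx, (i, j, k, _) in enumerate(cons):
        for v in (i, j, k):
            touches[v].append(idx)
    unsat = {idx for idx, c in enumerate(cons) if not satisfied(c, t)}
    for _ in range(max_flips):
        if not unsat:
            return t
        i, j, k, _ = cons[rng.choice(tuple(unsat))]
        if rng.random() < noise:
            v = rng.choice((i, j, k))
            new = (t[v] + rng.choice((1, 2))) % MOD
        else:
            best = None
            for v in (i, j, k):
                old = t[v]
                for cand in ((old + 1) % MOD, (old + 2) % MOD):
                    t[v] = cand
                    broken = sum(1 for idx in touches[v] if not satisfied(cons[idx], t))
                    t[v] = old
                    if best is None or broken < best[0]:
                        best = (broken, v, cand)
            _, v, new = best
        t[v] = new
        for idx in touches[v]:
            if satisfied(cons[idx], t):
                unsat.discard(idx)
            else:
                unsat.add(idx)
    return None


def solve(n_vars, cons, restarts=25, seed=0):
    """Random restarts around walksat_trits; shares one RNG so every restart
    begins from a different assignment."""
    rng = random.Random(seed)
    for _ in range(restarts):
        sol = walksat_trits(n_vars, cons, rng=rng)
        if sol is not None:
            return sol
    return None


def demo(n_vars=10, n_cons=16, seed=7):
    hidden, cons = make_instance(n_vars, n_cons, seed)
    sol = solve(n_vars, cons)
    return hidden, cons, sol


if __name__ == "__main__":
    hidden, cons, sol = demo()
    print("planted:", hidden)
    print("found:  ", sol, "satisfies all:", all(satisfied(c, sol) for c in cons))
```

The found assignment need not equal the planted one; any assignment satisfying every constraint is a valid candidate to convert to flag bytes and verify against the real binary, which is why the last task in the list above is the check that matters. For the per-candidate eval cost noted in the blocker, the same indexing applies: a flip costs only the constraints touching the flipped trit, not a full 168-constraint pass.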
rfc1149a
misc crypto / forensics
⚡ In Progress
Themed on the pigeon (Columba livia): weird strips of paper found in a park. RFC 1149 = IP over avian carriers. 14 strip images containing hex bytes to decode.
Reconstruct packets — reassemble hex into valid RFC 1149 IP packets
Decode payload — extract data from reconstructed packets
Flag extraction — find bbb{...} in decoded payload
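RFC 1149 carries ordinary IPv4 datagrams, so the "reconstruct packets" step above is plain IPv4 work: verify each strip's header checksum (a failing strip is most likely a mistranscribed hex digit), then group fragments by (src, dst, id, proto) and put them back in fragment-offset order. The following is an added example, not the challenge's data or code: the addresses, identification field and payload are constructed, and two fragments are transcribed as hex strips out of order to exercise the reassembly path.

```python
import ipaddress
import struct
from collections import defaultdict


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. Over a header whose
    checksum field is zero it yields the checksum; over a header that
    already contains a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ident, more_fragments, frag_offset_units, payload, src, dst, proto=17, ttl=64):
    """Build a minimal IPv4 packet (no options). Offset is in 8-byte units."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one packet, verifying version, IHL, length and header checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("total length inconsistent with data")
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_valid(pkt: bytes) -> bool:
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


def reassemble(packets):
    """Group fragments by (src, dst, id, proto), order by offset, and check
    that the pieces are contiguous and the last one has MF clear."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"], p["id"], p["proto"])].append(p)
    out = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        data = b""
        for f in frags:
            if f["offset"] != len(data):
                raise ValueError("gap or overlap at offset %d for id %d" % (f["offset"], key[2]))
            data += f["payload"]
        if frags[-1]["mf"]:
            raise ValueError("last fragment missing for id %d" % key[2])
        out[key] = data
    return out


def demo() -> bytes:
    # Constructed payload in the challenge's flag format; not the real flag.
    payload = b"bbb{constructed-not-the-real-flag}"
    first, rest = payload[:16], payload[16:]  # non-last fragment: multiple of 8 bytes
    frags = [
        build_ipv4(0x1149, True, 0, first, "10.0.0.1", "10.0.0.2"),
        build_ipv4(0x1149, False, 2, rest, "10.0.0.1", "10.0.0.2"),
    ]
    strips = [frags[1].hex(), frags[0].hex()]  # "transcribed" out of order
    parsed = [parse_ipv4(bytes.fromhex(s)) for s in strips]
    return reassemble(parsed)[("10.0.0.1", "10.0.0.2", 0x1149, 17)]


if __name__ == "__main__":
    print(demo())
```

Run the parser over each strip first and keep the ones that fail the checksum aside: with hand-transcribed hex, a single wrong nibble shows up as a checksum mismatch, and the fragment-offset bookkeeping then tells you which strip is missing or duplicated.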
waybird-machine
web SSRF
⚡ In Progress
"Magpie" (Pica pica) — image collection app. Full source reviewed. SSRF filter bypass in progress. Image verification layer blocks HTML responses.
Recon — full source code review done
Data exfiltration — extract flag from DB or filesystem
🔴 Blocker: 0.0.0.0 bypasses the IP filter, but the fetch fails with "image verification failed" because HTML responses are rejected. Need SSRF to a port serving a valid image, or a bypass of the image verifier.
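The IP-filter half of the blocker above generalises: a filter that matches address strings only knows the spellings it was told about, so 0.0.0.0 (which connects to the local host on Linux), shorthand such as 127.1, and IPv4-mapped IPv6 all slip past it. The added example below is not the challenge's code; it puts a weak string-matching filter of that kind beside a check built on Python's ipaddress module, and assumes the address being checked is the one the fetcher is about to connect to (i.e. already resolved).

```python
import ipaddress

# Weak filter: exact strings and prefixes, the shape that lets 0.0.0.0 through.
WEAK_BLOCKLIST = {"127.0.0.1", "localhost", "::1"}
WEAK_PREFIXES = ("10.", "192.168.", "172.16.", "169.254.")


def weak_allows(addr: str) -> bool:
    """Allow unless the literal string is on the blocklist."""
    if addr in WEAK_BLOCKLIST:
        return False
    return not addr.startswith(WEAK_PREFIXES)


def hardened_allows(addr: str) -> bool:
    """Parse the address and allow only global unicast. Loopback, unspecified
    (0.0.0.0 and ::), private, link-local, multicast and reserved ranges are
    rejected, as is anything ipaddress cannot parse (127.1, decimal forms,
    bracketed literals), which fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # ::ffff:127.0.0.1 must be judged as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_unspecified or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved):
        return False
    return ip.is_global


def compare(addrs):
    """Return {addr: (weak_verdict, hardened_verdict)} for a batch of addresses."""
    return {a: (weak_allows(a), hardened_allows(a)) for a in addrs}


if __name__ == "__main__":
    # Constructed probe list covering the bypass spellings discussed above.
    for addr, (weak, hard) in compare(
            ["0.0.0.0", "127.1", "::ffff:127.0.0.1", "10.0.0.5", "8.8.8.8"]).items():
        print(f"{addr:20} weak={weak!s:5} hardened={hard}")
```

The check is only as good as where it runs: it has to be applied to the address actually connected to, after DNS resolution and again on every redirect, or a hostname that resolves to an internal address (or re-resolves to one between check and connect) walks around it exactly as 0.0.0.0 does. The second layer in the challenge, the image verifier, is independent of this and is not addressed here.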
⏸ Paused (6 challenges)
birdhouse
rev N64 ROM
Paused
N64 ROM (libdragon). Minecraft-like 3D block game with chicken judge. Blueprint table with 7464 entries. Decompressed binary at 0x80000400, grid at 0x800695d8.
ROM decompressed, binary layout mapped, grid structure understood
Understand blueprint table & chicken judge win condition
Construct winning Controller Pak save (game.pak)
gitvfs
pwn FUSE
Paused
FUSE filesystem challenge. Hint: "You can never escape time." FUSE binary deleted after start. Flag at /mnt/gitvfs/flag1, mode -rw--w--w- (not readable by other users). Versioning system via MD5-keyed xattrs.
FUSE ops mapped, history/versioning system understood (MD5-keyed getxattr)
Find read primitive — link op exists in code but NOT in ops table
Exploit time-related race / "escape time" hint
stork
pwn Lua 5.5 VM
Paused
Custom Lua 5.5 VM (x86-64 PIE). Custom BrokerAllocator arena. pcall stubbed. kCFI-style obstructions.
Architecture mapped: arena, GC roots, opcode table, BrokerAllocator
CLOSURE opcode — fix nupval mismatch to reach open upvalues (state+0x38)
String map UAF — LuaValueString freed while map node holds dangling ptr
Arena bounds UAF — thread arena at malloc_state+0xb70 above high
twobirdtwocan
rev / game WebSocket
Paused
"2bird2can" (Toucan). Walking to flag takes 5+ hours at 7 u/s over ~130k units. Direction unknown — map X is decorative. No teleport/speed exploit found.
🔴 Blocker: no way to extract the flag position or seed from the protocol. Walking 130k units in the wrong direction wastes the entire session (instance TTL limited). Need protocol analysis or a speed exploit.
LiveCTF Phase 1
bot-game bytecode
Paused
Phase 1 bot-game. Candidate submit.bin (rotating turret) ready. ReadPlayers/ReadWalls syscall behavior being investigated for smarter targeting.
Driver extracted, bytecode format understood, assembler built
Deterministic rotating turret baseline compiled
Sensing bot — scan 256×256 player window, aim+fire when aligned
LiveCTF Phase 3
bot-game bytecode
Baseline Ready
Phase 3 handout validated compatible with Phase 1/2 bytecode. Baseline submit.bin uploaded. Need to build sensing/targeted bot to score higher.
Phase 3 handout extracted and validated
Baseline rotating turret confirmed working
Improve beyond baseline — sensing + targeting logic