Points: 500

Tags: pwn xpc macos 

Sept. 8, 2021, 4:29 p.m.

**Category**: Pwn
**Difficulty**: Medium
**Author**: A2nkF, LinHe

We feel like macOS is underrepresented in CTFs so here you go:

Challenge:

```
nc sandbox-share.allesctf.net 8090
```

VM Information:

```
~$ sw_vers
ProductName: macOS
ProductVersion: 11.5.2
BuildVersion: 20G95
```

You can use this to get a local instance if you don't own a Mac: https://github.com/sickcodes/Docker-OSX

Hints:

Woah what? You can just put mach ports into xpc messages and send them to other processes O.o

"The more you allocate, the more you can free" ~孙子

Who needs RIP control when you can have:

```C
#include <stdint.h>
#include <mach/mach.h>  /* mach_port_t */

typedef struct {
    uint64_t class_ptr;
    uint32_t pad[2];
    uint32_t ref_count;
    uint32_t pad1;
    mach_port_t port_name;
    uint32_t pad2;
} fake_xpc_mach_port_t;
```

Challenge Files: [sandbox_share.zip](https://static.allesctf.net/1e7b2948c2aa3ef8f6b39b9d449fee18afa2eb1cb77e2cc5c68a9c24b296b5dd/sandbox_share.zip)