Tags: rop pwn seccomp 

blakflag

Please see original writeup for a walkthrough.

The original description hinted that you have to leak the flag.

nc blakflag-01.pwn.beer 45243

stripped x64 binary

TL;DR

  • Can leak PIE and Canary -> ROP
  • Seccomp blacklist
  • Flag file descriptor never closed
    • sys_sendfile not blacklisted but need to set rax=0x28
    • sys_write gadget available and not blacklisted
      • Set rax=0x28 using return value from sys_write
Original writeup (https://github.com/happysox/CTF_Writeups/tree/master/SEC-T_CTF_2019/blakflag).
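
The "Seccomp blacklist" point in the TL;DR, as an added example (not code from the original writeup or from the challenge): a default-allow filter passes sendfile (0x28) because nobody listed it, while a default-deny allowlist for the same service does not. The contents of both filters, the NR_* names and the verdict() helper are constructed for illustration; verdict() interprets only the three classic-BPF instructions these filters use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* x86-64 syscall numbers; sendfile is 0x28, the rax value named in the TL;DR. */
enum { NR_read = 0, NR_write = 1, NR_open = 2, NR_sendfile = 0x28,
       NR_execve = 59, NR_exit_group = 231, NR_openat = 257 };
#define LOAD_NR BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (uint32_t)offsetof(struct seccomp_data, nr))
#define RET(act) BPF_STMT(BPF_RET | BPF_K, (act))
#define ON(n, act) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (n), 0, 1), RET(act)
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed denylist (not the challenge's real filter): default ALLOW. */
static const struct sock_filter denylist[] = {
    LOAD_NR,
    ON(NR_open, SECCOMP_RET_KILL), ON(NR_openat, SECCOMP_RET_KILL),
    ON(NR_execve, SECCOMP_RET_KILL),
    RET(SECCOMP_RET_ALLOW),
};
/* Allowlist for an assumed read/write-only service: default KILL (arch check omitted). */
static const struct sock_filter allowlist[] = {
    LOAD_NR,
    ON(NR_read, SECCOMP_RET_ALLOW), ON(NR_write, SECCOMP_RET_ALLOW),
    ON(NR_exit_group, SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_KILL),
};

/* Interpret the cBPF subset used above; return the action for syscall nr. */
static uint32_t verdict(const struct sock_filter *p, size_t len, int nr)
{
    struct seccomp_data d = { .nr = nr };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
    }
    return SECCOMP_RET_KILL; /* ran off the end: fail closed */
}

int main(void)
{
    printf("sendfile: denylist=%#x allowlist=%#x\n", verdict(denylist, LEN(denylist), NR_sendfile),
           verdict(allowlist, LEN(allowlist), NR_sendfile));
    return 0;
}
```

Closing the flag file descriptor once it is no longer needed removes the other precondition listed in the TL;DR.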