Hi, last week I participated in Google CTF 2020 with my team `pwnPHOfun`

Although I didn't solve the challenge in time for the points,
still, here is a writeup for the challenge `teleport` for you.

I like to write detailed articles that are understandable and replicable to my past self. Feel free to skip any parts. Here is a table of content for you.

- [Teleport](#teleport)
- [1. Story](#1-story)
- [2. Overview](#2-overview)
- [2.1. Sandboxed or unsandboxed](#21-sandboxed-or-unsandboxed)
- [2.2. Provided primitives](#22-provided-primitives)
- [3. Leaking the browser process](#3-leaking-the-browser-process)
- [4. Googling](#4-googling)
- [5. Leaking the renderer process](#5-leaking-the-renderer-process)
- [6. Nodes and Ports](#6-nodes-and-ports)
- [7. Leaking ports' names](#7-leaking-ports-names)
- [7.1. Finding offsets](#71-finding-offsets)
- [7.1.1. Simple structures](#711-simple-structures)
- [7.1.2. F**k C++/Traversing `std::unordered_map`](#712-fk-ctraversing-stdunordered_map)
- [8. What do we do with stolen ports?](#8-what-do-we-do-with-stolen-ports)
- [8.1. Factory of network requests](#81-factory-of-network-requests)
- [8.2. Making the leaked ports ours](#82-making-the-leaked-ports-ours)
- [8.2.1. Calling functions from shellcode](#821-calling-functions-from-shellcode)
- [8.3. Sending our messages](#83-sending-our-messages)
- [8.4. Writing our messages](#84-writing-our-messages)
- [8.5. To know who our receivers are](#85-to-know-who-our-receivers-are)
- [8.6. Where are my factory ??](#86-where-are-my-factory-)
- [8.6.1. Setting the sequence_num](#861-setting-the-sequence_num)
- [8.6.2. Getting the correct function parameters](#862-getting-the-correct-function-parameters)
- [9. Closing words](#9-closing-words)
- [9.1. Shoutout](#91-shoutout)
- [9.2. Reference](#92-reference)

You may want to checkout the [exploit code](https://github.com/TrungNguyen1909/ggctf20-teleport).

No IDA/Ghidra were used during the creation of this work. I used only GDB.