Binary Exploitation


Arizona CTF 2025.

Programs step in time to the beat of the CPU. Can you sow enough discord to pull them away from their set paths, toward the flag?

Don't have quite the knowledge for this yet? Want to learn to exploit binary software like a pro? Start here and progress through to learn!


Challenges

Hint

Run the challenge using the wrapper /challenge/wrapper

Our company runs a secure-ftp server to share files. It's pretty secure—or at least we thought so. One day, we discovered that our company's username and password credentials were leaked. WE WERE HACKED. After a thorough investigation, our sysadmin was able to recover some network traffic that seemingly came from the attacker. We are currently working on patching the bug in our secure-ftp server and tightening security measures. Hopefully, no one will exploit us again and cause another leak, right?

The attacker has removed the read/write permissions from the original binary, so it's probably best to focus on analyzing the capture.pcap instead. You don't need any fancy FTP clients to use our FTP server—just a simple netcat command like nc localhost 21 will work. You can run the FTP server by executing /challenge/secureftp. To analyze the capture, you can use a tool called Wireshark. Once opened, inspect the traffic and try to figure out how the attacker stole our information. Hopefully, no one can leak /flag 🤞.

💡 Hint for the secure-ftp challenge
You are not meant to look at the binary.
However, we’ve made it readable since everyone has been asking for it.

You're supposed to:

  • Run the challenge
  • Interact with it
  • Analyze the .pcap file to make progress

XSH(1)                     General Commands Manual                    XSH(1)

NAME
        xsh - A minimal, restricted shell with command history

DESCRIPTION
        xsh is a highly restrictive shell designed for controlled command execution.  
        It supports a small set of built-in commands and maintains a command history.

        Check the `help` command in the shell for more help.

HISTORY
        Commands entered in xsh are stored in a history buffer, which can be  
        accessed using `history` and replayed using `!<index>` or `!!`.

BUGS
        The `delete` command is known to be unstable. If a long command is deleted  
        twice, the shell crashes with a strange error. Please report fixes; otherwise,  
        this feature will be deprecated in version 1.2.

AUTHOR
        Developed for AZ-CTF 2025.

SEE ALSO
        sh(1), bash(1), zsh(1)

AZ-CTF 2025                     March 2025                           XSH(1)

