R3CTF/YUANHENGCTF 2024

R3CTF 2024

R3CTF 2024 is an online jeopardy-style CTF organized by r3kapig and YuanHeng lab, with all prizes provided by YuanHeng lab. We welcome players from all over the world to have fun during these 48 hours.


Original Date: Sat, 08 June 2024, 02:00 UTC — Mon, 10 June 2024, 02:00 UTC
Original URL: https://ctf2024.r3kapig.com/
CTFtime Entry: R3CTF/YUANHENGCTF 2024
Organizing Team: r3kapig


Challenges

"We are becoming more and more open now!" They said. "Our documents, including those outside the sandbox, are available for everyone to read!"

But there are still many things that are deliberately hidden...

Please pack your exploit into a regular, installable IPA file and open a ticket to start the challenge. You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.

Note: Flag is in /var/jb/var/root/flag with -r-------- 1 root wheel. We have configured the sandbox profile so the two services in the attachment are reachable within the iOS sandbox.

We use an iPhone 8 with iOS 16.7.1 for this challenge.
We highly recommend you test your exploitation on jailbroken devices or Corellium or any emulators like t8030-qemu / D22-QEMU first.

Note: This challenge was not solved during the CTF and we would appreciate any writeups


Author: R3CTF/YUANHENGCTF Team

Beware: This challenge cannot be solved on pwn.college, mainly because of the space requirements of the kernelcache, but it is still listed here.

This must be the simplest kernel pwn challenge here, I promise you.

Please pack your exploit into a regular, installable IPA file and open a ticket to start the challenge. You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.

Note: Flag is in /var/jb/var/root/flag with -r-------- 1 root wheel.

We use an iPhone 8 with iOS 16.0 for this challenge.
Several well-known 1-days have been patched.
We highly recommend you test your exploitation on jailbroken devices or Corellium or any emulators like t8030-qemu / D22-QEMU first.
Feel free to ask admin for debug device in case you want to test your proof-of-concept.

Download kernelcache:

pzb -g kernelcache.release.iphone10 https://updates.cdn-apple.com/2022FallFCS/fullrestores/012-65931/BD2515B7-7802-4EB4-9377-98E3238EA5A8/iPhone_4.7_P3_16.0_20A362_Restore.ipsw

Extract kernelcache:

ipsw kernel dec kernelcache.release.iphone10

Patches (the introduced vulnerabilities). Each entry is a kernelcache virtual address followed by the 32-bit AArch64 instruction word written there; the decoded instruction is given in parentheses:

    IOSurfaceRootUserClient::lookup_surface_from_port()
        0xFFFFFFF005B27844: 0xF90002B4    (STR X20, [X21])
        0xFFFFFFF005B27848: 0xD2800013    (MOV X19, #0)
    IOSurface::setIndexedTimestamp()
        0xFFFFFFF005B1B83C: 0xF9000022    (STR X2, [X1])
        0xFFFFFFF005B1B840: 0x52800000    (MOV W0, #0)
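The patch list above is only addresses and instruction words, so it is worth being able to apply it yourself and to check that a kernelcache you are reversing actually carries these words. The script below is an added example, not part of the challenge files, of the r3kapig team's tooling or of pzb/ipsw. It walks the decrypted kernelcache's top-level LC_SEGMENT_64 load commands to map each virtual address to a file offset, writes the four words in place, and decodes them (MOVZ and STR with unsigned offset are the only two encodings that occur, so only those are handled). It assumes the decrypted kernelcache's top-level segments cover the patched addresses. When run without a file argument it builds a constructed stand-in Mach-O filled with NOPs, which is only there to exercise the code; the real input is the output of `ipsw kernel dec`.

```python
import struct
import sys

# Patch list transcribed from the challenge page: (virtual address, new 32-bit
# little-endian instruction word).
PATCHES = [
    (0xFFFFFFF005B27844, 0xF90002B4),  # IOSurfaceRootUserClient::lookup_surface_from_port
    (0xFFFFFFF005B27848, 0xD2800013),
    (0xFFFFFFF005B1B83C, 0xF9000022),  # IOSurface::setIndexedTimestamp
    (0xFFFFFFF005B1B840, 0x52800000),
]

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
AARCH64_NOP = 0xD503201F


def segments(data):
    """Yield (vmaddr, vmsize, fileoff, filesize) for each top-level LC_SEGMENT_64."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O; is the kernelcache still IMG4-wrapped?")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, ...
            yield struct.unpack_from("<QQQQ", data, off + 24)
        off += cmdsize


def va_to_fileoff(data, va):
    """Translate a kernelcache virtual address to a file offset, or raise ValueError."""
    for vmaddr, vmsize, fileoff, filesize in segments(data):
        if vmaddr <= va < vmaddr + vmsize:
            delta = va - vmaddr
            if delta + 4 > filesize:
                raise ValueError(f"{va:#x} lies in the zero-fill part of a segment")
            return fileoff + delta
    raise ValueError(f"{va:#x} is not covered by any LC_SEGMENT_64")


def apply_patches(data, patches=PATCHES):
    """Return (patched copy, [(va, old_word, new_word), ...]); the input is left untouched."""
    buf = bytearray(data)
    log = []
    for va, word in patches:
        off = va_to_fileoff(buf, va)
        old = struct.unpack_from("<I", buf, off)[0]
        struct.pack_into("<I", buf, off, word)
        log.append((va, old, word))
    return bytes(buf), log


def decode(word):
    """Decode the two AArch64 encodings the patches use; anything else is shown as .inst."""
    if word & 0x7FE00000 == 0x52800000:  # MOVZ Wd/Xd, #imm16 (hw == 0)
        sf, imm16, rd = word >> 31, (word >> 5) & 0xFFFF, word & 0x1F
        return f"MOV {'X' if sf else 'W'}{rd}, #{imm16}"
    if word & 0xFFC00000 == 0xF9000000:  # STR Xt, [Xn, #imm12*8] (unsigned offset)
        imm12, rn, rt = (word >> 10) & 0xFFF, (word >> 5) & 0x1F, word & 0x1F
        return f"STR X{rt}, [X{rn}]" if imm12 == 0 else f"STR X{rt}, [X{rn}, #{imm12 * 8}]"
    return f".inst {word:#010x}"


def make_sample_macho():
    """Constructed stand-in for the kernelcache (not real kernel code): one segment
    covering the patch addresses, file-backed at offset 0x1000, filled with NOPs."""
    vmaddr, vmsize, fileoff = 0xFFFFFFF005B1B000, 0xD000, 0x1000
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 0xC, 1, 72, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT_EXEC",
                      vmaddr, vmsize, fileoff, vmsize, 5, 5, 0, 0)
    body = struct.pack("<I", AARCH64_NOP) * (vmsize // 4)
    return (header + seg).ljust(fileoff, b"\0") + body


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else make_sample_macho()
    patched, log = apply_patches(data)
    for va, old, new in log:
        print(f"{va:#x}: {old:#010x} ({decode(old)}) -> {new:#010x} ({decode(new)})")
    if src:
        with open(src + ".patched", "wb") as f:
            f.write(patched)
```

Run it as `python3 patch.py kernelcache.release.iphone10.decompressed` (whatever name `ipsw kernel dec` gave the decrypted file); the printed old words let you confirm you are looking at the same 20A362 build, and the `.patched` output is what you load into your disassembler to study the two modified functions.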

Editors Note

Since the challenge files were not downloaded to pwn.college, this challenge has no attachment.

I did, however, include the pzb source files zipped, just in case you can't find them.

Note: This challenge was not solved during the CTF and we would appreciate any writeups


Author: R3CTF/YUANHENGCTF Team

The secret of the cat! There is a security vulnerability in our home camera used to monitor cats. Your task is to exploit the vulnerability, find the flag inside the camera, and reveal the ultimate secret of the cat.

There is only one service in the device.

An uninitialized web interface does not prevent you from obtaining the flag.

Note: This challenge was not solved during the CTF and we would appreciate any writeups.


Author: R3CTF/YUANHENGCTF Team

ANY NON-AUTHORIZED PERSONNEL ACCESSING THIS FILE WILL BE IMMEDIATELY TERMINATED THROUGH BERRYMAN-LANGFORD MEMETIC KILL AGENT.

Note: Please use the unzipped files to get the pwn.college flag


Author: R3CTF/YUANHENGCTF Team

Let me tell you a story about Sparrow.


Author: R3CTF/YUANHENGCTF Team

rug me pls


Author: R3CTF/YUANHENGCTF Team

