pwn - write-flag-where2

Was that too easy? Let's make it tough. It's the challenge from before, but I've removed all the fluff

November 4, 2025 October 20, 2025 Medium
Author: Hung Nguyen Tuong

Setup

ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where2$ kCTF[ctf=write-flag-where-s,config=local-cluster,chal=wfw2] > kctf chal start && kctf chal debug docker
[*] building image in "/home/ubuntu/write-flag-where-s/pwn-write-flag-where2/challenge"
[+] Building 2.7s (20/20) FINISHED
...
CONTAINER ID   IMAGE          COMMAND                  CREATED        STATUS                  PORTS                                           NAMES
b21f9e816e91   6e2f8e5ad9fd   "/bin/sh -c 'kctf_se…"   1 second ago   Up Less than a second   0.0.0.0:32781->1337/tcp, [::]:32781->1337/tcp   kctf-write-flag-where-s-wfw2-challenge
[*] Container running, ctrl+c to exit
ubuntu@hungnt-PC:~/write-flag-where-s$ nc 0 32781
Was that too easy? Let's make it tough
It's the challenge from before, but I've removed all the fluff
5b99f7822000-5b99f7823000 r--p 00000000 08:30 33656895                   /home/user/chal
5b99f7823000-5b99f7824000 r-xp 00001000 08:30 33656895                   /home/user/chal
5b99f7824000-5b99f7825000 r--p 00002000 08:30 33656895                   /home/user/chal
5b99f7825000-5b99f7826000 r--p 00002000 08:30 33656895                   /home/user/chal
5b99f7826000-5b99f7827000 rw-p 00003000 08:30 33656895                   /home/user/chal
5b99f7827000-5b99f7828000 rw-p 00000000 00:00 0
7d5cb40de000-7d5cb40e1000 rw-p 00000000 00:00 0
7d5cb40e1000-7d5cb4109000 r--p 00000000 08:30 33657674                   /usr/lib/x86_64-linux-gnu/libc.so.6
7d5cb4109000-7d5cb429e000 r-xp 00028000 08:30 33657674                   /usr/lib/x86_64-linux-gnu/libc.so.6
7d5cb429e000-7d5cb42f6000 r--p 001bd000 08:30 33657674                   /usr/lib/x86_64-linux-gnu/libc.so.6
7d5cb42f6000-7d5cb42fa000 r--p 00214000 08:30 33657674                   /usr/lib/x86_64-linux-gnu/libc.so.6
7d5cb42fa000-7d5cb42fc000 rw-p 00218000 08:30 33657674                   /usr/lib/x86_64-linux-gnu/libc.so.6
7d5cb42fc000-7d5cb4309000 rw-p 00000000 00:00 0
7d5cb430b000-7d5cb430d000 rw-p 00000000 00:00 0
7d5cb430d000-7d5cb430f000 r--p 00000000 08:30 33657656                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7d5cb430f000-7d5cb4339000 r-xp 00002000 08:30 33657656                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7d5cb4339000-7d5cb4344000 r--p 0002c000 08:30 33657656                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7d5cb4345000-7d5cb4347000 r--p 00037000 08:30 33657656                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7d5cb4347000-7d5cb4349000 rw-p 00039000 08:30 33657656                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffcb190a000-7ffcb192b000 rw-p 00000000 00:00 0                          [stack]
7ffcb1989000-7ffcb198d000 r--p 00000000 00:00 0                          [vvar]
7ffcb198d000-7ffcb198f000 r-xp 00000000 00:00 0                          [vdso]
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where2/challenge$ docker cp b21f9e816e91:/chroot/home/user/chal .
Successfully copied 18.4kB to /home/ubuntu/write-flag-where-s/pwn-write-flag-where2/challenge/.
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where2/challenge$ pwninit --bin chal
bin: chal
libc: ./libc.so.6
ld: ./ld-linux-x86-64.so.2

setting ./ld-linux-x86-64.so.2 executable
copying chal to chal_patched
running patchelf on chal_patched
writing solve.py stub

Source Code

// Decompiler (IDA) output of the challenge binary, kept verbatim; only comments added.
// Globals `maps` (>= 4096 bytes) and `flag` (>= 128 bytes) live outside this listing.
//
// Behaviour in one sentence: dump this process's own memory map to the client, then
// loop accepting "0x<addr> <len>" pairs and copy `len` (<= 127) bytes of the flag buffer
// to `addr` inside the process through /proc/self/mem.
//
// Security-relevant points for the reader:
//  * The maps dump hands the client every mapping base, so ASLR gives this process no
//    protection — the client learns exactly where the binary, libc, ld and stack are.
//  * Writes via /proc/self/mem are performed by the kernel and are not subject to the
//    target page's protection bits, so read-only and executable mappings can be modified.
//  * Several syscall results (read of maps, open of /proc/self/mem, lseek64, write) are
//    never checked; failures are silent and the loop simply continues.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int length; // [rsp+Ch] [rbp-74h] BYREF
  int maps_fd; // [rsp+10h] [rbp-70h]
  int flag_fd; // [rsp+14h] [rbp-6Ch]
  int socket_fd; // [rsp+18h] [rbp-68h]
  int null_fd; // [rsp+1Ch] [rbp-64h]
  int nbytes; // [rsp+20h] [rbp-60h]  -- assigned below but never read
  int mem_fd; // [rsp+24h] [rbp-5Ch]
  __off64_t write_addr; // [rsp+28h] [rbp-58h] BYREF
  _QWORD buf[10]; // [rsp+30h] [rbp-50h] BYREF  -- 64 input bytes in buf[0..7], canary in buf[9]

  buf[9] = __readfsqword(0x28u); // stack-protector canary (fs:0x28) saved in the last slot of buf
  maps_fd = open("/proc/self/maps", 0, envp); // 0 == O_RDONLY; third argument is a decompiler artefact
  read(maps_fd, maps, 4096u); // return value and fd validity unchecked; `maps` may stay unterminated
  close(maps_fd);
  flag_fd = open("./flag.txt", 0); // O_RDONLY, relative to the working directory
  if ( flag_fd == -1 )
  {
    puts("flag.txt not found");
    return 1;
  }
  else
  {
    // read() adds no NUL terminator; `flag` is treated purely as raw bytes below.
    if ( read(flag_fd, &flag, 128u) > 0 )
    {
      close(flag_fd);
      // fd 1 is the client connection under the kctf wrapper (see the nc session above);
      // it is duplicated onto fd 1337 before stdin/stdout/stderr are all pointed at
      // /dev/null, so fd 1337 becomes the only channel to the client.
      socket_fd = dup2(1, 1337);
      null_fd = open("/dev/null", 2); // 2 == O_RDWR
      dup2(null_fd, 0);
      dup2(null_fd, 1);
      dup2(null_fd, 2);
      close(null_fd);
      alarm(60u); // no SIGALRM handler is visible, so the process is terminated after 60 s
      dprintf(
        socket_fd,
        "Was that too easy? Let's make it tough\nIt's the challenge from before, but I've removed all the fluff\n");
      dprintf(socket_fd, "%s\n\n", maps); // leaks the full address layout of this process
      while ( 1 )
      {
        memset(buf, 0, 64); // zeroed each round so a short read leaves a NUL-terminated line
        nbytes = read(socket_fd, buf, 64u); // result ignored; EOF (0) or error (-1) leaves buf all zero
        // Exactly two fields are required; `length` is capped at 127, so at most 127 of the
        // 128 flag bytes can be copied per request. Any other input ends the loop.
        if ( (unsigned int)__isoc99_sscanf(buf, "0x%llx %u", &write_addr, &length) != 2 || length > 127 )
          break;
        // One open/seek/write/close per request. The address is client-controlled and
        // unvalidated; the kernel's /proc/PID/mem writer ignores the mapping's protection
        // bits, so this is an unrestricted write of flag bytes anywhere in the process.
        // open() failure (-1) is not checked; lseek64/write then fail silently.
        mem_fd = open("/proc/self/mem", 2); // O_RDWR
        lseek64(mem_fd, write_addr, 0); // 0 == SEEK_SET
        write(mem_fd, &flag, length);
        close(mem_fd);
      }
      exit(0);
    }
    puts("flag.txt empty"); // also reached when read() fails with -1
    return 1;
  }
}

Mitigation

Solve

Script

⚠️ Draft: The post is still being written...