https://github.com/r3kapig/r3ctf-2024

Pwn:

Feedback Portal:

Hope you've been enjoying the CTF so far. Here is an app I made for you to write down your feedback!

Download [Attachment](<https://ctf2024.r3kapig.com/assets/1776c8d2c0739df05a31bcbc80b9c2fba634f39d03777e0d0d3218e52e7c1d55/Feedback%20Portal.zip>)


BabyVM:

Escape the vmware, find the impossible.

Primary download link: <https://mega.nz/file/8iw2BSIB#qPeuREoHPp9-mZ7BVFeXtx3OaSoBm-tWnLLwGq0esXQ>

Alternative download link: <https://gofile.io/d/3Q73H2>

Submit your exploit here: <https://babyvm.r3kapig.com/>

Warning: Do not DDoS this site or run a scanner against it, otherwise you'll get banned.

Note: You can only start the VM once every 5 minutes.

Note: The outer VM's Microsoft Defender is on, but the inner VM's Defender is off.

Note: The outer VM has an Internet connection, but the inner VM doesn't (host-only networking).

Note: The task status page updates automatically; you can submit another exploit if the status has not changed after 5 minutes.

Note: You have exactly 60s to execute the exploit and get your flag (the outer VM's `C:\flag.txt`).

Note: You can only upload a single exe file; it will be executed inside the inner VM as Administrator.

Note: Aliyun defenses are disabled.

Do NOT click the create instance button, it doesn't work.

Hint:
1. Bluetooth is enabled in the inner VM.
2. <https://github.com/mcuee/libusb-win32> is installed and has replaced the mouse/Bluetooth driver in the inner VM.

pwn0win - Forbidden Content:

"We are becoming more and more open now!" They said. "Our documents, including those outside the sandbox, are available for everyone to read!"

But there are still many things that are deliberately hidden...

Please pack your exploit into a regular, installable IPA file, then open a ticket to start the challenge. You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.

Note: The flag is in /var/jb/var/root/flag with permissions `-r-------- 1 root wheel`. We have configured the sandbox profile so that the two services in the attachment are reachable from within the iOS sandbox.

We use an iPhone 8 with iOS 16.7.1 for this challenge.
We highly recommend that you test your exploit on a jailbroken device, on Corellium, or on an emulator such as t8030-qemu / D22-QEMU first.
Feel free to ask an admin for temporary Corellium access if you need it.

Hints:
1. How does the server handle the event?
2. Mach port name use after free. But you don't need memory corruption.
3. What if you can replace the securityd port with yours?

Download [Attachment](<https://ctf2024.r3kapig.com/assets/9840a6753338ae79afd46f5851409b471d480fe173543720687feb5372e8b427/forbidden-content.zip>)


pwn0win - The simplest kernel pwn here:

This must be the simplest kernel pwn challenge here, I promise you.

Please pack your exploit into a regular, installable IPA file, then open a ticket to start the challenge. You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.

Note: The flag is in /var/jb/var/root/flag with permissions `-r-------- 1 root wheel`.

We use an iPhone 8 with iOS 16.0 for this challenge.
Several well-known 1-days have been patched.
We highly recommend that you test your exploit on a jailbroken device, on Corellium, or on an emulator such as t8030-qemu / D22-QEMU first.
Feel free to ask an admin for a debug device if you want to test your proof-of-concept.

Hint:
The patched functions in README.md are reachable via IOSurfaceRootUserClient::s_lookup_surface_from_port() and IOSurfaceRootUserClient::s_set_indexed_timestamp().

Download [Attachment](<https://ctf2024.r3kapig.com/assets/d91e7138abf9f1f7f3becd7b541057bc42cd3b3cdeca69dd2028d446f58311f9/README.md>)


hackcam: