hso groupie
What
hso groupie is a pwnable challenge in Real World CTF 4th. The challenge asks players to write an exploit for the pdftohtml utility in Xpdf 4.03, running on Debian unstable. The intended bug is the one documented in "A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution".
The bug is also not fixed in Poppler as of Jan 23. I picked the original Xpdf for this challenge because a few funny sanity checks, which could be trivially bypassed, might give extra lulz.
Team 'NeSE' solved it within the first 90 minutes of the game, likely because they already had an exploit ready for this target. In hindsight, with the bug being quite popular, the challenge probably just shouldn't have happened.
Is there a writeup?
No. I don't have time for a full writeup.
The exploit really just does what this blog post said, except the "build a computer" part, as there is no need to search memory or do complicated exploit engineering due to the nature of the challenge (on Linux, it only needs a PoC exploit instead of a weaponized one). A few full adders are enough for computing an address at a fixed offset and running system("whatever").
The exploit code is also (hopefully) reasonably readable, so you may just read that.