The "Turtles" challenge involved a program that processed nested structures (turtles). Each "turtle" contained pointers to other turtles, creating a complex chain. The objective for Part 2 was to transition from the initial memory leak (achieved in Part 01) to a controlled "magic gadget" execution. Technical Analysis
: The first 16 bytes of the payload were used to point the RDI register toward a "slack" space in memory. LetsSplitTurtles.part02.rar
: By placing a magic_gadget address at a specific offset ( +0x60 ), the program was forced to execute the desired shellcode or function when it attempted to traverse to the "next" turtle. Execution & Debugging The "Turtles" challenge involved a program that processed
The exploit was verified using to step through the turtle traversal logic. A critical finding during this phase was that the RBP (Base Pointer) register did not land at the expected offset, requiring a slight adjustment to the slack space to ensure the magic gadget was reached successfully. Technical Analysis : The first 16 bytes of
This write-up covers the second part of the challenge from CSAW CTF, focusing on the exploitation of a recursive data structure to achieve code execution. Challenge Overview
: The payload specifically targeted RDX and RAX to set up the final call.
The core of this stage involved crafting a precision payload that aligned with the program's expectations of the turtle structure while redirecting the instruction pointer.