I solved 2 challenges (bf, best_php).

bf

First, the seccomp dump:

line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x09 0x00 0x40000000  if (A >= 0x40000000) goto 0013
 0004: 0x15 0x07 0x00 0x00000002  if (A == open) goto 0012
 0005: 0x15 0x06 0x00 0x00000101  if (A == openat) goto 0012
 0006: 0x15 0x05 0x00 0x00000000  if (A == read) goto 0012
 0007: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0012
 0008: 0x15 0x03 0x00 0x0000000c  if (A == brk) goto 0012
 0009: 0x15 0x02 0x00 0x0000003c  if (A == exit) goto 0012
 0010: 0x15 0x01 0x00 0x000000e7  if (A == exit_group) goto 0012
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL
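To see how this filter decides, here is an added example (not part of the original writeup): a small cBPF emulator that runs the transcribed program on an (arch, syscall number) pair and returns the action. Opcode encodings and seccomp_data offsets are the standard classic-BPF ones, assumed here rather than taken from the challenge binary.

```python
# Constructed cBPF emulator for the seccomp filter dumped above.
BPF_LD_W_ABS = 0x20   # A = seccomp_data[k]
BPF_JEQ_K    = 0x15   # if A == k: pc += 1 + jt else pc += 1 + jf
BPF_JGE_K    = 0x35   # if A >= k: pc += 1 + jt else pc += 1 + jf
BPF_RET_K    = 0x06   # return k

SECCOMP_RET_ALLOW = 0x7fff0000
SECCOMP_RET_KILL  = 0x00000000
AUDIT_ARCH_X86_64 = 0xc000003e

# (code, jt, jf, k) transcribed from the dump, instructions 0000-0013.
FILTER = [
    (0x20, 0x00, 0x00, 0x00000004),  # A = arch
    (0x15, 0x00, 0x0b, 0xc000003e),  # if A != ARCH_X86_64 goto 0013
    (0x20, 0x00, 0x00, 0x00000000),  # A = sys_number
    (0x35, 0x09, 0x00, 0x40000000),  # if A >= 0x40000000 goto 0013 (x32 ABI)
    (0x15, 0x07, 0x00, 0x00000002),  # open
    (0x15, 0x06, 0x00, 0x00000101),  # openat
    (0x15, 0x05, 0x00, 0x00000000),  # read
    (0x15, 0x04, 0x00, 0x00000001),  # write
    (0x15, 0x03, 0x00, 0x0000000c),  # brk
    (0x15, 0x02, 0x00, 0x0000003c),  # exit
    (0x15, 0x01, 0x00, 0x000000e7),  # exit_group
    (0x06, 0x00, 0x00, 0x00000000),  # return KILL
    (0x06, 0x00, 0x00, 0x7fff0000),  # return ALLOW
    (0x06, 0x00, 0x00, 0x00000000),  # return KILL
]

def run_filter(prog, arch, nr):
    """Execute a cBPF seccomp program; returns the raw action word."""
    # struct seccomp_data: offset 0 = nr, offset 4 = arch (the only fields used here)
    data = {0: nr & 0xffffffff, 4: arch & 0xffffffff}
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_JGE_K:
            pc += 1 + (jt if acc >= k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x} at {pc}")

def decision(nr, arch=AUDIT_ARCH_X86_64):
    """'ALLOW' or 'KILL' for a syscall number under the dumped filter."""
    return "ALLOW" if run_filter(FILTER, arch, nr) == SECCOMP_RET_ALLOW else "KILL"
```

Anything outside the seven listed syscalls, any x32-ABI number (bit 30 set) and any non-x86_64 arch ends in KILL, which is the "bad syscall" the next paragraph observes.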

We found the vulnerability using hand fuzzing... XD

+[[[>+]-<]<<]

It caused bad-syscall errors. We then checked why these results occur.

We overwrote 1 byte of code_string's address.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/10f8fbb2-9308-46ef-85f9-c655bebea6b7/Untitled.png

code_string is a string object, and when we overwrite it by 1 byte, an error occurs in the destructor.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f70a380a-30ef-4e39-9ac8-87216b20e9ac/Untitled.png

So we know we can overwrite 1 byte of code_string. What can we do with that?

We can change the 1 byte of code_string to point to the return address.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/6b3c8d66-e071-40b5-bacf-ab94d927f238/Untitled.png

Then we can leak a libc address,

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/647490fb-f8a9-4e0e-8150-38ccf9718856/Untitled.png

and overwrite it.

One more thing to think about is the destructor of the string object.