ZeroPathAI/zeropath-ctf

ZeroPath CTF

10 CTF challenges based on real-world CVEs. Each challenge runs a synthetic vulnerable program inside a Docker container. The vulnerabilities preserve the shape and mechanism of the original CVE but are implemented in standalone programs, so no prior knowledge of the original codebase is needed.

You have the source code. Find the bug, write an exploit, and prove it works.

Requirements

  • Docker

Quick start

List the available challenges:

$ ./list.sh
CVE               Language  Objective       Impact              Description
────────────────  ────────  ──────────────  ──────────────────  ─────────────────────────────────────────────────────────────
CVE-2016-6255     C         write_flag      arbitrary_write     libupnp: remote arbitrary file write via HTTP POST
CVE-2017-1000367  C         write_flag      privesc             sudo: local privesc via tty hijack in get_process_ttyname()
CVE-2018-6789     C         crash           heap_overflow       Exim: one-byte heap overflow in b64decode()
CVE-2019-10149    C         read_flag       rce                 Exim: remote command execution (versions 4.87–4.91)
CVE-2021-3156     C         crash           heap_overflow       sudo "Baron Samedit": heap overflow for local root
CVE-2022-23125    C         crash           stack_overflow      Netatalk: stack buffer overflow in copyapplfile()
CVE-2023-0297     Python    read_flag       rce                 pyLoad: pre-auth RCE via js2py code injection
CVE-2023-22809    C         write_flag      privesc             sudo: sudoedit privilege escalation (1.8.0–1.9.12p1)
CVE-2023-34105    C         read_flag       rce                 SRS: command injection in real-time video server
CVE-2024-4577     C         read_flag       rce                 PHP-CGI: argument injection bypassing CVE-2012-1823 fix

Pick a challenge and start it:

$ ./start.sh CVE-2023-34105
Building image: ctf-cve-2023-34105 from ./images/CVE-2023-34105 ...
...
CTF container started: ctf-cve-2023-34105-live

You can join the CTF by running:
  docker exec --user ctf -it ctf-cve-2023-34105-live /bin/bash

Would you like me to run that for you now? [y/N] y

Once inside the container, run explain-challenge to understand what you're up against:

ctf@abc123:/$ /ctf/explain-challenge --hard

============================================================
  Challenge Info
============================================================
  CVE:      CVE-2023-34105
  Proof:    read_flag — read /ctf/flag.txt via the vulnerability
  Access:   The service is already running on port 9080.
  Source:   /app/source.c
============================================================

Read the source, find the vulnerability, and write your exploit.

Proof types

Each challenge requires a specific type of proof. The type is shown when you run explain-challenge.

read_flag — The vulnerability gives you code execution. Use it to read /ctf/flag.txt and submit the flag value.

write_flag — The vulnerability lets you write arbitrary files. Write the contents of /ctf/flag.txt to /ctf/proof.txt.

crash — The vulnerability causes memory corruption. Trigger it to crash the service.

Once you believe your exploit works, verify it:

ctf@abc123:/$ /ctf/submit-proof
PASS — flag matches
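The three proof types map to three different verification rules. As an added illustration (not the repository's own submit-proof implementation), the Python below shows how such a checker can verify each type: a read_flag submission is compared against /ctf/flag.txt in constant time so the checker cannot be used as a flag oracle, write_flag checks that /ctf/proof.txt exists and carries the flag's contents, and crash is recorded as proven only when the service is no longer reachable. The /ctf paths come from the README; the port-probe function, the keyword-argument interface and the constructed temp-directory scenario in self_test are assumptions made for this example.

```python
"""Proof checker in the style of the CTF's submit-proof.

Illustrative code added to this page; not the repository's own implementation.
"""
import hmac
import os
import socket
import tempfile

FLAG_PATH = "/ctf/flag.txt"    # location stated by explain-challenge
PROOF_PATH = "/ctf/proof.txt"  # write_flag target stated in the README


def _read_text(path):
    """Read a small text file and drop surrounding whitespace/newlines."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def _same_secret(expected, candidate):
    """Constant-time comparison so a wrong guess leaks no timing information."""
    return hmac.compare_digest(expected.encode(), candidate.strip().encode())


def check_read_flag(submitted, flag_path=FLAG_PATH):
    """read_flag: the player submits the flag value obtained via code execution."""
    return _same_secret(_read_text(flag_path), submitted)


def check_write_flag(flag_path=FLAG_PATH, proof_path=PROOF_PATH):
    """write_flag: the flag's contents must have been written to proof_path."""
    if not os.path.isfile(proof_path):
        return False
    return _same_secret(_read_text(flag_path), _read_text(proof_path))


def port_is_open(host, port, timeout=1.0):
    """Assumed liveness probe for the crash proof: can we still connect?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_crash(service_alive):
    """crash: the proof holds only if the service is no longer reachable."""
    return not service_alive


def verify(proof_type, **kw):
    """Dispatch on the proof type shown by explain-challenge (assumed interface)."""
    if proof_type == "read_flag":
        return check_read_flag(kw["submitted"], kw.get("flag_path", FLAG_PATH))
    if proof_type == "write_flag":
        return check_write_flag(kw.get("flag_path", FLAG_PATH),
                                kw.get("proof_path", PROOF_PATH))
    if proof_type == "crash":
        return check_crash(kw["service_alive"])
    raise ValueError(f"unknown proof type: {proof_type}")


def self_test():
    """Constructed scenario in a temp dir; returns the verdict for each case."""
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag.txt")
        proof = os.path.join(d, "proof.txt")
        with open(flag, "w", encoding="utf-8") as fh:
            fh.write("flag{constructed-sample}\n")  # constructed sample flag
        results = {
            "read_ok": verify("read_flag", submitted="flag{constructed-sample}",
                              flag_path=flag),
            "read_bad": verify("read_flag", submitted="flag{wrong}", flag_path=flag),
            "write_missing": verify("write_flag", flag_path=flag, proof_path=proof),
        }
        with open(proof, "w", encoding="utf-8") as fh:
            fh.write("flag{constructed-sample}")
        results["write_ok"] = verify("write_flag", flag_path=flag, proof_path=proof)
        results["crash_still_up"] = verify("crash", service_alive=True)
        results["crash_down"] = verify("crash", service_alive=False)
    return results


if __name__ == "__main__":
    for name, ok in self_test().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

For a real deployment the crash rule would pass `port_is_open("127.0.0.1", 9080)` (the port named by explain-challenge for this challenge) into `verify("crash", ...)`; the self_test keeps that step offline by supplying the liveness result directly.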

If you get stuck

  1. More hints from explain-challenge. Run /ctf/explain-challenge --medium to see which functions contain the vulnerability sink. Run /ctf/explain-challenge --easy for a full walkthrough of the flaw mechanism.

  2. Annotated source code. The hints/annotated-source/ directory contains the full source with comments explaining the vulnerability shape, data flow, and where the fix should go.

  3. Working exploits. The hints/exploits/ directory contains working exploit code for challenges that have been solved.

  4. The original CVE. Search for the CVE ID online. The synthetic program mirrors the original vulnerability's mechanism, so write-ups of the real CVE will point you in the right direction.

About

Learn to build exploits against real-world CVEs
