<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Shutlock 2026 on kiperZ</title>
    <link>https://kiperz.dev/tags/shutlock-2026/</link>
    <description>Recent content in Shutlock 2026 on kiperZ</description>
    <generator>Hugo -- 0.147.7</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://kiperz.dev/tags/shutlock-2026/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>3, 2, 1... 0-click (1/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-1/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-1/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;code&gt;CSMS&lt;/code&gt; is an Android messenger: a central server, and on the victim side (the
&lt;code&gt;spylock&lt;/code&gt; account) a client app (&lt;code&gt;ctf.shutlock.csms&lt;/code&gt;) that &lt;strong&gt;fetches its new messages
on its own, every 10 s&lt;/strong&gt;, which makes the attack &lt;em&gt;0-click&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;The challenge hands us plenty to work with: the app&amp;rsquo;s APK, the &lt;strong&gt;C source&lt;/strong&gt; of its
native layer (&lt;code&gt;csms.c&lt;/code&gt;, &lt;code&gt;csms_mem.c&lt;/code&gt;) and a live infra (the server and an Android
emulator running the victim). Every incoming message flows through Java, pure plumbing,
then into a &lt;strong&gt;template engine written in C&lt;/strong&gt; (&lt;code&gt;libcsms.so&lt;/code&gt;); that is where, inside a
homemade allocator, the bug that gives us code execution hides.&lt;/p&gt;</description>
    </item>
    <item>
      <title>3, 2, 1... 0-click (2/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-2/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-2/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Part 1 gave us 0-click native code execution, but under the app&amp;rsquo;s uid
(&lt;code&gt;ctf.shutlock.csms&lt;/code&gt;). That was enough for &lt;code&gt;flag1&lt;/code&gt;. Not for &lt;code&gt;flag2&lt;/code&gt;, which belongs to
&lt;code&gt;system&lt;/code&gt;: no &lt;code&gt;open()&lt;/code&gt; will read it, whatever native code we run. We need to &lt;strong&gt;borrow
someone else&amp;rsquo;s rights&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Goal: read &lt;code&gt;/data/vendor/flag2.txt&lt;/code&gt; (&lt;code&gt;-r-------- system system&lt;/code&gt;) remotely.&lt;/p&gt;
&lt;h2 id=&#34;tldr&#34;&gt;TL;DR&lt;/h2&gt;
&lt;p&gt;RCE in the app != reading everything: &lt;code&gt;flag2&lt;/code&gt; is protected by DAC (uid &lt;code&gt;system&lt;/code&gt;). We
pivot through a broken &lt;strong&gt;vendor&lt;/strong&gt; &lt;code&gt;ContentProvider&lt;/code&gt; (&lt;code&gt;SNotesProvider&lt;/code&gt;): a path traversal
(&lt;code&gt;content://ctf.shutlock.snotes.provider/../flag2.txt&lt;/code&gt;) makes it read the file with its
&lt;code&gt;system&lt;/code&gt; rights, a &lt;em&gt;confused deputy&lt;/em&gt;. Since a provider &lt;code&gt;query()&lt;/code&gt; is a &lt;strong&gt;Java/Binder&lt;/strong&gt;
operation (not a syscall) and seccomp blocks the &lt;code&gt;execve&lt;/code&gt; shortcut, we &lt;strong&gt;rebuild a
&lt;code&gt;JNIEnv&lt;/code&gt; from raw shellcode&lt;/strong&gt; (resolving &lt;code&gt;JNI_GetCreatedJavaVMs&lt;/code&gt; via &lt;code&gt;/proc/self/maps&lt;/code&gt;,
then &lt;code&gt;GetEnv&lt;/code&gt;) and replay &lt;code&gt;ContentResolver.query()&lt;/code&gt; in JNI. Payload too big for part 1&amp;rsquo;s
groom: we deliver it in two stages. Content XORed with a key hardcoded in the APK,
decoded attacker-side.&lt;/p&gt;</description>
    </item>
    <item>
      <title>3, 2, 1... 0-click (3/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-3/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-3/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Parts 1 and 2 gave us 0-click native code execution, first under the app&amp;rsquo;s uid
(&lt;code&gt;flag1&lt;/code&gt;), then the ability to make a broken provider read a &lt;code&gt;system&lt;/code&gt; file (&lt;code&gt;flag2&lt;/code&gt;).
&lt;code&gt;flag3&lt;/code&gt; climbs one more notch: it belongs to &lt;code&gt;root&lt;/code&gt;, and, surprise, &lt;strong&gt;root isn&amp;rsquo;t even
enough&lt;/strong&gt;. The file is also SELinux-protected: under &lt;em&gt;enforcing&lt;/em&gt;, even uid 0 takes a
denial. So we need &lt;strong&gt;kernel code&lt;/strong&gt;: enough to become root &lt;em&gt;and&lt;/em&gt; neutralize the SELinux
policy.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
