I solved 2 challenges (bf, best_php).

bf

First, the seccomp dump:

line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x09 0x00 0x40000000  if (A >= 0x40000000) goto 0013
 0004: 0x15 0x07 0x00 0x00000002  if (A == open) goto 0012
 0005: 0x15 0x06 0x00 0x00000101  if (A == openat) goto 0012
 0006: 0x15 0x05 0x00 0x00000000  if (A == read) goto 0012
 0007: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0012
 0008: 0x15 0x03 0x00 0x0000000c  if (A == brk) goto 0012
 0009: 0x15 0x02 0x00 0x0000003c  if (A == exit) goto 0012
 0010: 0x15 0x01 0x00 0x000000e7  if (A == exit_group) goto 0012
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL
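To see at a glance what a dump like this actually permits, here is a small classic-BPF interpreter that replays the filter against a constructed seccomp_data (arch, nr) and lists the allowed syscall numbers. This is an added example, not code from the writeup or the challenge; it only implements the four opcode kinds that appear above (ld abs, jeq, jge, ret), and the constant values are the standard ones from linux/filter.h, linux/seccomp.h and linux/audit.h.

```python
"""Replay a seccomp-tools style BPF dump to learn which syscalls it allows.

Added example, not part of the writeup. It covers exactly the opcodes used in
the dump above: BPF_LD|BPF_W|BPF_ABS (0x20), BPF_JMP|BPF_JEQ|BPF_K (0x15),
BPF_JMP|BPF_JGE|BPF_K (0x35) and BPF_RET|BPF_K (0x06).
"""
import re
from typing import Dict, List, Tuple

# Constructed copy of the dump from the challenge; only the numeric columns
# (code, jt, jf, k) are parsed, the comment column is ignored.
DUMP = """\
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x09 0x00 0x40000000  if (A >= 0x40000000) goto 0013
 0004: 0x15 0x07 0x00 0x00000002  if (A == open) goto 0012
 0005: 0x15 0x06 0x00 0x00000101  if (A == openat) goto 0012
 0006: 0x15 0x05 0x00 0x00000000  if (A == read) goto 0012
 0007: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0012
 0008: 0x15 0x03 0x00 0x0000000c  if (A == brk) goto 0012
 0009: 0x15 0x02 0x00 0x0000003c  if (A == exit) goto 0012
 0010: 0x15 0x01 0x00 0x000000e7  if (A == exit_group) goto 0012
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL
"""

AUDIT_ARCH_X86_64 = 0xC000003E   # from linux/audit.h
SECCOMP_RET_ALLOW = 0x7FFF0000   # from linux/seccomp.h
SECCOMP_RET_KILL = 0x00000000
X32_SYSCALL_BIT = 0x40000000     # x32 ABI syscalls carry this bit

# Opcodes from linux/filter.h
OP_LD_ABS = 0x20
OP_JEQ_K = 0x15
OP_JGE_K = 0x35
OP_RET_K = 0x06

# Offsets into struct seccomp_data that the filter loads with ld abs
OFF_NR, OFF_ARCH = 0, 4

LINE_RE = re.compile(
    r"^\s*\d{4}:\s+0x([0-9a-f]{2})\s+0x([0-9a-f]{2})\s+0x([0-9a-f]{2})\s+0x([0-9a-f]{8})",
    re.IGNORECASE,
)

Insn = Tuple[int, int, int, int]  # (code, jt, jf, k)


def parse_dump(text: str) -> List[Insn]:
    """Extract (code, jt, jf, k) tuples; non-matching lines (headers) are skipped."""
    insns: List[Insn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            code, jt, jf, k = (int(x, 16) for x in m.groups())
            insns.append((code, jt, jf, k))
    return insns


def run_filter(insns: List[Insn], arch: int, nr: int) -> int:
    """Execute the filter for one syscall and return the SECCOMP_RET_* value."""
    data: Dict[int, int] = {OFF_NR: nr, OFF_ARCH: arch}
    acc = 0
    pc = 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        if code == OP_LD_ABS:
            if k not in data:
                raise ValueError(f"unsupported seccomp_data offset {k:#x}")
            acc = data[k]
            pc += 1
        elif code == OP_JEQ_K:
            # Jump targets are relative to the *next* instruction
            pc += 1 + (jt if acc == k else jf)
        elif code == OP_JGE_K:
            pc += 1 + (jt if acc >= k else jf)
        elif code == OP_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x} at {pc}")
    raise ValueError("filter fell off the end without returning")


def allowed_syscalls(insns: List[Insn], arch: int, max_nr: int = 512) -> List[int]:
    """Syscall numbers below max_nr that the filter allows for the given arch."""
    return [nr for nr in range(max_nr)
            if run_filter(insns, arch, nr) == SECCOMP_RET_ALLOW]


FILTER = parse_dump(DUMP)

if __name__ == "__main__":
    print("allowed on x86_64:", allowed_syscalls(FILTER, AUDIT_ARCH_X86_64))
    print("x32 open:", hex(run_filter(FILTER, AUDIT_ARCH_X86_64, X32_SYSCALL_BIT | 2)))
```

Running it confirms the allowlist is exactly read, write, open, brk, exit, exit_group and openat, that the arch check rejects every other architecture, and that the `A >= 0x40000000` test closes the x32 ABI loophole, which is the check most hand-written seccomp filters forget.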

We found the vulnerability using hand fuzzing... XD

+[[[>+]-<]<<]

It caused bad syscall errors. We confirmed why these results were coming out.

We had overwritten 1 byte of code_string's address.

code_string is a string object, and when we overwrite it by 1 byte, an error occurs in the destructor.

So we know that we can overwrite 1 byte of code_string. What will you do?

We can change the 1 byte of code_string to point to the return address, then we can leak the libc address and overwrite it.

One more thing to think about is the destructor of the string object.