Research August 12, 2025 By STAR Labs SG 3 min read

Summer Pwnables: When the Heat Rises, So Do the C-Shells ๐Ÿ”ฅ

Table of Contents

๐ŸŒดโ˜€๏ธ SUMMER PWNABLES 2025 โ˜€๏ธ๐ŸŒด

The hottest hacking challenge on this side of Southeast Asia!

Summer Pwnables Poster

Think you can handle the heat? Time to prove your l33t skills are more than just talk! ๐Ÿ˜Ž๐Ÿ”ฅ

The summer sun isn’t the only thing burning bright โ€“ we have cooked up some seriously spicy challenges that will test whether you are a true shell wizard! ๐Ÿง™โ€โ™‚๏ธโœจ

๐Ÿ“ ELIGIBILITY REQUIREMENTS

This challenge is exclusively open to Singapore-based students only!
You must be currently enrolled in a Singapore educational institution to participate.

๐ŸŽฏ THE FIRST MISSION (Should You Choose to Accept It)

Your objective, should you dare to accept: Transform from zero to hero by achieving the ultimate prize โ€“ Gain Code Execution Access! But here’s the catch: Imagine you’ve found a bug in the linux gzip tool… One that can potentially trigger a reverse shell if a malicious payload is passed Your job is to craft that payload… be very subtle ๐Ÿฅท One wrong move and… ๐Ÿ’€

๐Ÿ† THE ARENA RULES

(Read carefully, or face the wrath of the admins!)

๐Ÿ”ด Rule #1: Get Code Execution or go home! Exploit the challenges like a true pwn master
๐Ÿ”ด Rule #2: Submit your exploit source code + epic writeup to this form here โ€“ we want to see your thought process!
๐Ÿ”ด Rule #3: Think you’ve spotted the vuln but running out of time? Send us your theoretical exploitation writeup anyway โ€“ partial credit for big brains! ๐Ÿง 

๐ŸŽ LEGENDARY LOOT AWAITS!

For the Speed Demons: ๐Ÿฅ‡
First few hackers to achieve code execution will claim the legendary “From Day Zero to Zero Day” book by Eugene “Spaceraccoon” Lim โ€“ complete with author’s signature! + $50 $100 SGD cash prize ๐Ÿ’ต

For the Wordsmith Warriors: ๐Ÿ†
Best writeup wins the same epic tome + $50 $100 SGD cash prize ๐Ÿ’ต! Show us your technical storytelling skills โ€“ make us feel like we’re right there in the terminal with you!

Prize Collection: Winners must collect their rewards in person on 29th August 2025 ๐Ÿ“… We will contact you.

Download the challenges: CHALLENGE #001 โฌ‡๏ธ
(Warning: May cause excessive coffee consumption and late-night coding sessions)

The password to the zip file is “baby_blastpass”

Once you have a working exploit, send your payload to 159.223.33.156 9101 and get the flag!

File Integrity Check:
๐Ÿ“‹ sha256 of lz1.zip: 5b0c41b916530b16a2a7d87eff4fb426357fefba0e8c0cf41c06bd6725c2b8fc

Original lz1 code by andyherbert: https://github.com/andyherbert/lz1

“Every system has a weakness. Every wall has a crack. Every challenge… has a solution.”

Your time is NOW!

Credits:

  • Challenge Creators: Muhammad Alifa Ramdhan & Zafir Rasyidi Taufik

  • Challenge Testers: Nguyen Dang Nguyen, Chen Le Qi

  • Poster Designer: Sarah Tan