root@fareed:~#

Writeup: CipherText CTF 2018 Reverse Engineering Challenges

 
  • Dec 31, 2018

Hye, Assalamualaikum. First of all, this is the first version of CipherText CTF. It’s a first Online Cyber Security competition for all Arab talents in security field. Imran (My teammate) and I playing this game only for fun and of course, to improve our knowledge and skills in this type of security challenge. From 319 teams, we (Ultraman) managed to got 24th place for this CTF.

The scoreboard:-

1

So, today I’ll be focus only on reversing challenge because these challenge are the only challenges I solved, while the others challenges were solved by Imran.

Let’s begin!

  1. Rev 101
  2. Small Pieces
  3. Handler

2

Rev 101

Reverse-101.bin is a 64 bit ELF executable.

3

First thing first, I do run the binary on my Linux to check what will their return if I’m input something for the binary.

Usually when I’m doing reverse, I’ll do both static and dynamic analysis on the binary I working for. So, in this case, I’ll use IDA pro for static analysis and GDB-debugger for dynamic analysis.

Open up IDA, and let’s start take a look on main function.

4

On the main function, we can see the strings like “Try harder!!” and “Think out of the BOX!” that program return if we put some input into it. As we can see, after print out the strings, all of them will jump into the loc_82B function.

5

In loc_82B function, there is a lot of LEA instruction onto the RAX registry and then, it will put the value into our stack. Based on the strings character, it’s look like a random strings to me. But also, it could be important too because after the LEA instructions, the program make a MOV instruction for the flag format CTCTF{ characters into the stack too.

6

Looking into the next subfunctions…

7

The loc_A3A function will compare the length of a strings at [rbp+var_12C] with 30, where I think this must be the length of the flag. If the length equal to 30, then it will go to red arrow function which is the flag format last character, “}” and then the program exit. And if it’s not, it will got to green arrow functions.

While on the left side (green arrow), we can see there will be a loop process on the program, which is this must be an algorithm to get the character by character of our flag.

Open up GDB, let’s examine the left side function.

By debugging the loc_9E1 function and observe the changes in RDX registry. I noticed, the characters in the RDX look alike a character for a strings which is maybe the flag we looking for.

8

So, the first char is “T”. Let’s continue debugging it to get the second char.

9

So, we got the second char which is “h”.

So, from here, I examine the RDX registry until I get the full flag strings by set the breakpoint on offset 0x555555554a20 which is the offset where RDX changing their value (flag char) and then continue the program with command c to get the next char.

After the last char, “g”.. the program will be exited normally.

So based on our examination in loc_9E1 function , the full strings will be “Th1S_1S_4N_e4Sy_R3v3Rs1ng“.

Put it into the flag box with flag format CTCTF{}, and the answer will be correct!

Small Pieces

For this challenge, it were quite easy than the challenge before.

Run the program, and it’s only return a “D0n3!” text.

10

Fire up GDB, then I start digging more on the main function.

11

Ok now, by using GDB, set a breakpoint on main function and then I run the program. So now, it will pause on top of the instruction in main function.

After that, based on Image above, I set a breakpoint after <part4> function which is on offset 0x00005555555553cb and we can see the flag in RDX registry by just run the program after that.

12

The red pen is our break point and the blue pen is the flag we looking for.

Easy right?

Handler

This challenge should be hard I think. But I don’t know why I got the flag for this challenge only in 5 minutes. Maybe I’m doing it using unefficient way.

Like the other challenge, let’s run the program first.

13

After that, let’s do static analysis on the binary using IDA.

14

In the function list, the most interesting function is getm3flag function. I think this function will print out the flag we looking for.

15

Let’s open up GDB, break on main.

Run the program and the program will pause on our main function.

From here, set the instruction pointer by jumping to that getm3flag function and then, we will get the flag.

16

The flag is CTCTF{N3v3r_g1V3_uP#_#}

© root@fareed:~# 2021
Search