Arab Security Cyber WarGames 2020 RE Challenges Writeup
This is the writeup for the RE challenges in the ASC CTF qualification round. There were 2 RE challenges.
Check
- Type: Reverse
- Points: 600
There are many different approaches to solve this challenge.
The guessing one: let’s run ltrace
- So it gets the HOSTNAME environment variable and it might compare it with Machine, next it gets the USER environment variable and compares it with reenigne.
Now what you need to do is change your HOSTNAME and USER environment variables to match what you found.
- It prints a base64 string so you just need to decode it.
Flag : ASCWG{3nv_v4r5_4r3_u53ful}
The static analysis approach
Following the [×] Machine not OK. string, you will get to this if statement, which prints [o] Machine OK: followed by a string, so this string could be our flag.
- The s variable is an array of char that is terminated with char 0, the null terminator
Now let’s look at the sub11ED function and see what it does with our flag
It just takes the flag and XORs it with 0x92, so the process can be repeated manually.
The in depth approach
I renamed some of the variables and functions to make sense. All XOR functions are followed by a number, which is the value that the data is XORed with.
Which means that after the xor the HOSTNAME variable is equal to HOSTNAME and HostnameENV equals the hostname environment variable.
- And then checks HostnameENV with Machine and sets a flag to 1
The same as explained above, nothing new here.
Then if the environment variables HOSTNAME and USER are equal to Machine and reenigne respectively.
- You can also use a debugger and skip the last check, as all the above code has nothing to do with the flag itself, but you got my point
DOOM
We got a 64-bit ELF, and it just takes the input and does nothing with it
So checking main, you can see that it just prints doom and takes an input, and that’s all it does.
So clearly the flag isn’t there. Upon checking the other functions, verifyFlag and printFlag caught my interest. printFlag just prints the variable passed to it in the flag format, so let’s focus on verifyFlag.
It has some hard coded data like s and v5 which are used for RC4 decryption I think.
Then it reads data from string.txt
Then it hashes the content of string.txt with MD5.
And then it compares that hash with the output of the RC4 decryption, and then it prints the flag.
- So let’s now use the debugger to check the s1 and s2 values but first let’s create a string.txt file.
Break main and run the program then break verifyFlag and then set the rip to verifyFlag.
Set breakpoint at the address 0x000000000800167a
To check what are the values of the variables being passed
After checking the rax and rdx values with x/16x (why 16? Because we know from the code that they are MD5 hashes):
- Keep in mind that the string.txt file contains the number 1
- So rdx = c4ca4238a0b923820dcc509a6f75849b (the hash of number 1)
- rax = b9448dd62f8f39451767741f799c8d8b (the hash of apocolypsedoomsday)
FLAG: ASCWG{apocolypsedoomsday}
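The verifyFlag logic described above can also be modelled offline. This is an added example, not code from the challenge binary or the original writeup. It assumes the routine really is RC4 (as the writeup suspects) and that the compare is done on hex strings; the key and encrypted blob are constructed stand-ins, because the page does not show the real s and v5 values.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA), then keystream XOR (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

# Constructed stand-ins: the real key (v5) and blob (s) are not on the page,
# so a made-up key encrypts the digest the writeup read from rax.
CONSTRUCTED_KEY = b"constructed-key"
EXPECTED_HEX = "b9448dd62f8f39451767741f799c8d8b"  # rax value from the writeup
CONSTRUCTED_BLOB = rc4(CONSTRUCTED_KEY, EXPECTED_HEX.encode())

def recover_expected_digest(key: bytes = CONSTRUCTED_KEY,
                            blob: bytes = CONSTRUCTED_BLOB) -> str:
    """Decrypt the embedded blob, as verifyFlag does before the compare.
    Both inputs live in the binary, so no debugger is needed for this step."""
    return rc4(key, blob).decode()

def verify_flag(file_content: bytes) -> bool:
    """Model of the check: MD5(string.txt) must equal the decrypted digest.
    Assumption: hex strings are compared; the binary may compare raw bytes."""
    return hashlib.md5(file_content).hexdigest() == recover_expected_digest()

if __name__ == "__main__":
    print("expected digest :", recover_expected_digest())
    print("md5 of b'1'     :", hashlib.md5(b"1").hexdigest())
    print("string.txt = '1' accepted?", verify_flag(b"1"))
```

Because the key and ciphertext both ship inside the binary, the RC4 layer only obscures the expected digest; it does not protect it.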
- cheers!