View on GitHub

cyber-camp-2020-writeup

Cyber Camp 2020 CTF by SANS Institute Writeup

BH02

Category Points Difficulty
Binary 500 Hard

Solution

Downloading and extracting the file gives us a program we need to crack. We don’t know the password. Trying a buffer overflow doesn’t work, so we need to up our game a little. Opening the program with radare2 and decompiling it will give us a few clues as to what to do.

  1. Let’s analyze the program with aaa
  2. Let’s look at the strings with iz, and we see that there are four strings. Translating these strings with Google Translate or something gives us that the first one doesn’t really mean anything. The second one means “what is the password?”. The third and fourth strings are “Correct” and “Incorrect” respectively. We need to find out how to get the “correct” string, so we look at the address of the correct string, which is stored at 0x00000a00.
  3. We can find out where the string is used with the axt command (analyze x-refs to) like so axt 0x00000a00. We see that it’s called in the “main” function at address 0x90e.
  4. Let’s seek to the main address with afl, finding “main” from the list, and seeking to the location with s 0x000007ca.
  5. Let’s look at the assembly code of the function with pdf (print disassembly function). We can see that at position 0x90e, we get our string reference for “correct”, so we need to find out how to get to that point. This is where you ought to know how to use assembly. We see that the input is compared against the characters e9 be 99 31 32 33 (in hex), and converting it to text gives us the password “龙123”. Putting this back into the program gives us the flag.

Flag: gHn3*jXvs&H!@jGs