Security Engineer

Home About Resume Projects
15 October 2018

CySCA 2018 | Warmup I Writeup

by adamt

Congratulations to all teams for participating in CySCA 2018.

This challenge was heavily obfuscated and our first thought on solving this challenge was angrangrangrangr.

Looking at the disassembly graph in BinaryNinja it became more obvious that this challenge was simply a reversing challenge and was solvable using angr. We spent ~1 hours following this rabbot hole, however we noticed that if it had just been an angr challenge, there wouldn’t have been a need to connect remotely to get the flag.

BinaryNina Photo

After reversing the binary it became more and more clear what was happening.

The program basically breaks down to the following

BinaryNina Photo

It compares two bytes of memory, and ends the program if they’re not equal, continues otherwise.

From this I had an idea of what was happening. My concept of the program was as follows:

Reads in input/flag

Compares character by character if they are the same

If they aren’t the same exit

If they are the same (up to the length of our input) return “Great Work!”

We confirmed our belief by testing the program. Running it with input flag returns nothing whilst running it with input FLAG returns “GREAT Work!”

From this information we can build a brute forcing script that tries 1 character at a time untilthe flag is complete.

Here is a simple python script that connects to the server, trying each character.

from pwn import *

context.log_level = 'CRITICAL' #to disable startup msgs

def tryflag(flag):
    p = process("./chal1") #remote("IP", PORT)
        if "Great" in p.recvall(): 
            return True
        return False # if program crashes

    return False

start = 'FLAG'
letters = '0123456789FLAG{}ABCDEF_' # Only possible letters are hexidecimal digits

while True:
    for letter in letters:
        if tryflag(start + letter):
            start += letter
            print start
        print "done"