Thursday 9 February 2017

ALEX CTF 2017


RE5: packed movement


It was fun playing Alex CTF. Most of the challenges were simple yet very interesting.
As usual, first I checked what kind of a binary this was using the file command:
    file move
    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
I then tried opening it in IDA, but it refused to open. So I asked the admin what the matter was.
He said that the binary was somehow packed and I needed to unpack it.
Now I needed to find the type of packing and then unpack it.
So, I tried binwalk on the binary. It showed the following:

1. ELF, 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux)
2. Copyright string: "Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $"

As you can see, this file was packed using the UPX packer.
So I installed UPX and ran the following command on the file:

    ./upx -d move

Now the file is unpacked.
When I finally opened the file in IDA, I saw that it was movfuscated (obfuscation). Now I had to demovfuscate it to understand what the input should be.
So I googled for demovfuscator and found the following link to be useful:
https://github.com/kirschju/demovfuscator
I installed it and deobfuscated the binary.
Now everything's set. We just need to find the flag... :p
For that I have the following script ready. I found it somewhere online, I don't remember where.
This is the script:


perf is a performance counter tool for Linux. What this script does is count the number of instructions executed for each input (where the input is a printable character). It then appends to the string key the input that made the binary execute the maximum number of instructions. The same process is repeated until the closing bracket ('}') is encountered.
The string which we finally obtain is the flag.

ALEXCTF{M0Vfusc4t0r_w0rk5_l1ke_m4g1c}
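
The character-by-character recovery described above, as an added example that is not the script the author used: it replaces the challenge binary and `perf` with a simulated checker whose `work` counter stands in for the instruction count, and puts a constant-work comparison next to it to show what removes the signal. `SECRET`, `leaky_check`, `constant_check` and `recover` are hypothetical names, and the secret is a constructed sample.

```python
import string

SECRET = "FLAG{c0unt_m3}"  # constructed sample secret, not from the page
ALPHABET = string.ascii_letters + string.digits + "_{}"


def leaky_check(guess):
    """Early-exit compare. Returns (ok, work); work models the
    instruction count that perf would report for this input."""
    work = 0
    for i, ch in enumerate(SECRET):
        if i >= len(guess) or guess[i] != ch:
            return False, work  # stops at the first mismatch
        work += 1  # one more unit of work per matching character
    return len(guess) == len(SECRET), work


def constant_check(guess):
    """Same verdict, but work does not depend on where the mismatch is."""
    work = 0
    diff = len(guess) ^ len(SECRET)
    for i, ch in enumerate(SECRET):
        g = guess[i] if i < len(guess) else "\0"
        diff |= ord(g) ^ ord(ch)  # accumulate differences, never exit early
        work += 1
    return diff == 0, work


def recover(check, max_len=64):
    """Append the candidate with the highest work count until '}' is seen."""
    key = ""
    while len(key) < max_len and not key.endswith("}"):
        scores = {c: check(key + c)[1] for c in ALPHABET}
        if len(set(scores.values())) == 1:
            break  # every candidate costs the same: nothing to learn
        key += max(scores, key=scores.get)
    return key


if __name__ == "__main__":
    print("early-exit checker leaks:", repr(recover(leaky_check)))
    print("constant-work checker leaks:", repr(recover(constant_check)))
```

Against a real binary the counts carry measurement noise, so each candidate is usually measured more than once before picking the maximum.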

Sunday 5 February 2017

BITS CTF 2017

RE20: Mission improbable


This was a hexdump file. It was an easy challenge.

I used the xxd tool to convert the file back to binary form.

    xxd -r -p MissionImprobable.TEENSY31.hex  out


Then I tried strings command on the out file.
There were only a few strings, so I looked at those, and there I saw a string:
BITCTF{B4d_bad_U5B0

I then just replaced the 0 with a '}'.
That's it, it's the flag.

    BITCTF{B4d_bad_U5B}

RE80: Riskv and Reward


First of all I used the file command.

    riskv_and_reward: ELF 64-bit LSB executable, UCB RISC-V, version 1 (SYSV), statically linked, stripped

The file command says it is in RISC-V arch.

So we need to use an emulator.

I googled for it and found this:
    
    https://github.com/riscv/riscv-qemu

So I installed it as per the instructions mentioned in its git repository.

After installing I tried to debug it, and it started to give me many errors. I tried to fix those and it took a lot of time. Then I thought that I haven't run it till now, so why not give it a try.

I must say, I was shocked: the bin printed out the flag.

I didn't expect an 80-point challenge to be this simple.

The flag was:

    BITSCTF{s0m3_r1sc5_4r3_w0rth_1t}