YUBITSEC CTF: Learn reverse or +925 rating points in minutes
- Tutorial
Good day to all. YubitSec's latest CTF has just come to an end, and despite the difficulties at the very start caused by heavy DDoS attacks on all the task sites, the battle was fairly tough. The tasks are still available here.
Gifted 50
The first and easiest task. There is no description, but there is a file; download it, proceed to analysis, and almost immediately we pull out the flag:
gh0st3rs@leacher-pc:Gifted$ file gifted
gifted: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=90d4894c52975348b52134af2f3b33b9da7f0112, not stripped
gh0st3rs@leacher-pc:Gifted$ strings gifted | grep YUBIT
YUBITSEC{MEH_IT_IS_SOMETHING}
The Twin Towers 125
There is still no description, but this time instead of a binary we are offered a Java class.
Using jd-gui we get the source code:
Wtf.class
import java.io.PrintStream;

public class Wtf {
    public static void main(String[] paramArrayOfString) {
        System.out.println("Tonight, as we mark the conclusion of our celebration of Black History Month, we are reminded of our Nation's path toward civil rights and the work that still remains. Recent threats targeting Jewish Community Centers and vandalism of Jewish cemeteries, as well as last week's shooting in Kansas City, remind us that while we may be a Nation divided on policies, we are a country that stands united in condemning hate and evil in all its forms.");
        String str = "0YUBITSEC{BUSH_DID_9_11}0";
        if (str == "BUSH DID 9.11") {
            flag();
        }
    }

    public static void flag() {
        String str1 = null;
        int i = 3;
        int j = 3;
        String str2 = null;
        j = 0 + j;
        if (j % 2 == 0)
        {
            String str3 = str2 + "error";
            String str4 = "Flag is not here actually...";
            String str5 = "59554249545345437B5730575F4D5543485F50524F4752414D4D494E475F4A4156417D";
        }
        else
        {
            int k = 59;
            int m = 554;
            int n = 249;
            int i1 = 545;
            int i2 = 345;
            int i3 = 437;
            String str6 = "B77";
            int i4 = 686;
            String str7 = "F5F757";
            str1 = Integer.toString(k) + Integer.toString(m) + Integer.toString(n) + Integer.toString(i1) + Integer.toString(i2) + Integer.toString(i3) + str6 + Integer.toString(i4) + str7 + "365735F6A6176615F696E5F323031377D";
        }
        System.out.println(str1);
    }
}
Judging by the code, the part we are interested in is the block in the else branch; copy it into Python with small changes and run it:
def flag():
    k = 59
    m = 554
    n = 249
    i1 = 545
    i2 = 345
    i3 = 437
    str6 = "B77"
    i4 = 686
    str7 = "F5F757"
    str1 = str(k) + str(m) + str(n) + str(i1) + str(i2) + str(i3) + str6 + str(i4) + str7 + "365735F6A6176615F696E5F323031377D"
    print(str1)

>>> flag()
59554249545345437B77686F5F757365735F6A6176615F696E5F323031377D
We decode the resulting HEX string and pick up the next flag:
YUBITSEC{who_uses_java_in_2017}
Reverse101 225
The description contains only one phrase:
Jump over it.
The file is attached. Open it in IDA:
It's simple...
.text:00000000004007AF mov dword ptr [rax], 'Y'
.text:00000000004007B5 add rax, 4
.text:00000000004007B9 sub rdx, 1
.text:00000000004007BD mov dword ptr [rax], 'U'
.text:00000000004007C3 add rax, 4
.text:00000000004007C7 sub rdx, 1
.text:00000000004007CB mov dword ptr [rax], 'B'
.text:00000000004007D1 add rax, 4
.text:00000000004007D5 sub rdx, 1
.text:00000000004007D9 mov dword ptr [rax], 'I'
.text:00000000004007DF add rax, 4
.text:00000000004007E3 sub rdx, 1
.text:00000000004007E7 mov dword ptr [rax], 'T'
.text:00000000004007ED add rax, 4
.text:00000000004007F1 sub rdx, 1
.text:00000000004007F5 mov dword ptr [rax], 'S'
.text:00000000004007FB add rax, 4
.text:00000000004007FF sub rdx, 1
.text:0000000000400803 mov dword ptr [rax], 'E'
.text:0000000000400809 add rax, 4
.text:000000000040080D sub rdx, 1
.text:0000000000400811 mov dword ptr [rax], 'C'
.text:0000000000400817 add rax, 4
.text:000000000040081B sub rdx, 1
.text:000000000040081F mov dword ptr [rax], '{'
.text:0000000000400825 add rax, 4
.text:0000000000400829 sub rdx, 1
.text:000000000040082D mov dword ptr [rax], 'U'
.text:0000000000400833 add rax, 4
.text:0000000000400837 sub rdx, 1
.text:000000000040083B mov dword ptr [rax], 'S'
.text:0000000000400841 add rax, 4
.text:0000000000400845 sub rdx, 1
.text:0000000000400849 mov dword ptr [rax], 'E'
.text:000000000040084F add rax, 4
.text:0000000000400853 sub rdx, 1
.text:0000000000400857 mov dword ptr [rax], '_'
.text:000000000040085D add rax, 4
.text:0000000000400861 sub rdx, 1
.text:0000000000400865 mov dword ptr [rax], 'G'
.text:000000000040086B add rax, 4
.text:000000000040086F sub rdx, 1
.text:0000000000400873 mov dword ptr [rax], 'D'
.text:0000000000400879 add rax, 4
.text:000000000040087D sub rdx, 1
.text:0000000000400881 mov dword ptr [rax], 'B'
.text:0000000000400887 add rax, 4
.text:000000000040088B sub rdx, 1
.text:000000000040088F mov dword ptr [rax], '_'
.text:0000000000400895 add rax, 4
.text:0000000000400899 sub rdx, 1
.text:000000000040089D mov dword ptr [rax], 'P'
.text:00000000004008A3 add rax, 4
.text:00000000004008A7 sub rdx, 1
.text:00000000004008AB mov dword ptr [rax], 'E'
.text:00000000004008B1 add rax, 4
.text:00000000004008B5 sub rdx, 1
.text:00000000004008B9 mov dword ptr [rax], 'D'
.text:00000000004008BF add rax, 4
.text:00000000004008C3 sub rdx, 1
.text:00000000004008C7 mov dword ptr [rax], 'A'
.text:00000000004008CD add rax, 4
.text:00000000004008D1 sub rdx, 1
.text:00000000004008D5 mov dword ptr [rax], '_'
.text:00000000004008DB add rax, 4
.text:00000000004008DF sub rdx, 1
.text:00000000004008E3 mov dword ptr [rax], 'S'
.text:00000000004008E9 add rax, 4
.text:00000000004008ED sub rdx, 1
.text:00000000004008F1 mov dword ptr [rax], 'R'
.text:00000000004008F7 add rax, 4
.text:00000000004008FB sub rdx, 1
.text:00000000004008FF mov dword ptr [rax], 'S'
.text:0000000000400905 add rax, 4
.text:0000000000400909 sub rdx, 1
.text:000000000040090D mov dword ptr [rax], 'L'
.text:0000000000400913 add rax, 4
.text:0000000000400917 sub rdx, 1
.text:000000000040091B mov dword ptr [rax], 'Y'
.text:0000000000400921 add rax, 4
.text:0000000000400925 lea rcx, [rdx-1]
.text:0000000000400929 mov dword ptr [rax], '}'
.text:000000000040092F lea rdx, [rax+4]
.text:0000000000400933 lea rax, [rcx-1]
You can transcribe the flag straight from this listing or, as the description hints, set a breakpoint at the end and dump the memory. The flag itself:
YUBITSEC{USE_GDB_PEDA_SRSLY}
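The listing builds the flag at run time, one character per dword store, which is why `strings` finds nothing and the description suggests dumping memory instead. As an added example (not from the original write-up), the script below replays those `mov dword ptr [rax], '?'` / `add rax, 4` pairs into a byte buffer and decodes the dump; the embedded listing is a constructed, shortened copy of the one above, and the base address 0x1000 is an arbitrary assumption.

```python
import re
import struct

# Constructed sample: a shortened copy of the IDA listing above. The real
# listing stores all 28 characters the same way, one dword at a time.
LISTING = """\
.text:00000000004007AF mov dword ptr [rax], 'Y'
.text:00000000004007B5 add rax, 4
.text:00000000004007B9 sub rdx, 1
.text:00000000004007BD mov dword ptr [rax], 'U'
.text:00000000004007C3 add rax, 4
.text:00000000004007C7 sub rdx, 1
.text:00000000004007CB mov dword ptr [rax], 'B'
.text:00000000004007D1 add rax, 4
.text:0000000000400925 lea rcx, [rdx-1]
.text:0000000000400929 mov dword ptr [rax], '}'
.text:000000000040092F lea rdx, [rax+4]
"""

STORE = re.compile(r"mov\s+dword ptr \[rax\],\s*'(.)'")
ADD_RAX = re.compile(r"add\s+rax,\s*(\d+)")

def emulate_stores(listing, base=0x1000):
    """Replay the dword stores into a sparse memory map, tracking rax as the
    listing advances it. Returns (contiguous buffer, number of dwords written).
    base is an assumed, arbitrary buffer address."""
    rax = base
    memory = {}
    for line in listing.splitlines():
        m = STORE.search(line)
        if m:
            # A dword store of a char: 4 little-endian bytes, char then zeros.
            memory[rax] = struct.pack("<I", ord(m.group(1)))
            continue
        m = ADD_RAX.search(line)
        if m:
            rax += int(m.group(1))
        # sub rdx / lea lines are length bookkeeping and do not touch memory.
    buf = b"".join(memory[a] for a in sorted(memory))
    return buf, len(memory)

def recover_flag(listing):
    """Decode the dumped buffer as 4-byte characters (UTF-32LE), which is
    exactly what a dword-per-character string looks like in memory."""
    buf, _ = emulate_stores(listing)
    return buf.decode("utf-32-le")

if __name__ == "__main__":
    print(recover_flag(LISTING))
```

Run against the full listing above, the same function returns the complete flag; with the shortened sample it returns only the four characters it contains.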
Password 250
The short description tells us that the flag is a number:
The flag is the password. (Integer)
Flag format: YUBITSEC{}
Download the file, open it in IDA, and after looking through the main function a bit we find the call to the check_password function.
The password is found, and it is also part of the flag:
YUBITSEC{1453}
Reverse The Snake! 275
There is no description again, but there is a *.pyc file. After decompiling it we get the following:
gh0st3rs@leacher-pc:ReverseTheSnake!$ uncompyle6 WTF.pyc
# uncompyle6 version 2.9.10
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.4.3 (default, Nov 17 2016, 01:08:31)
# [GCC 4.8.4]
# Embedded file name: ./decompile.py
# Compiled at: 2017-04-20 04:11:32


def flag():
    a = 5955
    b = 4249
    c = 5453
    d = 4543
    f = 7
    e = 'b4641524557454C4C5F42414C4C41447D'
    flg = str(a) + str(b) + str(c) + str(d) + str(f) + e
    print 'You must decompile me.'
# okay decompiling WTF.pyc
Running the function's concatenation in the interpreter gives us the next flag, or rather its HEX representation:
59554249545345437b4641524557454c4c5f42414c4c41447d -> YUBITSEC{FAREWELL_BALLAD}
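Both The Twin Towers and Reverse The Snake! hide the flag the same way: decimal integers and hex fragments are concatenated into one hex string that the program itself never decodes. As an added example (not the write-up's own code), the helper below replays that concatenation for both tasks, decodes the result, and also decodes the decoy string str5 from the Java if-branch that the class labels "Flag is not here actually...".

```python
def assemble_hex(parts):
    """Concatenate ints (as decimal text) and strings exactly the way
    Integer.toString()/str() + "..." does in the challenge code."""
    return "".join(str(p) for p in parts)

def decode_flag(hexstr):
    """Decode a hex string to ASCII. bytes.fromhex accepts mixed case but
    needs an even number of digits, so an odd length means a missing part."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string: %s" % hexstr)
    return bytes.fromhex(hexstr).decode("ascii")

# The Twin Towers: else-branch parts in the order they are concatenated.
TWIN_TOWERS_PARTS = [59, 554, 249, 545, 345, 437, "B77", 686, "F5F757",
                     "365735F6A6176615F696E5F323031377D"]
# The Twin Towers: decoy string str5 from the if-branch.
TWIN_TOWERS_DECOY = ("59554249545345437B5730575F4D5543485F50524F47"
                     "52414D4D494E475F4A4156417D")
# Reverse The Snake!: parts from the decompiled flag() function.
SNAKE_PARTS = [5955, 4249, 5453, 4543, 7, "b4641524557454C4C5F42414C4C41447D"]

def twin_towers_flag():
    return decode_flag(assemble_hex(TWIN_TOWERS_PARTS))

def twin_towers_decoy():
    return decode_flag(TWIN_TOWERS_DECOY)

def snake_flag():
    return decode_flag(assemble_hex(SNAKE_PARTS))

if __name__ == "__main__":
    print("Twin Towers:      ", twin_towers_flag())
    print("Twin Towers decoy:", twin_towers_decoy())
    print("Snake:            ", snake_flag())
```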
So in total, without significant effort, we get +925 to the overall team rating. Learn reversing, it's interesting!