YUBITSEC CTF: Learn reverse or +925 rating points in minutes

  • Tutorial

Good day to all. YubitSec’s next CTF has just come to an end , despite the difficulties that arose at the very beginning due to the abundant DDoS of all job sites, the battle was pretty tough. Assignments are still available here .

Gifted 50


The first and easiest task. There is no description, but there is a file , download it and proceed to analysis, and almost immediately we remove the flag:

gh0st3rs@leacher-pc:Gifted$ file gifted
gifted: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=90d4894c52975348b52134af2f3b33b9da7f0112, not stripped
gh0st3rs@leacher-pc:Gifted$ strings gifted | grep YUBIT
YUBITSEC{MEH_IT_IS_SOMETHING}

The Twin Towers 125


There is still no description, but this time instead of the binary, we are offered a java class .
Using jd-gui we get the source code:

Wtf.class
import java.io.PrintStream;
publicclassWtf{
  publicstaticvoidmain(String[] paramArrayOfString){
    System.out.println("Tonight, as we mark the conclusion of our celebration of Black History Month, we are remindedof our Nation's path toward civil rights and the work that still remains. Recent threats targeting Jewish Community Centers and vandalism of Jewish cemeteries, as well as last week's shooting in Kansas City, remind us that while we may be a Nation divided on policies, we are a country that stands united in condemning hate and evil in all its forms.");
    String str = "0YUBITSEC{BUSH_DID_9_11}0";
    if (str == "BUSH DID 9.11") {
      flag();
    }
  }
  publicstaticvoidflag(){
    String str1 = null;
    int i = 3;
    int j = 3;
    String str2 = null;
    j = 0 + j;
    if (j % 2 == 0)
    {
      String str3 = str2 + "error";
      String str4 = "Flag is not here actually...";
      String str5 = "59554249545345437B5730575F4D5543485F50524F4752414D4D494E475F4A4156417D";
    }
    else
    {
      int k = 59;
      int m = 554;
      int n = 249;
      int i1 = 545;
      int i2 = 345;
      int i3 = 437;
      String str6 = "B77";
      int i4 = 686;
      String str7 = "F5F757";
      str1 = Integer.toString(k) + Integer.toString(m) + Integer.toString(n) + Integer.toString(i1) + Integer.toString(i2) + Integer.toString(i3) + str6 + Integer.toString(i4) + str7 + "365735F6A6176615F696E5F323031377D";
    }
    System.out.println(str1);
  }
}


Judging by the code, we are interested in the block, which is located in the else branch , copy this into Python by making small changes, run it:

defflag():
    k = 59
    m = 554
    n = 249
    i1 = 545
    i2 = 345
    i3 = 437
    str6 = "B77"
    i4 = 686
    str7 = "F5F757"
    str1 = str(k) + str(m) + str(n) + str(i1) + str(i2) + str(i3) + str6 + str(i4) + str7 + "365735F6A6176615F696E5F323031377D"
    print(str1)
>>> flag()
59554249545345437B77686F5F757365735F6A6176615F696E5F323031377D

We decode the received HEX string and pick up the new flag:

YUBITSEC {who_uses_java_in_2017}

Reverse101 225


The description contains only 1 phrase:
Jump over it.

And the file is attached . Open it in the IDA:

It's simple...
.text:00000000004007AF                 mov     dword ptr [rax], 'Y'
.text:00000000004007B5                 add     rax, 4
.text:00000000004007B9                 sub     rdx, 1
.text:00000000004007BD                 mov     dword ptr [rax], 'U'
.text:00000000004007C3                 add     rax, 4
.text:00000000004007C7                 sub     rdx, 1
.text:00000000004007CB                 mov     dword ptr [rax], 'B'
.text:00000000004007D1                 add     rax, 4
.text:00000000004007D5                 sub     rdx, 1
.text:00000000004007D9                 mov     dword ptr [rax], 'I'
.text:00000000004007DF                 add     rax, 4
.text:00000000004007E3                 sub     rdx, 1
.text:00000000004007E7                 mov     dword ptr [rax], 'T'
.text:00000000004007ED                 add     rax, 4
.text:00000000004007F1                 sub     rdx, 1
.text:00000000004007F5                 mov     dword ptr [rax], 'S'
.text:00000000004007FB                 add     rax, 4
.text:00000000004007FF                 sub     rdx, 1
.text:0000000000400803                 mov     dword ptr [rax], 'E'
.text:0000000000400809add     rax, 4
.text:000000000040080D                 sub     rdx, 1
.text:0000000000400811                 mov     dword ptr [rax], 'C'
.text:0000000000400817add     rax, 4
.text:000000000040081B                 sub     rdx, 1
.text:000000000040081F                 mov     dword ptr [rax], '{'
.text:0000000000400825add     rax, 4
.text:0000000000400829                 sub     rdx, 1
.text:000000000040082D                 mov     dword ptr [rax], 'U'
.text:0000000000400833add     rax, 4
.text:0000000000400837                 sub     rdx, 1
.text:000000000040083B                 mov     dword ptr [rax], 'S'
.text:0000000000400841add     rax, 4
.text:0000000000400845                 sub     rdx, 1
.text:0000000000400849                 mov     dword ptr [rax], 'E'
.text:000000000040084F                 add     rax, 4
.text:0000000000400853                 sub     rdx, 1
.text:0000000000400857                 mov     dword ptr [rax], '_'
.text:000000000040085D                 add     rax, 4
.text:0000000000400861                 sub     rdx, 1
.text:0000000000400865                 mov     dword ptr [rax], 'G'
.text:000000000040086B                 add     rax, 4
.text:000000000040086F                 sub     rdx, 1
.text:0000000000400873                 mov     dword ptr [rax], 'D'
.text:0000000000400879add     rax, 4
.text:000000000040087D                 sub     rdx, 1
.text:0000000000400881                 mov     dword ptr [rax], 'B'
.text:0000000000400887add     rax, 4
.text:000000000040088B                 sub     rdx, 1
.text:000000000040088F                 mov     dword ptr [rax], '_'
.text:0000000000400895add     rax, 4
.text:0000000000400899                 sub     rdx, 1
.text:000000000040089D                 mov     dword ptr [rax], 'P'
.text:00000000004008A3                 add     rax, 4
.text:00000000004008A7                 sub     rdx, 1
.text:00000000004008AB                 mov     dword ptr [rax], 'E'
.text:00000000004008B1                 add     rax, 4
.text:00000000004008B5                 sub     rdx, 1
.text:00000000004008B9                 mov     dword ptr [rax], 'D'
.text:00000000004008BF                 add     rax, 4
.text:00000000004008C3                 sub     rdx, 1
.text:00000000004008C7                 mov     dword ptr [rax], 'A'
.text:00000000004008CD                 add     rax, 4
.text:00000000004008D1                 sub     rdx, 1
.text:00000000004008D5                 mov     dword ptr [rax], '_'
.text:00000000004008DB                 add     rax, 4
.text:00000000004008DF                 sub     rdx, 1
.text:00000000004008E3                 mov     dword ptr [rax], 'S'
.text:00000000004008E9add     rax, 4
.text:00000000004008ED                 sub     rdx, 1
.text:00000000004008F1                 mov     dword ptr [rax], 'R'
.text:00000000004008F7                 add     rax, 4
.text:00000000004008FB                 sub     rdx, 1
.text:00000000004008FF                 mov     dword ptr [rax], 'S'
.text:0000000000400905add     rax, 4
.text:0000000000400909                 sub     rdx, 1
.text:000000000040090D                 mov     dword ptr [rax], 'L'
.text:0000000000400913add     rax, 4
.text:0000000000400917                 sub     rdx, 1
.text:000000000040091B                 mov     dword ptr [rax], 'Y'
.text:0000000000400921add     rax, 4
.text:0000000000400925                 lea     rcx, [rdx-1]
.text:0000000000400929                 mov     dword ptr [rax], '}'
.text:000000000040092F                 lea     rdx, [rax+4]
.text:0000000000400933                 lea     rax, [rcx-1]


You can rewrite directly from here or as suggested in the description, put the break at the end and dump the memory. Flag itself:

YUBITSEC {USE_GDB_PEDA_SRSLY}

Password 250


From a short description it follows that the flag is a number:
The flag is the password. (Integer)

Flag format: YUBITSEC {}

Download the file and run the IDA and look through the main function a bit and find the call to the check_password function : The



password is found, it is also part of the flag:
YUBITSEC {1453}

Reverse The Snake! 275


There is no description again, but there is a * .pyc file . After decompilation we get the following:

gh0st3rs@leacher-pc:ReverseTheSnake!$ uncompyle6 WTF.pyc 
# uncompyle6 version 2.9.10# Python bytecode 2.7 (62211)# Decompiled from: Python 3.4.3 (default, Nov 17 2016, 01:08:31) # [GCC 4.8.4]# Embedded file name: ./decompile.py# Compiled at: 2017-04-20 04:11:32
def flag():
    a = 5955
    b = 4249
    c = 5453
    d = 4543
    f = 7
    e = 'b4641524557454C4C5F42414C4C41447D'
    flg = str(a) + str(b) + str(c) + str(d) + str(f) + e
print'You must decompile me.'# okay decompiling WTF.pyc

After starting the function in the interpreter, we get the next flag, or rather its HEX representation:
59554249545345437b4641524557454c4c5f42414c4c41447d -> YUBITSEC {FAREWELL_BALLAD}

Thus, in total, without significant effort, we get +925 to the overall team rating. Learn reverse - it's interesting!

Also popular now: