Reverse Engineering Write-up | The Cyber Grabs CTF 0x02.

by Nihal Umar

The Cyber Grabs CTF

Reverseenc0

It's quite a simple binary, just on the opposite of MD5 resides the key to points.
Flag format: cybergrabs{}
Author: Elemental X

Solution:

Open the binary in IDA and check the Strings window. The binary is packed with UPX, so we run upx -d to unpack it. Running ldd to check the shared library dependencies shows that the binary depends on libgo.so.13, so this is a Golang binary.

Golang binaries have an entry point at main_main, so we can trace execution from there. Before the flag is shown in main_notmain+4FA, the string “revpwn” is moved onto the stack.

```nasm
mov     byte ptr [rbp-226h], 72h ; 'r'
mov     byte ptr [rbp-225h], 65h ; 'e'
mov     byte ptr [rbp-224h], 76h ; 'v'
mov     byte ptr [rbp-223h], 70h ; 'p'
mov     byte ptr [rbp-222h], 77h ; 'w'
mov     byte ptr [rbp-221h], 6Eh ; 'n'
```

Then, the methods _runtime_slicebytetostring, _runtime_slicestringtobyte and _encoding_hex_EncodeToString are called on the string.

After checking the documentation for those Golang functions, we can infer that the flag is “revpwn” converted to hex representation.

"revpwn" --> "72657670776e" --> cybergrabs{72657670776e}

cybergrabs{72657670776e}

GOOFYSYS

It's quite a simple binary, which has multiple hurdles in the form of characters, make sure to get that final magic hash which leads you to the flag.
Flag format: cybergrabs{}
Author: Elemental X

Solution:

Literally the same process as Reverseenc0. You don’t need to care about any of the checks. Just find where the flag is printed, get the string that is moved onto the stack and convert it to its hex representation.

"string" --> "737472696e67" --> cybergrabs{737472696e67}

cybergrabs{737472696e67}
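The recovery step used for both Reverseenc0 and GOOFYSYS can be scripted. The following is an added example, not part of the original write-up: it parses IDA-style byte stores like the listing above, rebuilds the stack string by address, and hex-encodes it into the flag format. The function names and the regex are assumptions made here, and the sample listing is the Reverseenc0 stores deliberately reordered to show that the result does not depend on instruction order.

```python
import re

# Matches IDA-style single-byte stack stores, e.g.
#   mov     byte ptr [rbp-226h], 72h ; 'r'
# IDA drops the 'h' suffix for values below 0Ah, so the suffix is optional.
STORE_RE = re.compile(
    r"mov\s+byte ptr \[rbp-([0-9A-Fa-f]+)h?\],\s*([0-9A-Fa-f]+)h?"
)

def recover_stack_string(listing: str) -> bytes:
    """Rebuild the byte string written by a run of single-byte stack stores."""
    stores = {}
    for line in listing.splitlines():
        m = STORE_RE.search(line)
        if m:
            offset = int(m.group(1), 16)          # distance below rbp
            stores[offset] = int(m.group(2), 16)  # byte value written
    if not stores:
        raise ValueError("no byte stores found in listing")
    # A larger rbp-relative offset is a lower address, i.e. an earlier character.
    offsets = sorted(stores, reverse=True)
    for hi, lo in zip(offsets, offsets[1:]):
        if hi - lo != 1:
            raise ValueError(f"gap between rbp-{hi:X}h and rbp-{lo:X}h")
    return bytes(stores[o] for o in offsets)

def to_flag(data: bytes) -> str:
    """Hex-encode the recovered bytes, as encoding/hex EncodeToString does."""
    return "cybergrabs{" + data.hex() + "}"

# Constructed sample: the Reverseenc0 stores from the write-up, shuffled.
SAMPLE_LISTING = """
mov     byte ptr [rbp-223h], 70h ; 'p'
mov     byte ptr [rbp-226h], 72h ; 'r'
mov     byte ptr [rbp-221h], 6Eh ; 'n'
mov     byte ptr [rbp-224h], 76h ; 'v'
mov     byte ptr [rbp-222h], 77h ; 'w'
mov     byte ptr [rbp-225h], 65h ; 'e'
"""

if __name__ == "__main__":
    recovered = recover_stack_string(SAMPLE_LISTING)
    print(recovered.decode("ascii"), "->", to_flag(recovered))
```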

Credit: CATS SG