
#IceCTF - Thor's a hacker now

I spent over half an hour solving this task, even though it wasn't a hard one. But thanks to this exercise I had to learn how to use regular expressions in my text editor :) The text file attached to this task looked exactly like this (but was much larger):
00000000: 4c5a 4950 01b3 007f b61b edf0 8440 58e3  LZIP.........@X.
00000010: 91de 1027 5861 8a67 4282 46a4 92f9 4cad  ...'Xa.gB.F...L.
00000020: 2d5d 14eb 3099 2c31 01c2 d13a 74d2 c620  -]..0.,1...:t.. 
00000030: de27 3a8f fa92 0644 5468 2d02 01fa 24bb  .':....DTh-...$.
00000040: 719f a0fd a191 1678 8bff a2c4 2627 9871  q......x....&'.q
00000050: 83bf cff2 f8af 99fa c465 2b7c 6bdf ee3c  .........e+|k..<
00000060: b71b f61b 0b5e 0ce7 d14f f6a8 0466 6470  .....^...O...fdp
00000070: de67 02da 7be1 1abd e9f0 ac87 131a bcc0  .g..{...........
00000080: 0b0b 9f31 9400 48e3 616a 8f3f 4804 79ad  ...1..H.aj.?H.y.
00000090: a6bb 863a f641 01da b1ee c4fe b338 9289  ...:.A.......8..
000000a0: 2a90 8302 4170 773c 88d3 2641 d274 f533  *...Apw<..&A.t.3
000000b0: 84cf e7d9 f687 3b12 1516 970e 04c2 cfdd  ......;.........
000000c0: c1ca dc46 981d 2a7c 1b39 cb0b 4f8c 58cc  ...F..*|.9..O.X.
000000d0: 46b4 9744 4cb1 fbd3 c632 f36d ecbf 4789  F..DL....2.m..G.
000000e0: 00b8 d4fc 51a8 394e de2a 1a2d 3c43 179c  ....Q.9N.*.-<C..
000000f0: 9623 f971 2935 9564 9e15 c771 c3d5 d8b1  .#.q)5.d...q....
00000100: a7fa 3c0c f869 b829 f6d6 f145 6d57 b3a1  ..<..i.)...EmW..
00000110: bd3f 3fc2 a41f 7e35 089c de29 1d55 debf  .??...~5...).U..
00000120: 5400 c548 5c02 cd6c f853 e3e6 56b2 e395  T..H\..l.S..V...
00000130: 29d8 3985 d307 d46e 854c 4987 aab8 a5cb  ).9....n.LI.....
00000140: 2fea 6b20 6d24 34b3 a2a3 c8e4 247c 6681  /.k m$4.....$|f.
It's obvious what we have to do to obtain the flag: strip the unnecessary parts (the offset column and the ASCII column) from this text file and fill a new file with the hex values. We can use any editor that supports regular expressions, but I wrote some code in C to do that:
 
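#include <cstring>
#include <iostream>
#include <fstream>

using namespace std;

int main(void)
{
 int procent = 0;

 ifstream plik;
 plik.open("ctf2.txt");

 ofstream plik2;
 plik2.open("output.txt");

 char *buf = new char[100];

 // ctf2.txt has 21117 lines of hex dump
 for (int i = 0; i < 21117; i++)
 {
  // stop early if the file is shorter than expected
  if (!plik.getline(buf, 100)) break;
  int len = strlen(buf);
  // columns 10..50 hold the hex groups; the offset (columns 0..9)
  // and the ASCII column (from column 51) are skipped
  for (int j = 10; j <= 50 && j < len; j++)
  {
   if (buf[j] != ' ')
   {
    plik2 << buf[j];
   }
  }
  // 211 lines are roughly 1% of the file
  if (i % 211 == 0)
  {
   cout << "\r" << procent << "% done!" << flush;
   procent ++;
  }
 }

 plik.close();
 plik2.close();

 delete [] buf;
 return 0;
}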
ctf2.txt was the task's text file ----> here,
and the code to produce another C source from these raw bytes is downloadable here. Now we have raw hexadecimal, which we have to put into a file. I used code like this to do it:

#include <iostream>
#include <fstream>
using namespace std;
// unsigned char, so byte values above 0x7f are valid initializers
unsigned char tab[] = { /* here goes the tab with all hexes */ };

int main(void)
{
 ofstream plik;
 // binary mode, so no newline translation corrupts the archive
 plik.open("binary.zip", ofstream::binary);
 for (size_t i = 0; i < sizeof(tab); i++) plik.put(tab[i]);
 plik.close();
 return 0;
}
The next thing to do is unpack our new archive using lzip (just google it if you don't have it on your machine) and obtain an image with the flag. That's it!
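The two steps above (stripping the dump, then writing the bytes) can be done in one pass, without the hard-coded line count or the generated byte table. This is an added example, not the author's code: the names `decode_xxd`, `looks_like_lzip` and `SAMPLE`, and the file names in the usage comment, are assumptions, and the sample reuses the first line of the dump above plus a constructed short last line.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample: first line of the dump above plus a made-up short last line.
const std::string SAMPLE =
    "00000000: 4c5a 4950 01b3 007f b61b edf0 8440 58e3  LZIP.........@X.\n"
    "00000010: 91de 10                                  ...\n";

// Decode hex-dump text into raw bytes. Only columns 10..48 are read, so
// hex-looking characters in the ASCII column never reach the output.
std::vector<uint8_t> decode_xxd(const std::string &text) {
    std::vector<uint8_t> out;
    std::istringstream in(text);
    std::string line, digits;
    while (std::getline(in, line)) {
        if (line.size() < 10 || line[8] != ':') continue;  // not a dump line
        digits.clear();
        for (size_t j = 10; j < line.size() && j <= 48; j++) {
            unsigned char c = line[j];
            bool pad = c == ' ' && j + 1 < line.size() && line[j + 1] == ' ';
            if (pad || (c != ' ' && !std::isxdigit(c))) break;  // end of hex field
            if (c != ' ') digits += c;
        }
        for (size_t k = 0; k + 1 < digits.size(); k += 2)
            out.push_back(static_cast<uint8_t>(std::stoul(digits.substr(k, 2), nullptr, 16)));
    }
    return out;
}

// An lzip member starts with the magic "LZIP" followed by version byte 1.
bool looks_like_lzip(const std::vector<uint8_t> &b) {
    return b.size() >= 5 && std::string(b.begin(), b.begin() + 4) == "LZIP" && b[4] == 1;
}

int main() {  // usage (hypothetical names): ./unxxd < ctf2.txt > out.lz
    std::string text((std::istreambuf_iterator<char>(std::cin)), std::istreambuf_iterator<char>());
    std::vector<uint8_t> bytes = decode_xxd(text);
    if (!looks_like_lzip(bytes)) { std::cerr << "no LZIP header\n"; return 1; }
    std::cout.write(reinterpret_cast<const char *>(bytes.data()), bytes.size());
    return 0;
}
```

Checking the header before writing catches a mis-stripped dump early, since lzip would otherwise reject the file with a less specific error.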
