DefCon 28 and GrayHat 2020 CTF Writeups

Created On 13. Sep 2020

Updated: 2021-12-29 02:22:23.335054000 +0000

Created By: acidghost

Here are some Red Team's Village CTFs writeups from DC and GH that took place in 2020. The full list from the pre-qualifiers at DefCon you can find mentioned also in /posts/39
The writeups are from DefCon and the links you can find at the bottom are from other participants, where you can also find ones for GrayHat.

RE - Debug me

https://drive.google.com/file/d/14Bd7DuJNzITFH2F6aSUIZpsF5I4w86_A/view?usp=sharing

this is quite a rather easy example for those already have some experience in reverse engineering, With such files, we need to debug, disassemble, decompile - anything what works best.
There are many great tools for this job and my personal favorite is radare2. If you just started, you can throw a look at IDA, a so called industry standard that has also a freeware without debugger, GDB that is most popular choice on Linux systems, Immunity for Windows or Hopper for Mac OS. Mind that not all tools work with all type of files, and there isn't really much in what radare2 gives in to others and one of its cool features is that it can be used cross-platform.

Make the file executable with chmod +x ./re_me
This is not required to decompile it, but now you can run with ./re_me and you should see the output There's a flag here somewhere?
You can as well type in terminal strings s and find this phrase in the list of referenced strings.

Run it in radare2 with r2 re_me
You will see we landed in some memory address. Typing afl does not display any functions. aaa and more a's will perform an experiment analysis and now afl will list some functions found.

Navigate to the main function with s main, which is short for seek to main. Type pdf to disassemble the function.

There is not a lot, but interesting is the .vuln function that is called within.
Going there s sym.vuln and display the function with V or enter visual mode with VV and cycle through the views with p. Upon closer inspection, something interesting can be seen

r2's decompiler is displaying the bit contents of memory that are being moved. We can see it flag{akCMdnek319D3DCza234-S}
Analyzing the main function, the call to vuln is executed after the string is displayed. You can set breakpoints with db 0xaddress and execute it with dc. Step with F7 and continue execution with F9. Stepping within the vuln function, the flag can be seen decrypted above.

Do you know how you can actually output that flag?

Forensics - Internet Traffic

https://drive.google.com/file/d/1Cgrqq79nlcR4y6xFLvKJ5kiNRLoj0eIU/view?usp=sharing

For this job, Wireshark is used to analyze the contents of the message within the .pcap file. Wireshark can display the sniffed internet traffic which can be used to track target's actions on corresponding networks.

On closer inspection on one of the packets

I guess you can see it as well :shipit:
Can you crack the other mysteries about the mysterious Tom Nook as well?

Pwn - Clicker

https://drive.google.com/file/d/17Z7Ki1Iu1y-06jcuxO9HDuqMYnh9b50m/view?usp=sharing

this is a very amusing game, where it is required to click 10 million times to get the flag. If it everything was that easy (and annoying).

Running r2 in debug mode r2 -d clicker
Scrolling through the main function an interesting sym.secret_function can be found. Going there s sym.secret_function and display with VV.

The flag is there, but because the values are being moved, the order is random and from this an exact guess can't be made.
On closer inspection in the main function, there is a step where secret_function is jumped over through the constant iteration.

jle in other words jump if less or equal. Above run a comparison, for what must be the user input and if the condition is met it will skip the secret_function.
From here hit the breakpoint with db 0x00401405 and go there with VV.
Jump can be written as following wa jne 0x401411.

Navigating through the function, it will step on and go past the secret function. With this not much was actually achieved, but it made our day even worse by neutralizing the multiplier and leaving it forever at 1.
So what is it? Well, seems there is not much within main that can trigger the secret function.
aah wait! happened here? :shipit:

You can find further writeups on Tiger Tunes here https://medium.com/@mnkmukhi/defcon-red-team-ctf-tiger-tunes-a447eb593c4a
I copied the website so you can enjoy playing with it offline!
https://drive.google.com/file/d/1dRKS3kmTHtz_kaVZS-qHTAqNmnoe-pBC/view?usp=sharing

Here you can find the writeup for the tunneler challenges that took place at Gray Hat and were very similar to those from DefCon https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/

Make sure to not miss the next events, so stay tuned!

Section: Events

Back