DefCon 28 and GrayHat 2020 CTF Writeups
Created On 13. Sep 2020
Updated: 2021-12-29 02:22:23.335054000 +0000
Created By: acidghost
Here are some Red Team's Village CTFs writeups from DC and GH that took place in 2020. The full list from the pre-qualifiers at DefCon you can find mentioned also in /posts/39
The writeups are from DefCon and the links you can find at the bottom are from other participants, where you can also find ones for GrayHat.
RE - Debug me
this is quite a rather easy example for those already have some experience in reverse engineering, With such files, we need to debug, disassemble, decompile - anything what works best.
There are many great tools for this job and my personal favorite is radare2. If you just started, you can throw a look at IDA, a so called industry standard that has also a freeware without debugger, GDB that is most popular choice on Linux systems, Immunity for Windows or Hopper for Mac OS. Mind that not all tools work with all type of files, and there isn't really much in what radare2 gives in to others and one of its cool features is that it can be used cross-platform.
Make the file executable with
chmod +x ./re_me
This is not required to decompile it, but now you can run with
./re_me and you should see the output There's a flag here somewhere?
You can as well type in terminal
strings s and find this phrase in the list of referenced strings.
Run it in radare2 with
You will see we landed in some memory address. Typing
afl does not display any functions.
aaa and more a's will perform an experiment analysis and now
afl will list some functions found.
Navigate to the main function with
s main, which is short for seek to main. Type
There is not a lot, but interesting is the .vuln function that is called within.
s sym.vuln and display the function with
V or enter visual mode with
VV and cycle through the views with
p. Upon closer inspection, something interesting can be seen
r2's decompiler is displaying the bit contents of memory that are being moved. We can see it
Analyzing the main function, the call to vuln is executed after the string is displayed. You can set breakpoints with
db 0xaddress and execute it with
dc. Step with F7 and continue execution with F9. Stepping within the vuln function, the flag can be seen decrypted above.
Do you know how you can actually output that flag?
Forensics - Internet Traffic
For this job, Wireshark is used to analyze the contents of the message within the .pcap file. Wireshark can display the sniffed internet traffic which can be used to track target's actions on corresponding networks.
On closer inspection on one of the packets
I guess you can see it as well
Can you crack the other mysteries about the mysterious Tom Nook as well?
Pwn - Clicker
this is a very amusing game, where it is required to click 10 million times to get the flag. If it everything was that easy (and annoying).
Running r2 in debug mode
r2 -d clicker
Scrolling through the main function an interesting
sym.secret_function can be found. Going there
s sym.secret_function and display with
The flag is there, but because the values are being moved, the order is random and from this an exact guess can't be made.
On closer inspection in the main function, there is a step where
secret_function is jumped over through the constant iteration.
jle in other words jump if less or equal. Above run a comparison, for what must be the user input and if the condition is met it will skip the
From here hit the breakpoint with
db 0x00401405 and go there with
Jump can be written as following
wa jne 0x401411.
Navigating through the function, it will step on and go past the secret function. With this not much was actually achieved, but it made our day even worse by neutralizing the multiplier and leaving it forever at 1.
So what is it? Well, seems there is not much within main that can trigger the secret function.
aah wait! happened here?
You can find further writeups on Tiger Tunes here https://medium.com/@mnkmukhi/defcon-red-team-ctf-tiger-tunes-a447eb593c4a
I copied the website so you can enjoy playing with it offline!
Here you can find the writeup for the tunneler challenges that took place at Gray Hat and were very similar to those from DefCon https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/
Make sure to not miss the next events, so stay tuned!