
YUBITSEC CTF: Learn reversing, or +925 rating points in a few minutes


Good day to all. The latest CTF from YubitSec has just ended. Despite the difficulties at the very beginning, caused by heavy DDoS against all the sites hosting the tasks, the battle was quite tough. The tasks are still available via the link.

Gifted 50


The first and easiest task. There is no description, but there is a file. Download it, start the analysis, and almost immediately pick up the flag:

    gh0st3rs@leacher-pc:Gifted$ file gifted
    gifted: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=90d4894c52975348b52134af2f3b33b9da7f0112, not stripped
    gh0st3rs@leacher-pc:Gifted$ strings gifted | grep YUBIT
    YUBITSEC{MEH_IT_IS_SOMETHING}

The Twin Towers 125


Again there is no description, but this time, instead of a binary, we are given a Java class.
Using jd-gui, we extract the source code:
Wtf.class
    import java.io.PrintStream;

    public class Wtf {
        public static void main(String[] paramArrayOfString) {
            System.out.println("Tonight, as we mark the conclusion of our celebration of Black History Month, we are remindedof our Nation's path toward civil rights and the work that still remains. Recent threats targeting Jewish Community Centers and vandalism of Jewish cemeteries, as well as last week's shooting in Kansas City, remind us that while we may be a Nation divided on policies, we are a country that stands united in condemning hate and evil in all its forms.");
            String str = "0YUBITSEC{BUSH_DID_9_11}0";
            if (str == "BUSH DID 9.11") {
                flag();
            }
        }

        public static void flag() {
            String str1 = null;
            int i = 3;
            int j = 3;
            String str2 = null;
            j = 0 + j;
            if (j % 2 == 0) {
                String str3 = str2 + "error";
                String str4 = "Flag is not here actually...";
                String str5 = "59554249545345437B5730575F4D5543485F50524F4752414D4D494E475F4A4156417D";
            } else {
                int k = 59;
                int m = 554;
                int n = 249;
                int i1 = 545;
                int i2 = 345;
                int i3 = 437;
                String str6 = "B77";
                int i4 = 686;
                String str7 = "F5F757";
                str1 = Integer.toString(k) + Integer.toString(m) + Integer.toString(n) + Integer.toString(i1) + Integer.toString(i2) + Integer.toString(i3) + str6 + Integer.toString(i4) + str7 + "365735F6A6176615F696E5F323031377D";
            }
            System.out.println(str1);
        }
    }


Judging by the code, we are interested in the block in the else branch. Copy it into Python with small changes and run it:

    def flag():
        k = 59
        m = 554
        n = 249
        i1 = 545
        i2 = 345
        i3 = 437
        str6 = "B77"
        i4 = 686
        str7 = "F5F757"
        str1 = str(k) + str(m) + str(n) + str(i1) + str(i2) + str(i3) + str6 + str(i4) + str7 + "365735F6A6176615F696E5F323031377D"
        print(str1)

    >>> flag()
    59554249545345437B77686F5F757365735F6A6176615F696E5F323031377D

We decode the resulting hex string and pick up the new flag:

YUBITSEC{who_uses_java_in_2017}

Reverse101 225


The description contains only one phrase:
Jump over it.

A file is attached. Open it in IDA:

It's simple...
    .text:00000000004007AF mov dword ptr [rax], 'Y'
    .text:00000000004007B5 add rax, 4
    .text:00000000004007B9 sub rdx, 1
    .text:00000000004007BD mov dword ptr [rax], 'U'
    .text:00000000004007C3 add rax, 4
    .text:00000000004007C7 sub rdx, 1
    .text:00000000004007CB mov dword ptr [rax], 'B'
    .text:00000000004007D1 add rax, 4
    .text:00000000004007D5 sub rdx, 1
    .text:00000000004007D9 mov dword ptr [rax], 'I'
    .text:00000000004007DF add rax, 4
    .text:00000000004007E3 sub rdx, 1
    .text:00000000004007E7 mov dword ptr [rax], 'T'
    .text:00000000004007ED add rax, 4
    .text:00000000004007F1 sub rdx, 1
    .text:00000000004007F5 mov dword ptr [rax], 'S'
    .text:00000000004007FB add rax, 4
    .text:00000000004007FF sub rdx, 1
    .text:0000000000400803 mov dword ptr [rax], 'E'
    .text:0000000000400809 add rax, 4
    .text:000000000040080D sub rdx, 1
    .text:0000000000400811 mov dword ptr [rax], 'C'
    .text:0000000000400817 add rax, 4
    .text:000000000040081B sub rdx, 1
    .text:000000000040081F mov dword ptr [rax], '{'
    .text:0000000000400825 add rax, 4
    .text:0000000000400829 sub rdx, 1
    .text:000000000040082D mov dword ptr [rax], 'U'
    .text:0000000000400833 add rax, 4
    .text:0000000000400837 sub rdx, 1
    .text:000000000040083B mov dword ptr [rax], 'S'
    .text:0000000000400841 add rax, 4
    .text:0000000000400845 sub rdx, 1
    .text:0000000000400849 mov dword ptr [rax], 'E'
    .text:000000000040084F add rax, 4
    .text:0000000000400853 sub rdx, 1
    .text:0000000000400857 mov dword ptr [rax], '_'
    .text:000000000040085D add rax, 4
    .text:0000000000400861 sub rdx, 1
    .text:0000000000400865 mov dword ptr [rax], 'G'
    .text:000000000040086B add rax, 4
    .text:000000000040086F sub rdx, 1
    .text:0000000000400873 mov dword ptr [rax], 'D'
    .text:0000000000400879 add rax, 4
    .text:000000000040087D sub rdx, 1
    .text:0000000000400881 mov dword ptr [rax], 'B'
    .text:0000000000400887 add rax, 4
    .text:000000000040088B sub rdx, 1
    .text:000000000040088F mov dword ptr [rax], '_'
    .text:0000000000400895 add rax, 4
    .text:0000000000400899 sub rdx, 1
    .text:000000000040089D mov dword ptr [rax], 'P'
    .text:00000000004008A3 add rax, 4
    .text:00000000004008A7 sub rdx, 1
    .text:00000000004008AB mov dword ptr [rax], 'E'
    .text:00000000004008B1 add rax, 4
    .text:00000000004008B5 sub rdx, 1
    .text:00000000004008B9 mov dword ptr [rax], 'D'
    .text:00000000004008BF add rax, 4
    .text:00000000004008C3 sub rdx, 1
    .text:00000000004008C7 mov dword ptr [rax], 'A'
    .text:00000000004008CD add rax, 4
    .text:00000000004008D1 sub rdx, 1
    .text:00000000004008D5 mov dword ptr [rax], '_'
    .text:00000000004008DB add rax, 4
    .text:00000000004008DF sub rdx, 1
    .text:00000000004008E3 mov dword ptr [rax], 'S'
    .text:00000000004008E9 add rax, 4
    .text:00000000004008ED sub rdx, 1
    .text:00000000004008F1 mov dword ptr [rax], 'R'
    .text:00000000004008F7 add rax, 4
    .text:00000000004008FB sub rdx, 1
    .text:00000000004008FF mov dword ptr [rax], 'S'
    .text:0000000000400905 add rax, 4
    .text:0000000000400909 sub rdx, 1
    .text:000000000040090D mov dword ptr [rax], 'L'
    .text:0000000000400913 add rax, 4
    .text:0000000000400917 sub rdx, 1
    .text:000000000040091B mov dword ptr [rax], 'Y'
    .text:0000000000400921 add rax, 4
    .text:0000000000400925 lea rcx, [rdx-1]
    .text:0000000000400929 mov dword ptr [rax], '}'
    .text:000000000040092F lea rdx, [rax+4]
    .text:0000000000400933 lea rax, [rcx-1]


You can read the flag straight off the listing or, as the description suggests, set a breakpoint at the end and dump the memory. The flag itself:

YUBITSEC{USE_GDB_PEDA_SRSLY}
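Why the listing or a memory dump is needed here, while `strings | grep` was enough for Gifted: each character is a 32-bit immediate inside its own instruction, so the flag bytes never sit next to each other in the file. The following is an added example, not part of the original write-up; the opcode bytes are the standard x86-64 encodings (an assumption, consistent with the 6/4/4-byte address steps in the listing), the sample code bytes are constructed, and the function names are hypothetical.

```python
import re
import struct

# Standard x86-64 encodings of the listing's instructions (assumed; the
# binary itself is not on the page, only its disassembly).
STORE = b"\xc7\x00"               # mov dword ptr [rax], imm32  (6 bytes total)
ADD_RAX_4 = b"\x48\x83\xc0\x04"   # add rax, 4
SUB_RDX_1 = b"\x48\x83\xea\x01"   # sub rdx, 1

def build_sample(text):
    """Constructed stand-in for the challenge code: one store per character."""
    step = ADD_RAX_4 + SUB_RDX_1
    return b"".join(STORE + struct.pack("<I", ord(c)) + step for c in text)

def ascii_runs(code, min_len=4):
    """What `strings` looks for: runs of consecutive printable bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, code)

def extract_stack_strings(code, min_len=4, max_gap=16):
    """Linear scan for runs of `mov dword ptr [rax], imm32` with printable imm32.

    Stores more than max_gap bytes apart start a new run; runs shorter than
    min_len are dropped as noise. Heuristic only, no real disassembly.
    """
    runs, current, last_end, i = [], [], None, 0
    while i + 6 <= len(code):
        (imm,) = struct.unpack_from("<I", code, i + 2)
        if code[i:i + 2] != STORE or not 0x20 <= imm <= 0x7E:
            i += 1
            continue
        if last_end is not None and i - last_end > max_gap:
            if len(current) >= min_len:
                runs.append("".join(current))
            current = []
        current.append(chr(imm))
        last_end = i + 6
        i += 6
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs

if __name__ == "__main__":
    sample = build_sample("YUBITSEC{USE_GDB_PEDA_SRSLY}")
    print("strings-style:", ascii_runs(sample))
    print("store scan:   ", extract_stack_strings(sample))
```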

Password 250


From a short description it follows that the flag is a number:
The flag is the password. (Integer)

Flag format: YUBITSEC{}

Download the file, open it in IDA, look through the main function, and find the call to check_password:



The password is found; it is also part of the flag:
YUBITSEC{1453}

Reverse The Snake! 275


Again there is no description, but there is a *.pyc file. After decompiling, we get the following:

    gh0st3rs@leacher-pc:ReverseTheSnake!$ uncompyle6 WTF.pyc
    # uncompyle6 version 2.9.10
    # Python bytecode 2.7 (62211)
    # Decompiled from: Python 3.4.3 (default, Nov 17 2016, 01:08:31)
    # [GCC 4.8.4]
    # Embedded file name: ./decompile.py
    # Compiled at: 2017-04-20 04:11:32

    def flag():
        a = 5955
        b = 4249
        c = 5453
        d = 4543
        f = 7
        e = 'b4641524557454C4C5F42414C4C41447D'
        flg = str(a) + str(b) + str(c) + str(d) + str(f) + e
        print 'You must decompile me.'
    # okay decompiling WTF.pyc

After running the function in the interpreter, we get the next flag, or rather its hex representation:
59554249545345437b4641524557454c4c5f42414c4c41447d -> YUBITSEC{FAREWELL_BALLAD}
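The hex-decoding step used in The Twin Towers and Reverse The Snake!, as an added example that is not part of the original write-up (function and variable names are hypothetical; the fragments are copied from the decompiled sources above). It also decodes `str5` from the branch of the Java `flag()` that never runs, since `j` is 3 and `j % 2 == 0` is false.

```python
import re

# Flag shape as it appears in the `strings` output of the first task.
FLAG_RE = re.compile(r"YUBITSEC\{[^{}]+\}")

def decode_fragments(parts):
    """Join int/str fragments the way the challenge code does, then hex-decode.

    Returns the decoded flag, or None when the joined text is not valid hex
    (odd length, stray characters), is not ASCII, or is not flag-shaped.
    """
    hex_text = "".join(str(p) for p in parts)
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hex_text):
        return None
    try:
        text = bytes.fromhex(hex_text).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if FLAG_RE.fullmatch(text) else None

# Fragments copied from the decompiled sources shown on this page.
JAVA_ELSE = [59, 554, 249, 545, 345, 437, "B77", 686, "F5F757",
             "365735F6A6176615F696E5F323031377D"]
JAVA_IF_STR5 = [
    "59554249545345437B5730575F4D5543485F50524F4752414D4D494E475F4A4156417D"
]
SNAKE = [5955, 4249, 5453, 4543, 7, "b4641524557454C4C5F42414C4C41447D"]

if __name__ == "__main__":
    for name, parts in [("Wtf.flag() else branch", JAVA_ELSE),
                        ("Wtf.flag() if branch, str5", JAVA_IF_STR5),
                        ("WTF.pyc flag()", SNAKE)]:
        print(f"{name}: {decode_fragments(parts)}")
```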

Thus, in total, without significant effort, we get +925 to the team's overall rating. Learn reverse engineering, it's interesting!

Source: https://habr.com/ru/post/327290/

