summaryrefslogblamecommitdiffstats
path: root/docs/writeups/ImaginaryCTF_2021/stings.txt
blob: 906dc21cc1f4e456fecdbdff24a92fcfe1e61bc6 (plain) (tree) 
247683e



































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35



































                                                                                                                                                                                
The Service
-----------
we're given an executable

when run, a picture of a bee is printed out and it asks us for a password

if we're wrong, it exits

if we're right, it also exits, but what we entered is the flag



Reversing
---------
looking at the disassembly...

there is a massive string which, after examining, seems to be the bee picture

there are real stack canaries and the addresses change after first run in gdb, so pwn protections

the bee picture is brought onto the stack

a bunch of processing with it is done

at some point it asks for input

there is a loop that compares each character of the input to each character of the resulting buffer after the processing earlier

it expects each character of the input to be -1 from the character in the buffer (you enter "ictf", but the buffer contains "jdug")



Getting the flag from runtime memory
------------------------------------
we can just run the program in gdb, break before inputting, check the status of the buffer, do the character shift in python, and then we have the input it wants (and the flag)
cgit-1.2.3-r5 | srcnode v0.4.0