Add challenge 9 of the google ctf beginners quest

alternate-navbar
Maik de Kruif 3 years ago
parent e75ee517f3
commit 16f049dd09
Signed by: maik
GPG Key ID: 44A55AD1F0673FA6
  1. content/writeups/google-ctf/2021/beginners-quest/6.md (2 lines changed)
  2. content/writeups/google-ctf/2021/beginners-quest/9.md (97 lines changed)
  3. static/files/writeups/google-ctf/2021/beginners-quest/9/bzImage.elf (binary)
  4. static/img/writeups/google-ctf/2021/beginners-quest/9/cover.png (binary)

@ -39,7 +39,7 @@ This one is a doozie. We found this weird file on a memory stick with a post-it
The manager shouts after you to come back, but you don’t listen. You are uncompromisingly determined to hunt down the assassin. The assassin turns over trash bins and chairs through the corridor, and you manage to dodge them. The assassin climbs up using a ladder, you follow. You come to a rooftop, and the assassin has nowhere to flee. You shout: "Reveal yourself, tell me who you’re working for, and I will do you no harm."The assassin comes out from behind a ventilation exhaust. They hand you a note with coordinates to a spot in the mediterranean. When you look again, the assassin is gone.
#### Climb out through the window, and try to ambush the assassin ([9](#))
#### Climb out through the window, and try to ambush the assassin ([9]({{< ref "9.md" >}}))
After having climbed through the window, you wait for a while on the ground. The guards from earlier approach you, and tell you that the mysterious assassin disappeared in the other direction, you will never see the assassin again… The manager screams on you to come back, and says that he thinks that he can help you a bit. He tells you that he has managed to trace some components of the device to a specific shipment from South Africa. He tells you that there is a secret lair in Johannesburg that might help you to find out more information about the organisation that the assassin works for.
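Review bot: in the context line directly above the changed heading, `no harm."The assassin` is missing a space after the closing quote; since this commit already touches 6.md, it is worth fixing in the same change. The new `ref "9.md"` target itself is fine, because 9.md is added in the same directory by this commit.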

@ -0,0 +1,97 @@
+++
author = "Maik de Kruif"
title = "Konski-Hiakawa Law of Droids"
subtitle = "Beginners Quest 9 - Google CTF"
date = 2021-11-07T12:01:00+01:00
description = "A writeup for challenge 9 of the beginners quests of the Google CTF."
cover = "img/writeups/google-ctf/2021/beginners-quest/9/cover.png"
tags = [
"Google CTF",
"Beginners Quest",
"ctf",
"hacking",
"writeup",
"reversing",
]
categories = [
"ctf",
"writeups",
"hacking",
"reversing",
]
+++
## Story line
### Johannesburg - Hideout
Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building's entrance.
### Challenge: Konski-Hiakawa Law of Droids (reversing)
In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{...} to submit it. Note, API Level 25 is what you're looking for.
### After solving
Congratulations, you successfully sneaked past the guards, and now you are inside the main building in the secret lair. Look over there, a safe case! Wait, what, it is open, no way! It’s only a photo inside, what a disappointment... But wait, don’t get hasty now, it seems like it’s an airport in the picture, it’s Heathrow, and there is something scribbled on the back, it’s coordinates to a secret warehouse at Heathrow, it seems like London is calling!
## Attachment
attachment.zip (_file too large_)
- [bzImage.elf](/files/writeups/google-ctf/2021/beginners-quest/9/bzImage.elf)
## Recon
The attachment contains four files: `bzImage`, `bzImage.elf`, `bzImage.elf.i64` and `gCTF.apk`.
## Solving
To start off, I don't think I solved it in the intended way as this challenge took me only a few minutes.
As always, I started off by listing the strings in the binary files using the following command.
```sh
strings --print-file-name * | grep CTF
```
This listed a lot of strings, which is expected when there is an app with CTF in the name. So I did the same command, but this time only on the other files:
```sh
strings --print-file-name bzImage* | grep CTF
```
This returned three lines:
```text
bzImage: CTF!
bzImage.elf: gCTF:KEY:
bzImage.elf: C300-CTFDDAC128MAG
```
`gCTF:KEY` looks interesting, so I used grep to get the content around it and then piped it into bat (`cat` would work as well, but `bat` looks nicer) to see the non-printable characters.
```sh
grep -B 2 -A 2 -a gCTF bzImage.elf | bat -A
```
```text
␀free_calls␀alloc_calls␀validate␀store_user␀poison␀red_zone␀sanity_checks␀total_objects␀slabs␀
destroy_by_rcu␀cache_dma␀hwcache_align␀reclaim_account␀slabs_cpu_partial␀objects_partial␀objec
ts␀cpu_slabs␀partial␀aliases␀ctor␀cpu_partial␀min_partial␀objs_per_slab␀object_size␀align␀slab
_size␀nr_succeeded=%lu·nr_failed=%lu·mode=%s·reason=%s␊
␀succeeded␀failed␀enum·migrate_mode␀reason␀mm/migrate.c␀MIGRATE_ASYNC␀MIGRATE_SYNC_LIGHT␀MIGRA
TE_SYNC␀memory_failure␀memory_hotplug␀syscall_or_cpuset␀mempolicy_mbind␀cma␀mm_migrate_pages␀m
igrate␀mm/page_isolation.c␀\u{1}3VFS:·Close:·file·count·is·0␊
␀fs/open.c␀SusanSue␀/sdcard/Download/Raven.txt␀gCTF:KEY:␀SB:575756␀\u{1}6VFS:·file-max·limit·%
lu·reached␊
␀fs/file_table.c␀filp␀files_lglock␀VFS:·Busy·inodes·after·unmount·of·%s.·Self-destruct·in·5·se
conds.··Have·a·nice·day...␊
␀fs/super.c␀\u{1}3VFS:Filesystem·freeze·failed␊
```
This output shows that the value of `gCTF:KEY` is `SB:575756`. I added the CTF{} brackets and submitted it.
## Solution
The flag is correct! It's `CTF{SB:575756}`.
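Review bot: in the Solving section, the sentence "This output shows that the value of `gCTF:KEY` is `SB:575756`" states as fact something the dump only shows by adjacency. `gCTF:KEY:` and `SB:575756` are two separate NUL-terminated strings that happen to sit next to each other, together with `SusanSue` and `/sdcard/Download/Raven.txt`, right after `fs/open.c`. I would say that the value is inferred from its position and mention those neighbouring strings, since the challenge text asks for memory forensics and the writeup already says the route is probably not the intended one. A smaller point in the same section: Recon lists `bzImage.elf.i64`, which `bzImage*` also matches, but the three result lines show nothing from it; a half-sentence on that would help readers reproducing the command.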

Binary file not shown.
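Review bot: `static/files/writeups/google-ctf/2021/beginners-quest/9/bzImage.elf` is committed as a plain binary, while 9.md itself says `attachment.zip` was too large to include. A kernel image in `static/` stays in the repository history for good, so consider Git LFS or a link to the original challenge archive instead, and put a checksum of the file in the writeup so readers can confirm they are analysing the same image.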
