parent
e75ee517f3
commit
16f049dd09
4 changed files with 98 additions and 1 deletions
@ -0,0 +1,97 @@ |
|||||||
|
+++ |
||||||
|
author = "Maik de Kruif" |
||||||
|
title = "Konski-Hiakawa Law of Droids" |
||||||
|
subtitle = "Beginners Quest 9 - Google CTF" |
||||||
|
date = 2021-11-07T12:01:00+01:00 |
||||||
|
description = "A writeup for challenge 9 of the beginners quests of the Google CTF." |
||||||
|
cover = "img/writeups/google-ctf/2021/beginners-quest/9/cover.png" |
||||||
|
tags = [ |
||||||
|
"Google CTF", |
||||||
|
"Beginners Quest", |
||||||
|
"ctf", |
||||||
|
"hacking", |
||||||
|
"writeup", |
||||||
|
"reversing", |
||||||
|
] |
||||||
|
categories = [ |
||||||
|
"ctf", |
||||||
|
"writeups", |
||||||
|
"hacking", |
||||||
|
"reversing", |
||||||
|
] |
||||||
|
+++ |
||||||
|
|
||||||
|
## Story line |
||||||
|
|
||||||
|
### Johannesburg - Hideout |
||||||
|
|
||||||
|
Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building's entrance. |
||||||
|
|
||||||
|
### Challenge: Konski-Hiakawa Law of Droids (reversing) |
||||||
|
|
||||||
|
In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{...} to submit it. Note, API Level 25 is what you're looking for. |
||||||
|
|
||||||
|
### After solving |
||||||
|
|
||||||
|
Congratulations, you successfully sneaked past the guards, and now you are inside the main building in the secret lair. Look over there, a safe case! Wait, what, it is open, no way! It’s only a photo inside, what a disappointment... But wait, don’t get hasty now, it seems like it’s an airport in the picture, it’s Heathrow, and there is something scribbled on the back, it’s coordinates to a secret warehouse at Heathrow, it seems like London is calling! |
||||||
|
|
||||||
|
## Attachment |
||||||
|
|
||||||
|
attachment.zip (_file too large_) |
||||||
|
|
||||||
|
- [bzImage.elf](/files/writeups/google-ctf/2021/beginners-quest/9/bzImage.elf) |
||||||
|
|
||||||
|
## Recon |
||||||
|
|
||||||
|
The attachment contains four files: `bzImage`, `bzImage.elf`, `bzImage.elf.i64` and `gCTF.apk`. |
||||||
|
|
||||||
|
## Solving |
||||||
|
|
||||||
|
To start off, I don't think I solved it in the intended way as this challenge took me only a few minutes. |
||||||
|
|
||||||
|
As always, I started off by listing the strings in the binary files using the following command. |
||||||
|
|
||||||
|
```sh |
||||||
|
strings --print-file-name * | grep CTF |
||||||
|
``` |
||||||
|
|
||||||
|
This listed a lot of strings, which is expected when there is an app with CTF in the name. So I did the same command, but this time only on the other files: |
||||||
|
|
||||||
|
```sh |
||||||
|
strings --print-file-name bzImage* | grep CTF |
||||||
|
``` |
||||||
|
|
||||||
|
This returned three lines: |
||||||
|
|
||||||
|
```text |
||||||
|
bzImage: CTF! |
||||||
|
bzImage.elf: gCTF:KEY: |
||||||
|
bzImage.elf: C300-CTFDDAC128MAG |
||||||
|
``` |
||||||
|
|
||||||
|
`gCTF:KEY` looks interesting, so I used grep to get the content around it and then piped it into bat (`cat` would work as well, but `bat` looks nicer) to see the non-printable characters. |
||||||
|
|
||||||
|
```sh |
||||||
|
grep -B 2 -A 2 -a gCTF bzImage.elf | bat -A |
||||||
|
``` |
||||||
|
|
||||||
|
```text |
||||||
|
␀free_calls␀alloc_calls␀validate␀store_user␀poison␀red_zone␀sanity_checks␀total_objects␀slabs␀ |
||||||
|
destroy_by_rcu␀cache_dma␀hwcache_align␀reclaim_account␀slabs_cpu_partial␀objects_partial␀objec |
||||||
|
ts␀cpu_slabs␀partial␀aliases␀ctor␀cpu_partial␀min_partial␀objs_per_slab␀object_size␀align␀slab |
||||||
|
_size␀nr_succeeded=%lu·nr_failed=%lu·mode=%s·reason=%s␊ |
||||||
|
␀succeeded␀failed␀enum·migrate_mode␀reason␀mm/migrate.c␀MIGRATE_ASYNC␀MIGRATE_SYNC_LIGHT␀MIGRA |
||||||
|
TE_SYNC␀memory_failure␀memory_hotplug␀syscall_or_cpuset␀mempolicy_mbind␀cma␀mm_migrate_pages␀m |
||||||
|
igrate␀mm/page_isolation.c␀\u{1}3VFS:·Close:·file·count·is·0␊ |
||||||
|
␀fs/open.c␀SusanSue␀/sdcard/Download/Raven.txt␀gCTF:KEY:␀SB:575756␀\u{1}6VFS:·file-max·limit·% |
||||||
|
lu·reached␊ |
||||||
|
␀fs/file_table.c␀filp␀files_lglock␀VFS:·Busy·inodes·after·unmount·of·%s.·Self-destruct·in·5·se |
||||||
|
conds.··Have·a·nice·day...␊ |
||||||
|
␀fs/super.c␀\u{1}3VFS:Filesystem·freeze·failed␊ |
||||||
|
``` |
||||||
|
|
||||||
|
This output shows that the value of `gCTF:KEY` is `SB:575756`. I added the CTF{} brackets and submitted it. |
||||||
|
|
||||||
|
## Solution |
||||||
|
|
||||||
|
The flag is correct! It's `CTF{SB:575756}`. |
Binary file not shown.
After Width: | Height: | Size: 115 KiB |
Loading…
Reference in new issue