+++ author = "Maik de Kruif" title = "Konski-Hiakawa Law of Droids" subtitle = "Beginners Quest 9 - Google CTF" date = 2021-11-07T12:01:00+01:00 description = "A writeup for challenge 9 of the beginners quests of the Google CTF." cover = "img/writeups/google-ctf/2021/beginners-quest/9/cover.png" tags = [ "Google CTF", "Beginners Quest", "ctf", "hacking", "writeup", "reversing", ] categories = [ "ctf", "writeups", "hacking", "reversing", ] aliases = [ "9" ] +++ ## Story line ### Johannesburg - Hideout Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building's entrance. ### Challenge: Konski-Hiakawa Law of Droids (reversing) In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{...} to submit it. Note, API Level 25 is what you're looking for. ### After solving Congratulations, you successfully sneaked past the guards, and now you are inside the main building in the secret lair. Look over there, a safe case! Wait, what, it is open, no way! It’s only a photo inside, what a disappointment... But wait, don’t get hasty now, it seems like it’s an airport in the picture, it’s Heathrow, and there is something scribbled on the back, it’s coordinates to a secret warehouse at Heathrow, it seems like London is calling! ## Attachment attachment.zip (_file too large_) - [bzImage.elf](/files/writeups/google-ctf/2021/beginners-quest/9/bzImage.elf) ## Recon The attachment contains four files: `bzImage`, `bzImage.elf`, `bzImage.elf.i64` and `gCTF.apk`. ## Solving To start off, I don't think I solved it in the intended way as this challenge took me only a few minutes. As always, I started off by listing the strings in the binary files using the following command. ```sh strings --print-file-name * | grep CTF ``` This listed a lot of strings, which is expected when there is an app with CTF in the name. So I did the same command, but this time only on the other files: ```sh strings --print-file-name bzImage* | grep CTF ``` This returned three lines: ```text bzImage: CTF! bzImage.elf: gCTF:KEY: bzImage.elf: C300-CTFDDAC128MAG ``` `gCTF:KEY` looks interesting, so I used grep to get the content around it and then piped it into bat (`cat` would work as well, but `bat` looks nicer) to see the non-printable characters. ```sh grep -B 2 -A 2 -a gCTF bzImage.elf | bat -A ``` ```text ␀free_calls␀alloc_calls␀validate␀store_user␀poison␀red_zone␀sanity_checks␀total_objects␀slabs␀ destroy_by_rcu␀cache_dma␀hwcache_align␀reclaim_account␀slabs_cpu_partial␀objects_partial␀objec ts␀cpu_slabs␀partial␀aliases␀ctor␀cpu_partial␀min_partial␀objs_per_slab␀object_size␀align␀slab _size␀nr_succeeded=%lu·nr_failed=%lu·mode=%s·reason=%s␊ ␀succeeded␀failed␀enum·migrate_mode␀reason␀mm/migrate.c␀MIGRATE_ASYNC␀MIGRATE_SYNC_LIGHT␀MIGRA TE_SYNC␀memory_failure␀memory_hotplug␀syscall_or_cpuset␀mempolicy_mbind␀cma␀mm_migrate_pages␀m igrate␀mm/page_isolation.c␀\u{1}3VFS:·Close:·file·count·is·0␊ ␀fs/open.c␀SusanSue␀/sdcard/Download/Raven.txt␀gCTF:KEY:␀SB:575756␀\u{1}6VFS:·file-max·limit·% lu·reached␊ ␀fs/file_table.c␀filp␀files_lglock␀VFS:·Busy·inodes·after·unmount·of·%s.·Self-destruct·in·5·se conds.··Have·a·nice·day...␊ ␀fs/super.c␀\u{1}3VFS:Filesystem·freeze·failed␊ ``` This output shows that the value of `gCTF:KEY` is `SB:575756`. I added the CTF{} brackets and submitted it. ## Solution The flag is correct! It's `CTF{SB:575756}`.