3.9 KiB
+++ author = "Maik de Kruif" title = "Konski-Hiakawa Law of Droids" subtitle = "Beginners Quest 9 - Google CTF" date = 2021-11-07T12:01:00+01:00 description = "A writeup for challenge 9 of the beginners quests of the Google CTF." cover = "img/writeups/google-ctf/2021/beginners-quest/9/cover.png" tags = [ "Google CTF", "Beginners Quest", "ctf", "hacking", "writeup", "reversing", ] categories = [ "ctf", "writeups", "hacking", "reversing", ] +++
Story line
Johannesburg - Hideout
Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building's entrance.
Challenge: Konski-Hiakawa Law of Droids (reversing)
In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{...} to submit it. Note, API Level 25 is what you're looking for.
After solving
Congratulations, you successfully sneaked past the guards, and now you are inside the main building in the secret lair. Look over there, a safe case! Wait, what, it is open, no way! It’s only a photo inside, what a disappointment... But wait, don’t get hasty now, it seems like it’s an airport in the picture, it’s Heathrow, and there is something scribbled on the back, it’s coordinates to a secret warehouse at Heathrow, it seems like London is calling!
Attachment
attachment.zip (file too large)
Recon
The attachment contains four files: bzImage
, bzImage.elf
, bzImage.elf.i64
and gCTF.apk
.
Solving
To start off, I don't think I solved it in the intended way as this challenge took me only a few minutes.
As always, I started off by listing the strings in the binary files using the following command.
strings --print-file-name * | grep CTF
This listed a lot of strings, which is expected when there is an app with CTF in the name. So I did the same command, but this time only on the other files:
strings --print-file-name bzImage* | grep CTF
This returned three lines:
bzImage: CTF!
bzImage.elf: gCTF:KEY:
bzImage.elf: C300-CTFDDAC128MAG
gCTF:KEY
looks interesting, so I used grep to get the content around it and then piped it into bat (cat
would work as well, but bat
looks nicer) to see the non-printable characters.
grep -B 2 -A 2 -a gCTF bzImage.elf | bat -A
␀free_calls␀alloc_calls␀validate␀store_user␀poison␀red_zone␀sanity_checks␀total_objects␀slabs␀
destroy_by_rcu␀cache_dma␀hwcache_align␀reclaim_account␀slabs_cpu_partial␀objects_partial␀objec
ts␀cpu_slabs␀partial␀aliases␀ctor␀cpu_partial␀min_partial␀objs_per_slab␀object_size␀align␀slab
_size␀nr_succeeded=%lu·nr_failed=%lu·mode=%s·reason=%s␊
␀succeeded␀failed␀enum·migrate_mode␀reason␀mm/migrate.c␀MIGRATE_ASYNC␀MIGRATE_SYNC_LIGHT␀MIGRA
TE_SYNC␀memory_failure␀memory_hotplug␀syscall_or_cpuset␀mempolicy_mbind␀cma␀mm_migrate_pages␀m
igrate␀mm/page_isolation.c␀\u{1}3VFS:·Close:·file·count·is·0␊
␀fs/open.c␀SusanSue␀/sdcard/Download/Raven.txt␀gCTF:KEY:␀SB:575756␀\u{1}6VFS:·file-max·limit·%
lu·reached␊
␀fs/file_table.c␀filp␀files_lglock␀VFS:·Busy·inodes·after·unmount·of·%s.·Self-destruct·in·5·se
conds.··Have·a·nice·day...␊
␀fs/super.c␀\u{1}3VFS:Filesystem·freeze·failed␊
This output shows that the value of gCTF:KEY
is SB:575756
. I added the CTF{} brackets and submitted it.
Solution
The flag is correct! It's CTF{SB:575756}
.