Writeup – RunMe, pwn1/vuln, Skeleton Key (SharifCTF)

This weekend, I participated in the SharifCTF competition. I will present some writeups below.


This challenge was presented as a Windows executable, which you can download here. The goal of the challenge is to modify the executable such that it executes for the flag. We can start our investigation with IDA, to identify roughly what the executable looks like:

Initially, this doesn’t run: the error message it gives in WinDbg talks about “Win32 error 0n129” – a bit of Google reveals that this is the error provided when you try to execute a driver as a normal executable.

We know that the executable headers can define which type of executable it is, via the Subsystem field in the Optional Header. We can modify this field to specify a Win32 GUI executable, and then run the application:

Hashing the file (md5sum) then gives us the flag:


This challenge was presented as a Linux binary with a libc, which you can download here.

On inspection with IDA, we can identify what looks like your regular stack overflow, only complicated by the presence of ASLR and DEP / NX on the target system:

There’s not enough gadgets in the executable to build a rop chain with one file only, but our exploit is simple enough: we simply leak the address of a known something in libc, calculate libc’s base address, and then drop execl(“/bin/sh”) (or anything equivalent tbh). In diagram form:

A quick Python script later, and the flag is ours.

The Skeleton Key

This challenge was presented as an APK file, which you can download here.

We begin our analysis by extracting the file and converting classes.dex to a JAR file, to identify what’s happening. The amount of code in this executable is surprisingly small – it appears to simply load logo.svg and then do nothing:

At a glance, logo.svg appears to be an image of a stylized skull, but on inspecting the SVG closer, we note there are a large number of paths which do not appear to be rendered at all, with a blank style:

Furthermore, we can note that each of these paths is rendered on a tiny surface area: we’ll need to expand this (multiplying all the coordinates by 1000) if we want to see anything meaningful. A little bit of Python later, and we have progress:

We can see there are clearly characters in there, but they are superimposed on top of each other. We can easily fix this by changing the start position of each path, giving us the flag.

You can download the Python script used to expand the SVG’s hidden path elements here. Note that this needs a bit of wrangling of the original SVG to make it work: it expects path elements *only*, and isn’t aware of anything else.

Thanks to the Sharif organisers for putting together this event. It’s a shame that Sharif was impacted so heavily by downtime, and at a disadvantageous time of day (Saturday afternoon/night AEST) Still, it’s good to be CTF’ing again. Also, if I might leave one bit of feedback for the Sharif organisers: the point value for reversing and pwn, even the simpler challenges, shouldn’t be equal to non-blind SQLi with full error messages. These, to me, seem like a league apart in terms of difficulty and knowledge required.

See you all next week in nullcon IM and Harekaze CTF.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.