Writeup – Flag Checker 2, Mario Mystery, Envy (Xiomara CTF)

This weekend, I participated in the Xiomara CTF, which has just concluded at the time of writing. I will present some (relatively short) writeups for this CTF below.

Flag Checker 2

This challenge was a web challenge which can be solved locally. The challenge files can be downloaded here.

On opening the HTML file, we are prompted for a password (the flag), which is evaluated with some obfuscated JavaScript. The point value of the challenge did not seem to correspond with the effort of manually de-obfuscating the JS, so I looked for a side channel. I quickly found one, when prettifying main.js:

Here, there is an obfuscated alert() call. On testing in the JS console, this reveals the “You got the correct flag” message. Occam’s razor says that one of the two operands to “!==” is the flag, and a quick test proves us right and scores us some easy points:

Mario Mystery

This challenge was presented as an APK, which you can download here.

Initial reverse engineering didn’t reveal anything, and the clue said something about the key being server-side: so my first port of call was the classes.dex file. I put it through dex2jar and jd-gui, which revealed my first clue:

Still, I had no API key. Going through the Java code, I find that the string is loaded from a resource, and MD5’ed:

We can use apktool (apktool d Xiomara_2k18.apk) to extract all the resources from the APK. Browsing through res/values, we find a key:

From here, it is simple enough to MD5 the key, call the API endpoint and grab our flag:
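The steps above (pull the string out of the apktool output, MD5 it, hand the digest to the endpoint), as an added example that is not part of the original writeup. The strings.xml content is constructed, the resource name api_key, the query-parameter shape and the endpoint URL are assumptions; the real key and endpoint are not reproduced here.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed stand-in for res/values/strings.xml as produced by
# `apktool d Xiomara_2k18.apk`; the real file and key are not reproduced.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Mario Mystery</string>
    <string name="api_key">hello</string>
</resources>
"""


def load_resource_strings(xml_text: str) -> dict:
    """Parse an apktool-style strings.xml into {resource name: value}."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "") for el in root.iter("string")}


def derive_api_key(secret: str) -> str:
    """Mirror what the app does with the resource: MD5, hex-encoded."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def build_flag_request(endpoint: str, api_key_md5: str) -> str:
    """Assumed call shape: the digest is passed as a 'key' query parameter."""
    return f"{endpoint}?{urlencode({'key': api_key_md5})}"


def find_secret_like_strings(strings: dict) -> list:
    """Defender-side check: resource names that look like embedded credentials.

    Anything shipped in res/values is recoverable with apktool, so a key
    found here is effectively public no matter how it is hashed later.
    """
    markers = ("key", "secret", "token", "password")
    return sorted(n for n in strings if any(m in n.lower() for m in markers))


if __name__ == "__main__":
    strings = load_resource_strings(SAMPLE_STRINGS_XML)
    hashed = derive_api_key(strings["api_key"])
    print(build_flag_request("https://ENDPOINT-PLACEHOLDER/api", hashed))
    print("credential-looking resources:", find_secret_like_strings(strings))
```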

Envy
This challenge was presented as a Linux binary, which you can download here.

Upon initial reverse engineering, we don’t see a whole lot – the pseudocode seems to indicate that we’re strcmp’ing two uninitialized variables, some string alluding to a buffer overflow and something indicating fancy binary exploitation (“Try again, you got 0x%08x”).

In the end, all of these turned out to be cunning trolls – the flag was in an unreferenced variable, above the “src” and “s2” strings referenced by the main function:

Thanks to the organisers for putting together this CTF – it was a pleasure to play in, the challenges remained online for the duration of the event and there was some good variety without it turning into blind guessing games. See you all in Pragyan CTF (the best part of all of this for me is seeing the same CTFs come back around, one year on) next weekend.

About Norman

Sometimes, I write code. Occasionally, it even works.