This weekend, I participated in the Xiomara CTF, which has just concluded at the time of writing. I will present some (relatively short) writeups for this CTF below.
Flag Checker 2
This challenge was a web challenge which can be solved locally. The challenge files can be downloaded here.
Here, there is an obfuscated alert() call. Testing it in the JS console reveals the “You got the correct flag” message. Occam’s razor says that one of the two operands to “!==” is the flag, and a quick test proves us right, scoring us some easy points:
This challenge was presented as an APK, which you can download here.
Initial reverse engineering didn’t reveal anything, and the clue said something about the key being server-side: so my first port of call was the classes.dex file. I put it through dex2jar and jd-gui, which revealed my first clue:
Still, I had no API key. Going through the Java code, I find that the string is loaded from a resource, and MD5’ed:
We can use apktool (apktool d Xiomara_2k18.apk) to extract all the resources from the APK. Browsing through res/values, we find a key:
From here, it is simple enough to MD5 the key, call the API endpoint and grab our flag:
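The three steps above (read the key out of res/values, MD5 it the way the app does, hand the digest to the endpoint) as an added Python example; this is not code from the original writeup or from the app. The strings.xml content, the resource names "api_key" and "server_url", the example.invalid endpoint and the "key" query parameter are all constructed stand-ins for whatever the real APK uses.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed stand-in for res/values/strings.xml as written out by
# `apktool d Xiomara_2k18.apk`. Resource names and values are assumptions.
STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Xiomara_2k18</string>
    <string name="api_key">s3cr3t_res0urce_k3y</string>
    <string name="server_url">http://example.invalid/api</string>
</resources>
"""


def load_string_resources(xml_text):
    """Return {name: value} for every <string> element in a values/strings.xml."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "") for el in root.iter("string")}


def md5_hex(s, java_bigint_style=False):
    """MD5 of the UTF-8 bytes, hex-encoded.

    Android code often hex-encodes a digest with
    `new BigInteger(1, digest).toString(16)`, which drops leading zero nibbles;
    set java_bigint_style=True to reproduce that quirk when the server expects it.
    """
    digest = hashlib.md5(s.encode("utf-8")).hexdigest()
    return digest.lstrip("0") if java_bigint_style else digest


def build_flag_request(resources, key_name="api_key", url_name="server_url",
                       param="key", java_bigint_style=False):
    """Rebuild the request the app makes: endpoint from resources, MD5(key) as a
    query parameter. The parameter name is an assumption."""
    base = resources[url_name]
    digest = md5_hex(resources[key_name], java_bigint_style=java_bigint_style)
    return f"{base}?{urlencode({param: digest})}"


if __name__ == "__main__":
    res = load_string_resources(STRINGS_XML)
    # Fetch with urllib.request.urlopen(...) or curl once the real endpoint is known.
    print(build_flag_request(res))
```

When the hex you send is rejected, compare the app's own digest-to-string code first: the BigInteger idiom above, uppercase hex, or a Base64-encoded digest all produce a different string from the same key.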
This challenge was presented as a Linux binary, which you can download here.
Upon initial reverse engineering, we don’t see a whole lot – the pseudocode seems to indicate that we’re strcmp’ing two uninitialized variables, there is a string alluding to a buffer overflow, and something hints at fancy binary exploitation (“Try again, you got 0x%08x”).
In the end, all of these turned out to be cunning trolls – the flag was in an unreferenced variable, above the “src” and “s2” strings referenced by the main function:
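The lesson of this challenge is that data in .rodata or .data is present in the file whether or not any code references it, so a decompiler's cross-reference view can hide it while a raw section dump cannot. The following added Python example (not code from the original writeup) walks the ELF64 section header table by hand and lists every printable run in the data sections, the same thing `strings -a` or `objdump -s -j .rodata` would show. Because no binary ships with this page, it constructs a tiny ELF of its own with a .rodata section; the sample flag, the "xiomara{" marker and the section layout are all assumptions.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS = 1
SHT_STRTAB = 3

# Constructed .rodata contents: an unreferenced flag sitting above the strings
# the main function does use. The flag value and format are made up.
SAMPLE_RODATA = (b"xiomara{constructed_sample_flag}\0"
                 b"Try again, you got 0x%08x\0"
                 b"src\0s2\0")


def build_sample_elf(rodata):
    """Build a minimal little-endian ELF64 with one .rodata section and a
    .shstrtab, and no code or program headers: just enough to parse."""
    shstrtab = b"\0.rodata\0.shstrtab\0"       # name indices: 1 and 9
    rodata_off = 64                             # directly after the ELF header
    shstrtab_off = rodata_off + len(rodata)
    shoff = shstrtab_off + len(shstrtab)        # section header table follows

    def shdr(name, typ, off, size):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    sections = (shdr(0, 0, 0, 0)
                + shdr(1, SHT_PROGBITS, rodata_off, len(rodata))
                + shdr(9, SHT_STRTAB, shstrtab_off, len(shstrtab)))
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, then padding
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type=EXEC, e_machine=x86-64, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0,
                               64, 0, 0, 64, 3, 2)
    return ehdr + rodata + shstrtab + sections


def parse_sections(elf):
    """Return [(name, type, file_offset, size)] from the section header table."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff, _flags, _ehsize, _phentsize, _phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from("<QIHHHHHH", elf, 40)
    raw = []
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_name, sh_type, _f, _addr, sh_off, sh_size = struct.unpack_from("<IIQQQQ", elf, base)
        raw.append((sh_name, sh_type, sh_off, sh_size))
    str_off, str_size = raw[e_shstrndx][2], raw[e_shstrndx][3]
    strtab = elf[str_off:str_off + str_size]

    def name_at(idx):
        return strtab[idx:strtab.index(b"\0", idx)].decode("ascii", "replace")

    return [(name_at(n), t, off, size) for (n, t, off, size) in raw]


def data_strings(elf, min_len=4, sections=(".rodata", ".data")):
    """Every printable ASCII run of at least min_len bytes in the named data
    sections, as (section, file_offset, text), referenced by code or not."""
    found = []
    for name, typ, off, size in parse_sections(elf):
        if name not in sections or typ != SHT_PROGBITS:
            continue
        blob = elf[off:off + size] + b"\0"      # sentinel terminates a final run
        start = None
        for i, b in enumerate(blob):
            printable = 0x20 <= b < 0x7f
            if printable and start is None:
                start = i
            elif not printable and start is not None:
                if i - start >= min_len:
                    found.append((name, off + start, blob[start:i].decode("ascii")))
                start = None
    return found


def find_flag(elf, marker="xiomara{"):
    """First data string starting with the flag marker, or None."""
    for _section, _off, text in data_strings(elf):
        if text.startswith(marker):
            return text
    return None


if __name__ == "__main__":
    elf = build_sample_elf(SAMPLE_RODATA)
    for section, off, text in data_strings(elf):
        print(f"{section} +0x{off:x}: {text}")
    print("flag:", find_flag(elf))
```

On a real target, replace build_sample_elf with open(path, "rb").read(); the parser only relies on the section header table, so a stripped binary (no symbols) still works, while a binary whose section headers were deliberately removed would need the program headers instead.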
Thanks to the organisers for putting together this CTF – it was a pleasure to play in, the challenges remained online for the duration of the event and there was some good variety without it turning into blind guessing games. See you all in Pragyan CTF (the best part of all of this for me is seeing the same CTFs come back around, one year on) next weekend.