Writeups – Babyc, Plastic (ASISCTF 2018 Quals)

Over the past two days, I had the pleasure of briefly playing in the ASIS 2018 CTF Quals with the folks from Monsec. During this time, I solved the “babyc” and “plastic” challenges, both of which I present here for future reference. The “babyc” writeup will be more detailed than usual, outlining methods which did not work.

Babyc

This challenge was presented as a Linux executable, which you can download here. The challenge text indicated that we only needed the first 14 characters of the input, which gives you a “good” output (that is, ASIS{sha1(input[:14])}). Running the executable lets you enter some user input, after which “Wrong” was printed. Running strings gives us one interesting string (“m0vfu3c4t0r!”) but this isn’t the flag input.

On disassembly, we immediately note that it is movfuscated:

My first attempt involved running strace and ltrace against the executable, to identify at a high level what it actually did. We note that it does a strcmp – a little trial and error shows that the strcmp is against input[3:], and the maximum input is 32 bytes long.

Still, filling this with the magic “m0vfu3c4t0r!” string doesn’t work either, so we’re still missing something.

My first attempt was brute forcing the first 3 characters. I used a simple Python script, shown below:

At this point, I decided to attempt two side channel attacks – firstly, against the return code (from a previous challenge), and then, against the instruction count. Firstly, the return code, as it’s a simpler brute force – I solved a CTF challenge once a long time ago, as it would modify it’s return code for each character of the flag you got right (so you could brute force character by character.

Unfortunately, I wasn’t able to make this produce anything meaningful. My next attempt was to instruction count: that is, using the “perf” program running on a bare-metal box, I could count the number of instructions executed for each given input. Again, a character-by-character brute force attack was attempted:

This produced quite interesting results:

Even on the same box, two different iterations of the script produce different “maximum instruction count paths” for input, indicating that the executable performs the same amount of instructions no matter how many input characters are provided, or how many are correct.

I then resorted to manual analysis, grepping for immediate arguments. Searching on a whim for ‘A’, we get a hit:

A little while later, we can see the same code pattern, repeating with ‘h’:

Scrolling further through the code, we can see a few more characters, totalling “Ah_0y1ng:(“. I wasn’t too sure what to do at this point, and didn’t want to manually spend the time reverse engineering movfuscated logic. I went with my instinct, SHA1’ing “Ah_m0vfu3c4t0r” for the flag and an easy ~100 points.

Plastic

This challenge was presented as a PNG image, presented below in it’s entirety:

Binwalk showed nothing, and quick pixel analysis showed nothing. I attempted to play around with things like alpha channels, but nothing turned up. Opening the image in a hex editor reveals our first clue:

We can immediately see base64 encoded content. Not knowing what this was, I went to Google “RDF”, which didn’t turn up anything too relevant to this specific challenge. I then went to unbase64 this, providing a blob of binary data: I couldn’t see anything, but binwalk said there was zlib data from offset 4. Zlib.decompress’ing this provides the flag:

Thankyou to the ASIS 2018 CTF Quals creators for putting together this CTF – this was a good set of challenges, and I am learning much from other people’s writeups.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting. Bookmark the permalink.

2 Responses to Writeups – Babyc, Plastic (ASISCTF 2018 Quals)

  1. oldman says:

    So how does binwalk show it’s a zlib data. Can I know the binwalk version and command line you used? Thank U!

    • Norman says:

      The binwalk was just the version from github, and binwalk plastic2 (where plastic2 is the unbase64-ed comment data from the original PNG) should work.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.