In the past weekend, I participated in the DEFCON Quals CTF. I was able to solve three challenges, and I will present writeups for one challenge – I lost another through poor record-keeping, and the third, Eval Whitelisting, is not conductive to a writeup (the solution was to wrap ../flag in backticks in a printf).
The ELF Crumble challenge was presented as an archive file, containing pieces of an ELF executable, as well as the file “broken”, containing the executable’s “shell”. You can download the files here.
We begin our investigation with the “broken” file, as it seems to be a valid ELF executable. We can immediately see the problem:
We note that several “core” functions are like this, including f1, f2, f3 and recover_flag. Strings doesn’t reveal anything immediately obvious (and fair enough).
Fortunately, symbols are left intact in the application, giving us the (possible) length of each function. We can also make three assumptions:
- Firstly, each function will begin with a resonable prologue, such as setting up the stack. No function will begin with some hand-crafted prologue.
- Secondly, each function will end with a reasonable epilogue, such as a return instruction. No function will end with something odd like a jump.
- Thirdly, the function fragments will “fit tightly” with one another. There are no overlaps, there are no overwritten sections, there are no gaps where “pop eax” is the actual instruction. This correlates with the file lengths of the chunks.
Following this guidance, we know that only one chunk can possibly fit into the first chunk, f1, and have the function look somewhat reasonable:
From here, I wrote a quick capstone-powered disassembler to show me the first few bytes of each chunk, and quickly reassembled the executable by hand, giving me the flag. You can find the Python script used to disassemble the chunks here, and the final executable here.
I’d like to thank the DEFCON CTF organisers for a well put-together and challenging CTF. Getting rekt each time in this CTF is a good reminder that there are always greater heights to climb, no matter how much we have achieved so far.
At this point, I would like to take a moment to reflect – in the past few weeks, I am delighted to see more and more talented people throwing themselves into the mix and challenging themselves in various ways – not only in CTF’ing, but in tackling various self–sought projects and tasks. With this, comes more people to discuss this work and collaborate with – this brings a modicum of heartfelt joy between the hours of 9am and 5pm.
For those of you who want to get into CTF’ing, there is no better time than now. For those of you sitting on the sidelines, know that there is no progress without sacrifice – try, try again, and never give up. For those of you who have settled and stagnated, satisfied that you know enough to do your jobs and it does not require more: may you find happiness in your own way, living your own life with whatever meaning and purpose you see fit.