This weekend, I participated for a few hours in the Insomnihack Teaser CTF. Due to poor time management (specifically, my inability to correctly convert UTC time), I was only able to play for a little while, but I solved two challenges.
The writeups are presented below.
LowDeep
LowDeep was presented as a web challenge, and made a nice warmup for my renewed efforts this year:
A simple command injection reveals the presence of the print-flag binary, and strings gets the flag:
What a classic.
Kaboom
Kaboom was presented as a Windows executable. You can download the original here.
Upon initial investigation, this was a UPX-packed executable, so I ran upx -d. Searching around the unpacked executable only revealed a troll flag:
Given the size of the executable, I was initially convinced that a hidden “unlock” function had been secreted somewhere in the application, perhaps hidden behind the facade of a standard library call. Unfortunately, searching for this was fruitless: it did not exist in the executable, and was not in the memory.
The other possibility I considered was that UPX was not unpacking the flag correctly. Manual inspection of the packed executable revealed a clue: there appeared to be two different packed flags. Firstly, the decoy flag:
Then, an actual flag:
Going through the UPX stub's code in the executable (in hindsight, BinDiff would have helped here), I could see the following:
This simply overwrites the “correct” key with the troll key, so we never see the correct key unpacked.
A stronger internet wizard than me might have implemented a UPX unpacker stub and unpacked the correct key, but with my limited powers, I proceeded down the route of simply overwriting a chunk of the executable with the correct key.
Depending on how this is done, it can cause the UPX unpacking stub to fault, but as long as the fault happens after the key has been unpacked into memory, it doesn't matter:
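As an added example of the patching approach described above (my own illustration, not the author's script), the following Python scans a packed image for flag-shaped strings, reports each candidate with its offset, and writes the real flag over the decoy slot without spilling past it. The flag shape INS{...}, the decoy-before-real ordering, and the sample bytes are all assumptions constructed for this example.

```python
import re

# Flag shape is an assumption for this example; adjust FLAG_RE to the real format.
FLAG_RE = re.compile(rb"INS\{[^}\x00]{1,64}\}")

# Constructed stand-in for a packed image: a few header bytes, a decoy flag,
# padding, the real flag, and trailing bytes. Not taken from the challenge binary.
SAMPLE_IMAGE = (
    b"UPX!\x00\x01\x02\x03"
    + b"INS{troll_flag_try_harder}" + b"\x00" * 8
    + b"INS{real_flag_goes_here}" + b"\x00" * 8
    + b"\xde\xad\xbe\xef"
)


def find_candidates(image: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, match) for every flag-shaped string in the image."""
    return [(m.start(), m.group(0)) for m in FLAG_RE.finditer(image)]


def patch_slot(image: bytes, slot_offset: int, old: bytes, new: bytes) -> bytes:
    """Overwrite the slot holding `old` at slot_offset with `new`.

    The slot is `old` plus its NUL terminator. `new` must fit; otherwise
    neighbouring bytes get clobbered and the stub may fault before the
    key has been unpacked into memory.
    """
    if image[slot_offset:slot_offset + len(old)] != old:
        raise ValueError("slot does not contain the expected bytes")
    slot_len = len(old) + 1  # include the terminator in the slot
    if len(new) + 1 > slot_len:
        raise ValueError("replacement does not fit in the slot")
    filler = new + b"\x00" * (slot_len - len(new))  # keep the image length unchanged
    return image[:slot_offset] + filler + image[slot_offset + slot_len:]


def swap_decoy_for_real(image: bytes) -> bytes:
    """Locate the decoy and real flags, then write the real flag over the decoy.

    Assumes the decoy precedes the real flag, as in the sample layout above.
    """
    cands = find_candidates(image)
    if len(cands) != 2:
        raise ValueError(f"expected exactly two candidates, got {len(cands)}")
    (decoy_off, decoy), (_, real) = cands
    return patch_slot(image, decoy_off, decoy, real)
```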
Thank you to the Insomnihack team for putting together yet another great CTF – this event has consistently been enlightening and fun. I look forward to solving the other challenges I downloaded.
A special mention should be made of the thoughtfully put together welcome challenge, which includes the following hilarious line:
I wonder how many people simply ran this without looking 🙂
On Kaboom: how do you get the flag without unpacking? I mean, what's the tool name?
Any debugger will do – let it start unpacking, catch the exception and grab the flag from memory.