Writeups – Basics, Beginner (Google CTF 2020)

Last weekend, I spent a little bit of time on Google CTF. I solved 2 challenges – just goes to show how out of practice I am, use it or lose it! – and I’ll present the writeups below, for reference.

Beginner

This challenge is presented as a Linux ELF file. You can download this here.

This file requests a flag from stdin, and verifies it using some unusual instructions:

Due to my unbelievable penchant for laziness (on the subject of which – I recently read that surely we should measure success by our ability to be idle in this age of plenty, with which I strongly agree), I decided to solve this using symbolic execution. Unfortunately, it turns out angr had changed since I last used it, so a little bit of Google later, and we’ve got a new working “easy brute force” script, which you can download here.

Of note, there are multiple solutions to this challenge, but only one viable flag – flag input constraints were used to limit the search space.

A few moments of Python later, and we have a viable flag:

Basics

This challenge was presented as a Verilator “pack” of a SystemVerilog file and a C++ test bench. You can download this here.

Upon initial inspection, the critical “check” function is as follows:

wire [55:0] magic = {
{memory[0], memory[5]},
{memory[6], memory[2]},
{memory[4], memory[3]},
{memory[7], memory[1]}
};

wire [55:0] kittens = { magic[9:0], magic[41:22], magic[21:10], magic[55:42] };
assign open_safe = kittens == 56'd3008192072309708;

The challenge seems simple enough, but the devil is in the details, and is annoying enough to warrant some thought for how to correctly reverse this.

I initially thought to simply modify the test bench to print the value of kittens on each clock cycle, but Verilator had optimised this out, and I couldn’t get this to work trivially. Instead, I ended up simply brute forcing the bit associations between input and output: once I knew which bits in the input influenced which bits in the output, it was a trivial exercise to construct the input from the desired flag value:

You can download the brute forcer here.
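The bit-association approach described above, as an added example (not the downloadable brute forcer from this post): it flips one input bit at a time against a Python model of the check instead of the Verilator build. The 7-bit cell width is an assumption (56 bits over 8 memory cells), the function names are made up for illustration, and since the way the input is loaded into memory is not shown above, it stops at the recovered memory cells.

```python
# Added example: Python model of the SystemVerilog check quoted above.
TARGET = 3008192072309708          # 56'd constant from the open_safe comparison
ORDER = [0, 5, 6, 2, 4, 3, 7, 1]   # memory cells in `magic`, most significant first
CELL_BITS = 7                      # assumption: 56 bits / 8 cells


def bits(value, hi, lo):
    """Equivalent of the Verilog part-select value[hi:lo]."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def kittens(memory):
    """Compute `kittens` for a list of 8 memory cells."""
    magic = 0
    for cell in ORDER:
        magic = (magic << CELL_BITS) | (memory[cell] & 0x7F)
    # {magic[9:0], magic[41:22], magic[21:10], magic[55:42]}
    out = bits(magic, 9, 0)
    out = (out << 20) | bits(magic, 41, 22)
    out = (out << 12) | bits(magic, 21, 10)
    out = (out << 14) | bits(magic, 55, 42)
    return out


def bit_associations():
    """Set each input bit alone and record which output bit it drives."""
    mapping = {}
    for cell in range(8):
        for bit in range(CELL_BITS):
            memory = [0] * 8
            memory[cell] = 1 << bit
            out = kittens(memory)
            # A pure bit shuffle must light exactly one output bit.
            assert out and out & (out - 1) == 0
            mapping[out.bit_length() - 1] = (cell, bit)
    return mapping


def solve(target=TARGET):
    """Build the memory cells whose shuffled bits equal `target`."""
    memory = [0] * 8
    for out_bit, (cell, bit) in bit_associations().items():
        if (target >> out_bit) & 1:
            memory[cell] |= 1 << bit
    return memory


if __name__ == "__main__":
    cells = solve()
    print(cells, kittens(cells) == TARGET)
```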

Thank you to the Google team for putting together a fantastic CTF as always – a shame I only spent the time/effort to solve 2 challenges (but it’s good to be dipping my toes back into the water again).

About Norman

Sometimes, I write code. Occasionally, it even works.