Sunday, May 28, 2017

WhiteHat Contest 13 - Tuy Hoa

There’s a binary file that checks for a password.

$ file re100
re100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 2.6.24, BuildID[sha1]=d06aaba2cfbcbc4f43313fa30f2b42f079472a11, not stripped

Here’s a screenshot of pseudocode of main function:


As I’m lazy as hell, I thought I could solve it with angr. Here’s my script:

import angr

p = angr.Project('./re100', load_options={'auto_load_libs':False})
st = p.factory.blank_state()
pg = p.factory.path_group(st)
pg.explore(find=0x400eb2, avoid=0x400ebf)

if len(pg.found) > 0:
    print "Flag: %s" % pg.found[0].state.posix.dumps(0)

After I ran the script, some seconds later I’ve got my flag.

$ python
Flag: 5a62af9a23b56ee49370808a0cf1e8096757257

$ ./re100 
input password: 
Good password!!!

When I’ve tried to submit, I’ve received an error message telling me that the flag was wrong! So, I contacted the admin and they gave me the correct flag. There was an error on the binary file.

Capture the Flag , Reverse Engineering , Writeup