Write up for intra-FAST CTF (Forensics and Reverse Engineering)

Hatifmujahid
Mar 20, 2023


This article has writeups of challenges done by me, one of the members of the team Cyber Rizzlers, along with Wahaj Javed Alam and Agha Maarij Amir, who secured the runner-up spot. I will be sharing how I approached some challenges and found the flags.


Challenge # 1 (Forensics)

The problem statement for the challenge

Steps to solve:

Download the Guidelines_for_patching.doc file

After downloading the file, I ran the strings command to look for anything hidden in it.

Going through the output, something strange popped up: a macro named MyMacro containing two base64-encoded strings (referred to as hashes below).

Hash 1: QzpcVXNlcnNcaHBcRGVza3RvcFxmaWxlLnR4dA==

Hash 2: aHR0cHM6Ly9naXRodWIuY29tL0hhZGlxYS1raGFuL2ZvbGxvdy1tZS5naXQ=

Decoding hash 1 in CyberChef produced nothing useful. Let’s try the second hash.

The second hash decoded to a link to a GitHub repository. PROGRESS!🔥

Looking around the repo, there are a lot of decoy clues to throw you off, but we can see that there are two branches present. Let’s explore that first.
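As an added example (not part of the original writeup), here is a small Python script that automates the step above: it scans `strings` output for base64-looking tokens and decodes those that yield printable text. The input is a constructed fragment imitating what `strings` printed for the macro, seeded with the two strings quoted above; the decoded values show why the first was a dead end (a local file path) and the second was the lead (the GitHub URL).

```python
import base64
import binascii
import re

# Constructed sample: a fragment in the style of `strings` output for the macro.
# The two base64 strings are the ones quoted in the writeup; the rest is filler.
STRINGS_OUTPUT = """\
Attribute VB_Name = "MyMacro"
Sub AutoOpen()
Dim p As String
p = "QzpcVXNlcnNcaHBcRGVza3RvcFxmaWxlLnR4dA=="
Dim u As String
u = "aHR0cHM6Ly9naXRodWIuY29tL0hhZGlxYS1raGFuL2ZvbGxvdy1tZS5naXQ="
End Sub
"""

# A run of base64 alphabet characters (16 or more) with optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64(text):
    """Return (token, decoded_text) pairs for tokens that decode to printable ASCII."""
    hits = []
    for m in B64_TOKEN.finditer(text):
        tok = m.group(0)
        if len(tok) % 4 != 0:
            continue  # strict base64 is always a multiple of 4 characters
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decodes, but not to text: probably a false positive
        if decoded.isprintable():
            hits.append((tok, decoded))
    return hits


def classify(decoded):
    """Rough triage of a decoded string so the interesting lead stands out."""
    if decoded.startswith(("http://", "https://")):
        return "url"
    if len(decoded) > 2 and decoded[1] == ":" and decoded[2] == "\\":
        return "windows path"
    return "other"


if __name__ == "__main__":
    for tok, decoded in find_base64(STRINGS_OUTPUT):
        print(f"{classify(decoded):13} {decoded}    <- {tok}")
```

Run it on real `strings` output by replacing the constructed sample with the file's contents; the length and padding checks keep most ordinary identifiers from being decoded as noise.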

WOAH! A hidden branch. Let’s see what it contains! 🔐

There might be something in the hint.txt file. Let’s see

Hmm, status… This might be the status of the GitHub user. Let’s check that!

Sure enough! We have found the flag! 🎉🥳

Challenge # 2 (Reverse Engineering)

Download the file and chmod +x it to make it executable. Start Ghidra and decompile the file.

Find the main function and try to understand the code.

  1. This is the main code block, where local_24 holds the input taken from the user.
  2. local_24 is then XOR’ed with local_18 (value = 10).
  3. The moddy function (explained below) is applied, and the result is stored in iVar1.
  4. 1000 is added to iVar1 and the sum is compared with local_20, the check variable (value = 1337).
moddy function

This moddy function takes its input, reduces it modulo 456, then performs a bitwise AND with 4294967295 (0xFFFFFFFF), keeping only the low 32 bits of the remainder.

Solution:

#include <stdio.h>

long moddy(int param_1)
{
    /* As decompiled by Ghidra: the cast binds tighter than %, so this is
       ((long)param_1 % 456) & 0xFFFFFFFF, the low 32 bits of the remainder. */
    return (long) param_1 % 456 & 4294967295;
}

int main(void){
    int i;
    i = 337;            /* 1337 - 1000 */
    i = moddy(i);       /* 337 % 456 == 337, so moddy leaves it unchanged */
    i = i ^ 10;         /* undo the XOR with local_18 */
    printf("%d\n", i);  /* prints 347 */
    return 0;
}

After understanding the code I wrote this C program, which works backwards from local_20 (the check variable, value = 1337):

  1. 1337 - 1000
  2. apply the moddy function to 337
  3. XOR the result with 10

Answer: 347

Flag: fastctf{s1mpl3_m4TH_buT_w1tH_m0D_&_X0r}

Challenge # 3 (Reverse Engineering)

Download the file and chmod +x it to make it executable. Start Ghidra and decompile the file.

Ghidra decompiled the .exe file
  1. After thoroughly examining the main code, this seemed like the important code block.
  2. We can see an input variable that is passed to a function xorry (explained below); the result is stored in local_18.
  3. local_18 is then compared with 57005; if they are equal we have the correct solution.
Click the xorry function to access it

This xorry function just XORs the value passed to it with 249044.

Solution:

#include <stdio.h>

long xorry(int param_1)
{
    /* As decompiled by Ghidra: XOR the input with the constant 249044 */
    return (long)(int)(param_1 ^ 249044);
}

int main(void){
    int i = 57005;      /* the value local_18 is compared against */
    i = xorry(i);       /* XOR with the same constant undoes the XOR */
    printf("%d\n", i);  /* prints 201337 */
    return 0;
}

We reversed 57005 by XOR’ing it with the same constant, because XOR is its own inverse: XOR’ing the encrypted value with the key again gives back the original.

Answer: 201337
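Both reverse-engineering challenges come down to the same task: re-implement the binary’s check exactly as decompiled and search for inputs it accepts. As an added example (not part of the original writeup), this Python script does that for challenge 2 and challenge 3 together, mimicking C’s truncating % so that negative inputs behave as they would in the binary. It also shows a caveat the direct reversal above skips: moddy is a modulus, so it is not injective and challenge 2 has more than one accepted input (347 is simply the smallest), whereas the XOR check in challenge 3 accepts exactly one. The function names moddy and xorry and the constants come from the writeup; check_chal2, check_chal3 and brute_force are names chosen here.

```python
MASK32 = 0xFFFFFFFF


def c_rem(a, n):
    """C's % truncates toward zero while Python's floors; reproduce C for negatives."""
    r = abs(a) % n
    return -r if a < 0 else r


def moddy(x):
    """Ghidra output: (long)param_1 % 456 & 4294967295 (low 32 bits of the remainder)."""
    return c_rem(x, 456) & MASK32


def xorry(x):
    """Ghidra output: (long)(int)(param_1 ^ 249044)."""
    return x ^ 249044


def check_chal2(user_input):
    """Challenge 2 as decompiled: moddy(input ^ 10) + 1000 == 1337 (local_20)."""
    return moddy(user_input ^ 10) + 1000 == 1337


def check_chal3(user_input):
    """Challenge 3 as decompiled: xorry(input) == 57005 (0xDEAD)."""
    return xorry(user_input) == 57005


def brute_force(check, lo=-(1 << 18), hi=1 << 18):
    """All inputs in [lo, hi) that the binary's check accepts, in ascending order."""
    return [x for x in range(lo, hi) if check(x)]


def solve_chal3_directly():
    """XOR with a constant is its own inverse: (x ^ k) ^ k == x."""
    return 57005 ^ 249044


if __name__ == "__main__":
    sols2 = brute_force(check_chal2)
    print("challenge 2 accepted inputs:", sols2[:5], "... total", len(sols2))
    print("challenge 3 accepted inputs:", brute_force(check_chal3))
    print("challenge 3 by direct inversion:", solve_chal3_directly())
```

For challenge 2 every input of the form (337 + 456k) ^ 10 with k >= 0 passes, so when a check involves a modulus it is worth confirming which accepted value the flag format actually expects rather than assuming the reversal is unique.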

Flag: fastctf{201337}

Thank you for reading thus far, feel free to share your thoughts.
