Write-up for intra-FAST CTF (Forensics and Reverse Engineering)
This article contains my write-ups of challenges from the intra-FAST CTF. I played as part of the team Cyber Rizzlers, together with Wahaj Javed Alam and Agha Maarij Amir, and we secured the runner-up spot. I will walk through how I approached some of the challenges and found the flags.
Challenge # 1 (Forensics)
Steps to solve:
Download the Guidelines_for_patching.doc file
After downloading the file, I ran the strings command on it to look for anything hidden inside.
Going through the output, something stood out: a macro named MyMacro containing two base64-encoded strings (not hashes, even though they look like opaque blobs at first glance).
String 1: QzpcVXNlcnNcaHBcRGVza3RvcFxmaWxlLnR4dA==
String 2: aHR0cHM6Ly9naXRodWIuY29tL0hhZGlxYS1raGFuL2ZvbGxvdy1tZS5naXQ=
Decoding string 1 in CyberChef (From Base64) gives C:\Users\hp\Desktop\file.txt, a local Windows path and a dead end. Let's try the second string.
The second string decodes to https://github.com/Hadiqa-khan/follow-me.git, a link to a GitHub repository. PROGRESS!🔥
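The decoding step above was done by hand in CyberChef. The script below is an added example (not part of the original write-up) that automates it: it scans a byte blob for base64-looking runs, strictly decodes each one, keeps only the results that are printable text, and labels them as a URL, a Windows path or something else. The macro body it runs on is constructed here so the script works offline; only the two base64 literals come from the challenge file.

```python
import base64
import binascii
import re
import string

# Constructed stand-in for the macro text that strings(1) pulled out of the
# .doc file: the two base64 literals are the ones found in MyMacro, the VBA
# around them is made up so the script runs offline.
SAMPLE_MACRO = b"""
Sub MyMacro()
    Dim p As String, u As String
    p = "QzpcVXNlcnNcaHBcRGVza3RvcFxmaWxlLnR4dA=="
    u = "aHR0cHM6Ly9naXRodWIuY29tL0hhZGlxYS1raGFuL2ZvbGxvdy1tZS5naXQ="
    Call Shell("cmd.exe", 1)
End Sub
"""

# A run of 16+ base64-alphabet characters, optionally padded.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable.encode())


def decode_base64_strings(blob: bytes) -> list[tuple[str, str]]:
    """Return (token, decoded) pairs for every base64-looking run in blob whose
    strict decode is printable text. Tokens that fail strict decoding or that
    decode to binary are dropped, which filters out ordinary identifiers that
    happen to be long enough to match the regex."""
    found = []
    for m in B64_TOKEN.finditer(blob):
        token = m.group(0)
        if len(token) % 4:          # strict base64 is a multiple of 4 chars
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        if raw and all(b in PRINTABLE for b in raw):
            found.append((token.decode(), raw.decode()))
    return found


def classify(decoded: str) -> str:
    """Rough triage label for a decoded string: what kind of indicator is it?"""
    if re.match(r"https?://", decoded):
        return "url"
    if re.match(r"[A-Za-z]:\\", decoded):
        return "windows-path"
    return "other"


if __name__ == "__main__":
    for token, decoded in decode_base64_strings(SAMPLE_MACRO):
        print(f"{classify(decoded):13} {decoded}    <- {token}")
```

To run it against a real sample, replace SAMPLE_MACRO with the raw bytes of the document (or the output of strings); the printable-text filter is what keeps the result list short on a large file.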
Looking around the repo, there are a lot of clues meant to throw you off, but we can see that there are two branches. Let's explore those first.
WOAH! A hidden branch. Let's see what it contains! 🔐
There might be something in the hint.txt file. Let's see.
Hmm, status... This might refer to the GitHub user's profile status. Let's check that!
Sure enough! We have found the flag! 🎉🥳
Challenge # 2 (Reverse Engineering)
Download the file and give it execute permission with chmod +x. Open it in Ghidra and decompile it.
Find the main function and try to understand the code.
- In the main function, local_24 holds the integer read from the user.
- local_24 is XORed with local_18 (value 10).
- The result is passed to the moddy function (explained below) and stored in iVar1.
- 1000 is added to iVar1 and the sum is compared with local_20, the check variable (value 1337).
The moddy function takes its input, reduces it modulo 456 and masks the result with 4294967295 (0xFFFFFFFF), i.e. truncates it to 32 bits.
Solution:
#include <stdio.h>

/* moddy as Ghidra showed it: reduce modulo 456, then mask to 32 bits */
long moddy(int param_1)
{
    return (long)param_1 % 456 & 4294967295;
}

int main(void)
{
    int i;
    i = 1337 - 1000;   /* undo the +1000: 337 */
    i = moddy(i);      /* 337 < 456, so moddy leaves it unchanged */
    i = i ^ 10;        /* undo the XOR with 10: 347 */
    printf("%d\n", i);
    return 0;
}
After understanding the code, I wrote this C program, which reverses the check starting from local_20 (the check variable, 1337):
- subtract 1000: 1337 - 1000 = 337
- apply the moddy function to 337 (337 is below 456, so it is unchanged)
- XOR the result with 10
Answer: 347
Note that moddy discards everything above 456, so the check is not one-to-one: it accepts any input x for which (x ^ 10) mod 456 == 337 (787 works as well, for instance). 347 is simply the smallest such value.
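The decompiled check can be re-implemented in a few lines and used to verify a candidate before typing it into the binary. The script below is an added example, not code from the original write-up; it assumes only the constants described above (XOR key 10, modulus 456, offset 1000, target 1337) and goes one step further than the C program by enumerating every accepted input in a range, which shows that the modulo step makes the check many-to-one.

```python
# Re-implementation of the check as described from the Ghidra decompilation
# (constants taken from the write-up above; the binary itself is not needed).
KEY = 10
MOD = 456
OFFSET = 1000
TARGET = 1337
MASK = 0xFFFFFFFF


def moddy(x: int) -> int:
    """Python version of the decompiled moddy(): (long)x % 456 & 0xFFFFFFFF.
    C's % truncates toward zero, so the sign of a negative remainder is kept
    before masking, matching what the native code does."""
    r = abs(x) % MOD
    if x < 0:
        r = -r
    return r & MASK


def check(user_input: int) -> bool:
    """The binary's accept condition, in the order main() applies it."""
    return moddy(user_input ^ KEY) + OFFSET == TARGET


def solve() -> int:
    """Walk the transformation backwards for the smallest non-negative answer:
    undo the +1000, take the residue itself as the smallest preimage of the
    modulo, then undo the XOR (XOR with the same key is its own inverse)."""
    residue = TARGET - OFFSET        # 337, already < 456 so moddy(337) == 337
    if not 0 <= residue < MOD:
        raise ValueError("target is not reachable by moddy()")
    return residue ^ KEY             # 347


def all_solutions(limit: int) -> list[int]:
    """Every input below `limit` the binary accepts. moddy() drops the
    quotient, so (337 + 456*k) ^ 10 is accepted for every k >= 0."""
    return [x for x in range(limit) if check(x)]


if __name__ == "__main__":
    answer = solve()
    print("answer:", answer, "accepted:", check(answer))
    print("all accepted inputs below 2000:", all_solutions(2000))
```

Running check() on the answer before submitting it is cheap insurance against misreading an operator in the decompiler output; all_solutions() is the same idea applied exhaustively, which is practical here only because the accepted values are small.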
Flag: fastctf{s1mpl3_m4TH_buT_w1tH_m0D_&_X0r}
Challenge # 3 (Reverse Engineering)
Download the file and give it execute permission with chmod +x. Open it in Ghidra and decompile it.
- After thoroughly examining the main function, this looked like the important code block.
- The user's input is passed to a function named xorry (explained below), and the return value is stored in local_18.
- local_18 is then compared with 57005 (0xDEAD). If they are equal, the input is correct.
The xorry function simply XORs the value passed to it with 249044.
Solution:
#include <stdio.h>

/* xorry as Ghidra showed it: XOR the argument with 249044 */
long xorry(int param_1)
{
    return (long)(int)(param_1 ^ 249044);
}

int main(void)
{
    int i = 57005;      /* the value xorry(input) must equal */
    i = xorry(i);       /* XOR with the same key undoes it: 201337 */
    printf("%d\n", i);
    return 0;
}
We recover the input by XORing 57005 with the same key, because XOR is its own inverse: applying xorry to the expected output gives back the original input (57005 ^ 249044 = 201337, and 201337 ^ 249044 = 57005 again).
Answer: 201337
Flag: fastctf{201337}
Thank you for reading thus far, feel free to share your thoughts.