TGHACK 2019 — Elfish Flag (RE) Write-up

oR10n
3 min read · Apr 22, 2019

Hi everyone! In this post, I will discuss how I solved the reversing challenge Elfish Flag from the recently concluded TGHACK 2019.

The challenge is a typical crackme that requires figuring out the desired input, which is also the flag for the challenge. It’s quite easy compared to other reversing challenges, so beginners can surely follow this one.

Let’s get to it.

Simply running the file will ask the user for some input.

orion@mint ~/Desktop/2019_TGHACK/elfish_flag $ ./elfish.elf  
Hello and welcome to my flagcheck challenge!
Enter the flag to solve this task!
...How? That is your task to solve! Have fun!
test
Sorry, try harder!

Let’s load the binary into a disassembler to get a general overview of the program’s control flow.

[Figure: Main Function]

Looking at the main function, we can see a series of immediate values being assigned to variables. Afterwards, the binary prints a welcome message and asks the user for some input via _fgets. The expected length of the input is 1Ah, which is 26 in decimal, so we are probably looking for a 25-character input including a “\n”. Depending on the result of _fgets, it will either print “Woops!” or call the function labeled flaggy.

Let’s take a look at the flaggy function.

[Figure: flaggy function, graph overview]

Based on the graph overview, we can identify two loops, which are probably used to perform some operations on the input and verify it against the expected input.

Stepping through the program with a debugger (input=“ABCDEFGHIJKLMNOPQRSTUVWXY”), we can see that we are taken directly to the second loop.

[Figure: Second Loop, debugger view]
[Figure: Second Loop, disassembler view]

Looking closer at the second loop using a debugger, we can see that it does the following:

[Figure: Closer look at the second loop]

where offset[x] is the byte stored at the address 0x00007ffc6456b560.

[Figure: Dump view of 0x00007ffc6456b560]

With this info, we can easily get the expected input via this simple python script:

[Figure: Simple Python Decoder]
orion@mint ~/Desktop/2019_TGHACK/elfish_flag $ python elfish_flag.py 
TG19{flaggys_best_friend}
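
The decoder script itself is not reproduced in this text. As an added example (not the author's script), the code below shows the general technique for a check of this shape: for each position, try every printable byte and keep the ones whose transformed value matches the stored table byte. The `transform` function, the sample string and the table are constructed for illustration; the challenge's real operation and dumped bytes are not shown on this page.

```python
import string

# Hypothetical per-byte transform standing in for the body of the second loop.
# The challenge's real operation is not shown on this page.
def transform(ch: int, index: int) -> int:
    return ((ch ^ index) + 7) & 0xFF

def recover(table, check, alphabet=string.printable.encode()):
    """Return, for every position, the list of input bytes that satisfy
    check(byte, position) == table[position]."""
    candidates = []
    for i, target in enumerate(table):
        hits = [c for c in alphabet if check(c, i) == target]
        if not hits:
            raise ValueError(f"no printable byte matches position {i}")
        candidates.append(hits)
    return candidates

def unique_solution(candidates):
    """Join the candidates into a string, or return None if any position
    is ambiguous (a lossy transform maps several inputs to one table byte)."""
    if any(len(hits) != 1 for hits in candidates):
        return None
    return bytes(hits[0] for hits in candidates).decode()

# Constructed sample data: a 25-character string and the table a checker
# using transform() would compare against.
SAMPLE = "constructed_sample_input!"
TABLE = bytes(transform(b, i) for i, b in enumerate(SAMPLE.encode()))

if __name__ == "__main__":
    print(unique_solution(recover(TABLE, transform)))
```

Brute-forcing each position forward avoids having to invert the operation by hand, and the ambiguity check flags transforms that lose information.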

That’s it! I hope you learned something new today and as always, thanks for reading!

Hi! I’m oR10n and I’m one of the co-founders of hackstreetboys; a CTF team from the Philippines!
