Hi everyone! In this post, I will discuss how I solved the reversing challenge Elfish Flag in the recently concluded TGHACK 2019.
The challenge is a typical crackme that requires figuring out the desired input, which is also the flag for the challenge. It’s quite easy compared to other reversing challenges, so beginners can surely follow this one.
Let’s get to it.
Simply running the file will ask the user for some input.
orion@mint ~/Desktop/2019_TGHACK/elfish_flag $ ./elfish.elf
Hello and welcome to my flagcheck challenge!
Enter the flag to solve this task!
...How? That is your task to solve! Have fun!
test
Sorry, try harder!
Let’s load the binary into a disassembler to get a general overview of the program’s control flow.
Looking at the main function, we can see a series of immediate values being assigned to variables. Afterwards, the binary prints a welcome message and asks the user for some input via _fgets. The expected length of the input is 1Ah, which is 26 in decimal. So we are probably looking for a 25-character input including a “\n”. Depending on the result of _fgets, it will either print “Woops!” or call the function labeled as flaggy.
Let’s take a look at the flaggy function.
Based on the graph overview, we can identify two loops, which are probably used to perform some operations on the input and verify it against the expected input.
Stepping through the program with a debugger (input=“ABCDEFGHIJKLMNOPQRSTUVWXY”), we can see that we are taken directly to the second loop.
Looking closer at the second loop using a debugger, we can see that it does the following:
where offset[x] is the byte stored at the address 0x00007ffc6456b560.
With this info, we can easily get the expected input via this simple Python script:
orion@mint ~/Desktop/2019_TGHACK/elfish_flag $ python elfish_flag.py
TG19{flaggys_best_friend}
That’s it! I hope you learned something new today and as always, thanks for reading!
Hi! I’m oR10n and I’m one of the co-founders of hackstreetboys, a CTF team from the Philippines!