TokyoWesterns CTF 4th 2018 Writeup — Part 1
03/09/2018 18:39 PM UTC+2

TokyoWesterns CTF 4th 2018 is the 4th version of TokyoWesterns CTF Competition, organized by TokyoWesterns Team from Japan.
It was a good competition with high performance of organization and great fun and practical challenges in different categories (Web, Reversing, Pwnable, Crypto, Warmup, Misc).
I just started this CTF from beginning (Saturday, 01/09/2018 01:00:00 UTC) until the end (Sunday 03/09/2018 01:00:00 UTC). So almost i played 48 hours.
Let’s start with the first challenge which I solved after long time of reversing.
Reversing — dec dec dec

Challenge: dec_dec_dec
This is ELF 64-bit Binary, let’s execute it:

Seems that we have to find the correct flag, in order to do that we have to follow this proccess:
Static Analysis
I used IDA Pro to analyse this binary, let’s do it again:

As you see, according to main() function, there is strcmp comparing input with flag, if they are the same so the flag is correct else it’s incorrect.
The first thing i thought about is angr framework. I spent long time trying to solve it by using angr but it was hard to me because there are 3 operations in order to encode the flag. Let’s go back to see what happened when i used angr to solve this binary.
Here is my first script:
I used threads and added 0x400000 because PIE is anabled then i tried to find the correct input in (correct function address = 0x1075) and avoid the incorrect input (incorrect function address = 0x1120).

Indeed, I just tried this script but was not sure about that i will solve it with this one 100% because i know that there is three functions to encode flag and this is not easy to solve it with this script. But let’s give it a try!
Result:

Looks like this is a bug !!!
I reported it:
After few minutes, one of Shellphish Team members (@rhelmot) replied me:

Hmm … this is a bug, marked as Duplicate of #1032 and closed!
I used threads and actually it’s been broken for a while. this is my duplicated bug on angr Framework.
Let’s go back to the challenge. After long time of trying to solve it with angr Framework i was not able to solve it. So I decided to solve it with static analysis.
Here is main function:

As you see, the input is in argument, passed into 3 functions (sub_860, sub_F59, sub_BE7) then compared with encoded flag:
s2 = "@25-Q44E233=,>E-M34=,,$LS5VEQ45)M2S-),7"
In order to reverse it manually, we have to do static analysis for these 3 functions one by one respectivelly. Let’s start with first one (sub_860).
I reversed it manually and found that’s base64 encode function:


Then I reversed manually the second function (sub_F59).
I found that’s rot13 cipher function:

Then I analyzed the third and last function (sub_BE7).
It was hard to reverse it manually, because it’s long, but i tried my best and wrote many scripts in order to build encode function in python to encode messages, then will use it to bruteforce bytes of flag which will give me the encoded flag in the result. It was my first idea and i had another idea is about to build encode function then reverse it in python into decryption function. But i failed to do these ideas successfully.
So i thought about debugging by using GDB-PEDA and i breakpointed into strcmp in order to see how this functions works and how the encryption of flag happened. Then i bruteforced manually until found all bytes of flag directlly. Here is my process which is followed in debugging method which i used until found flag:
As I mentioned before we have to bruteforce into strcmp function, and we know that the PIE is enabled. So we have to bypass PIE first, in order to do that we have to breakpoint into base_address + strcmp_address.
- Find base_address:
Firstlly, We have to find start point of binary address:

Then will breakpoint into it (0x730) then will run program then show mapped address spaces by using this command:
gdb-peda$ info proc mappings
As shown above, base_address is: 0x555555554000
2. Find strcmp_address:


As shown above, strcmp_address is: 0x710
3. Breakpoint into base_address + strcmp_address:
0x555555554000 + 0x710 = 0x555555554710
gdb-peda$ b * 0x555555554710
gdb-peda$ r TWCTF{
As shown above, i just put “TWCTF{” (flag format) as input which is s1 as shown in ida pro above and moved into $rdi register and compared with encoded flag which is s2 as shown in ida pro above and moved into $rsi register. So we can bruteforce other bytes of flag until get the similar encoded message which is in $rsi register above.
gdb-peda$ r TWCTF{base64_rot13_uu}
Ok we got the similar encoded message in both of registers and finally:
strcmp(s1, s2) = 0
Means that the program will jump into correct function and will show us:

Let’s back to our manual reverse, after long search i just discovered that the third function (sub_BE7) is uuencode function.
Generally, The program takes the input and encodes it 3 times after passed by 3 functions: base64encode > rot13 > uuencode.

To decrypt it we have to reverse the process which is mentioned above, and it will be like that: uudecode > rot13 > base64decode.

Complete the flag and submit it:

FLAG is: TWCTF{base64_rot13_uu}
I know that it was long … But I wish that it helps as well. If you are interested to read more … Check out the second part of this writeup.

