TokyoWesterns CTF 4th 2018 Writeup — Part 1

Abdelkader Belcaid
Sep 8, 2018 · 6 min read

03/09/2018 18:39 PM UTC+2

TokyoWesterns CTF 4th 2018 Writeup — Part 1

TokyoWesterns CTF 4th 2018 is the 4th version of TokyoWesterns CTF Competition, organized by TokyoWesterns Team from Japan.

It was a good competition with high performance of organization and great fun and practical challenges in different categories (Web, Reversing, Pwnable, Crypto, Warmup, Misc).

I just started this CTF from beginning (Saturday, 01/09/2018 01:00:00 UTC) until the end (Sunday 03/09/2018 01:00:00 UTC). So almost i played 48 hours.

Let’s start with the first challenge which I solved after long time of reversing.

Reversing — dec dec dec

reversing — dec dec dec

Challenge: dec_dec_dec

This is ELF 64-bit Binary, let’s execute it:

dec_dec_dec

Seems that we have to find the correct flag, in order to do that we have to follow this proccess:

Static Analysis

dec_dec_dec in IDA Pro

As you see, according to main() function, there is strcmp comparing input with flag, if they are the same so the flag is correct else it’s incorrect.

The first thing i thought about is angr framework. I spent long time trying to solve it by using angr but it was hard to me because there are 3 operations in order to encode the flag. Let’s go back to see what happened when i used angr to solve this binary.

Here is my first script:

angrbug_1187.py

I used threads and added 0x400000 because PIE is anabled then i tried to find the correct input in (correct function address = 0x1075) and avoid the incorrect input (incorrect function address = 0x1120).

PIE enabled

Indeed, I just tried this script but was not sure about that i will solve it with this one 100% because i know that there is three functions to encode flag and this is not easy to solve it with this script. But let’s give it a try!

Result:

bug in angr framework

Looks like this is a bug !!!

I reported it:

After few minutes, one of Shellphish Team members (@rhelmot) replied me:

bug in angr framework marked as duplicated

Hmm … this is a bug, marked as Duplicate of #1032 and closed!

I used threads and actually it’s been broken for a while. this is my duplicated bug on angr Framework.

bug has been discovered (duplicated)

Let’s go back to the challenge. After long time of trying to solve it with angr Framework i was not able to solve it. So I decided to solve it with static analysis.

Here is main function:

main function

As you see, the input is in argument, passed into 3 functions (sub_860, sub_F59, sub_BE7) then compared with encoded flag:

s2 = "@25-Q44E233=,>E-M34=,,$LS5VEQ45)M2S-),7"
s2 (encoded flag)

In order to reverse it manually, we have to do static analysis for these 3 functions one by one respectivelly. Let’s start with first one (sub_860).

I reversed it manually and found that’s base64 encode function:

sub_860 function (base64) 1
sub_860 function (base64) 2

Then I reversed manually the second function (sub_F59).

I found that’s rot13 cipher function:

sub_F59 function (rot13)

Then I analyzed the third and last function (sub_BE7).

It was hard to reverse it manually, because it’s long, but i tried my best and wrote many scripts in order to build encode function in python to encode messages, then will use it to bruteforce bytes of flag which will give me the encoded flag in the result. It was my first idea and i had another idea is about to build encode function then reverse it in python into decryption function. But i failed to do these ideas successfully.

So i thought about debugging by using GDB-PEDA and i breakpointed into strcmp in order to see how this functions works and how the encryption of flag happened. Then i bruteforced manually until found all bytes of flag directlly. Here is my process which is followed in debugging method which i used until found flag:

As I mentioned before we have to bruteforce into strcmp function, and we know that the PIE is enabled. So we have to bypass PIE first, in order to do that we have to breakpoint into base_address + strcmp_address.

  1. Find base_address:

Firstlly, We have to find start point of binary address:

start point address

Then will breakpoint into it (0x730) then will run program then show mapped address spaces by using this command:

gdb-peda$ info proc mappings
gdb-peda (finding base address …)

As shown above, base_address is: 0x555555554000

2. Find strcmp_address:

call strcmp
strcmp address

As shown above, strcmp_address is: 0x710

3. Breakpoint into base_address + strcmp_address:

0x555555554000 + 0x710 = 0x555555554710

gdb-peda$ b * 0x555555554710
gdb-peda$ r TWCTF{
gdb-peda (bruteforcing flag …)

As shown above, i just put “TWCTF{” (flag format) as input which is s1 as shown in ida pro above and moved into $rdi register and compared with encoded flag which is s2 as shown in ida pro above and moved into $rsi register. So we can bruteforce other bytes of flag until get the similar encoded message which is in $rsi register above.

gdb-peda$ r TWCTF{base64_rot13_uu}
gdb-peda (flag has been bruteforced)

Ok we got the similar encoded message in both of registers and finally:

strcmp(s1, s2) = 0

Means that the program will jump into correct function and will show us:

Let’s back to our manual reverse, after long search i just discovered that the third function (sub_BE7) is uuencode function.

Generally, The program takes the input and encodes it 3 times after passed by 3 functions: base64encode > rot13 > uuencode.

main function after all encryption functions became known

To decrypt it we have to reverse the process which is mentioned above, and it will be like that: uudecode > rot13 > base64decode.

flag has been decoded

Complete the flag and submit it:

dec_dec_dec has been solved

FLAG is: TWCTF{base64_rot13_uu}

I know that it was long … But I wish that it helps as well. If you are interested to read more … Check out the second part of this writeup.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Abdelkader Belcaid

Written by

I'm Bug Bounty Hunter & CTF Player

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade