
Cylabacademy (picoCTF) CTF challenge
RAMESH
0 followers

In this challenge Link, we are given a binary executable file and a nc server instance running. To retrieve flag from challenge we have to reverse engineer the binary executable and get flag from nc server itself.
First we start to analyze how nc server response and what kind of input it accepts, with help of that we came to know and nc server is running same binary executable which challenge provided us. When we connect with nc with given port and IP, first it's ask about account we can enter any string there. second it ask about length of password. after that it's prints success message and shows some numbers and ask about hash to access account. if we enter enter nothing it shows error. with try and hit technique we find that it accept only numbers else it's shows error and exit program.
Once we download binary file we use file linux command to get details about binary file and details we get are:
As challenge itself shows it's related to reverse engineering shows I first put binary file into Ghidra and analyze it. Ghidra shows functions defined there are makesecret, hash, main. With Ghidra we can see that main function calls makesecret to store password and then makesecret calls hash function. which return hash value to main functions directly because makesecret does not have any return type.

To analyze what values are stored at RAX register when makesecret function executed, we load binary execute with GDB and verify functions definition and see assembly language.
gdb system.outinfo functionsdiass mainWe analyze main functions and see that makesecret function are called just before conditional check for open flag file. so we put a breakpoints at these two locations
b mainb make_secretOnce makesecret function is executed we can see RAX register, because in assembly function return value are stored at RAX register. We check value inside RAX and that was 0xd3770d6251b31be2, this value was same every time and it's same value that are return by hash function, which have defined number and salt value to generate hash.

CMP (compare) instruction comparing 2 value, one is return value from makesecret function and another is from strtoul function, which return first number from given string and ignore other string after spaces or characters. To get RAX and rbp-0xf8, we use these GDB commands:
info reg raxx $rbp-0xf8We analyze that $rbp-0xf8 holds value or first number we enter while program asking for hash to access account. So to get flag we need to enter decimal number of hash value which is 15237662580160011234₁₀ (0xd3770d6251b31be2).

THANK YOU !!!