YUBITSEC CTF: Learn reversing, or +925 points in a few minutes


Good day, everyone. Another CTF from YubitSec has just come to an end. Despite the difficulties at the beginning, caused by a heavy DDoS against all the sites hosting the tasks, the battle was quite hard. The tasks are still available at the link.


Gifted 50


The first and simplest task. There is no description, only a file; we download it, begin the analysis, and pick up the flag almost immediately:

gh0st3rs@leacher-pc:Gifted$ file gifted
gifted: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=90d4894c52975348b52134af2f3b33b9da7f0112, not stripped
gh0st3rs@leacher-pc:Gifted$ strings gifted | grep YUBIT
YUBITSEC{MEH_IT_IS_SOMETHING}


The Twin Towers 125


The description is still there, but this time, instead of a binary, we are offered a Java class.
Using jd-gui, we extract the source code:

Wtf.class
import java.io.PrintStream;

public class Wtf
{
  public static void main(String[] paramArrayOfString)
  {
    System.out.println("Tonight, as we mark the conclusion of our celebration of Black History Month, we are remindedof our Nation's path toward civil rights and the work that still remains. Recent threats targeting Jewish Community Centers and vandalism of Jewish cemeteries, as well as last week's shooting in Kansas City, remind us that while we may be a Nation  divided  on policies, we are a country that stands united in condemning hate and evil in all its forms.");

    String str = "0YUBITSEC{BUSH_DID_9_11}0";
    if (str == "BUSH DID 9.11") {
      flag();
    }
  }

  public static void flag()
  {
    String str1 = null;
    int i = 3;
    int j = 3;
    String str2 = null;
    j = 0 + j;
    if (j % 2 == 0)
    {
      String str3 = str2 + "error";
      String str4 = "Flag is not actually here...";
      String str5 = "59554249545345437B5730575F4D5543485F50524F4752414D4D494E475F4A4156417D";
    }
    else
    {
      int k = 59;
      int m = 554;
      int n = 249;
      int i1 = 545;
      int i2 = 345;
      int i3 = 437;

      String str6 = "B77";
      int i4 = 686;
      String str7 = "F5F757";

      str1 = Integer.toString(k) + Integer.toString(m) + Integer.toString(n) + Integer.toString(i1) + Integer.toString(i2) + Integer.toString(i3) + str6 + Integer.toString(i4) + str7 + "365735F6A6176615F696E5F323031377D";
    }
    System.out.println(str1);
  }
}


Judging by the code, the part we are interested in is the block in the else branch. We copy it into Python with a small edit, then run it:

def flag():
    k = 59
    m = 554
    n = 249
    i1 = 545
    i2 = 345
    i3 = 437
    str6 = "B77"
    i4 = 686
    str7 = "F5F757"
    str1 = str(k) + str(m) + str(n) + str(i1) + str(i2) + str(i3) + str6 + str(i4) + str7 + "365735F6A6176615F696E5F323031377D"
    print(str1)

>>> flag()
59554249545345437B77686F5F757365735F6A6176615F696E5F323031377D

Decode the resulting hex string and pick up a new flag:

YUBITSEC{who_uses_java_in_2017}


Reverse101 225


The description contains only one phrase:
Jump over it.

And an attached file. We open it in IDA:

It just...
.text:00000000004007AF mov dword ptr [rax], 'Y'
.text:00000000004007B5 add rax, 4
.text:00000000004007B9 sub rdx, 1
.text:00000000004007BD mov dword ptr [rax], 'U'
.text:00000000004007C3 add rax, 4
.text:00000000004007C7 sub rdx, 1
.text:00000000004007CB mov dword ptr [rax], 'B'
.text:00000000004007D1 add rax, 4
.text:00000000004007D5 sub rdx, 1
.text:00000000004007D9 mov dword ptr [rax], 'I'
.text:00000000004007DF add rax, 4
.text:00000000004007E3 sub rdx, 1
.text:00000000004007E7 mov dword ptr [rax], 'T'
.text:00000000004007ED add rax, 4
.text:00000000004007F1 sub rdx, 1
.text:00000000004007F5 mov dword ptr [rax], 'S'
.text:00000000004007FB add rax, 4
.text:00000000004007FF sub rdx, 1
.text:0000000000400803 mov dword ptr [rax], 'E'
.text:0000000000400809 add rax, 4
.text:000000000040080D sub rdx, 1
.text:0000000000400811 mov dword ptr [rax], 'C'
.text:0000000000400817 add rax, 4
.text:000000000040081B sub rdx, 1
.text:000000000040081F mov dword ptr [rax], '{'
.text:0000000000400825 add rax, 4
.text:0000000000400829 sub rdx, 1
.text:000000000040082D mov dword ptr [rax], 'U'
.text:0000000000400833 add rax, 4
.text:0000000000400837 sub rdx, 1
.text:000000000040083B mov dword ptr [rax], 'S'
.text:0000000000400841 add rax, 4
.text:0000000000400845 sub rdx, 1
.text:0000000000400849 mov dword ptr [rax], 'E'
.text:000000000040084F add rax, 4
.text:0000000000400853 sub rdx, 1
.text:0000000000400857 mov dword ptr [rax], '_'
.text:000000000040085D add rax, 4
.text:0000000000400861 sub rdx, 1
.text:0000000000400865 mov dword ptr [rax], 'G'

.text:000000000040086F sub rdx, 1
.text:0000000000400873 mov dword ptr [rax], 'D'
.text:0000000000400879 add rax, 4
.text:000000000040087D sub rdx, 1
.text:0000000000400881 mov dword ptr [rax], 'B'
.text:0000000000400887 add rax, 4
.text:000000000040088B sub rdx, 1
.text:000000000040088F mov dword ptr [rax], '_'
.text:0000000000400895 add rax, 4
.text:0000000000400899 sub rdx, 1
.text:000000000040089D mov dword ptr [rax], 'P'
.text:00000000004008A3 add rax, 4
.text:00000000004008A7 sub rdx, 1
.text:00000000004008AB mov dword ptr [rax], 'E'
.text:00000000004008B1 add rax, 4
.text:00000000004008B5 sub rdx, 1
.text:00000000004008B9 mov dword ptr [rax], 'D'
.text:00000000004008BF add rax, 4
.text:00000000004008C3 sub rdx, 1
.text:00000000004008C7 mov dword ptr [rax], 'A'
.text:00000000004008CD add rax, 4
.text:00000000004008D1 sub rdx, 1
.text:00000000004008D5 mov dword ptr [rax], '_'
.text:00000000004008DB add rax, 4
.text:00000000004008DF sub rdx, 1
.text:00000000004008E3 mov dword ptr [rax], 'S'
.text:00000000004008E9 add rax, 4
.text:00000000004008ED sub rdx, 1
.text:00000000004008F1 mov dword ptr [rax], 'R'
.text:00000000004008F7 add rax, 4
.text:00000000004008FB sub rdx, 1
.text:00000000004008FF mov dword ptr [rax], 'S'
.text:0000000000400905 add rax, 4
.text:0000000000400909 sub rdx, 1
.text:000000000040090D mov dword ptr [rax], 'L'
.text:0000000000400913 add rax, 4
.text:0000000000400917 sub rdx, 1
.text:000000000040091B mov dword ptr [rax], 'Y'
.text:0000000000400921 add rax, 4
.text:0000000000400925 lea rcx, [rdx-1]
.text:0000000000400929 mov dword ptr [rax], '}'
.text:000000000040092F lea rdx, [rax+4]
.text:0000000000400933 lea rax, [rcx-1]


The flag can be copied out directly from here or, as the description suggests, you can put a breakpoint at the end and dump the memory. The flag itself:

YUBITSEC{USE_GDB_PEDA_SRSLY}
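
Reading the characters off the listing can also be done mechanically. The following is an added example, not part of the original write-up: it replays the dword stores through rax and decodes the resulting buffer, which shows that each character occupies 4 bytes and lives in an instruction immediate rather than in a contiguous string. SAMPLE holds the first lines of the listing above; the function names are introduced here, and the parser assumes decimal immediates in "add rax, N".

```python
import re

# First lines of the IDA listing above, embedded so the example runs offline.
SAMPLE = """\
.text:00000000004007AF mov dword ptr [rax], 'Y'
.text:00000000004007B5 add rax, 4
.text:00000000004007B9 sub rdx, 1
.text:00000000004007BD mov dword ptr [rax], 'U'
.text:00000000004007C3 add rax, 4
.text:00000000004007C7 sub rdx, 1
.text:00000000004007CB mov dword ptr [rax], 'B'
.text:00000000004007D1 add rax, 4
"""

STORE = re.compile(r"mov\s+dword ptr \[rax\],\s*'(.)'")
ADVANCE = re.compile(r"add\s+rax,\s*(\d+)")  # assumption: decimal immediate

def rebuild_buffer(listing):
    """Replay the stores made through rax and return the bytes they write."""
    mem, offset = bytearray(), 0
    for line in listing.splitlines():
        store = STORE.search(line)
        if store:
            end = offset + 4
            if len(mem) < end:
                mem.extend(b"\0" * (end - len(mem)))
            # A dword store of a character: little-endian, zero-padded to 4 bytes.
            mem[offset:end] = ord(store.group(1)).to_bytes(4, "little")
            continue
        advance = ADVANCE.search(line)
        if advance:
            offset += int(advance.group(1))
    return bytes(mem)

def recover_string(listing):
    """Decode the rebuilt buffer as 4-byte little-endian characters."""
    return rebuild_buffer(listing).decode("utf-32-le")

if __name__ == "__main__":
    print(rebuild_buffer(SAMPLE))
    print(recover_string(SAMPLE))
```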


Password 250


From the small description, it follows that the flag is a number:
The flag is the password. (Integer)

Flag format: YUBITSEC{}

We download the file, open it in IDA and, after looking through the main function a little, find the call to check_password:



The password is found; it is also part of the flag:
YUBITSEC{1453}


Reverse The Snake! 275


Description again, but this time there is a *.pyc file. After decompiling, we get the following:

gh0st3rs@leacher-pc:ReverseTheSnake!$ uncompyle6 WTF.pyc 
# uncompyle6 version 2.9.10
# The bytecode of Python 2.7 (62211)
# Decompiled from: Python 3.4.3 (default, Nov 17 2016, 01:08:31) 
# [GCC 4.8.4]
# Embedded file name: ./decompile.py
# Compiled at: 2017-04-20 04:11:32


def flag():
    a = 5955
    b = 4249
    c = 5453
    d = 4543
    f = 7
    e = 'b4641524557454C4C5F42414C4C41447d'
    flg = str(a) + str(b) + str(c) + str(d) + str(f) + e


print 'You must decompile me.'
# decompiling okay WTF.pyc

After running the function in the interpreter, we get the next flag, or rather its hex representation:
59554249545345437b4641524557454c4c5f42414c4c41447d -> YUBITSEC{FAREWELL_BALLAD}
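
The fragment concatenation and hex decoding used for The Twin Towers and Reverse The Snake!, as an added example that is not code from the original article: the constants are copied from the two decompiled listings above, while assemble, decode_flag and the flag-format check are names and assumptions introduced here. It also decodes str5 from the Java branch that is not taken, which is flag-shaped but never printed.

```python
import re

FLAG_RE = re.compile(r"YUBITSEC\{[ -~]+\}")  # flag format stated on the page

def assemble(parts):
    """Join int/str fragments the way the decompiled code concatenates them."""
    return "".join(str(p) for p in parts)

def decode_flag(hex_text):
    """Hex-decode hex_text; accept the result only if it looks like a flag."""
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hex_text):
        raise ValueError("not a hex string: %r" % hex_text)
    text = bytes.fromhex(hex_text).decode("ascii")
    if not FLAG_RE.fullmatch(text):
        raise ValueError("not flag-shaped: %r" % text)
    return text

def twin_towers():
    """Replay flag() from Wtf.class; returns (printed flag, decoy)."""
    j = 0 + 3          # j stays odd, so the Java code takes the else branch
    printed = None     # str1 starts as null
    if j % 2 != 0:
        printed = assemble([59, 554, 249, 545, 345, 437, "B77", 686,
                            "F5F757", "365735F6A6176615F696E5F323031377D"])
    # str5 from the if branch: never reached and never assigned to str1.
    decoy = ("59554249545345437B5730575F4D5543485F"
             "50524F4752414D4D494E475F4A4156417D")
    return decode_flag(printed), decode_flag(decoy)

def reverse_the_snake():
    """Rebuild flg from the constants in the decompiled WTF.pyc."""
    return decode_flag(assemble([5955, 4249, 5453, 4543, 7,
                                 "b4641524557454C4C5F42414C4C41447d"]))

if __name__ == "__main__":
    print(twin_towers())
    print(reverse_the_snake())
```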

Thus, in total and without effort, that comes to +925 to the team's overall rating. Learn reversing, it is interesting!
Article based on information from habrahabr.ru
