Tuesday, March 8, 2016

BKP Writeup - JIT in my Pants

Author: Spitfire

This challenge was a reversing challenge for Boston Key Party CTF 2016.

The challenge name immediately gave away that dynamic debugging is the key to solving this challenge. According to Wikipedia: "In computing, just-in-time (JIT) compilation, also known as dynamic translation, is compilation done during execution of a program - at run time - rather than prior to execution."

I initially ran the program with no arguments, and it immediately exited. It takes one argument, the flag, and the program will check to make sure it is the correct flag.

My strategy for solving the challenge was to figure out where the program starts (via readelf and IDA), find where my input is initially stored in memory, and then set a watchpoint that fires whenever that input is accessed again. I set a couple of breakpoints at the start of the program, which resulted in the following output upon execution.

I then set a watchpoint on the flag guess I entered (BKP{HACK_ALL_THE_THINGS}) and continued. I was able to continue through the program a couple of steps until I hit the following output.

I noticed that the address 0x778333 was beyond the final memory address shown in IDA, which meant that somewhere between the start of the program and this point, the binary had generated the code in this region at run time (the JIT). Awesome! I know I'm at a good spot.

In the registers, you can see the first character of my input and the first character of some random string being stored. I can assume this string is the encrypted flag, which the program will somehow compare against my input.

As you can see above, the next few instructions take the first character of my input, XOR it with five, subtract one, and then compare it to the first character of the random string.

So, to make this simple, I took the random string, added one to each character, and then XOR'd each character with five (the inverse of the check, applied in reverse order).

The result:

Flag: BKPCTF{S1de_Ch4nnel_att4cks_are_s0_1338}
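As an added example (not code from the writeup), here is a small Python model of the per-character check described above and the inverse transform used to recover the flag. The writeup does not print the bytes of the "random string", so the expected bytes below are constructed by encoding the known flag.

```python
# Added example: model of the JIT'd check ((input ^ 5) - 1 == expected) and
# its inverse ((expected + 1) ^ 5). The EXPECTED bytes are CONSTRUCTED from
# the recovered flag because the writeup does not list the compared string.

KEY = 5  # constant the JIT-compiled code XORs each input byte with


def encode_char(ch: int) -> int:
    """Transform one input byte the way the check does: XOR 5, then subtract 1.
    The & 0xFF keeps the result a byte, as the register-level code would."""
    return ((ch ^ KEY) - 1) & 0xFF


def decode_char(ch: int) -> int:
    """Invert encode_char: add 1 first, then XOR 5 (XOR is its own inverse)."""
    return ((ch + 1) & 0xFF) ^ KEY


def encode(s: bytes) -> bytes:
    return bytes(encode_char(b) for b in s)


def decode(s: bytes) -> bytes:
    return bytes(decode_char(b) for b in s)


# Constructed stand-in for the "random string" the binary compares against.
EXPECTED = encode(b"BKPCTF{S1de_Ch4nnel_att4cks_are_s0_1338}")


def check(guess: bytes) -> int:
    """Per-character comparison as observed in the debugger.
    Returns -1 if the whole guess matches, otherwise the index of the first
    byte that fails the (guess ^ 5) - 1 == expected test."""
    n = min(len(guess), len(EXPECTED))
    for i in range(n):
        if encode_char(guess[i]) != EXPECTED[i]:
            return i
    return -1 if len(guess) == len(EXPECTED) else n


if __name__ == "__main__":
    print("recovered flag:", decode(EXPECTED).decode())
    print("first mismatch for BKP{HACK_ALL_THE_THINGS}:",
          check(b"BKP{HACK_ALL_THE_THINGS}"))
```

Running it prints the flag recovered from EXPECTED and shows that the writeup's guess already fails at index 3 (the first three bytes, "BKP", match).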

Thursday, September 24, 2015

Writeup - CSAW 2015 : Crypto 50 - whiter0se


whiter0se presents us with a broken m4v file, which becomes readily obvious when opening it up in HxD. HxD shows us that the content of the file is:


Work smarter, not harder: http://www.quipqiup.com/index.php is a great cryptogram solver by Edwin Olson which I’ve used to solve a bunch of similar challenges. When you put the content of whiter0se into quipqiup, it kicks back the flag!

Writeup - CSAW 2015 : Forensics - Airports



Airports presented us with 4 images of airports from around the world and one image called “Steghide.jpg” (Might be a hint!?). After 15 minutes of reconnaissance on these pictures, we found all of the airport codes: HAV, HKG, LAX and YYZ. We concatenated these together, resulting in the passphrase “HAVHKGLAXYYZ”. Using the tool from the hint, Steghide, we ran “steghide extract -sf steghide.jpg -p HAVHKGLAXYYZ”. This gave us a key.txt file, which contained the flag “iH4t3A1rp0rt5”!