
Reverse Engineering


Last updated 1 year ago

Challenge
Link

What am I? (80 pts)

Can you break the armor? (180 pts)

Light up the Server (320 pts)

What am I? (80 pts)

Description

-

Solution

We are given a DLL file. Decompiling it does not reveal anything interesting, so the next step is to inspect the file with CFF Explorer. In the Resource Editor, we find the flag embedded as an image.

Flag : BHFlagY{c3wl_r3s0rce_f1nding}

Light up the Server (320 pts)

Description

-

Solution

We are given a 64-bit ELF file.

Open it in IDA and look at the main function and the strings window.

I searched GitHub for the string "-f filename of the config-file" and found this.

Now we know that the executable may be lighttpd, since it contains strings that are present in the lighttpd repository. The given executable contains many functions that are likely the same as those in the original lighttpd, so my approach is to find the functions that do not exist in the original lighttpd. The first step is to find the exact version of lighttpd used in the challenge.

In the strings window, "1.4.72-devel" appears right before "\nusage", and based on the repository that string should be the lighttpd version in use.

Now clone that specific version from the lighttpd repository and build the binary.

git clone -b lighttpd-1.4.72 https://github.com/lighttpd/lighttpd1.4.git
cd lighttpd1.4
cmake .
make
file build/lighttpd

Now that we have the original lighttpd binary, we need a way to compare the two binaries at a low level. Searching on Google, I found this plugin for IDA: Diaphora (http://diaphora.re/). Download the plugin, then open diaphora.py through IDA's script file option. First, I opened the original lighttpd binary and used Diaphora to dump the IDA database in SQLite format with the option below.

Next, open the challenge file and load Diaphora again. This time, put lighttpd_new.sqlite in the "SQLite database to diff against" field, then click OK.

Several tabs open once the Diaphora analysis is done. Since the challenge binary is in the first position, open the primary tab and check the functions one by one.

The last stripped function before the libc functions is suspicious.

We can see that the function compiles a regex and matches a variable against the pattern. Analyzing the first few parts of the pattern, we find that it matches the flag format. I used this online regex tester (https://regex101.com/) to debug it. We need to remove some backslashes to make the pattern valid there.

^\\([a-z]\\?[^a-e,g-z]\\)la[g]{\\(h\\)0\\(s\\)t_\\2\\(e\\)4d\\4\\(r\\([_]\\?[^a-z]\\)\\)\\(!\\)n\\(\\(j\\(3\\)\\)cti0\\)n\\(_\\)1s\\6\\{1\\}5up3\\5c3wl}$

With the extra backslashes removed, the first part of the pattern is:

^([a-z]?[^a-e,g-z])la[g]{
  • [a-z]? matches one letter from a to z, optionally, so it can be empty

  • [^a-e,g-z] matches a character that is not a-e, a comma, or g-z, so here it is the string "f"

  • la is the literal string "la"

  • [g] is the literal string "g"

So we just need to continue debugging the rest of the pattern:

(h)0(s)t_\2(e)4d\4(r([_]?[^a-z]))(!)n((j(3))cti0)n(_)1s\6{1}5up3\5c3wl}$

Create the groups based on the round brackets (). Each entry lists the group number, the start-end offsets of its match in the flag, and the matched text:
+ group 1, 0-1    f
+ group 2, 5-6    h
+ group 3, 7-8    s
+ group 4, 11-12  e
+ group 5, 15-17  r_
+ group 6, 16-17  _
+ group 7, 17-18  !
+ group 8, 19-25  j3cti0
+ group 9, 19-21  j3
+ group 10, 20-21 3
+ group 11, 26-27 _

- (h) == h
- 0 == 0
- (s) == s
- t == t
- _ == _
- \2 == h, match second group
- (e) == e
- 4d == 4d
- \4 == e, match fourth group
- (r([_]?[^a-z])) == r_, r, then an optional underscore, then one character that is not a-z (here the underscore itself)
- (!) == !
- n == n
- ((j(3))cti0) == j3cti0
- n == n
- (_) == _
- 1s == 1s
- \6{1} == _, match sixth group
- 5up3 == 5up3
- \5 == r_, match fifth group
- c3wl}$ == c3wl}

Flag : flag{h0st_he4der_!nj3cti0n_1s_5up3r_c3wl}
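The group-by-group analysis above can be reproduced offline instead of by hand. The following Python sketch is an added example, not part of the original write-up: it assumes the pattern is POSIX basic-regex (BRE) syntax as seen in a C string literal (doubled backslashes), translates it to Python re syntax, and returns every capture group with its offsets. The names bre_to_python and capture_groups are invented for this example.

```python
import re

# Pattern as it appears in the binary's C string literal (backslashes doubled).
C_LITERAL = (r"^\\([a-z]\\?[^a-e,g-z]\\)la[g]{\\(h\\)0\\(s\\)t_\\2\\(e\\)4d\\4"
             r"\\(r\\([_]\\?[^a-z]\\)\\)\\(!\\)n\\(\\(j\\(3\\)\\)cti0\\)n\\(_\\)"
             r"1s\\6\\{1\\}5up3\\5c3wl}$")
FLAG = "flag{h0st_he4der_!nj3cti0n_1s_5up3r_c3wl}"
BRE_OPERATORS = "(){}?+|"  # operators in (GNU) BRE only when backslash-escaped


def bre_to_python(bre):
    """Translate a POSIX basic regex (BRE) into Python `re` syntax."""
    out, i = [], 0
    while i < len(bre):
        ch = bre[i]
        if ch == "[":
            # Bracket expression: copy verbatim up to its closing ']'
            # (a ']' placed first inside the brackets is a literal).
            start = i + 2 if bre[i + 1:i + 2] == "^" else i + 1
            end = bre.index("]", start + 1)
            out.append(bre[i:end + 1])
            i = end + 1
        elif ch == "\\" and i + 1 < len(bre):
            nxt = bre[i + 1]
            # \( \) \{ \} \? become operators; \N backreferences stay as-is.
            out.append(nxt if nxt in BRE_OPERATORS else ch + nxt)
            i += 2
        else:
            # Unescaped ( ) { } ? + | are literal characters in BRE.
            out.append("\\" + ch if ch in BRE_OPERATORS else ch)
            i += 1
    return "".join(out)


def capture_groups(c_literal, candidate):
    """Return [(group, start, end, text), ...] or None if there is no match."""
    bre = c_literal.replace("\\\\", "\\")  # undo the C string escaping
    m = re.match(bre_to_python(bre), candidate)
    if m is None:
        return None
    return [(n, m.start(n), m.end(n), m.group(n))
            for n in range(1, m.re.groups + 1)]


if __name__ == "__main__":
    for row in capture_groups(C_LITERAL, FLAG):
        print("group %2d  %2d-%-2d  %s" % row)
```

Changing any character that is tied to a backreference (for example the underscore after "1s", which must equal group 6) makes capture_groups return None.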

http://diaphora.re/
https://regex101.com/