⏪
CTFs
TwitterGithub
  • 👋Introduction
  • 📚Write Up
    • 2024
      • 📖1337UP LIVE CTF
        • Reverse Engineering
        • Mobile
        • Forensic
        • Misc
      • 📖HKCERT CTF Quals
        • Reverse Engineering
        • Binary Exploitation
      • 📖Flare-On 11
        • Challenge #1 - frog
      • 📖Intechfest
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Mobile
      • 📖Cyber Breaker Competition (1v1)
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
        • Binary Exploitation
      • 📖Cyber Breaker Competition Quals
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
      • 📖BlackHat MEA Quals
        • Reverse Engineering
        • Forensic
      • 📖TFC CTF
        • Reverse Engineering
        • Forensic
        • Misc
      • 📖DeadSec CTF
        • Reverse Engineering
        • Web Exploitation
      • 📖Aptos - Code Collision CTF
        • Reverse Engineering
        • Misc
      • 📖DownUnder CTF
        • Reverse Engineering
      • 📖JustCTF
        • Reverse Engineering
        • Forensic
        • Misc
      • 📖Akasec CTF
        • Reverse Engineering
        • Forensic
      • 📖Codegate CTF Preliminary
        • Reverse Engineering
      • 📖NahamCon CTF
        • Cryptography
        • Reverse Engineering
        • Malware
        • Misc
        • Mobile
        • Scripting
        • Web Exploitation
        • Forensic
      • 📖SAS CTF Quals
        • Reverse Engineering
      • 📖SwampCTF
        • Reverse Engineering
        • Misc
        • Cryptography
      • 📖UNbreakable International
        • Reverse Engineering
        • Network
        • Cryptography
      • 📖ACSC
        • Reverse Engineering
        • Hardware
        • Web Exploitation
      • 📖0xL4ugh
        • Mobile
    • 2023
      • 📖BlackHat MEA Final
        • Reverse Engineering
        • Web Exploitation
      • 📖Flare-On 10
        • Challenge #1 - X
        • Challenge #2 - ItsOnFire
        • Challenge #3 - mypassion
        • Challenge #4 - aimbot
        • Challenge #5 - where_am_i
        • Challenge #6 - FlareSay
        • Challenge #7 - flake
        • Challenge #8 - AmongRust
        • Challenge #9 - mbransom
        • Challenge #10 - kupo
        • Challenge #11 - over_the_rainbow
        • Challenge #12 - HVM
        • Challenge #13 - y0da
      • 📖LakeCTF Quals
        • Reverse Engineering
        • Cryptography
      • 📖TSG CTF
        • Reverse Engineering
        • Cryptography
      • 📖ISITDTU Quals
        • Web Exploitation
        • Misc
        • Reverse Engineering
      • 📖BlackHat MEA Quals
        • Reverse Engineering
      • 📖ASCIS Final
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
      • 📖ASCIS Quals
        • Reverse Engineering
        • Forensic
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
        • Misc
      • 📖Cyber Jawara International
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Web Exploitation
      • 📖Intechfest
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Mobile
      • 📖CSAW Quals
        • Reverse Engineering
      • 📖SECCON Quals
        • Reverse Engineering
      • 📖CTFZone Quals
        • Reverse Engineering
      • 📖Securinets Quals
        • Reverse Engineering
      • 📖Compfest Final (Attack Defense)
        • Web Exploitation
        • Cryptography
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
        • Forensic
        • Misc
      • 📖Tenable
        • Reverse Engineering
        • Cryptography
        • Steganography
      • 📖ASCWG Quals
        • Reverse Engineering
        • Cryptography
      • 📖Gemastik Quals
        • Reverse Engineering
      • 📖BSides Indore
        • Reverse Engineering
        • Cryptography
      • 📖NahamCon CTF
        • Cryptography
      • 📖HSCTF
        • Reverse Engineering
        • Cryptography
        • Web Exploitation
        • Misc
      • 📖ACSC
        • Reverse Engineering
      • 📖HackTM Quals
        • Reverse Engineering
    • 2022
      • 📖Intechfest
        • Reverse Engineering
        • Mobile
        • Cryptography
      • 📖NCW Final
        • Reverse Engineering
      • 📖NCW Quals
        • Reverse Engineering
        • Misc
        • Cryptography
      • 📖Compfest Final
        • Reverse Engineering
        • Forensic
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
        • Forensic
    • 2021
      • 📖Cyber Jawara Final
        • Reverse Engineering
      • 📖Cyber Jawara Quals
        • Reverse Engineering
        • Cryptography
      • 📖DarkCon CTF
        • Reverse Engineering
      • 📖Wreck IT Quals
        • Mobile
      • 📖MDT4.0 Final
        • Reverse Engineering
        • Cryptography
        • Forensic
      • 📖MDT4.0 Quals
        • Reverse Engineering
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
      • 📖Compfest Final
        • Reverse Engineering
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
    • 2020
      • 📖Deep CTF
        • Reverse Engineering
  • 🚩Lifetime CTF
    • 📖Hack The Box
      • Reverse Engineering
        • TBU
Powered by GitBook
On this page
  • Baby SoC (256 pts)
  • Description
  • Solution
  • Budget SoC (363 pts)
  • Description
  • Solution
  1. Write Up
  2. 2024
  3. JustCTF

Forensic

PreviousReverse EngineeringNextMisc

Last updated 10 months ago

Challenge
Link

Baby SoC (256 pts) 🥈

Budget SoC (363 pts) 🥈

Baby SoC (256 pts)

Description

We found really funny device. It was broken from the beginning, trust us! Can you help with recovering the truth?

Solution

Given flashdump.bin, parse the executable using parser. There will be issue if we use the newer version of esptool library, use this to solve the issue. First, take a look on available partition on the flashdump.bin

python3 esp32_image_parser.py show_partitions flashdump.bin

Dump app0 executable using create_elf argument.

python esp32_image_parser.py create_elf flashdump.bin -partition app0 -output app.elf

Use ghidra to decompile the ELF file. Looking at available strings that there is "Flag" string.

FUN_400d2964
---snippet---
  memw();
  memw();
  iStack_24 = _DAT_3ffc4170;
  FUN_400d8108(0x3ffc3f3c,&DAT_3f400120);
  memcpy_(auStack_7c,s__<!DOCTYPE_html>_<html>_<head>_<_3f400125);
  if (DAT_3ffc3ce8 != '\0') {
    FUN_400d8108(0x3ffc3f3c,s_here2_3f4002d0);
    FUN_400d293c(auStack_49);
    memcpy_(auStack_6c,auStack_49);
    memcpy_(auStack_5c,s_<h2>Flag:_3f4002d6);
    uVar2 = FUN_400d87ec(auStack_5c,auStack_6c);
    uVar2 = FUN_400d881c(uVar2,s_</h2>_3f4002e1);
    FUN_400d8708(auStack_7c,uVar2);
    FUN_400d82dc(auStack_5c);
    FUN_400d80f0(0x3ffc3f3c,auStack_6c);
    FUN_400d82dc(auStack_6c);
  }
  FUN_400d87b8(auStack_7c,s_</body></html>_3f4002e7);
  FUN_400d7334(0x3ffc3cec,200,s_text/html_3f4002f6,auStack_7c);
  FUN_400d82dc(auStack_7c);
---snippet---

As we can see on line 12 there is code like an string builder that result <h2>Flag: ??? </h2>. So we can assume that auStack_6c is the variable that store the flag. auStack_6c copied from auStack_49 that constructed from FUN_400d293c. Take a look on FUN_400d293c.

void FUN_400d293c(byte *param_1)

{
  *param_1 = DAT_3ffbdb68 ^ DAT_3ffbdb8d;
  return;
}

FUN_400d293c do xor for two static values which are DAT_3ffbdb68 and DAT_3ffbdb8d. To get the flag we just need to do xor for those static values.

a = [0xEE,0xCE,0x48,0x21,0x63,0xA8,0x1C,0xB8,0xA8,0x61,0x61,0x0D,0x8B,0x36,0xF0,0x07,0x25,0x85,0x5C,0xB0,0x6A,0x4B,0xC6,0xEF,0xBB,0x74,0x80,0x06,0x67,0x44,0xED,0x2A,0xD3,0x26,0xF7, 0xC6]
b = [0x84,0xBB,0x3B,0x55,0x20,0xFC,0x5A,0xC3,0xD1,0x0E,0x14,0x52,0xF3,0x06,0x82,0x58,0x48,0xE0,0x03,0xC2,0x5B,0x2C,0xAE,0x9B,0xE4,0x06,0xB0,0x73,0x09,0x20,0xB2,0x48,0xE7,0x44,0x8E,0xBB]

flag = b""
for i in range(len(a)):
    flag += bytes([a[i] ^ b[i]])
print(flag)

Flag: justCTF{you_x0r_me_r1ght_r0und_b4by}

Budget SoC (363 pts)

Description

We've obtained a mysterious device. Our forensic team tried to retrieve the original source code, but something went wrong. Fortunately, we managed to dump the memory into a file. Can you find what we need?

Solution

python3 esp32_image_parser.py show_partitions flashdump.bin

Dump app0 executable using create_elf argument.

python esp32_image_parser.py create_elf flashdump.bin -partition app0 -output app0.elf

Open it using ghidra and look at string "flag" we will found reference to the function that will produce flag like in previous SOC challenge.

Rename some variable and function to make it easier to understand.

FUN_400d29b
---snippet--- 
memw();
  memw();
  iStack_24 = _DAT_3ffc4120;
  FUN_400d88c4(0x3ffc3eec,&DAT_3f400120);
  memcpy_(auStack_94,s__<!DOCTYPE_html>_<html>_<head>_<_3f400125);
  if (DAT_3ffc3ca8 != '\0') {
    FUN_400d88c4(0x3ffc3eec,s_here2_3f4002d0);
    if (0x83 < _DAT_3ffc3e3c) {
      allocation_(ciphertext,_DAT_3ffc3e38 + 100,0x20);
    }
    FUN_400d296c(ciphertext,decrypted,0x20);
    memcpy_(auStack_84,decrypted);
    memcpy_(auStack_74,s_<h2>Flag:_3f4002d6);
    uVar2 = FUN_400d8fa8(auStack_74,auStack_84);
    uVar2 = FUN_400d8fd8(uVar2,s_</h2>_3f4002e1);
    FUN_400d8ec4(auStack_94,uVar2);
    FUN_400d8a98(auStack_74);
    FUN_400d88ac(0x3ffc3eec,auStack_84);
    FUN_400d8a98(auStack_84);
  }
---snippet---

So the ciphertext are processed on function FUN_400d296c, next take a look on function FUN_400d296c. There are some constant in the function so it nice to search it on github.

From above code we can see that the constant is actually from aes decrypt process. Looking at another function looks like it is same like in the app0.elf function. So the last step is basically finding the key and the ciphertext used by the function in app0.elf.

undefined4
FUN_400d82e4(int instance,undefined4 ciphertext,int param_3,undefined4 param_4,undefined4 key,
            undefined2 length,undefined4 param_7)

{
  undefined4 uVar1;
  int iVar2;
  
  *(instance + 0xfc) = param_3;
  aes_key_expand(instance,key,length);
  iVar2 = param_3 + 0xf;
  if (-1 < param_3) {
    iVar2 = param_3;
  }
  aes_(instance,ciphertext,param_4,iVar2 >> 4,param_7);
  uVar1 = FUN_40173bc4(instance,param_4,param_3);
  return uVar1;
}

From the caller function we get the key, which is on the fifth argument (DAT_3ffbdb68). The ciphertext is on second argument and it allocated from function allocation_ that we assume the data is from _DAT_3ffc3e38.

FUN_400d831c(auStack_134,ciphertext,param_3,output,&DAT_3ffbdb68,0x10,uVar1);

Looking at ELF file, we know that _DAT_3ffc3e38 is not stored on it.

So we assume that the data is maybe on runtime memory. Because we have the flashdump.bin we try to directly find the ciphertext by bruteforcing all 32 bytes value in the flashdump.bin. Below is our script to do bruteforce.

from Crypto.Cipher import AES

f = open("flashdump.bin", "rb").read()
key = [0x33,0xBD,0xFB,0x72,0x4C,0x22,0x87,0x33,0x62,0xFF,0x75,0x41,0xD5,0x14,0xF6,0xFD]
bytes_key = bytes(key)

for i in range(0, len(f) - 32):
	cipher = AES.new(bytes_key, AES.MODE_ECB)
	tmp = f[i:i+32]
	res = cipher.decrypt(tmp)
	if b"just" in res:
		print(i, res)

Looks like we got partial flag, so the mode should be not ECB. The next step we do is trying to use AES CBC with iv null bytes, because the first block is already correct plaintext.

from Crypto.Cipher import AES

f = open("flashdump.bin", "rb").read()
key = [0x33,0xBD,0xFB,0x72,0x4C,0x22,0x87,0x33,0x62,0xFF,0x75,0x41,0xD5,0x14,0xF6,0xFD]
bytes_key = bytes(key)
iv = b"\x00"*16
i = 42308
cipher = AES.new(bytes_key, AES.MODE_CBC, iv)
tmp = f[i:i+32]
print(cipher.decrypt(tmp))

Flag: justCTF{dUmp3d_r3v3rs3d_h4ck3d}

Given flashdump.bin, parse the executable using parser. There will be issue if we use the newer version of esptool library, use this to solve the issue. First, take a look on available partition on the flashdump.bin.

Search for the constant in 4 bytes format, and i found .

📚
📖
this
patch
https://github.com/search?q=0x52096ad5&type=code
this
Here
Here
this
patch