flag From Pwnable.kr

###### tags: `pwnable.kr` `tutorials` `CTF` `hacking` `beginner` `flag` `binary exploitation` `pwn` `Toddlers' Bottle` # flag From Pwnable.kr #### Category : Toddler's Bottle The challenge flag was of reverse engineering category. Reverse Engineering is a handy skill to have while pwning binaries. The challenge gives only a binary and which mentions that it has allocated a malloc and saved the flag in that. So let's start the challenge. Let's read the prompt and download the important files to our box. ![](https://i.imgur.com/Z0b7GXK.png) ```bash wget http://pwnable.kr/bin/flag chmod +x flag ``` ## Dry Run Let's give the binary a dry run and see what happens. ```bash ./flag I will malloc() and strcpy the flag there. take it. ``` The binary says its has stored the contents of flag in the malloc that it created. So this should be easy, we open the binary in gdb and grab the contents that its strcpy to the malloc. ```bash gdb ./flag info fun ``` ![](https://i.imgur.com/q34PefX.png) There are no functions or calls in the binary. This is weird. On first glance this weird behaviour is difficult to analyze. One of the reasons that the binary shows no function in the gdb could be it is packed with upx. The man page of upx states that:- ```bash UPX is a portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers *very* fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression. ``` ## Unpack the binary Now let's unpack the binary with upx and analyse it in the gdb again. ```bash upx -d flag -o flag2 ``` ![](https://i.imgur.com/BKIhNz3.png) Now when you open it in gdb and check for functions you'll be able to see more data than earilier. ```bash gdb ./flag2 info fun ``` ![](https://i.imgur.com/YkTJHEv.png) That being said, now all we need to get the flag from the malloc. ## Getting the flag. 1. Set a breakpoint at main 1. Run the binary with command `r` 1. Run the binary step by step and see the memory (command `ni`). We see that, first a malloc is being created with argument 0x64 i.e 100. ![](https://i.imgur.com/Wer5s2J.png) And we see the flag being passed to malloc occupied memory. ![](https://i.imgur.com/WlYCiHT.png) Flag is: ```bash UPX...? sounds like a delivery service :) ```