## ECOWAS CTF Pre-Qual 2023

I participated in the ECOWAS CTF pre-qualification and had a blast! While some challenges were tough, it was all part of the fun. Here are the solutions to the Reverse challenges I cracked and blooded :100:
### Reverse challenges
#### veyize : 100 points

This reverse challenge was quite weird and simple at the same time. Let's go :100:
I started by opening the file in Ghidra. The main function shows there are three checks to be passed, and if you fail any of them the explode function is called, which basically quits the program with a try harder message.

### Phase1
In the phase1 function we get a loop that compares each character of our input with the corresponding character of a hardcoded string. If any of the characters don't match, the explode function is called as well. To pass this check we need to supply that exact string…

### Phase2
Phase2 does a lot of work. Trying to understand the decompiled code proved to be tiresome, but the code helps in that we know the result computed from our input must equal that hardcoded value!

One of the best ways to find the right input is dynamic analysis. We are supposed to enter 4 numbers; since we don't have a bruteforce script, we can enter the same number 4 times and check whether the resulting value is close to the hardcoded value. E.g. 500 gives 2040000, which is slightly higher than the required value.


```
(gdb) disass phase2
Dump of assembler code for function phase2:
0x00000a04 <+0>: push %ebp
0x00000a05 <+1>: mov %esp,%ebp
0x00000a07 <+3>: push %ebx
0x00000a08 <+4>: sub $0x34,%esp
0x00000a0b <+7>: call 0x700 <__x86.get_pc_thunk.bx>
0x00000a10 <+12>: add $0x2590,%ebx
0x00000a16 <+18>: mov %gs:0x14,%eax
0x00000a1c <+24>: mov %eax,-0xc(%ebp)
0x00000a1f <+27>: xor %eax,%eax
0x00000a21 <+29>: sub $0xc,%esp
0x00000a24 <+32>: lea -0x20a2(%ebx),%eax
0x00000a2a <+38>: push %eax
0x00000a2b <+39>: call 0x640 <puts@plt>
0x00000a30 <+44>: add $0x10,%esp
0x00000a33 <+47>: movl $0x0,-0x34(%ebp)
0x00000a3a <+54>: jmp 0xa4e <phase2+74>
0x00000a3c <+56>: call 0x8cd <get_number>
0x00000a41 <+61>: mov %eax,%edx
0x00000a43 <+63>: mov -0x34(%ebp),%eax
0x00000a46 <+66>: mov %edx,-0x1c(%ebp,%eax,4)
0x00000a4a <+70>: addl $0x1,-0x34(%ebp)
0x00000a4e <+74>: cmpl $0x3,-0x34(%ebp)
0x00000a52 <+78>: jle 0xa3c <phase2+56>
0x00000a54 <+80>: movl $0x0,-0x30(%ebp)
0x00000a5b <+87>: movl $0x0,-0x2c(%ebp)
0x00000a62 <+94>: jmp 0xab5 <phase2+177>
0x00000a64 <+96>: mov -0x2c(%ebp),%eax
0x00000a67 <+99>: mov -0x1c(%ebp,%eax,4),%eax
0x00000a6b <+103>: mov %eax,-0x20(%ebp)
0x00000a6e <+106>: movl $0x0,-0x28(%ebp)
0x00000a75 <+113>: jmp 0xaab <phase2+167>
0x00000a77 <+115>: movl $0x0,-0x24(%ebp)
0x00000a7e <+122>: jmp 0xaa1 <phase2+157>
0x00000a80 <+124>: mov -0x28(%ebp),%eax
0x00000a83 <+127>: lea 0x0(,%eax,4),%edx
0x00000a8a <+134>: mov -0x24(%ebp),%eax
0x00000a8d <+137>: add %edx,%eax
0x00000a8f <+139>: mov 0x80(%ebx,%eax,4),%eax
0x00000a96 <+146>: imul -0x20(%ebp),%eax
--Type <RET> for more, q to quit, c to continue without paging--c
0x00000a9a <+150>: add %eax,-0x30(%ebp)
0x00000a9d <+153>: addl $0x1,-0x24(%ebp)
0x00000aa1 <+157>: cmpl $0x3,-0x24(%ebp)
0x00000aa5 <+161>: jle 0xa80 <phase2+124>
0x00000aa7 <+163>: addl $0x1,-0x28(%ebp)
0x00000aab <+167>: cmpl $0x3,-0x28(%ebp)
0x00000aaf <+171>: jle 0xa77 <phase2+115>
0x00000ab1 <+173>: addl $0x1,-0x2c(%ebp)
0x00000ab5 <+177>: cmpl $0x3,-0x2c(%ebp)
0x00000ab9 <+181>: jle 0xa64 <phase2+96>
0x00000abb <+183>: cmpl $0x1cc320,-0x30(%ebp)
0x00000ac2 <+190>: je 0xac9 <phase2+197>
0x00000ac4 <+192>: call 0x92d <explode>
0x00000ac9 <+197>: mov $0x1,%eax
0x00000ace <+202>: mov -0xc(%ebp),%ecx
0x00000ad1 <+205>: xor %gs:0x14,%ecx
0x00000ad8 <+212>: je 0xadf <phase2+219>
0x00000ada <+214>: call 0xe30 <__stack_chk_fail_local>
0x00000adf <+219>: mov -0x4(%ebp),%ebx
0x00000ae2 <+222>: leave
0x00000ae3 <+223>: ret
End of assembler dump.
(gdb) b *phase2+183
Breakpoint 1 at 0xabb
(gdb) r
Starting program: /root/Downloads/ecowas-ctf/veyize
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Are u ready for a bomb lab?
Let's begin!!
Phase 1 Begin!!!
slimelove
Better luck next time ...
[Inferior 1 (process 514529) exited with code 0255]
(gdb) r
Starting program: /root/Downloads/ecowas-ctf/veyize
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Are u ready for a bomb lab?
Let's begin!!
Phase 1 Begin!!!
slimelove
Better luck next time ...
[Inferior 1 (process 515733) exited with code 0255]
(gdb) r
Starting program: /root/Downloads/ecowas-ctf/veyize
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Are u ready for a bomb lab?
Let's begin!!
Phase 1 Begin!!!
slime love
passed phase1
Alright! Here is phase 2:)
500
500
500
500
Breakpoint 1, 0x56555abb in phase2 ()
(gdb) x $ebp-0x30
0xffffd488: 0x001f20c0
(gdb) p 0x001f20c0
$1 = 2040000
(gdb) p 0x1cc320
$2 = 1884960
(gdb)
```
We can keep reducing the value till we get the right one :100:
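
The trial-and-error step can be replaced by arithmetic: the triple loop in the disassembly adds `table[j*4+k] * input[i]` for every combination, so the accumulator equals (sum of the 4 inputs) × (sum of the 16 table entries). The Python sketch below is an added example, not part of the original write-up; the table contents are not shown on this page, so `STAND_IN_TABLE` is a constructed placeholder and the function names are hypothetical.

```python
# Values taken from the gdb session above.
TARGET = 0x1CC320        # cmpl $0x1cc320,-0x30(%ebp)
PROBE_INPUT = [500] * 4  # the four numbers typed in the session
PROBE_SUM = 0x001F20C0   # accumulator at $ebp-0x30 for that input

# Constructed stand-in for the 16-entry table at 0x80(%ebx): the real
# entries are not on the page; only their total matters to the result.
STAND_IN_TABLE = [60] * 15 + [120]


def phase2_sum(nums, table):
    """Re-implementation of the loops at phase2+96 .. phase2+181."""
    total = 0
    for v in nums:                      # outer loop, index at -0x2c(%ebp)
        for j in range(4):              # index at -0x28(%ebp)
            for k in range(4):          # index at -0x24(%ebp)
                # imul/add operate on 32-bit registers, so wrap like they do
                total = (total + table[j * 4 + k] * v) & 0xFFFFFFFF
    return total


def table_sum_from_probe(probe_input, probe_sum):
    """Recover sum(table) from one observed run (assumes no 32-bit wrap)."""
    quotient, remainder = divmod(probe_sum, sum(probe_input))
    if remainder:
        raise ValueError("probe result is not a multiple of the input sum")
    return quotient


def solve_equal_inputs(target, table_total, count=4):
    """Value to enter `count` times so the accumulator hits `target`."""
    quotient, remainder = divmod(target, table_total * count)
    if remainder:
        raise ValueError("no solution with all inputs equal")
    return quotient


if __name__ == "__main__":
    total = table_sum_from_probe(PROBE_INPUT, PROBE_SUM)
    print("sum of table entries:", total)
    print("enter this number 4 times:", solve_equal_inputs(TARGET, total))
```

Any four numbers with the same total pass the check as well, since only their sum enters the comparison.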
### Phase3
Phase 3 creates some kind of linked list and calls the validate function like this

Let's go. This is the validate function. In order to pass this phase we need to enter the ASCII characters in their decimal equivalent, in the order that the nodes are followed. Very simple hehe smile in pain 😂

This is a kind of linked list: it checks for node 42, which is the first one, and checks if it holds character A, which I believe is 42 in decimal, and it continues like that till the end. Second, it checks if node 27 holds letter K, and so on. Here the concept is simple, you just need to understand the logic behind linked lists: one value points to the other, the other to another, etc. So you just start with 42, which is already defined, and enter the rest as well, very simple. To make it easy, Uvar2 is the node created with the first value as 42, and then from 42 you go to 65 and so on up to 35. Piece of cake 🎂 just like this:
```
1st => 65
2nd => 27
3rd => 75
4th => 57
5th => 12
6th => 35
```
All of that works well, and as the final result we got:
```
phase 1
slime love
phase 2
462
phase 3
1st => 65
2nd => 27
3rd => 75
4th => 57
5th => 12
6th => 35
```
It works properly hehe, then run it now:

```flag{32B1t_b0mB_l48_compl3te}```