TSG CTF 2021
author: @m1kit
You are given a binary that tells you if a flag is correct or not.
Solution below
As mentioned in the hint, we can run the program first.
Now we know this program checks the correctness of an input that is 32 characters long.
Next, let's read the program with Ghidra.
We can see the entrypoint like this.
It calls check only if the input has 32 characters.
Let's see check.
There are some interesting system calls!
The key point is that the program calls fork() five times in a for-loop.
Therefore we have 32 processes, and each of them checks one character of the flag around line number 29.
Hopefully this rough illustration of a 4-process example will help you.
After that, the results from the processes are aggregated around line number 35.
Each process prints its result to stdout at line numbers 38-43; however, only the message from the root process is visible, since everything else is redirected to /dev/null at line number 23.
With the strace command, you can observe the system calls being executed.
We can use this to count how many times puts("correct"); has been called.
We can create a simple brute-force script to determine the flag.
Note that you need to check from the back to the front, due to the structure of the process tree.
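The brute-force script below is an added example, not the author's script or the challenge's own code. It models the process tree the writeup describes under a few stated assumptions: the process created by the fork at loop iteration i gets bit i set in its index, each process reports "correct" only when its own character and every descendant's character match, the binary reads the candidate from stdin, and the binary path ./challenge is a placeholder. A simulated oracle stands in for the binary so the script runs offline; the strace-based oracle counts the puts("correct") writes across all forked processes, which strace -f sees even though the children's stdout goes to /dev/null. The order of recovery follows directly from the model: every descendant of process k has a larger index than k, so solving the last position first keeps each subtree already correct by the time its root is tried.

```python
"""Model of the forking flag checker and a back-to-front brute force.

Assumptions (not confirmed by the writeup): the child created at loop
iteration i has bit i set in its index; after the loop, process k checks
flag[k], waits for its children and prints "correct" only if its own
character and all of its descendants' characters match.
"""
import re
import string
import subprocess

FORKS = 5
FLAG_LEN = 1 << FORKS  # 2**5 == 32 processes, one per character
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def children(k):
    """Indices of the processes forked directly by process k.

    Process k received its highest bit at the iteration that created it,
    so it keeps forking at every later iteration; the root (k == 0)
    forks at all FORKS iterations.
    """
    return [k | (1 << i) for i in range(k.bit_length(), FORKS)]


def subtree_correct(candidate, flag, k):
    """True if process k and every descendant see a matching character."""
    return candidate[k] == flag[k] and all(
        subtree_correct(candidate, flag, c) for c in children(k))


def simulated_oracle(flag):
    """Oracle that counts how many processes would print "correct".

    Stands in for the real binary so the script can run offline.
    """
    def count(candidate):
        return sum(subtree_correct(candidate, flag, k) for k in range(FLAG_LEN))
    return count


def strace_oracle(binary="./challenge"):
    """Oracle against the real binary (path is a placeholder).

    Runs the checker under strace -f and counts write payloads that are
    puts("correct") output; the children's fd 1 points at /dev/null, but
    the write syscalls themselves are still traced. "incorrect" is excluded
    by the negative lookbehind.
    """
    pattern = re.compile(r'(?<!in)correct\\n')

    def count(candidate):
        proc = subprocess.run(
            ["strace", "-f", "-e", "trace=write", binary],
            input=("".join(candidate) + "\n").encode(),  # assumes stdin input
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, check=False)
        return len(pattern.findall(proc.stderr.decode(errors="replace")))
    return count


def recover_flag(oracle):
    """Recover the flag one position at a time, last position first.

    All descendants of process k have indices greater than k, so when k is
    tried its subtree is already solved and exactly the right character
    raises the "correct" count (ancestors can only improve, never worsen).
    """
    candidate = ["?"] * FLAG_LEN
    for pos in reversed(range(FLAG_LEN)):
        best_char, best_count = None, -1
        for ch in ALPHABET:
            candidate[pos] = ch
            n = oracle(candidate)
            if n > best_count:
                best_char, best_count = ch, n
        candidate[pos] = best_char
    return "".join(candidate)


if __name__ == "__main__":
    # Constructed sample flag (not the real one) to exercise the model offline.
    demo = "TSGCTF{this_is_a_constructed_fl}"
    print(recover_flag(simulated_oracle(demo)))
    # Against the real binary: print(recover_flag(strace_oracle("./challenge")))
```

To use it against the actual challenge, swap simulated_oracle for strace_oracle; if the binary takes the candidate as an argument rather than on stdin, adjust the subprocess call accordingly.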
@moratorium08's solution
Alternatively, you can patch the binary to remove dup2(open("/dev/null", 1), 1);.
Now you can see the number of "correct"s in your stdout.
@taiyoslime's solution
You can write a gdb script to leak a hint for the flag.
But you need some effort to avoid the anti-debugging code in the is_correct function.
FYI: this is my anti-debugging mechanism.
Here's our original C code for check.