Bugs Bunny CTF 2k17 - mysterious!
I ran the binary but no password match but believe this is another simple reverse engineering challenge. rev75.zip
This was an interesting challenge, which helped me learn some more of pwntools.
./rev p4ssw0rd gives
good but no flag for you hihihi xD
In case you’re wondering why p4ssw0rd: I got it from the Strings subview in IDA (shortcut: Shift+F12). It is never a bad idea to go through the strings in the binary. You can also run strings on the binary if you don’t have IDA.
The binary had 815 functions with names of the form a*, each containing a 12 character string which looked like base64. So I decided to extract them using pwntools. Here goes:
```python
import base64

from pwn import *

# Load the ELF file
e = ELF("./rev75")

base64str = b''

# Go through all 'a*' functions
for i in range(815):
    func_addr = e.symbols['a' + str(i)]        # Read address of function
    # Note: The blob address is at 17 bytes offset into the function
    str_addr = u32(e.read(func_addr + 17, 4))  # Read address of base64 blob
    base64str += e.read(str_addr, 12)          # Read base64 blob (12 bytes in length)

# Write the decoded bytes to a file (binary mode, since the output is not text)
with open("flag.png", "wb") as image:
    image.write(base64.b64decode(base64str))
```
Note that I didn’t know in advance that the base64 string will give a PNG image. I wrote to a file, ran the file command on it and realised it was a PNG file.
Open flag.png and you have your flag.
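The "decode, then see what it is" check above can be made stricter when the output is a PNG. This is an added example, not part of the original writeup: it decodes ordered base64 fragments, identifies the type from the magic bytes, and walks the PNG chunks verifying each CRC, so a wrong offset, fragment length or ordering surfaces as an error. The sample fragments are constructed in the code and all function names are hypothetical.

```python
import base64
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# A few common signatures, enough to triage a decoded blob the way `file` does.
MAGICS = {PNG_MAGIC: "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}

def reassemble(fragments):
    """Join base64 fragments in order and decode strictly (stray bytes raise)."""
    return base64.b64decode(b"".join(fragments), validate=True)

def sniff(blob):
    """Return a short type name from the leading magic bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return "unknown"

def png_chunks(blob):
    """Walk the PNG chunks, checking every CRC; return chunk names in order."""
    if not blob.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos, names = len(PNG_MAGIC), []
    while pos < len(blob):
        if pos + 12 > len(blob):  # smallest chunk: length + type + CRC
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError("truncated chunk " + ctype.decode("latin-1"))
        # The CRC covers the chunk type and data, not the length field.
        if zlib.crc32(blob[pos + 4:end - 4]) != struct.unpack(">I", blob[end - 4:end])[0]:
            raise ValueError("bad CRC in " + ctype.decode("latin-1"))
        names.append(ctype.decode("latin-1"))
        pos = end
    if names[-1:] != ["IEND"]:
        raise ValueError("missing IEND")
    return names

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def sample_fragments():
    """Constructed 1x1 grayscale PNG, base64-encoded and cut into 12-character pieces."""
    png = (PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    b64 = base64.b64encode(png)
    return [b64[i:i + 12] for i in range(0, len(b64), 12)]
```

Because 12 is a multiple of 4, each fragment is a whole number of base64 groups, so a misordered or missing fragment still decodes cleanly and only the chunk CRCs reveal the problem.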