The CTF Open Challenge is a series of technical problems that call for creative technical problem-solving.
I actually solved more challenges than are written up here, but I will only write up the interesting ones or the ones that I learned something new from.
- 🏆 124th of ASEAN
- 🚩 10 flags solved
Reverse Engineering
simple_server (100 pts)
Please download the zip file and solve the challenge by using reverse engineering knowledge.

From the config file, we know that it uses dotnet8.0 to run, so make sure we have a compatible version.
I will try running the program first:

Then I try decompiling it with dnSpy:

After searching for useful strings like flag, I found this function, which might actually print out the flag!

So, I searched for SystemSecrets to find where this function is called. Then I knew that I had to navigate to the Advanced Option menu, bypass the if (!(choice == "4")) check, and then bypass the conditions in SystemSecrets to print the flag.

So, I patched it by changing the condition to if (a == "4") and bypassing all the security check conditions in SystemSecrets, then saved the file.


Then running it again:

Flag solved!
modern_crackme1 (200 pts)
Please download the zip file and solve the challenge by using reverse engineering knowledge
File inspection
┌──(kali㉿kali)-[~/CTF/rev]
└─$ file modern_crackme1
modern_crackme1: Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE|HAS_TLV_DESCRIPTORS>

It is an ARM executable file, so I can’t run it directly. So, I just threw it into Ghidra.
Static Analysis with Ghidra
Found entry:
After observation, it’s a program that contains some options that perform different functions and also an anti-debugging function.

It also controls the flow of program using a state machine.

After checking where the menu options go, I found that all of the function names contain fake.

So, I tried searching for real. Then I got this suspicious function.

At the entry of real_hidden_function(), it checks the REAL_TRIGGER value to convert some string.

After tracing to look at the data at the address, I found some string that might be a flag.

Construct it with the flag format flag{md5} and we have solved the challenge!
Forensics
Bombadiro Crocadiro (200 pts)
First, we are given bombardino.zip → extract it and get container.vc and secret.zip.
Since the zip needs a password to extract, I used zip2john to get the hash, then used john to crack it:

Inside secret.zip there is a secret.txt which contains the string naruto.
The password must be used with something, so I ran binwalk on container.vc, and after some research I learned it is a VeraCrypt disk file.
So I decrypted it with the naruto passphrase:

The odt file needs a password to open. So, I imported key.asc into gpg and decrypted it, using john again to crack the key passphrase.

After opening the file, we got the first part of the flag:

As the hint stated, “In part 2, the ‘file key’ replaces the password”. So mount the vc file again, but use key.asc as the key file.


After listing all files, I found .git. Well, let’s check it.
Found suspicious commit here:

Dump, unzip, open, and then: flag solved!
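
The .git triage step above can also be done without the git CLI. The following is an added example, not part of the original writeup: it scans loose git objects for blobs that are ZIP archives and lists their members. It assumes the object of interest is stored loose (not in a packfile); the function names and the sample repository are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
import zlib
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive

def read_loose_object(path):
    """Return (type, payload) of one zlib-compressed loose git object."""
    raw = zlib.decompress(Path(path).read_bytes())
    header, _, payload = raw.partition(b"\x00")   # header is "<type> <size>"
    obj_type, _, size = header.partition(b" ")
    if int(size) != len(payload):
        raise ValueError(f"size mismatch in {path}")
    return obj_type.decode(), payload

def find_zip_blobs(git_dir):
    """Yield (object_id, member_names) for every loose blob that is a ZIP."""
    for path in sorted(Path(git_dir, "objects").glob("[0-9a-f][0-9a-f]/*")):
        try:
            obj_type, payload = read_loose_object(path)
            if obj_type != "blob" or not payload.startswith(ZIP_MAGIC):
                continue
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()
        except (zlib.error, ValueError, zipfile.BadZipFile):
            continue  # corrupt file, non-object file, or truncated archive
        yield path.parent.name + path.name, names

def build_sample_repo(root):
    """Constructed sample: a .git directory with one text blob and one ZIP blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("part2.txt", "constructed placeholder, not the real flag")
    for content in (b"hello\n", buf.getvalue()):
        store = b"blob %d\x00" % len(content) + content
        oid = hashlib.sha1(store).hexdigest()     # object id = SHA-1 of header + content
        path = Path(root, ".git", "objects", oid[:2], oid[2:])
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(zlib.compress(store))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for oid, members in find_zip_blobs(Path(tmp, ".git")):
            print(oid, members)
```

Objects that git has already packed live under objects/pack and are not covered by this scan.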
