CTF 2023 solutions from Doctor Web. Part 3

Friends, we continue to publish the solutions of our CTF marathon! It had five levels of difficulty with five tasks each, 25 tasks in total. Every week we post 5 solutions; today we are talking about the third level of difficulty. You can check the previous levels here: part 1, part 2.

We summed up the marathon results at the beginning of April, but the tasks are still available, so you can try to solve them yourself.

Doctor Web’s CTF-2023: Epic level tasks

1. Load me up

The task tests understanding of assembly language and of bytecode in general. The task provides a shellcode; opening its bytes in Hiew and switching the disassembler to 32-bit (x32) instruction decoding shows the following picture:

To get the flag, you need to read the assembly, take the dwords it loads and XOR them with the “key” dwords that sit right next to them. We get the flag: “DrWeb{5h3ll_u53r_}”.
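The dword-pair XOR described above, as an added example that is not the task's real shellcode: the bytes below are constructed so that every data dword is pushed with `push imm32` and immediately followed by the push of its key dword; the tiny linear sweep only understands the handful of opcodes present in this sample.

```python
import struct

# Constructed shellcode fragment (not the CTF's bytes): each flag dword is pushed as
# push imm32 (opcode 0x68) and is immediately followed by the push of its XOR "key"
# dword, so the key always sits right next to the data it protects.
SHELLCODE = bytes.fromhex(
    "31c0"                        # xor eax, eax
    "68 64527745" "68 20202020"   # push enc0 ; push key0
    "68 6d743a67" "68 0f0f0f0f"   # push enc1 ; push key1
    "68 6639390a" "68 55555555"   # push enc2 ; push key2
    "68 46060041" "68 33333333"   # push enc3 ; push key3
    "68 280a7777" "68 77777777"   # push enc4 ; push key4
    "5a59"                        # pop edx ; pop ecx (the consumer, irrelevant here)
)

def push_immediates(code: bytes) -> list[int]:
    """Linear sweep collecting every `push imm32` operand, in program order.

    Only the opcodes used in the sample are understood; anything else aborts the
    sweep instead of guessing an instruction length and desynchronising.
    """
    imms, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x68:                       # push imm32: 1 opcode + 4 immediate bytes
            imms.append(struct.unpack_from("<I", code, i + 1)[0])
            i += 5
        elif 0x58 <= op <= 0x5F:             # pop r32
            i += 1
        elif op == 0x31:                     # xor r/m32, r32 (register-form ModRM only)
            i += 2
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i}")
    return imms

def recover_flag(code: bytes) -> str:
    """XOR each data dword with the key dword pushed right after it, then re-pack."""
    imms = push_immediates(code)
    if len(imms) % 2:
        raise ValueError("expected data/key pairs")
    out = b"".join(struct.pack("<I", d ^ k) for d, k in zip(imms[0::2], imms[1::2]))
    return out.rstrip(b"\x00").decode("ascii")

if __name__ == "__main__":
    print(recover_flag(SHELLCODE))   # DrWeb{5h3ll_u53r_}
```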

2. Dungeon Master

The task gives a small text game on Linux:

If you enter a random set of characters as an answer, then the game ends with one of the answer options:

For the first level, you can simply find the hardcoded answer in plaintext, so look for it and paste it in:

Now we need to find two keys, and this time they are not stored in the code as plaintext.

If you enter a random character set, the game gives the following answer:

Since guessing did not work, we look at the code and find two functions of similar shape; both decrypt the keys with a plain XOR using the key “11111111”.

We get two keys: “0—open” and “door—0”:

Let’s go to the third level:

We are trying to guess something and defeat the dragon:

Sometimes something even works, but only by chance:

After analyzing the code, you can understand the principle by which this battle works:

It turns out that the dragon fight is the last level, and the correct results go straight into the flag:

The flag is formed according to the following principle: DrWeb{[A-H][P-Z][#$%&][a-h][p-z]}.

We form a flag: “DrWeb{AH#er}”. It may be different for each participant.

3. The essence of art is DrWeb!

Not at all a difficult task if you know what you can do here. 😊

Download the file and open it: it is the following picture in .png format:

There is nothing extra in the picture and nothing encrypted in it; it is just an image, and not a large one. To find the flag, you need to do some research.

In one of the first tasks the esoteric language LOLCODE was used, and if you remember that and look at what other esoteric languages exist, you can find the Piet language. We should add that writing a program in this language was a very non-trivial task! 😊

Assuming the file is written in this particular language, you can try to solve the task. To do this you need a special utility that runs Piet, for example this one. You can also use the tools from GitHub. This is what the site we chose to work with looks like:

We load our image, open the debugger, click run and look:

Then it only remains to wait for the whole program to finish executing:

Flag: “DrWeb{P41n7_M3_70_7h3_P137}”.

4. Robo Mayhem

The task gives a game set somewhere in the malware lands…

To find the flag, several conditions must be met, which obviously cannot be met by normal play:

  1. Collect 65535 coins.

  2. Lower the number of your lives to zero.

  3. Destroy all enemies.

To solve the task, it is important to note the hint shown when opening the file: this is a Godot game:

So there are two tools for solving the task: Godot decompilation and Cheat Engine.

After decompilation, unlike the Godot game from a previous marathon level, we get obfuscated code:

The code has been obfuscated by hand and no deobfuscator is publicly available. You can try to reconstruct the script by reasoning and find the key, or you can debug the code: run the project in Godot and change the values of variables while debugging, much as with Cheat Engine.

The first condition, inflating the coin counter, is quite easy to fulfil, since the counter keeps changing. Run Cheat Engine and search for the current number of coins; after picking up some more coins, run a new search and narrow down the results. The first condition is met.

As a result, we get a hint at what needs to be done next:

Next, you need to find the variable responsible for the character’s health. It will be possible to do this by typing, and once the desired value is found, it must be set to zero. The second condition is fulfilled.
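The search, change, search-again loop that narrows Cheat Engine's candidates for the coin and HP counters, simulated on constructed int32 memory snapshots (an added example, not code from the task or from Cheat Engine; the offsets and values are made up):

```python
import struct

# Constructed "memory snapshots" of the game (not real dumps): offsets 4 and 12 are
# the coin and HP counters, the other slots are noise, including values that happen
# to equal the counters on the first scan, which is why one scan is never enough.
#                      offset:    0   4     8  12  16  20  24  28
SNAP_COINS_15 = struct.pack("<8i", 7, 15, 1000, 3, 15, 42, 3, -1)   # 15 coins, 3 HP
SNAP_COINS_16 = struct.pack("<8i", 7, 16, 1000, 3, 15, 42, 3, -1)   # picked up one coin
SNAP_HP_2     = struct.pack("<8i", 7, 16, 1000, 2, 15, 42, 3, -1)   # then took one hit

def scan(mem: bytes, value: int, candidates=None) -> list[int]:
    """First scan: every 4-byte-aligned address holding `value`.
    Next scan: keep only the previous candidates that now hold the new value."""
    addrs = range(0, len(mem) - 3, 4) if candidates is None else candidates
    return [a for a in addrs if struct.unpack_from("<i", mem, a)[0] == value]

def narrow(observations: list[tuple[bytes, int]]) -> list[int]:
    """Feed (snapshot, value seen in game) pairs until the candidate list is short."""
    cands = None
    for mem, value in observations:
        cands = scan(mem, value, cands)
    return cands

def poke(mem: bytes, addr: int, value: int) -> bytes:
    """Overwrite one int32, the equivalent of editing the found value in the tool."""
    return mem[:addr] + struct.pack("<i", value) + mem[addr + 4:]

def read(mem: bytes, addr: int) -> int:
    return struct.unpack_from("<i", mem, addr)[0]

if __name__ == "__main__":
    coin_addrs = narrow([(SNAP_COINS_15, 15), (SNAP_COINS_16, 16)])  # [4]
    hp_addrs = narrow([(SNAP_COINS_16, 3), (SNAP_HP_2, 2)])           # [12]
    mem = poke(poke(SNAP_HP_2, coin_addrs[0], 65535), hp_addrs[0], 0)
    print(read(mem, 4), read(mem, 12))                                # 65535 0
```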

Change parameters to lower HP to zero:

To fulfil the third condition, you need to destroy all the enemies, but there is a problem: some of them sit in the “bunker”, where the character cannot get down to:

You need to find the parameters responsible for the character’s coordinates; changing them lets you teleport into the “bunker”. The coordinates are not even obfuscated:

By trial and error (and getting stuck in walls), we manage to place the character in the right spot and destroy the opponents:

The third condition is met – and in one of the variables we find the flag:

After that, we get the flag: “DrWeb{Pl4y_64m3_Ch347}”.

5. Tickets, please

The task gives two files: an executable and ticket.png. The ticket image looks like this; it is important to note that the “ticket” has expired:

Looking at the ticket in a hex editor, you can see the fragment responsible for verifying the ticket:

The actual XML is clearly smaller than this xml_size, but since the code does not check the XML for correctness, you can ignore this parameter; perhaps the size shifted because of a file-encoding error.

It turns out that the file looks at the following constructs: “ ”, “ ”, “ ”.

IDA did not handle the optimized code very gracefully, but a detailed reconstruction is not required; the constructs are not that complicated: std::string objects are assigned values from c_str().

You can see the validation of the flag – it happens in “ ”:

There is also validation by time:

Now you can jump over the validation in the debugger – or patch the “ticket”:

With this configuration, the program lets the ticket through.
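The ticket check as described above, reproduced on a constructed ticket (an added example, not the task's binary or its real format): the layout, the tag names `<key>` and `<valid_until>` and the key value are assumptions, and the declared xml_size is deliberately larger than the XML, as on the page, to show the difference between a checker that ignores the size field and one that does not.

```python
import struct
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed ticket layout (an assumption, not the task's real format): a minimal
# PNG that ends with its IEND chunk, then a 4-byte little-endian xml_size, then the
# XML. Tag names <key>/<valid_until> and the key value are placeholders.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
XML = b"<ticket><key>DEMO-KEY</key><valid_until>2023-01-31</valid_until></ticket>"
# xml_size deliberately overstates the real length, as observed in the hex dump.
EXPIRED_TICKET = PNG_STUB + struct.pack("<I", len(XML) + 16) + XML

def split_ticket(blob: bytes) -> tuple[int, bytes]:
    """Return (declared xml_size, actual XML bytes) found after the IEND chunk."""
    end = blob.index(b"IEND") + 8          # 4-byte tag + 4-byte CRC (stub has no IDAT)
    declared = struct.unpack_from("<I", blob, end)[0]
    return declared, blob[end + 4:]

def validate(blob: bytes, now_iso: str, strict_size: bool = False) -> tuple[bool, str]:
    """Mimic the checker: the key must match and the date must not have passed.
    strict_size=True is the length check the real binary does NOT perform."""
    declared, xml = split_ticket(blob)
    if strict_size and declared != len(xml):
        return False, f"xml_size {declared} != actual {len(xml)}"
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return False, f"bad xml: {exc}"
    if root.findtext("key") != "DEMO-KEY":
        return False, "wrong key"
    until = datetime.strptime(root.findtext("valid_until", ""), "%Y-%m-%d")
    if datetime.strptime(now_iso, "%Y-%m-%d") > until:
        return False, f"expired {until.date()}"
    return True, "ok"

def patch_expiry(blob: bytes, new_date: str) -> bytes:
    """Overwrite the date in place (same length), as one would in a hex editor."""
    _, xml = split_ticket(blob)
    start = xml.index(b"<valid_until>") + len(b"<valid_until>")
    old = xml[start:xml.index(b"</valid_until>")]
    return blob[:len(blob) - len(xml)] + xml.replace(old, new_date.encode())

if __name__ == "__main__":
    print(validate(EXPIRED_TICKET, "2023-03-15"))                               # expired
    print(validate(EXPIRED_TICKET, "2023-03-15", strict_size=True))             # size mismatch
    print(validate(patch_expiry(EXPIRED_TICKET, "2024-12-31"), "2023-03-15"))   # (True, 'ok')
```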

Then, at address 00401970, there is a fragment that decrypts a payload with a key passed in through the ticket. Opening its code, you can see that it loads the addresses of RegCloseKey, RegCreateKeyExA, RegOpenKeyExA and RegSetValueExA for use by the payload. The registry key values themselves are not visible: the payload is embedded in encrypted form for a reason.

Now we know that the write will go to registry keys, so the easiest way is not to reverse the shellcode but to run Procmon and find our executable there.

As a result, a new key appears in the registry, and the flag turns out to be stored in it.

Flag: “DrWeb{R3g1s7r0g3d0n}”.
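Finding the registry write in a Procmon capture without reversing the shellcode, as an added example (not the task's real capture): the CSV below is constructed with Procmon's "Save as CSV" column layout, and the process name `tickets.exe` and the key path are made up.

```python
import csv
import io

# Constructed Procmon CSV export (not the real capture from the task). The column set
# matches Procmon's CSV output; the process name and key path are made up.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0000001","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Classes\\x","NAME NOT FOUND",""
"12:00:02.0000001","tickets.exe","4321","RegOpenKey","HKCU\\Software\\CTF","NAME NOT FOUND","Desired Access: Read"
"12:00:02.0000002","tickets.exe","4321","RegCreateKey","HKCU\\Software\\CTF","SUCCESS","Desired Access: Write"
"12:00:02.0000003","tickets.exe","4321","RegSetValue","HKCU\\Software\\CTF\\flag","SUCCESS","Type: REG_SZ, Length: 21, Data: DrWeb{R3g1s7r0g3d0n}"
"12:00:02.0000004","tickets.exe","4321","RegCloseKey","HKCU\\Software\\CTF","SUCCESS",""
"""

WRITE_OPS = ("RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue")

def registry_writes(csv_text: str, process: str) -> list[dict]:
    """Keep only successful registry-modifying operations made by `process`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        row for row in rows
        if row["Process Name"].lower() == process.lower()
        and row["Operation"] in WRITE_OPS
        and row["Result"] == "SUCCESS"
    ]

def set_values(csv_text: str, process: str) -> dict[str, str]:
    """Map each value path written by `process` to the data Procmon recorded."""
    out = {}
    for row in registry_writes(csv_text, process):
        if row["Operation"] == "RegSetValue":
            detail = row["Detail"]
            out[row["Path"]] = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
    return out

if __name__ == "__main__":
    for path, data in set_values(PROCMON_CSV, "tickets.exe").items():
        print(path, "=", data)
```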
