NOVA CTF {2024} - Sherlock Scandal

REVERSE ENGINEERING CHALLENGE

KISHORERAM
Mar 21, 2024

Challenge Description:
As a cybersecurity consultant, you’ve been tasked with assessing the security of a prominent corporation’s network. Your mission is to penetrate their encrypted secret vault, housing valuable trade secrets and sensitive data, all safeguarded by a password system. Can you successfully breach the defenses and gain entry to the corporate vault?


Analysing the File:

ELF stands for Executable and Linkable Format. It is a common file format for executable files, object code, shared libraries, and core dumps. ELF files are used on Linux and other Unix-based systems.
The ELF format is versatile and can be executed on various processor types. It supports big-endian and little-endian byte orders, 32-bit and 64-bit architectures, and different CPUs.
The ELF format has several capabilities, including dynamic linking, dynamic loading, imposing run-time control on a program, and an improved method for creating shared libraries. The ELF format is the standard binary format on operating systems such as Linux.

You need to enter the correct password to access the secret vault.

Strings:

Looking into Main Function and analysing in Ghidra

It checks whether the program is invoked with exactly two arguments (param_1 == 2), that is, the program name plus the password.
If the program is called with two arguments, it converts the second argument (param_2[1]) to an integer using the atoi function. It then checks whether the converted integer matches the hexadecimal value 0x4e4f5641, which is equivalent to the decimal value 1313822273.
If the password matches, it prints “Access granted.”, calls the function giveFlag(), and returns 0 to indicate successful execution.
If the password doesn’t match, it prints “Access denied.” and returns 1 to indicate failure. From this we can see that we need to input 1313822273 to get access to the vault. Now let’s look into the giveFlag() function.

int main(int argc, char **argv)  // argc / argv are param_1 / param_2 in the Ghidra view
{
  if ( argc == 2 )
  {
    if ( atoi(argv[1]) == 1313822273 )  // 0x4e4f5641
    {
      puts("Access granted.");
      giveFlag();
      return 0;
    }
    else
    {
      puts("Access denied.");
      return 1;
    }
  }
  else
  {
    printf("Usage: %s password\n", *argv);
    return 1;
  }
}

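//----- (08048524) --------------------------------------------------------
int giveFlag()
{
  char s[60]; // [esp+0h] [ebp-148h] BYREF
  _BYTE v2[240]; // [esp+3Ch] [ebp-10Ch] BYREF
  unsigned int i; // [esp+12Ch] [ebp-1Ch]

  // 240-byte table copied from the binary; the decompiler renders it as
  // the string "\r" because the byte after the first one (0x0d) is NUL
  qmemcpy(v2, "\r", sizeof(v2));
  memset(s, 65, sizeof(s));        // fill s with 'A' (65)
  for ( i = 0; i <= 0x3B; ++i )    // 60 iterations
    s[i] += v2[4 * i];             // add every 4th table byte to 'A'
  return puts(s);
}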

You can also solve this challenge using an online decompiler such as https://dogbolt.org/

Finally we found the flag as NOVA{ReverseEng_expertise_unveiled_assemblyMaster_unlocked}
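How the password check and the giveFlag() loop fit together, as an added C example that is not the challenge's own code. The listing above does not show the full 240-byte table, so build_table() reconstructs it from the published flag (constructed data, not a dump of the binary); the helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N 60              /* giveFlag() loops while i <= 0x3B */
#define MAGIC 0x4e4f5641  /* compared in main(); bytes 4e 4f 56 41 are ASCII "NOVA" */

/* Flag as published in the write-up; used only to rebuild the table. */
static const char KNOWN_FLAG[] =
    "NOVA{ReverseEng_expertise_unveiled_assemblyMaster_unlocked}";
static uint8_t v2[4 * N]; /* constructed stand-in for the binary's table */
static char s[N + 1];     /* +1 keeps puts() safe whatever the table holds */

/* Rebuild the table as 60 little-endian 32-bit offsets from 'A'. */
const uint8_t *build_table(void)
{
    for (size_t i = 0; i < N; ++i) {
        char c = i < strlen(KNOWN_FLAG) ? KNOWN_FLAG[i] : '\0';
        uint32_t off = (uint32_t)(c - 'A');   /* NUL wraps to 0xffffffbf */
        for (int b = 0; b < 4; ++b)
            v2[4 * i + b] = (uint8_t)(off >> (8 * b));
    }
    return v2;
}

/* Same arithmetic as giveFlag(): fill with 'A', add every 4th table byte. */
const char *decode_flag(const uint8_t *table)
{
    memset(s, 'A', N);
    for (unsigned i = 0; i <= 0x3B; ++i)
        s[i] = (char)(uint8_t)(s[i] + table[4 * i]);
    return s;
}

/* main()'s test: atoi() needs the decimal form of MAGIC, not the letters. */
int password_ok(const char *arg) { return atoi(arg) == MAGIC; }

int main(void)
{
    const uint8_t *t = build_table();
    printf("first dword: %02x %02x %02x %02x\n", t[0], t[1], t[2], t[3]);
    printf("\"1313822273\" -> %d, \"NOVA\" -> %d\n",
           password_ok("1313822273"), password_ok("NOVA"));
    puts(decode_flag(t));
    return 0;
}
```

The first dword, 0d 00 00 00, is why the decompiler prints the table as "\r", and the last offset wraps 'A' to a NUL byte that terminates the string for puts().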

Thanks For Reading :)

I hope you learnt something and enjoyed the challenge.

Connect with me via LinkedIn: https://www.linkedin.com/in/kishoreram-k/

Best of luck in capturing flags ahead!!!
