WolvSec CTF

I briefly participated in a CTF hosted by WolvSec here: https://ctf.wolvseccon.org/. This post is going to be looking at a “Medium” level difficulty Reverse Engineering problem!


When we run the file, it prints a single statement before terminating.

Firing up this binary in Ghidra, we see deeply nested function calls; however, none of them would be triggered because the boolean logic is always “false”. In some of those functions (like in the second picture), it prints out a single character, whereas most of them print out (0).

If we patch the binary and change the first boolean check to be if true, the string with a ‘w’ appended is printed out.

Since the flag is in the format ‘wsc{…}’, my hypothesis is that if we print out all the characters, it should print out the flag.

My initial approach was to fire the binary up in IDA, step through the execution and Set IP to bypass the boolean check so that it prints out the char… until I remembered that I had to do this a thousand times. Clearly not the right approach.

Clearly, then, we had to patch the binary to remove the jumps, changing the bytes 7514 (the JNZ) to 9090 (NOPs).

My approach was to dump out the hex content of the binary using xxd, use a text editor (vim) to replace 7514 with 9090, and reconstruct the binary.

dumping it with xxd
one of the thousand jumps we have to patch with nop
vim replace
Should be correct, as the first function was not a JNZ, so we replaced the other 999 functions
reconstructing the file and hopefully it's still a valid file
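The same patch done on raw bytes instead of hex text, as an added example that is not part of the original post. The sample bytes are constructed, the function names are hypothetical, and the plain `xxd -p` style dump in `hex_text_replace` is an assumption used to show how a text-level search can match across a byte boundary.

```python
JNZ_SKIP = bytes.fromhex("7514")  # 0x75 = JNZ rel8, 0x14 = displacement (pair from the post)
NOP_NOP = bytes.fromhex("9090")   # two one-byte NOPs, same length as the jump

def patch_jumps(blob, start=0, end=None):
    """NOP out every byte-aligned 75 14 inside blob[start:end].

    Returns (patched_bytes, offsets) so the number of patched sites can be
    compared with the number of checks seen in the disassembler.
    """
    end = len(blob) if end is None else end
    out = bytearray(blob)
    offsets = []
    pos = out.find(JNZ_SKIP, start, end)
    while pos != -1:
        out[pos:pos + 2] = NOP_NOP
        offsets.append(pos)
        pos = out.find(JNZ_SKIP, pos + 2, end)
    return bytes(out), offsets

def hex_text_replace(blob):
    """Blind s/7514/9090/g over a plain hex dump, then convert back to bytes."""
    return bytes.fromhex(blob.hex().replace("7514", "9090"))

# Constructed sample: cmp / jnz / call, then three data bytes (a7 51 4b)
# whose hex text happens to contain "7514", then one more jnz.
SAMPLE = bytes.fromhex("837dfc007514e811223344" "a7514b" "7514")

if __name__ == "__main__":
    patched, sites = patch_jumps(SAMPLE)
    print("patched offsets:", [hex(o) for o in sites])
    print("byte-level :", patched.hex())
    print("text-level :", hex_text_replace(SAMPLE).hex())
```

A byte-level search can still hit a coincidental 75 14 inside data or an immediate, so passing the code section's file range as `start`/`end` and checking the returned offsets against the disassembly keeps the patch confined to the intended jumps.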

Now when we run the file, it prints out everything. Looking at it in IDA, this is what the functions become:

The JNZs become NOPs, and all the functions are now unconditional calls.

We run the file and save the output, then use vim to clean it up to get the flag.

removing all extra stuff and newlines
the flag!

Closing notes

I’ve recently joined a CTF team called Social Engineering Experts, so I’ll be participating more in CTFs. It’s definitely something new and refreshing compared to HTB where the approaches are kind of similar (recon -> foothold -> priv esc), and I’ve been so brain damaged by some of the challenges. This serves as a humbling beginning to learn something new again!
