Sunday, September 28, 2014

SU CTF 2014 - 2048 write-up

Question:

What is the ip of the victim? 
Falg is: md5(ip)

Solution:

Scrolling down the code in IDA two funtions pop out:
  • bot_run
  • attack


there is a "system" call in the attack function which tries to run this command:
wget http://ctf.sharif.edu/{code}/target.txt
by more inspection  one must notice the binary MD5 must not change and the generated {code} is time-dependent. 

 in check time function 
Calculates 52c35a80 = 1388534400 
-->  UNIX time --> Wednesday 1st January 2014 12:00:00 AM 
Set time, and got correct file:
http://ctf.sharif.edu:2048/7266de4447eba9a354622271cff2dde5/target.txt
target.txt contain an IP address which was 95.211.102.203 and the flag becomes 5cfed0f91a2b71a5d79aa681eaf10adb

 happy hunting!
Posted by at
Labels: , ,

2 comments:

  1. EditörSeptember 28, 2014 at 8:12 AM

    how did you find the key ? guessing ?

    ReplyDelete
    Replies
    1. UnknownSeptember 29, 2014 at 5:59 AM

      in the attack function the hash is generated. one can follow the calculations but not really necessary since it's the argument passed to _system function and can be retrieved by setting a breakpoint before _system function call.

      Delete

Subscribe to: Post Comments (Atom)