Category: reverse engineering

We are given a file called “impossible_password.bin”. Using xxd, I looked at the header of the file and found out that it was actually an ELF which meant that it could be executed. When I set executing permissions and ran the file, it prompted me for an input, which I guessed would be a password.

Since there seemed to be no other features to the program, I opened it in IDA to try to discern what the first input should be. The first thing you see after entering main is a string called “SuperSeKretKey” being stored in…

Category: Forensics

We are given a Wireshark packet capture file called “capture.pcap” and an RSA key called “picopico.key”. When you open capture.pcap in Wireshark you see a TLS stream that is likely to hold the flag somewhere in it.

When you follow the TLS stream, you can tell that it’s obviously encrypted since that is the job of the protocol. You can still make out a few headers, but none of these contain relevant information to find the flag. Using the given key file, we can decrypt the TLS stream by setting an RSA key in Wireshark’s TLS preferences.

To…

Category: reverse engineering and forensics

We are given a binary called “mystery” and an image named “encoded.bmp”. When I opened mystery in IDA, I saw that three files were being opened, two that are being read from (flag.txt and original.bmp) and one that is being appended to (encoded.bmp). I renamed the streams that were returned after each fopen call with the name of the file it referenced.

The next few blocks of assembly dealt with error handling in case these files are not found. If this is the case, the program prints an output message telling you to run mystery…

Category: binary exploitation

We are given a binary and it’s source code called “auth” and “auth.c”. By looking at auth.c, you can tell that this program is essentially a simple authentication program. There are a few important features of the source code that show us how everything works, which are the functions login, logout, print_flag, as well as the user struct that looks like the following.

In order to get the flag, a user needs to have the correct access code. …

Category: reverse engineering

We are given a binary called “otp” and a text file called “flag.txt”. If you execute otp, you will notice that you need to pass a key as an argument in order for the program to run. When I opened otp in IDA, I saw that this key is scrambled with unknown logic, then compared to another string. If these strings match, the program prints “You got the key, congrats! Now xor it with the flag!”

This indicates that flag.txt does not contain any part of the actual flag, and finding the key is likely the only…

Category: reverse engineering

We are given java source code called “VaultDoor6.java”. Inside this file there is a password system, where if you input the correct password (or the flag) an “Access granted” message will be printed. There is only one significant method that we need to pay attention to called checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the inputted password does not match the condition specified in the if statement, false is returned as well…

Category: reverse engineering

We are given a binary called “need-for-speed”. When you first run the program, there is no needed input from the user. The program simply starts generating a key, but exits before the process is finished with the message “Not fast enough. BOOM!”. When I opened the program in IDA, I saw that there were four main functions that controlled the program logic.

The header function is only responsible for printing the banner when the program is first fun. If you look inside set_timer, you will see that there is a signal set up to terminate the program…

Category: reverse engineering

We are given a binary named “rev” and a text file named “rev_this”. If you look at the contents of rev_this, you can see the output of rev, or an encoded flag. When I opened rev in IDA, I saw that two files were needed in order for rev to run: “flag.txt” and “rev_this”.

Flag.txt is opened in read mode, and rev_this is opened in append mode, which confirms that the output of rev is stored in rev_this each time it is run. The binary takes the original flag in flag.txt, encodes it, then appends it. After…