Cyber Apocalypse 2023

She Shells C Shells

Solved by warlordsam

Challenge description

In this challenge we are given a ELF 64-bit LSB pie executable (not stripped).

Using ghidra , we can get the flag. Open the binary in CodeBrowser and find the function called func_flag.

Observing the code snippet from the func_flag ; we can see that it uses memcmp to compare the user input and stored bits.

  fgets((char *)&local_118,0x100,stdin);
  for (local_c = 0; local_c < 0x4d; local_c = local_c + 1) {
    *(byte *)((long)&local_118 + (long)(int)local_c) =
         *(byte *)((long)&local_118 + (long)(int)local_c) ^ m1[(int)local_c];
  }
  local_14 = memcmp(&local_118,t,0x4d);
  if (local_14 == 0) {
    for (local_10 = 0; local_10 < 0x4d; local_10 = local_10 + 1) {
      *(byte *)((long)&local_118 + (long)(int)local_10) =
           *(byte *)((long)&local_118 + (long)(int)local_10) ^ m2[(int)local_10];
    }
    printf("Flag: %s\n",&local_118);
    uVar1 = 0;
  }
  else {
    uVar1 = 0xffffffff;
  }
  return uVar1;
}

There are three arrays m1, m2 and t that we need to look at. The user input is stored in m1 array and compared with the t array which is a stored block of password starting at memory address:0x55fb06ae0200 to check if we got the correct input. It performs XOR on each bit of both arrays.

To get the flag; We can directly see hex values of t and m2 in memcmp. Total length is 77 characters. Each bit of t and m2 undergo XOR to form a flag with format of HTB{

Copying all the hex values present in t and m2; and performing XOR using online calculator: https://xor.pw/ we can obtain the flag.

For Example: bits in t and m2 respectively are:

1. t: 2c 4a b7 
2. m2 : 64 1e f5 

Flag : HTB….so on