re

# Cyber Apocalypse 2023

## She Shells C Shells

Solved by warlordsam

Challenge description

In this challenge we are given a ELF 64-bit LSB pie executable (not stripped).

Using ghidra , we can get the flag. Open the binary in CodeBrowser and find the function called func_flag.

Observing the code snippet from the func_flag ; we can see that it uses memcmp to compare the user input and stored bits.

``````  fgets((char *)&local_118,0x100,stdin);
for (local_c = 0; local_c < 0x4d; local_c = local_c + 1) {
*(byte *)((long)&local_118 + (long)(int)local_c) =
*(byte *)((long)&local_118 + (long)(int)local_c) ^ m1[(int)local_c];
}
local_14 = memcmp(&local_118,t,0x4d);
if (local_14 == 0) {
for (local_10 = 0; local_10 < 0x4d; local_10 = local_10 + 1) {
*(byte *)((long)&local_118 + (long)(int)local_10) =
*(byte *)((long)&local_118 + (long)(int)local_10) ^ m2[(int)local_10];
}
printf("Flag: %s\n",&local_118);
uVar1 = 0;
}
else {
uVar1 = 0xffffffff;
}
return uVar1;
}
``````

There are three arrays m1, m2 and t that we need to look at. The user input is stored in m1 array and compared with the t array which is a stored block of password starting at memory address:0x55fb06ae0200 to check if we got the correct input. It performs XOR on each bit of both arrays.

To get the flag; We can directly see hex values of t and m2 in memcmp. Total length is 77 characters. Each bit of t and m2 undergo XOR to form a flag with format of HTB{

Copying all the hex values present in t and m2; and performing XOR using online calculator: https://xor.pw/ we can obtain the flag.

For Example: bits in t and m2 respectively are:

``````1. t: 2c 4a b7
2. m2 : 64 1e f5
``````

Flag : HTB….so on

Published on : 27 Mar 2023
re