PicoCTF 2024: packer

yowise

a.infosecflavour

Posted on April 5, 2024

PicoCTF 2024: packer

This challenge's description is asking: "Reverse this linux executable?". I answer: "Challenge accepted!"

challenge accepted

Right after downloading the binary, I checked what type of file it was.

file

The next step was to verify the strings (strings out). It was an endless output, from which something caught my eye. πŸ‘οΈπŸ€”

packer
It was the πŸ₯‡st time I saw something like this. In consequence, I decided to activate my research skills πŸ”.πŸ”Ž

According to this source:

UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.

All right, seems it works like an archiver. If something was compressed, then it can be also decompressed, right? πŸ€“πŸ™Œ

To my curiosity, I looked for ways to decompress a UPX file.
upx

If you don't have it already, you can install according to this documentation.

With that being said, let's see what we got.

decompressed
It seems that we obtained more details after decompressing the file.
We can look for the flag either by:
πŸ•› using strings and look carefully after some hints
πŸ• using strings and search for the text pattern
πŸ•‘ summoning Ghidra
πŸ•’ using debuggers...

Honestly, the easiest way is using strings and grepping for flags
strings

Then we take the encrypted text and use CyberChef to decrypt it.

Thanks to the magic wand πŸͺ„, we get the flag!!

flag

On Ghidra we also obtain the same result, but it will take a bit longer until the function "main" will appear and it will not be so obvious: you should search for it.

ghidra

Aand using the debuggers. I used pwndbg. I put a break on the puts instruction raised

puts

and found this out:
debug

Wait, we also have another encrypted text. Curious what's there?
text

texxt

And that was it! A binary challenge can be solved multiple ways, there will be times when strings function will not reveal the answer, so we need to use other tools 😺.

Congrats! πŸ‘ What are your thoughts?πŸ€”

πŸ’– πŸ’ͺ πŸ™… 🚩
yowise
a.infosecflavour

Posted on April 5, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

PicoCTF 2024: packer
community PicoCTF 2024: packer

April 5, 2024