PicoCTF 2024: packer
a.infosecflavour
Posted on April 5, 2024
This challenge's description asks: "Reverse this Linux executable?". My answer: "Challenge accepted!"
Right after downloading the binary, I checked what type of file it was.
The next step was to check the strings (strings out). It was an endless output, but one thing caught my eye: a reference to UPX.
It was the first time I had seen something like this, so I decided to activate my research skills.
According to this source:
UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.
All right, so it works like a self-extracting archive: the packed program carries its own compressed code and unpacks it when it runs. If something was compressed, then it can also be decompressed, right?
Out of curiosity, I looked for ways to decompress a UPX file.
If you don't have UPX installed already, you can install it by following this documentation.
With that being said, let's see what we got.
After decompressing the file, we get a lot more detail out of it.
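The markers that give a UPX-packed file away in the strings output (the "UPX!" header magic, the UPX0/UPX1 section names and UPX's own "$Info: This file is packed with the UPX executable packer" banner) are easy to check for programmatically. The script below is an added example, not part of this writeup or of UPX itself: it scans a byte blob for those well-known markers, counts printable strings the way `strings` would, and reports a crude packed/unpacked verdict. The two sample blobs are constructed to look like a packed and an unpacked ELF; on a real file you would read the bytes from disk, and a file flagged as packed is what `upx -d` restores.

```python
import re

# Well-known markers UPX leaves behind in a packed ELF or PE. These are UPX's
# own signatures, not strings taken from the challenge binary.
UPX_MARKERS = [
    b"UPX!",
    b"UPX0",
    b"UPX1",
    b"$Info: This file is packed with the UPX executable packer",
]
ELF_MAGIC = b"\x7fELF"


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of `strings`: runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def upx_indicators(data: bytes) -> dict:
    """Report which UPX markers a file carries and how many strings it exposes."""
    found = [m.decode() for m in UPX_MARKERS if m in data]
    return {
        "is_elf": data.startswith(ELF_MAGIC),
        "upx_markers": found,
        "string_count": len(printable_strings(data)),
        # A packed file shows almost nothing in `strings` except the UPX banner.
        "likely_upx_packed": bool(found),
    }


# Constructed samples: a fake packed ELF (UPX markers, almost no other
# strings) and a fake unpacked ELF (normal section names, symbol names).
PACKED_SAMPLE = (
    ELF_MAGIC + b"\x00" * 12
    + b"UPX0" + b"\x00" * 12 + b"UPX1" + b"\x00" * 12
    + b"UPX!" + bytes(range(0, 32)) * 4
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
)
UNPACKED_SAMPLE = (
    ELF_MAGIC + b"\x00" * 12
    + b".text\x00.rodata\x00.data\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00puts\x00__libc_start_main\x00GLIBC_2.2.5\x00main\x00"
)


def compare_samples() -> dict:
    """Run the check on both constructed samples, as a stand-in for before/after upx -d."""
    return {"packed": upx_indicators(PACKED_SAMPLE), "unpacked": upx_indicators(UNPACKED_SAMPLE)}


if __name__ == "__main__":
    for name, report in compare_samples().items():
        print(name, report)
```

The string count is the cheap tell the writeup relied on: the packed blob yields a handful of strings (the UPX banner and little else), the unpacked one yields the section and symbol names you expect from a normal binary.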
We can look for the flag in several ways:
- using strings and looking carefully for hints
- using strings and grepping for a text pattern
- summoning Ghidra
- using a debugger...
Honestly, the easiest way is using strings and grepping for flags.
Then we take the encrypted text and use CyberChef to decrypt it.
Thanks to CyberChef's magic wand, we get the flag!
With Ghidra we obtain the same result, but it takes a bit longer: the "main" function does not appear right away and is not so obvious, so you have to search for it.
And finally, using a debugger. I used pwndbg and set a breakpoint on the puts instruction.
Wait, we also have another encrypted text. Curious what's in there?
And that was it! A binary challenge can be solved in multiple ways, and there will be times when strings alone will not reveal the answer, so we need to reach for other tools.
Congrats! What are your thoughts?