n00bs CTF Level 8

Link: Webpage
Points: 80
Useful Tools: file, strings, grep
Tags: beginner, reverse engineering


The Challenge

The main page for level 8 presents another file to examine. Of course, I still recommend looking at the source code first just in case there is useful information there as well.

Level 8 Main Page

We learned in the earlier lessons a way to identify what our true file-type is. You should get used to performing this check first to ensure that the file is really what you think it is.

$ file app.exe
app.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Looks good; this file truly is a Windows executable. PE32 represents a 32-bit Windows program. Before beginning to reverse engineer this (a surely daunting task), I usually like to first look at the plaintext strings that are buried within the binary file. This is going to return a lot of junk to your screen, but it can be worth sifting through to see if there are any useful hardcoded strings in there. In this case, the flag string was indeed hardcoded in.

$ strings app.exe
!This program cannot be run in DOS mode.
.text
`.data
.rdata
< clipped >
% Q@
%$Q@
infosec_flagis_0x1a
###########################################
#Welcome to infosec institute net app v1.0#
netstat
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
%s:%u: failed assertion `%s'
< clipped >

The strings command can give you a decent indication of what the binary executable does when run, which can be a good way to get your bearings before diving in for reverse engineering. In this case, we don't need to reverse engineer it at all, because the flag is immediately visible: infosec_flagis_0x1a

Note that you can make this much easier to sift through if you use grep to search for what you are interested in. Since we know the flag format, we can search the strings output for the flag prefix to see if it's there.

$ strings app.exe | grep infosec_flagis
infosec_flagis_0x1a

Lessons Learned

This level gave us another commonly used and powerful Linux command: strings. This command will dump out any and all strings that are found in any file you give it, whether it's a text file, binary executable, image file, etc. If it's a binary file, most of the output will be junk (by default it returns any run of 4 or more printable characters), but you can use grep to search through it if you know what you are looking for. You can also raise the minimum run length from 4 to something much higher, such as 10:

$ strings -n 10 app.exe
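To make the two checks above concrete, here is an added example (my own code, not part of the original write-up or the challenge) that reimplements in Python what `file` and `strings -n N | grep` did for us: it reads the MZ/PE magic bytes the way `file` does to confirm the file type, then scans for runs of printable ASCII of a configurable minimum length and filters them by a prefix. The binary it scans is a small constructed blob that only mimics the layout of a PE header; it is not the challenge's app.exe, and the flag value inside it is simply copied from the write-up.

```python
import re
import struct


def build_sample() -> bytes:
    """Constructed stand-in for app.exe: an MZ stub whose e_lfanew field
    (offset 0x3c) points at a PE signature, followed by mixed junk and text.
    This is NOT the real challenge binary."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3a)     # 0x3c bytes of DOS header
    dos_header += struct.pack("<I", 0x40)              # e_lfanew -> PE header at 0x40
    body = bytearray(b"PE\x00\x00")                    # IMAGE_NT_SIGNATURE
    body += struct.pack("<H", 0x014C)                  # Machine = IMAGE_FILE_MACHINE_I386
    body += b"\x01\x02\x03"                            # non-printable noise
    body += b"!This program cannot be run in DOS mode.\x00"
    body += b"\x90\x00\xff"
    body += b"% Q@\x00"                                # 4-char junk, like real strings output
    body += b"infosec_flagis_0x1a\x00"                 # flag value copied from the write-up
    body += b"ab\x00"                                  # too short for the default minimum
    body += b"netstat\x00"
    return bytes(dos_header + body)


def identify(data: bytes) -> str:
    """Minimal stand-in for `file`: validate the MZ and PE signatures and
    report the machine type from the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a DOS/PE file"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ stub without PE header"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    arch = {0x014C: "Intel 80386 (PE32)", 0x8664: "x86-64 (PE32+)"}.get(machine, hex(machine))
    return f"PE executable, {arch}"


def extract_strings(data: bytes, min_len: int = 4):
    """Behaves like `strings -n min_len`: every maximal run of at least
    min_len printable ASCII bytes (0x20..0x7e), in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def grep(lines, needle: str):
    """Keep only lines containing needle, like piping through `grep needle`."""
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    blob = build_sample()
    print("file:", identify(blob))
    print("strings:", extract_strings(blob))
    print("strings -n 10:", extract_strings(blob, 10))
    print("strings | grep infosec_flagis:", grep(extract_strings(blob), "infosec_flagis"))
```

Running it shows why the default minimum of 4 lets fragments like `% Q@` through while `-n 10` drops them, and why a grep on the known flag prefix is the fastest route to the answer. The header check is deliberately shallow (signature and machine type only); real `file` output such as the "stripped to external PDB" note comes from parsing more of the optional header and debug directory.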
