n00bs CTF Level 8
The main page for level 8 presents another file to examine. Of course, I still recommend looking at the source code first just in case there is useful information there as well.
We learned in the earlier lessons a way to identify what our true file-type is. You should get used to performing this check first to ensure that the file is really what you think it is.
Looks good; this file truly is a Windows executable.
PE32 represents a 32-bit Windows program. Before beginning to reverse engineer this (a surely daunting task), I usually like to first look at the plaintext strings that are buried within the binary file. This is going to return a lot of junk to your screen, but it can be worth sifting through to see if there are any useful hardcoded strings in there. In this case, the flag string was indeed hardcoded in.
The strings command can give you a decent indication of what the binary executable does when run, which can be a good way to get your bearings before diving in for reverse engineering. In this case, we don't need to reverse engineer it at all, because the flag is immediately visible.
Note that you can make this much easier to sift through if you use grep to search for what you are interested in. Since you know the flag format, we can search the strings for the flag to see if it's there.
This level gave us another commonly used and powerful Linux command: strings. This command will dump out any and all strings that are found in any file you give it, whether it's a text file, binary executable, image file, etc. If it's a binary file, most of the output will be junk (by default it returns any run of 4 or more printable characters), but you can use grep to search through it if you know what you are looking for. You can also increase the minimum number of characters from 4 to something much higher, such as 10:
strings -n 10 app.exe
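The two steps above (dump the printable strings, then grep for the known flag format) put into one script, as an added example that is not part of the original writeup. It re-implements the default behaviour of strings with grep alone, so it also runs on systems without binutils; the function names, the fake "binary" it builds, and the flag{...} placeholder format are all constructed for the demonstration and are not the real level 8 file or flag.

```shell
#!/bin/sh
# Added example (not from the writeup): emulate `strings -n N file | grep PATTERN`
# using only grep, and show how the minimum length changes the output.
set -e

# extract_strings FILE [MINLEN]
# Prints every run of MINLEN (default 4) or more printable ASCII characters,
# one per line, which matches what `strings -n MINLEN FILE` reports for ASCII.
extract_strings() {
    file=$1
    minlen=${2:-4}
    # LC_ALL=C keeps grep byte-oriented, -a treats the binary as text,
    # -o prints only the matching runs rather than whole "lines".
    LC_ALL=C grep -aoE "[[:print:]]{$minlen,}" "$file"
}

# find_flag FILE PATTERN [MINLEN]
# The writeup's second step: dump strings, then grep for the flag format.
find_flag() {
    extract_strings "$1" "${3:-4}" | grep -E "$2"
}

# make_sample OUT
# Writes a constructed stand-in for a PE binary: a DOS-stub-like header,
# a short section name, non-printable junk, a planted placeholder flag and
# an import name. Octal escapes keep this portable across sh/dash/bash.
make_sample() {
    out=$1
    printf 'MZ\220\000\003\000\000\000\004\000' > "$out"
    printf 'This program cannot be run in DOS mode.\015\012$\000' >> "$out"
    printf '.text\000\000\000' >> "$out"                # 5 chars: shows at -n 4, not at -n 10
    printf '\001\002\003ab\004\005' >> "$out"           # "ab" is too short to be reported
    printf 'flag{constructed_example}\000' >> "$out"    # constructed placeholder flag
    printf '\377\376kernel32.dll\000\000' >> "$out"
}

main() {
    tmp=$(mktemp)
    make_sample "$tmp"
    echo "== strings, minimum length 4 =="
    extract_strings "$tmp" 4
    echo "== strings, minimum length 10 =="
    extract_strings "$tmp" 10
    echo "== strings | grep for the flag format =="
    find_flag "$tmp" 'flag\{[^}]*\}'
    rm -f "$tmp"
}

main
```

On a real target, replace make_sample with the file under analysis and pass your CTF's actual flag format as the pattern; raising the minimum length (the third argument) trims most of the 4-character noise that an executable produces.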