Reversing 200: quackme

Challenge
Can you deal with the Duck Web? Get us the flag from this program
You can also find the program in /problems/quackme_0_29c1eeadf7509d3b370e5d76c6fa54e5.

Hints
Objdump or something similar is probably a good place to start.

Solution

$ objdump -s -d -j .rodata writeupfiles/quackme

writeupfiles/quackme:     file format elf32-i386

Contents of section .rodata:
 80487e8 03000000 01000200 596f7520 68617665  ........You have
 80487f8 206e6f77 20656e74 65726564 20746865   now entered the
 8048808 20447563 6b205765 622c2061 6e642079   Duck Web, and y
 8048818 6f752772 6520696e 20666f72 20612068  ou're in for a h
 8048828 6f6e6b69 6e272067 6f6f6420 74696d65  onkin' good time
 8048838 2e0a4361 6e20796f 75206669 67757265  ..Can you figure
 8048848 206f7574 206d7920 74726963 6b3f0000   out my trick?..
 8048858 2906164f 2b35301e 511b5b14 4b085d2b  )..O+50.Q.[.K.]+
 8048868 5c100606 18455100 5d004e6f 206c696e  \....EQ.].No lin
 8048878 65207265 61642e2e 2e000000 6d616c6c  e read......mall
 8048888 6f632829 20726574 75726e65 64204e55  oc() returned NU
 8048898 4c4c2e20 4f757420 6f66204d 656d6f72  LL. Out of Memor
 80488a8 790a0059 6f752061 72652077 696e6e65  y..You are winne
 80488b8 72210054 68617427 7320616c 6c20666f  r!.That's all fo
 80488c8 6c6b732e 00                          lks..

Disassembly of section .rodata:

080487e8 <_fp_hw>:
 80487e8:       03 00 00 00                                         ....

080487ec <_IO_stdin_used>:
 80487ec:       01 00 02 00 59 6f 75 20 68 61 76 65 20 6e 6f 77     ....You have now
 80487fc:       20 65 6e 74 65 72 65 64 20 74 68 65 20 44 75 63      entered the Duc
 804880c:       6b 20 57 65 62 2c 20 61 6e 64 20 79 6f 75 27 72     k Web, and you'r
 804881c:       65 20 69 6e 20 66 6f 72 20 61 20 68 6f 6e 6b 69     e in for a honki
 804882c:       6e 27 20 67 6f 6f 64 20 74 69 6d 65 2e 0a 43 61     n' good time..Ca
 804883c:       6e 20 79 6f 75 20 66 69 67 75 72 65 20 6f 75 74     n you figure out
 804884c:       20 6d 79 20 74 72 69 63 6b 3f 00 00                  my trick?..

08048858 <sekrutBuffer>:
 8048858:       29 06 16 4f 2b 35 30 1e 51 1b 5b 14 4b 08 5d 2b     )..O+50.Q.[.K.]+
 8048868:       5c 10 06 06 18 45 51 00 5d 00 4e 6f 20 6c 69 6e     \....EQ.].No lin
 8048878:       65 20 72 65 61 64 2e 2e 2e 00 00 00 6d 61 6c 6c     e read......mall
 8048888:       6f 63 28 29 20 72 65 74 75 72 6e 65 64 20 4e 55     oc() returned NU
 8048898:       4c 4c 2e 20 4f 75 74 20 6f 66 20 4d 65 6d 6f 72     LL. Out of Memor
 80488a8:       79 0a 00 59 6f 75 20 61 72 65 20 77 69 6e 6e 65     y..You are winne
 80488b8:       72 21 00 54 68 61 74 27 73 20 61 6c 6c 20 66 6f     r!.That's all fo
 80488c8:       6c 6b 73 2e 00                                      lks..

We see a very suspicious “sekrutBuffer”. We extracted the bytes from this buffer and tried XORing them with ‘picoCTF’ in case that shows anything useful:

$ python
Python 2.7.12 (default, Dec  4 2017, 14:50:18)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> bytes = [0x29, 0x06, 0x16, 0x4f, 0x2b, 0x35, 0x30, 0x1e, 0x51, 0x1b, 0x5b, 0x14, 0x4b, 0x08, 0x5d, 0x2b, 0x5c, 0x10, 0x06, 0x06, 0x18, 0x45, 0x51, 0x00, 0x5d]
>>> pico = map(ord, 'picoCTF{}')
>>> for x, y in zip(bytes, pico):
...     print(chr(x^y))
...
Y
o
u

h
a
v
e
,

This looks like the start of the greeting message stored in the binary. We try XORing that message against the bytes of sekrutBuffer:

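# sekrutBuffer bytes copied from the .rodata dump
sekrut = [0x29, 0x06, 0x16, 0x4f, 0x2b, 0x35, 0x30, 0x1e, 0x51, 0x1b, 0x5b, 0x14, 0x4b, 0x08, 0x5d, 0x2b, 0x5c, 0x10, 0x06, 0x06, 0x18, 0x45, 0x51, 0x00, 0x5d]
# The greeting string stored just before sekrutBuffer is the XOR key
key = map(ord, "You have now entered the Duck Web, and you're in for a honkin' good time.")

# zip() stops at the shorter input, so only the first 25 key characters are used
flag = ''
for x, y in zip(sekrut, key):
    flag += chr(x ^ y)

print(flag)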

This outputs our flag.
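
The same known-plaintext step, generalized as an added example (not part of the original writeup): XOR the ciphertext with the known flag prefix `picoCTF{`, then search the strings from the `.rodata` dump for the resulting key fragment instead of spotting it by eye. The function names are this example's own, and the string list is transcribed from the dump above.

```python
"""Known-plaintext recovery of an XOR key stored next to the ciphertext."""

# Bytes of sekrutBuffer, copied from the objdump output above.
SEKRUT = bytes.fromhex(
    "2906164f 2b35301e 511b5b14 4b085d2b 5c100606 18455100 5d"
)

# Printable strings visible in the same .rodata dump (NUL-separated there).
RODATA_STRINGS = [
    b"You have now entered the Duck Web, and you're in for a honkin' good time.\n"
    b"Can you figure out my trick?",
    b"No line read...",
    b"malloc() returned NULL. Out of Memory\n",
    b"You are winner!",
    b"That's all folks.",
]

KNOWN_PREFIX = b"picoCTF{"  # flag format; only this prefix is assumed known


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def find_key(cipher, known, candidates):
    """Return the candidate (from its match offset on) that contains
    cipher XOR known, or None if no candidate can cover the ciphertext."""
    fragment = xor(cipher, known)  # key bytes implied by the known plaintext
    for cand in candidates:
        off = cand.find(fragment)
        # Reject matches that leave fewer key bytes than ciphertext bytes.
        if off != -1 and len(cand) - off >= len(cipher):
            return cand[off:]
    return None


def recover(cipher=SEKRUT, known=KNOWN_PREFIX, candidates=RODATA_STRINGS):
    """Decrypt cipher with the key located via the known plaintext prefix."""
    key = find_key(cipher, known, candidates)
    if key is None:
        raise ValueError("no .rodata string matches the implied key bytes")
    return xor(cipher, key).decode("ascii")


if __name__ == "__main__":
    print(recover())
```

An XOR key stored in the same binary as the ciphertext gives no secrecy: any known plaintext prefix points straight at it.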

Flag

picoCTF{qu4ckm3_9bcb819e}