
Forensics 350: core

Challenge

This program was about to print the flag when it died. Maybe the flag is still in this core file that it dumped?

Also available at /problems/core_0_28700fe29cea151d6a3350f244f342b2 on the shell server.

Solution

(master) [hxr@mk:~/Personal/projects/ctf-writeups-galaxians/PicoCTF_2018/writeupfiles]148$ gdb print_flag core
warning: exec file is newer than core file.
[New LWP 59693]
Core was generated by `/opt/hacksports/staging/core_0_4983223896836212/problem_files/print_flag'.
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
#0  print_flag () at ./print_flag.c:90
90      ./print_flag.c: Datei oder Verzeichnis nicht gefunden.
(gdb) disas
Dump of assembler code for function print_flag:
=> 0x080487c1 <+0>:     push   ebp
   0x080487c2 <+1>:     mov    ebp,esp
   0x080487c4 <+3>:     sub    esp,0x18
   0x080487c7 <+6>:     mov    DWORD PTR [ebp-0xc],0x539
   0x080487ce <+13>:    mov    eax,DWORD PTR [ebp-0xc]
   0x080487d1 <+16>:    mov    eax,DWORD PTR [eax*4+0x804a080]
   0x080487d8 <+23>:    sub    esp,0x8
   0x080487db <+26>:    push   eax                               ; arg2: *eax
   0x080487dc <+27>:    push   0x804894c                         ; arg1: (x/s 0x804894c)
   0x080487e1 <+32>:    call   0x8048410 <printf@plt>            ; printf
   0x080487e6 <+37>:    add    esp,0x10
   0x080487e9 <+40>:    nop
   0x080487ea <+41>:    leave
   0x080487eb <+42>:    ret
End of assembler dump.
(gdb) x/s 0x804894c
0x804894c:      "your flag is: picoCTF{\%s}\n"
(gdb) x/s *(0x539*4 + 0x804a080)
0x80610f0:      "abb6a3b2603654804ed357322c760510"

We work backwards here: it will call printf with two arguments (the two pushes before the call). Printing out the second push we see the format string. The first push just pushes eax, so whatever is in eax is being passed to the format string.

We cannot print out eax because it isn’t set yet (and trying to step/continue causes an immediate crash), so we need to calculate what value will be in eax.

The relevant lines are:

mov    DWORD PTR [ebp-0xc],0x539
mov    eax,DWORD PTR [ebp-0xc]
mov    eax,DWORD PTR [eax*4+0x804a080]

Which can be translated as

var1 = 0x539
eax = var1
eax = *(eax * 4 + 0x804a080)    // load the 4-byte value stored at that address

So eax receives the 4-byte pointer stored at address 0x539 * 4 + 0x804a080, and the string that pointer refers to is what gets printed. We can read both in one step with x/s *(0x539 * 4 + 0x804a080)
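As an added example that is not part of the original writeup, the same lookup can be done straight from the ELF32 core file without gdb: parse the PT_LOAD segments, read the 4-byte pointer at 0x539 * 4 + 0x804a080, and follow it to the NUL-terminated string. The addresses are the ones from the disassembly above; build_fake_core() is a constructed fixture so the script runs offline, and recover_printf_arg(open("core", "rb").read()) would run it against the real dump.

```python
import struct

PT_LOAD = 1
TABLE_BASE = 0x804A080   # array base from `mov eax,[eax*4+0x804a080]`
INDEX = 0x539            # value stored at [ebp-0xc]

def load_segments(core):
    """Return (vaddr, bytes) for each PT_LOAD segment that has file data."""
    assert core[:4] == b"\x7fELF" and core[4] == 1, "expected an ELF32 file"
    e_phoff = struct.unpack_from("<I", core, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 42)
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIIII", core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:   # file-backed text is usually not dumped
            segs.append((p_vaddr, core[p_offset:p_offset + p_filesz]))
    return segs

def read_mem(segs, addr, size):
    """Read `size` bytes at virtual address `addr`, failing if the core lacks them."""
    for vaddr, data in segs:
        if vaddr <= addr and addr + size <= vaddr + len(data):
            return data[addr - vaddr:addr - vaddr + size]
    raise ValueError(f"{addr:#x} is not in any dumped segment")

def read_cstring(segs, addr, limit=256):
    out = bytearray()
    while len(out) < limit and (b := read_mem(segs, addr + len(out), 1)) != b"\x00":
        out += b
    return out.decode()

def recover_printf_arg(core):
    """Emulate eax = *(uint32_t *)(INDEX*4 + TABLE_BASE) and return the string eax points to."""
    segs = load_segments(core)
    ptr = struct.unpack("<I", read_mem(segs, TABLE_BASE + INDEX * 4, 4))[0]
    return read_cstring(segs, ptr)

def build_fake_core(body=b"abb6a3b2603654804ed357322c760510"):
    """Constructed fixture: a minimal ELF32 core with a table segment and a heap segment."""
    str_addr = 0x80610F0
    table = bytearray(INDEX * 4 + 4)
    struct.pack_into("<I", table, INDEX * 4, str_addr)   # table[0x539] -> heap string
    heap = body + b"\x00"
    data_off = 52 + 2 * 32                                # ehdr + two phdrs
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9          # ELF32, little-endian
    ehdr += struct.pack("<HHIIIIIHHHHHH", 4, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph = struct.pack("<IIIIIIII", PT_LOAD, data_off, TABLE_BASE, 0, len(table), len(table), 6, 0x1000)
    ph += struct.pack("<IIIIIIII", PT_LOAD, data_off + len(table), str_addr, 0, len(heap), len(heap), 6, 0x1000)
    return ehdr + ph + bytes(table) + heap
```

Note that the format string at 0x804894c lives in the executable's read-only text, which a core normally does not contain; that is why the writeup loads both print_flag and core into gdb, while this script only needs the dumped data and heap.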

Flag

picoCTF{abb6a3b2603654804ed357322c760510}