Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss/twitter]

Nuit du Hack 2014 Quals - Big Momma (misc 200)
Sun 06 April 2014 — download

Steve programmed a service to authenticate him for administration purposes, take control...


Smells like a pwn challenge. We suck at pwn challenges. This wasn't a pwn challenge \o/

The file is a x64 binary. According to radare2, it first calls a login function, which reads a file, and the rest seems to be a classic fork() socket server.

The principal function, called by the server, is 0x400e71. It contains interesting strings like:

  • Well done! Here is the flag: %s
  • Please enter your username:

Some loops, some calls to strcmp, and Nope (%d). if you look carefully at what value is used for the %d, you'll see that it's the return value of strcmp.

The strcmp() function compares the two strings s1 and s2. It returns an integer less than, equal to, or greater than zero if s1 is found, respectively, to be less than, to match, or be greater than s2.

This allows us to cleverly bruteforce the login/password without reversing the binary further (modulo dirty tricks, but since it';s a 200 points chall, there shouldn't be any). We were extra-lazy, and didn't bother to write a simple-python script.

Please enter your username: 4dM1N15TR4T0R

Username correct, what is the password? THEpasswordISreallyLONGbutYOUllGETtoTHEendOFitEVENTUALLY

Well done! Here is the flag: YoMamaIsLikeHTML,SmallHeadAndHugeBody