Elf Glaki went rouge! At 2:56 PM EST, he locked up all our flags! Luckily you're not an idiot and you can fix this in 3 minutes. Stop this Angry Elf ASAP!
nc ctf.csd.lol 1147 (uhh kinda broken but works, will fix soon)
angry elf
Category
Points
Author
Reverse engineering
50
q
qvipin
Solves (76)
| 1 |  minipif | 12/14 3:20 pm |
| 2 |  andreicat | 12/14 3:21 pm |
| 3 |  _vow_ | 12/14 3:25 pm |
| 4 |  mr_mph | 12/14 3:28 pm |
| 5 |  raul_26 | 12/14 3:29 pm |
| 6 |  heartstoller | 12/14 3:42 pm |
| 7 |  dharneesh5555 | 12/14 3:49 pm |
| 8 |  godlyavenger | 12/14 4:13 pm |
| 9 |  infernosalex | 12/14 5:16 pm |
| 10 |  tudor | 12/14 6:00 pm |
| 11 |  battersea | 12/14 7:58 pm |
| 12 |  pligonstein | 12/15 6:11 am |
| 13 |  sleuth123 | 12/15 7:32 am |
| 14 |  saturn9 | 12/15 7:53 am |
| 15 |  branoodle | 12/15 12:39 pm |
| 16 |  whoful | 12/15 1:23 pm |
| 17 |  zarnex__ | 12/15 1:23 pm |
| 18 |  boomanten10 | 12/15 3:03 pm |
| 19 |  Shrelic | 12/15 8:55 pm |
| 20 | test123450604 | 12/16 4:36 am |
| 21 |  _avyra | 12/16 6:38 am |
| 22 |  rex_i_a | 12/16 3:40 pm |
| 23 |  unpwnbl | 12/16 5:16 pm |
| 24 | f00var | 12/16 10:14 pm |
| 25 |  silence_ | 12/17 4:00 am |
| 26 |  puwanai.s | 12/17 4:08 am |
| 27 |  zzunaidd023 | 12/17 4:50 am |
| 28 |  colonneil | 12/17 10:53 am |
| 29 |  nouxia | 12/17 12:17 pm |
| 30 |  _4n3s | 12/17 4:09 pm |
| 31 |  elijah5399 | 12/17 11:03 pm |
| 32 | vuxnx_91621 | 12/17 11:49 pm |
| 33 |  andreww4364 | 12/18 1:16 am |
| 34 |  theb4tmite | 12/18 4:24 am |
| 35 | kush001607 | 12/18 5:10 am |
| 36 |  .hackboredzz | 12/18 9:40 am |
| 37 |  trixai | 12/18 10:29 am |
| 38 |  booklover997 | 12/18 12:01 pm |
| 39 |  damian.28 | 12/18 2:15 pm |
| 40 | fzhshzh_163 | 12/18 8:04 pm |
| 41 |  athaw | 12/18 9:14 pm |
| 42 | zytbxl | 12/18 9:58 pm |
| 43 | johndoe6826 | 12/18 10:00 pm |
| 44 | benny_46903_75418 | 12/19 3:27 am |
| 45 |  mrmakare | 12/19 5:30 am |
| 46 |  ots3299 | 12/19 10:20 am |
| 47 |  rocky2020. | 12/19 10:59 am |
| 48 |  georgechkhaidze | 12/19 9:48 pm |
| 49 |  mage9298 | 12/20 10:05 am |
| 50 |  masquerade8077 | 12/20 11:24 am |
| 51 |  ryuun1corn | 12/21 3:49 am |
| 52 |  hqky.2kruoi | 12/21 7:10 am |
| 53 | kar_b | 12/21 11:36 pm |
| 54 | mtwiss_32447 | 12/22 11:44 am |
| 55 |  .mindsystem | 12/22 3:59 pm |
| 56 | awdyan_ | 12/22 5:20 pm |
| 57 |  manu7738 | 12/23 6:02 am |
| 58 |  captainbl | 12/23 7:50 am |
| 59 | spectre06872 | 12/23 7:59 am |
| 60 |  obet | 12/23 8:19 am |
| 61 |  re_tired | 12/24 11:49 am |
| 62 |  awwliveyet | 12/25 12:24 pm |
| 63 | monstermanyana_47633 | 12/25 3:03 pm |
| 64 |  darkity | 12/25 3:33 pm |
| 65 |  zabatmoncef | 12/25 3:41 pm |
| 66 |  tildenjackson | 12/25 6:16 pm |
| 67 |  yugi200 | 12/26 4:45 am |
| 68 |  mattewastaken | 12/26 12:14 pm |
| 69 |  isee9917 | 12/26 11:41 pm |
| 70 | fakeaviationist | 12/27 3:38 am |
| 71 |  .jstr_ | 12/27 4:05 am |
| 72 |  qwerty2119581 | 12/28 8:18 am |
| 73 |  hotiker | 12/28 11:05 am |
| 74 |  fazect | 12/29 6:48 am |
| 75 | wilsonwei_cs | 12/29 8:20 am |
| 76 | nian_30889 | 12/30 8:39 am |
Submit flag
Discuss this challenge with others in #🎄丨advent-of-ctf on our Discord server.
Write-up
.jstr_ (Jester)'s write-up was selected as the best write-up submitted for this challenge.
View this write-up on GitHubThe first thing we do is to run it through dogbolt to see the source code of the program.
The main part of the program is:
__int64 __fastcall validate_passcode(__int64 a1)
{
int j; // [rsp+14h] [rbp-1Ch]
int i; // [rsp+14h] [rbp-1Ch]
int v4; // [rsp+18h] [rbp-18h]
char v5[11]; // [rsp+1Dh] [rbp-13h]
unsigned __int64 v6; // [rsp+28h] [rbp-8h]
v6 = __readfsqword(0x28u);
v4 = 0;
while ( v4 != 2 )
{
if ( v4 )
{
for ( i = 0; i <= 10; ++i )
{
if ( v5[i] != obfuscated_key[i] )
return 0LL;
}
v4 = 2;
}
else
{
for ( j = 0; j <= 10; ++j )
v5[j] = *(_BYTE *)(j + a1) ^ 0x7F;
v4 = 1;
}
}
return 1LL;
}
// 1253: conditional instruction was optimized away because %var_18.4<3u
// 125D: conditional instruction was optimized away because %var_18.4<3u
// 126D: conditional instruction was optimized away because %var_18.4<2u
// 1279: conditional instruction was optimized away because %var_18.4==1
// 4010: using guessed type _BYTE obfuscated_key[11];
// 1229: using guessed type char var_13[11];
//----- (0000000000001321) ----------------------------------------------------
int __fastcall main(int argc, const char **argv, const char **envp)
{
FILE *stream; // [rsp+8h] [rbp-A8h]
char s[16]; // [rsp+10h] [rbp-A0h] BYREF
char v6[136]; // [rsp+20h] [rbp-90h] BYREF
unsigned __int64 v7; // [rsp+A8h] [rbp-8h]
v7 = __readfsqword(0x28u);
printf("Enter passcode: ");
__isoc99_scanf("%15s", s);
if ( strlen(s) == 11 )
{
if ( (unsigned int)validate_passcode((__int64)s) )
{
puts("Access Granted!");
stream = fopen("flag.txt", "r");
if ( stream )
{
if ( fgets(v6, 128, stream) )
printf("Here is your flag: %s\n", v6);
fclose(stream);
}
else
{
puts("Error: Could not read flag file.");
}
}
else
{
puts("Access Denied!");
}
return 0;
}
else
{
puts("Invalid passcode length!");
return 1;
}
}
So, to find a key to the app, we need a key that is 11 characters long. Since the code Obfuscates the input passcode using a bitwise XOR operation with 0x7F and compares the result to a the obfuscated key. So, to find the key, we have to reverse the obfuscation.
To do this, we can:
Go on CyberChef. Input the numbers that are separated with commas. (15,13,22,17,24,19,26,12,79,70,92) Add From Decimal and put Comma as the delimeter. Add XOR and put 0x7F aa the key.
The output we get is pringles09#. Now input the decrypted text into the NetCat to get the answer:
jstr$ nc ctf.csd.lol 1147
pringles09#
Enter passcode: Access Granted!
Here is your flag: csd{4N9ry_3lf5_5h0uLdNT_83_M3553D_w1tH}
Flag: csd{4N9ry_3lf5_5h0uLdNT_83_M3553D_w1tH}
Need help with a challenge? Is a challenge broken? DM @ModMail in our Discord server.