Category: Reversing Points: 100 Description:

Bernie Sanders 2018
consul.bin

Investigation

This is a 100 level challenge, so let’s start off with something basic. (Much of the standard output removed for brevity.)

strings consul.bin
[...]
Poor Bernie.
;*3$"
&,!';72)4%
"%2.)%
?XbaTeWb
C\fT2
g[Tg
aXkg
ceXf\WXag2
X]Xb
XYgYfjY
6Yfb]Y"
T]`SdS`
OTbS`
bVOb
U]]R
[...]
florida.c
[...]
dont_call_me
[...]
sub_9F36
[...]
real_help
sub_41F2
[...]
main
sub_198A
[...]
sub_43E8
fake_help
help
[...]

Nothing super obvious, but we see a few different functions to make note of.

I’m a pretty terrible reverse engineer, it’s never been a strong suit. Instead of doing the logical thing that others did, (because I didn’t know I could), I used an idea that Aaron had touched on, that perhaps the bytes were shifted, like a caesar shift. He had written a python script to go through the file each byte at a time and shift it by a preset number that he had found while debugging. I wanted something better.

Solution

(If you can call it a solution, whatever I found the flag) A quick script that takes the filename as input and a string that you’re looking for, then shifts each byte in the file, looking for that input. In this case we are looking for “flag” but it could vary in other CTFs and reusable tools are great, even if they are terrible tools.

b0tchsec/CTF-Fanny-Pack/tools/caesar_brute.py

Don’t try this at home, kids. Learn how to do it better, so you can get better, so you can do better next time. Check out how others did it (more appropriately) on CTFTime

Flag

Our script found the flag using a 0x40 shift.

flag{write_in_bernie!}