Category: Binary

Points: 100

Description:

Eindbazen team member asby has by far been putting the most energy and time in creating the SHA2017 CTF. To honor his dedication and all his effort we created this challenge as an ode to him.

You can choose to reverse engineer this challenge or you can "asby" it. Good luck with the option you choose.

asby.tgz - 7422948a4034252d45cee02753b3d13b

This challenge didn’t require much reversing. I opened up the binary in IDA Pro only long enough for me to realize that the binary checks the supplied flag one character at a time and it will report if each character is correct. Then, I checked the home page of the CTF and noticed that the flag format is very predictable.

All flags will have the layout of flag{MD5} and are case insensitive.

Both of these facts combined makes the flag very easy to bruteforce. Since MD5 hashes are base-16 hex, we know each character only has 16 possibilites. So I wrote a quick python script to brute force the flag, one character at a time.

import subprocess

def getp():
    p=subprocess.Popen(['asby.exe'],stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
    return p

def tryflag(p, possible_flag):
    command = possible_flag + '\r\n'
    p.stdin.write(command)
    for i in range(len(possible_flag)):
        response=p.stdout.readline()
        if 'WRONG!' in response:
            return False
    return True

p = getp()
assert(tryflag(p, 'flag{'))
assert(tryflag(p, 'flag{0'))

flag = 'flag{'

for x in range(32):
    for y in range(16):
        c = '%x' % y
        if tryflag(p, flag + c):
        	print(flag)
            flag += c
            break

flag += '}'
print(flag)

And the output from the script:

flag{
flag{0
flag{02
flag{024
flag{024b
flag{024ba
flag{024baa
flag{024baa8
flag{024baa8a
flag{024baa8ac
flag{024baa8ac0
flag{024baa8ac03
flag{024baa8ac03e
flag{024baa8ac03ef
flag{024baa8ac03ef2
flag{024baa8ac03ef22
flag{024baa8ac03ef22f
flag{024baa8ac03ef22fd
flag{024baa8ac03ef22fdd
flag{024baa8ac03ef22fdde
flag{024baa8ac03ef22fdde6
flag{024baa8ac03ef22fdde61
flag{024baa8ac03ef22fdde61c
flag{024baa8ac03ef22fdde61c0
flag{024baa8ac03ef22fdde61c0f
flag{024baa8ac03ef22fdde61c0f1
flag{024baa8ac03ef22fdde61c0f11
flag{024baa8ac03ef22fdde61c0f110
flag{024baa8ac03ef22fdde61c0f1106
flag{024baa8ac03ef22fdde61c0f11069
flag{024baa8ac03ef22fdde61c0f11069f
flag{024baa8ac03ef22fdde61c0f11069f2
flag{024baa8ac03ef22fdde61c0f11069f2f}

Flag

flag{024baa8ac03ef22fdde61c0f11069f2f}