COMPILED

Link: Compiled

Introduction

This challenge calls for a basic understanding of C and reverse engineering. It tests your skills in extracting information from binaries, and based on the room description, the strings command is insufficient to get your flag.

Task 1: Welcome

You are expected to download the task file which is a compiled binary. Once you download it, you can make it executable using the chmod +x command as such;

(Note: I changed the name of my binary but you can use the original name)

Now, run this binary.

You can see that it prompts you for a password and failure to enter the correct password leads to the message Try again!. This password is the flag required to complete the room.
Running the strings command on this binary returns a whole lot of text but our area of interest is the section shown below.

You can see that there is text between the words Password: and Correct!. I tried to enter each of these texts and a combination of them as the password but they all lead to the same message: Try again!
You need to now decompile the binary to get the original C code which will help you better understand what manipulations need to be done to get the actual password. A great tool for this is Ghidra. You can use the online version which can be found at: Decompiler Explorer. For this challenge, I will be using the offline version. Go ahead and power up Ghidra if you are using the same. If you are using the online version, all you need to do is click on Browse and upload the compiled binary. It will get decompiled as shown below.

The binary is decompiled as shown. If you are having challenges with uploading the binary, you need to create a folder under Active projects and then upload the binary there.

Ghish2

On analyzing the code, you can see that there is two variables: the integer iVar1 and the character local_28 which is a container that can hold 32 bytes. fwrite prints out the password prompt. scanf takes in the user input and stores it in the variable local_28. In lines 15-17, you can see that the only way you can get a Correct! response as opposed to Try again! is if a string comparison between local_28 and the word _init brings back the value true, i.e, whatever is stored in local_28 is _init. Therefore, in order to input the correct passsword, you need to understand line 9.
In line 9, scanf takes in an argument from the user in the form DoYouEven%sCTF and stores it in local_28. However, the placement of the %s in DoYouEven%sCTF influences how the input will be accepted. You can test this out by writing simple C program including this line to see what output you will get. The C code below prints out local_28

#include <stdio.h>

int main(){
char local_28[32];
printf("Password:");
scanf("DoYouEven%sCTF", local_28);
printf("Input: %s\n", local_28);
return 0;
}

You can copy and paste this code to a .c file using nano or vim, compile the program using gcc and then run it. Compiling the program using gcc follows the syntax; gcc -o comp comp.c where comp.c is the c code and comp is the compiled c program.
When you run the code and input random letters as the password, the input is empty.

However, when you type in DoYouEven%sCTF as the password, you get your input as;

So, essentially, what is stored in local_28 ignores everything before the %s. The input that will be displayed is what starts after DoYouEven
As discussed earlier, you only get a Correct! response if what is stored in local_28 matches _init, meaning that the input in local_28 needs to be _init. You can achieve this by typing DoYouEven_init in the code we wrote and it will show that the input is _init as shown below.

-This means our password is DoYouEven_init and inputting this in the room’s decompiled code gives;

This is the answer to the room’s question.