
ebCTF bin100 write up

Hi people!

OHM2013 has been a great experience: I met a lot of interesting people and saw tons of good talks. While OHM2013 was under way, the people from Eindbazen set up a nice Capture The Flag.

In this post I will cover the first binary challenge of the Eindbazen CTF located at http://ebctf.nl/.

Binary Identification:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ md5sum bin100
ead4a1a7b381e3c16455a09fb413ad40  bin100

Binary Basic Information:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ file bin100
bin100: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=b07165d860e4c153770483d43e42a54f92f5ac93, not stripped
user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ 

Binary Strings:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ strings bin100
[...]
 -------
|       |
|   O   |
|       |
 -------
 -------
|     O |
|       |
| O     |
 -------
 -------
|     O |
|   O   |
| O     |
 -------
 -------
| O   O |
|       |
| O   O |
 -------
 -------
| O   O |
|   O   |
| O   O |
 -------
 -------
| O   O |
| O   O |
| O   O |
 -------
 -------
| O   O |
| O O O |
| O   O |
 -------
[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.
[*] You will first need to throw a three, press enter to throw a dice!
[*] You rolled a three! Good!
hZCnFH#i
\.&[?8i
fY0Q|9
?y^/%
[*] You rolled a 
 That is not a three :/
[*] Game over!
[*] Next you will need to throw a one, press enter to throw a dice!
[*] You rolled a one! Very nice!
 That is not a one :/
[*] Next you will need to throw another three, press enter to throw a dice!
[*] You rolled a three! Awesome!
[*] Throw another three for me now, press enter to throw a dice!
[*] You rolled another three! Almost there now!
[*] The last character you need to roll is a seven....  (o_O)  Press enter to throw a dice!
[*] You rolled a seven, with a six sided dice! How awesome are you?!
 That is not a seven :/
ebCTF
[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \o/
[*] Nice job, here is the flag: 
[!] It seems you did something wrong :( No flag for you.
;*2$"
zPLR

Executing the binary:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ chmod +x ./bin100 && ./bin100 

[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!

 -------
| O   O |
|       |
| O   O |
 -------

[*] You rolled a 4 That is not a three :/
[*] Game over!

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ ./bin100 

[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!
a
 -------
| O   O |
| O   O |
| O   O |
 -------

[*] You rolled a 6 That is not a three :/
[*] Game over!

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ ./bin100 

[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!

 -------
|     O |
|   O   |
| O     |
 -------

[*] You rolled a three! Good!

[*] Next you will need to throw a one, press enter to throw a dice!

 -------
|       |
|   O   |
|       |
 -------

[*] You rolled a one! Very nice!

[*] Next you will need to throw another three, press enter to throw a dice!

 -------
|     O |
|       |
| O     |
 -------

[*] You rolled a 2 That is not a three :/
[*] Game over!

To get the flag, the dice needs to be thrown five times with the following results:

  • 1st throw: number 3
  • 2nd throw: number 1
  • 3rd throw: number 3
  • 4th throw: number 3
  • 5th throw: number 7

Fire up gdb (with PEDA loaded) and disassemble the main function; the relevant part looks like this:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ gdb -q ./bin100
Reading symbols from /home/user/ohm2013/ebCTF/bin/bin100/bin100...(no debugging symbols found)...done.
gdb-peda$ pdisass main
   0x08048ee1 <+661>:	mov    DWORD PTR [esp+0x50],eax
   0x08048ee5 <+665>:	cmp    DWORD PTR [esp+0x50],0x1
   0x08048eea <+670>:	jne    0x8048f00 
   0x08048eec <+672>:	lea    eax,[esp+0x30]
   0x08048ef0 <+676>:	mov    DWORD PTR [esp+0x4],eax
   0x08048ef4 <+680>:	mov    DWORD PTR [esp],0x804b780
   0x08048efb <+687>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f00 <+692>:	cmp    DWORD PTR [esp+0x50],0x2
   0x08048f05 <+697>:	jne    0x8048f1b 
   0x08048f07 <+699>:	lea    eax,[esp+0x2c]
   0x08048f0b <+703>:	mov    DWORD PTR [esp+0x4],eax
   0x08048f0f <+707>:	mov    DWORD PTR [esp],0x804b780
   0x08048f16 <+714>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f1b <+719>:	cmp    DWORD PTR [esp+0x50],0x3
   0x08048f20 <+724>:	jne    0x8048f36 
   0x08048f22 <+726>:	lea    eax,[esp+0x28]
   0x08048f26 <+730>:	mov    DWORD PTR [esp+0x4],eax
   0x08048f2a <+734>:	mov    DWORD PTR [esp],0x804b780
   0x08048f31 <+741>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f36 <+746>:	cmp    DWORD PTR [esp+0x50],0x4
   0x08048f3b <+751>:	jne    0x8048f51 
   0x08048f3d <+753>:	lea    eax,[esp+0x24]
   0x08048f41 <+757>:	mov    DWORD PTR [esp+0x4],eax
   0x08048f45 <+761>:	mov    DWORD PTR [esp],0x804b780
   0x08048f4c <+768>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f51 <+773>:	cmp    DWORD PTR [esp+0x50],0x5
   0x08048f56 <+778>:	jne    0x8048f6c 
   0x08048f58 <+780>:	lea    eax,[esp+0x20]
   0x08048f5c <+784>:	mov    DWORD PTR [esp+0x4],eax
   0x08048f60 <+788>:	mov    DWORD PTR [esp],0x804b780
   0x08048f67 <+795>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f6c <+800>:	cmp    DWORD PTR [esp+0x50],0x6
   0x08048f71 <+805>:	jne    0x8048f87 
   0x08048f73 <+807>:	lea    eax,[esp+0x1c]
   0x08048f77 <+811>:	mov    DWORD PTR [esp+0x4],eax
   0x08048f7b <+815>:	mov    DWORD PTR [esp],0x804b780
   0x08048f82 <+822>:	call   0x8048ae0 _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E@plt
   0x08048f87 <+827>:	cmp    DWORD PTR [esp+0x50],0x3
   0x08048f8c <+832>:	jne    0x8048fdc 

The structure above is repeated five times across main, once per throw, and each copy ends with a compare against the value that throw has to produce: 0x3, 0x1, 0x3, 0x3 and 0x7 in turn. Looking at one copy, it can be seen that:

  1. the roll just computed in $eax is stored into the stack local at [esp+0x50] at 0x08048ee1
  2. that local is compared against 0x1 at 0x08048ee5 and, if it matches, the ASCII face for a one is printed through operator<<

The same compare-and-print is repeated for 0x2, 0x3, 0x4, 0x5 and 0x6 to pick which face to draw; none of these decide the outcome. Only the final compare (against 0x3 at 0x08048f87 for the first throw) decides whether the game goes on or prints "That is not a ...". Since it is the stored roll itself that is compared, nothing forces the value to be in 1..6 at that point, which is why the last throw can demand a seven.

   0x08048ee1 <+661>:	mov    DWORD PTR [esp+0x50],eax
   0x08048ee5 <+665>:	cmp    DWORD PTR [esp+0x50],0x1
   0x08048eea <+670>:	jne    0x8048f00 
   0x08048eec <+672>:	lea    eax,[esp+0x30]
[...]
   0x08048f00 <+692>:	cmp    DWORD PTR [esp+0x50],0x2
   0x08048f05 <+697>:	jne    0x8048f1b 
   0x08048f07 <+699>:	lea    eax,[esp+0x2c]
[...]
   0x08048f1b <+719>:	cmp    DWORD PTR [esp+0x50],0x3
   0x08048f20 <+724>:	jne    0x8048f36 
   0x08048f22 <+726>:	lea    eax,[esp+0x28]
[...]
   0x08048f36 <+746>:	cmp    DWORD PTR [esp+0x50],0x4
   0x08048f3b <+751>:	jne    0x8048f51 
   0x08048f3d <+753>:	lea    eax,[esp+0x24]
[...]
   0x08048f51 <+773>:	cmp    DWORD PTR [esp+0x50],0x5
   0x08048f56 <+778>:	jne    0x8048f6c 
   0x08048f58 <+780>:	lea    eax,[esp+0x20]
[...] 
   0x08048f6c <+800>:	cmp    DWORD PTR [esp+0x50],0x6
   0x08048f71 <+805>:	jne    0x8048f87 
   0x08048f73 <+807>:	lea    eax,[esp+0x1c]
[...]
   0x08048f87 <+827>:	cmp    DWORD PTR [esp+0x50],0x3
   0x08048f8c <+832>:	jne    0x8048fdc 
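
To make that control flow explicit, here is a C reconstruction of what the disassembly implies. This is an added example written for this write-up, not the challenge's own source: the function names, rand() as the entropy source and the message text are assumptions; the 1..6 face-selection chain, the per-throw compare against the required value and the 3-1-3-3-7 sequence come from the disassembly above. It also enumerates every sequence a fair die can produce to show that the game is unwinnable without tampering with the stored roll.

```c
/* C reconstruction of the bin100 control flow inferred from the disassembly
 * in this write-up.  Added example, not the challenge's source: function
 * names, rand() as the entropy source and the message text are assumptions;
 * the 1..6 face-selection chain, the per-round compare against the required
 * value and the 3-1-3-3-7 sequence come from the disassembly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROUNDS 5
#define SIDES  6

/* Immediates of the final cmp in each of the five copies of the block. */
static const int required[ROUNDS] = {3, 1, 3, 3, 7};

/* A natural roll: rand() % 6 + 1.  The lea eax,[edx+1] that precedes the
 * store at 0x08048ee1 is the "+ 1" of exactly this expression (assumed), so
 * an unpatched roll is always in 1..6. */
static int natural_roll(void)
{
    return rand() % SIDES + 1;
}

/* Mirror of the cmp 0x1 ... cmp 0x6 / jne chain: the compare that matches
 * selects one face to print.  A value outside 1..6 matches none of them and
 * prints nothing, which is why a forced 7 is accepted without a face. */
static const char *face_for(int roll)
{
    static const char *const faces[SIDES] = {
        "one", "two", "three", "four", "five", "six" /* stand-ins for the ASCII art */
    };
    return (roll >= 1 && roll <= SIDES) ? faces[roll - 1] : NULL;
}

/* Plays the five rounds.  roll_source(i) supplies the value that lands in
 * [esp+0x50] for round i; returning required[i] models "set $eax = N" at the
 * breakpoint.  Returns 1 when the flag path is reached, 0 on the first wrong
 * roll (the "That is not a ..." exit). */
static int play(int (*roll_source)(int round), int verbose)
{
    for (int i = 0; i < ROUNDS; i++) {
        int roll = roll_source(i);
        const char *face = face_for(roll);
        if (verbose && face)
            printf("[face: %s]\n", face);
        /* The only compare that decides anything: cmp [esp+0x50], required[i]. */
        if (roll != required[i]) {
            if (verbose)
                printf("[*] You rolled a %d That is not a %d :/\n", roll, required[i]);
            return 0;
        }
    }
    return 1;
}

static int forced_roll(int round) { return required[round]; }
static int honest_roll(int round) { (void)round; return natural_roll(); }

/* Enumerates all 6^5 = 7776 sequences a fair six-sided die can produce and
 * counts how many reach the flag.  Round five needs a 7, so the count is 0
 * whatever rand() returns: the game cannot be won without patching. */
static int seq[ROUNDS];
static int seq_roll(int round) { return seq[round]; }

static int count_honest_wins(void)
{
    int wins = 0, total = 1;
    for (int i = 0; i < ROUNDS; i++)
        total *= SIDES;
    for (int n = 0; n < total; n++) {
        int k = n;
        for (int i = 0; i < ROUNDS; i++) {
            seq[i] = k % SIDES + 1;
            k /= SIDES;
        }
        wins += play(seq_roll, 0);
    }
    return wins;
}

int main(void)
{
    srand(1337);
    printf("honest play reaches the flag: %d\n", play(honest_roll, 1));
    printf("forced 3-1-3-3-7 reaches the flag: %d\n", play(forced_roll, 1));
    printf("winning sequences out of 7776 honest ones: %d\n", count_honest_wins());
    return 0;
}
```

The point of the exhaustive count is that no amount of replaying or seed guessing helps here: the final compare wants a value the generator can never produce, so the only way through is to change the stored roll, which is what the breakpoint-and-set approach below does.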

If $eax is changed to 3 at 0x08048ee1, just before it is stored, the stored roll is a three: the matching face is printed, the compare against 0x3 succeeds, and the program moves on to ask for a one.

gdb-peda$ break *0x08048ee1
Breakpoint 1 at 0x8048ee1
gdb-peda$ r
Starting program: /home/user/ohm2013/ebCTF/bin/bin100/bin100 
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?

[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!
[----------------------------------registers-----------------------------------]
EAX: 0x1 
EBX: 0xf7e8d000 --> 0x19fd7c 
ECX: 0x53681034 
EDX: 0x0 
ESI: 0x0 
EDI: 0x0 
EBP: 0xffffd2f8 --> 0x0 
ESP: 0xffffd280 --> 0x0 
EIP: 0x8048ee1 (:	mov    %eax,0x50(%esp))
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048eda :	mov    %ecx,%edx
   0x8048edc :	sub    %eax,%edx
   0x8048ede :	lea    0x1(%edx),%eax
=> 0x8048ee1 :	mov    %eax,0x50(%esp)
   0x8048ee5 :	cmpl   $0x1,0x50(%esp)
   0x8048eea :	jne    0x8048f00 
   0x8048eec :	lea    0x30(%esp),%eax
   0x8048ef0 :	mov    %eax,0x4(%esp)
[------------------------------------stack-------------------------------------]
0000| 0xffffd280 --> 0x0 
0004| 0xffffd284 --> 0xffffd2b4 --> 0xf7fba97c --> 0x0 
0008| 0xffffd288 --> 0xffffd2c7 --> 0xffd2f808 
0012| 0xffffd28c --> 0x8049d89 (<_Z41__static_initialization_and_destruction_0ii+61>:	leave)
0016| 0xffffd290 --> 0x8048a80 (<_ZNSt8ios_base4InitD1Ev@plt>:	jmp    *0x804b690)
0020| 0xffffd294 --> 0x804b810 --> 0x0 
0024| 0xffffd298 --> 0x804c1c4 (" -------\n| O   O |\n| O O O |\n| O   O |\n -------\n\n")
0028| 0xffffd29c --> 0x804c17c (" -------\n| O   O |\n| O   O |\n| O   O |\n -------\n\n")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x08048ee1 in main ()
gdb-peda$ set $eax = 0x3
gdb-peda$ continue
Continuing.
 -------
|     O |
|   O   |
| O     |
 -------

[*] You rolled a three! Good!

[*] Next you will need to throw a one, press enter to throw a dice!

That’s it. A three is rolled 🙂

The same store for the second throw, which has to be a one, is at 0x080490ee (the cmpl $0x1 that follows it again only selects the face to print):

   0x80490ee :	mov    %eax,0x50(%esp)
   0x80490f2 :	cmpl   $0x1,0x50(%esp)
   0x80490f7 :	jne    0x804910d 
   0x80490f9 :	lea    0x30(%esp),%eax
   0x80490fd :	mov    %eax,0x4(%esp)

The store for the third throw (another three) is at 0x080492fc:

   0x80492fc :	mov    %eax,0x50(%esp)
   0x8049300 :	cmpl   $0x1,0x50(%esp)
   0x8049305 :	jne    0x804931b 
   0x8049307 :	lea    0x30(%esp),%eax
   0x804930b :	mov    %eax,0x4(%esp)

The store for the fourth throw (a three again) is at 0x080494ff:

   0x80494ff :	mov    %eax,0x50(%esp)
   0x8049503 :	cmpl   $0x1,0x50(%esp)
   0x8049508 :	jne    0x804951e 
   0x804950a :	lea    0x30(%esp),%eax
   0x804950e :	mov    %eax,0x4(%esp)

The store for the fifth throw, the impossible seven, is at 0x08049744:

   0x8049744 :	mov    %eax,0x50(%esp)
   0x8049748 :	cmpl   $0x1,0x50(%esp)
   0x804974d :	jne    0x8049763 
   0x804974f :	lea    0x30(%esp),%eax
   0x8049753 :	mov    %eax,0x4(%esp)

With those five addresses the challenge can be solved with a gdb command file (saved here as bin100.gdb) that forces the stored roll at each site and lets the game carry on:

# bin100.gdb: each address is the mov [esp+0x50],eax that stores a roll.
# Setting $eax there changes the value that the later compare sees.

# 1st throw: must be a three
break *0x08048ee1
commands
    set $eax = 0x3
    continue
end

# 2nd throw: must be a one
break *0x080490ee
commands
    set $eax = 0x1
    continue
end

# 3rd throw: must be a three
break *0x080492fc
commands
    set $eax = 0x3
    continue
end

# 4th throw: must be a three
break *0x080494ff
commands
    set $eax = 0x3
    continue
end

# 5th throw: must be a seven, which a real roll can never produce
break *0x08049744
commands
    set $eax = 0x7
    continue
end

Script execution:

user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $ gdb -q -x bin100.gdb ./bin100
Reading symbols from /home/user/ohm2013/ebCTF/bin/bin100/bin100...(no debugging symbols found)...done.
Breakpoint 1 at 0x8048ee1
Breakpoint 2 at 0x80490ee
Breakpoint 3 at 0x80492fc
Breakpoint 4 at 0x80494ff
Breakpoint 5 at 0x8049744
gdb-peda$ run
Starting program: /home/user/ohm2013/ebCTF/bin/bin100/bin100 
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?

[*] ebCTF 2013 - BIN100 - Dice Game
    To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!

 -------
|     O |
|   O   |
| O     |
 -------

[*] You rolled a three! Good!

[*] Next you will need to throw a one, press enter to throw a dice!


Breakpoint 2, 0x080490ee in main ()
 -------
|       |
|   O   |
|       |
 -------

[*] You rolled a one! Very nice!

[*] Next you will need to throw another three, press enter to throw a dice!


Breakpoint 3, 0x080492fc in main ()
 -------
|     O |
|   O   |
| O     |
 -------

[*] You rolled a three! Awesome!

[*] Throw another three for me now, press enter to throw a dice!


Breakpoint 4, 0x080494ff in main ()
 -------
|     O |
|   O   |
| O     |
 -------

[*] You rolled another three! Almost there now!

[*] The last character you need to roll is a seven....  (o_O)  Press enter to throw a dice!


Breakpoint 5, 0x08049744 in main ()
 -------
| O   O |
| O O O |
| O   O |
 -------

[*] You rolled a seven, with a six sided dice! How awesome are you?!

[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \o/
[*] Nice job, here is the flag: ebCTF{9a9689dbd47a1fd3fc0bf17d60edf545}

[Inferior 1 (process 17103) exited normally]
Warning: not running or target is remote
gdb-peda$ quit
user@test08.libcrack.so:~/ohm2013/ebCTF/bin/bin100 $

Challenge solved!

Published in: debugging, hacking, linux