Friday, 25 October 2013

Hacklu CTF 2013 - Reverse 150 - RoboAuth

Task:
Oh boy, those crazy robots can't catch a break! Now they're even stealing our liquid gold from one of our beer tents! And on top of that they lock it behind some authentication system. Quick! Access it before they consume all of our precious beverage!

Download: https://ctf.fluxfingers.net/static/downloads/roboauth/RoboAuth.exe

Flag: password1_password2

We are provided with a PE32 executable (MS Windows console, Intel 80386 32-bit, according to the file utility). Let's run it. The program prints a nice ASCII-art robot and asks for the first password.

There is no hint about what the password might be, so let's disassemble the binary. It contains the string "You passed level1!", which is presumably printed once the correct password1 has been entered. Following the cross-references to that string shows that it is printed after strcmp compares your input with password1, so place a breakpoint on that strcmp call and inspect its arguments to see the first password.

We have the first password: r0b0RUlez!. When we enter it, the program asks for a second password, which we have to find too. Since the first password is read with scanf, the second one is probably read the same way, so go to the binary's imports, find scanf and look at its cross-references. There are exactly two calls to it: the first reads the first password, the second reads the second password. To reach the second check you have to pass the breakpoint exception to the application: the program handles it itself, and it is this handler that checks your second password. If the code near the second scanf call is never executed, look at the debugger's exception settings (Debugger -> Debugger options -> Edit Exceptions -> EXCEPTION_BREAKPOINT, right-click -> Edit): the exception should stop the application and be passed to the application, and with that setting the application reaches the needed code path. If the debugger prompts whether the exception should be passed to the program, press Yes.

After the second scanf call, your input and a string stored in the binary are passed to a function that XORs the stored string byte by byte with 0x02 and compares the result with your input.

The laziest way is to put a breakpoint inside the comparison loop and watch the expected bytes appear one at a time in the al register, each time setting the byte of your input in dl equal to al and continuing. Since XOR with a constant is its own inverse, you can also simply XOR the stored string with 0x02 once to get the whole password. The second part is w3lld0ne.
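To make the two points above concrete (the check hidden behind the breakpoint exception, and the byte-by-byte XOR compare that lets you read the password out one byte at a time), here is a constructed model of the second stage. It is added example code, not code from RoboAuth or from this writeup. It assumes only what the text states: the stored string is XORed with 0x02 and compared with the input, and the accepted input is w3lld0ne, from which the stored bytes follow as "u1nnf2lg". The Windows int3 / EXCEPTION_BREAKPOINT handler is replaced by a portable raise(SIGTRAP) and a signal handler; everything else (function names, the 'A' filler in the recovery loop) is made up for the example.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of RoboAuth's second stage, not code from the binary.
 * Facts taken from the writeup: the check XORs a stored string with 0x02
 * byte by byte and compares it with the input; the accepted input is
 * "w3lld0ne"; and the check only runs once the breakpoint exception is
 * delivered to the program. Because XOR with a constant is its own inverse,
 * the stored bytes must be "w3lld0ne" XOR 0x02, i.e. "u1nnf2lg". */
#define XOR_KEY 0x02
static const char STORED[] = "u1nnf2lg";
#define PW_LEN (sizeof(STORED) - 1)

/* Decode one stored byte at a time and stop at the first mismatch.
 * Returns the index of the first mismatching byte, or -1 when the whole
 * password matched. Every expected byte is non-zero, so a shorter input
 * stops at its terminating NUL instead of reading past it. */
int first_mismatch(const char *input)
{
    for (size_t i = 0; i < PW_LEN; i++) {
        unsigned char expected = (unsigned char)STORED[i] ^ XOR_KEY;
        if ((unsigned char)input[i] != expected)
            return (int)i;
    }
    return -1;
}

int check_password2(const char *input)
{
    return strlen(input) == PW_LEN && first_mismatch(input) == -1;
}

/* The check is reached only from the trap handler, as in the binary.
 * gate_result stays -1 if the trap never arrives, which is what happens
 * when the debugger swallows the breakpoint exception instead of passing
 * it to the program (the situation the writeup's IDA-style settings fix). */
static volatile sig_atomic_t gate_result = -1;
static const char *pending_input;

static void trap_handler(int signo)
{
    (void)signo;
    gate_result = check_password2(pending_input);
}

/* Returns 1 if accepted, 0 if rejected, -1 if the handler never ran. */
int run_gate(const char *input)
{
    pending_input = input;
    gate_result = -1;
    void (*old)(int) = signal(SIGTRAP, trap_handler);
    raise(SIGTRAP);               /* stands in for the int3 in the binary */
    signal(SIGTRAP, old);
    return (int)gate_result;
}

/* Way 1: undo the XOR directly. out must hold PW_LEN + 1 bytes. */
void decode_stored(char *out)
{
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = (char)(STORED[i] ^ XOR_KEY);
    out[PW_LEN] = '\0';
}

/* Way 2: the writeup's debugger trick, generalised. If you can observe
 * where the comparison stops (in the debugger: the breakpoint in the loop,
 * here: first_mismatch), each byte is found independently with at most
 * 255 guesses, i.e. 255 * len attempts instead of 255^len. */
void recover_via_oracle(char *out)
{
    char guess[PW_LEN + 1];
    memset(guess, 'A', PW_LEN);   /* arbitrary filler, chosen for the example */
    guess[PW_LEN] = '\0';
    for (size_t pos = 0; pos < PW_LEN; pos++) {
        for (int c = 1; c < 256; c++) {
            guess[pos] = (char)c;
            int m = first_mismatch(guess);
            if (m == -1 || (size_t)m > pos)
                break;            /* comparison got past pos: byte is right */
        }
    }
    memcpy(out, guess, PW_LEN + 1);
}

int main(void)
{
    char pw[PW_LEN + 1];
    decode_stored(pw);
    printf("decoded:   %s (gate=%d)\n", pw, run_gate(pw));
    recover_via_oracle(pw);
    printf("recovered: %s\n", pw);
    printf("wrong input: gate=%d\n", run_gate("wrong"));
    return 0;
}
```

Run it under gdb with the default signal handling and run_gate returns -1 for every input: gdb stops on SIGTRAP and does not pass it to the program, so the handler, and with it the check, never runs. `handle SIGTRAP nostop noprint pass` is the gdb equivalent of the "pass to application" setting described above. Note also that first_mismatch returning early is what makes the per-byte recovery work; a constant-time comparison would leave only the direct decode.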

The flag is r0b0RUlez!_w3lld0ne
