My writeups for now will be mainly on the CTFs on the RingZer0 Team Online CTF, but I will also do writeups for CTFs I join. If you have not heard of RingZer0, head to their site and create your account.
The challenge can be found here, and we can download a binary file from the question.
What does the binary do?
First, let’s run the given binary.
No flag is printed. So where is the flag? Most likely it is built inside the program but never written out.
Disassemble the binary
Now, let’s open the program in GDB.
Disassembling the binary, the first two functions called are malloc and memset. malloc is called to allocate an array of size 24, and memset is then called to fill that array with zeroes.
From this, it is very likely that a string of size 24 is being created here.
After malloc and memset, apart from calling puts on the strings “Loading…” and “Where is the flag?”, the program just performs a series of string operations on that array.
So, let’s follow the instructions and try to work out the flag!
Nah, ain’t nobody got time for that. Why don’t we just get the address of the string and print the flag out at the end of the program?
Get the address of the string
Set a breakpoint before malloc is called, then run the program and print the value of eax to get the address of the array.
Here, we find that the address of the array is 0x0804b008.
Get the flag!
Let’s choose somewhere near the end of the program to set a breakpoint, so that we can get the contents of the flag.
0x08048544 looks fine; there seem to be no more operations on the string at this point.
We set a breakpoint at 0x08048544, continue the program from where we left off earlier, then examine the memory at the address we obtained previously as a string.
And we get the flag: FLAG-4092849uio2jfklsj4kl
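The same two-breakpoint procedure as an added GDB command script, not part of the original writeup. It assumes the binary is saved as ./challenge (a hypothetical name), reuses the end-of-program address the writeup reports, and adds a condition so the malloc breakpoint only fires for the 24-byte request in case libc allocates something first; run it with gdb -q -x trace_flag.gdb ./challenge.

```gdb
# Added example, not code from the writeup. Assumed binary name: ./challenge (32-bit x86).
set pagination off
set disassembly-flavor intel

# Stop in malloc only when the request is 24 bytes: on 32-bit x86 the first
# argument sits at [esp+4] on entry, so this skips any earlier allocations.
break malloc if *(unsigned int *)($esp + 4) == 24
run

# Return to the caller so eax holds malloc's return value, the heap address
# of the array (the writeup saw 0x0804b008 for this binary).
finish
set $buf = $eax
printf "array allocated at 0x%08x\n", $buf

# 0x08048544 is the point the writeup chose, after the last string operation.
break *0x08048544
continue

# Dump the finished array as a NUL-terminated string.
printf "array contents: "
x/s $buf
```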