Tags: max primenumber reverseengineering
Alright, I have to add this writeup because there won't be a solution here anyway and I spent the entire CTF trying to solve this (drunk). Anyway, the first steps are pretty straightforward once you figure it out. Basically you are given a file that contains a shell executable that can be run on Linux for the server and on Windows for the client, as mentioned in the challenge's description. The file's code is grouped into two parts, one per OS, and on closer inspection we can see that whichever operating system we run the file under, it writes a temporary file that launches the actual executable from the console. Let's take a look at the code meant to run in PowerShell.
https://imgur.com/a/qcJPFqA
When we run this through PowerShell, this is what we get.
https://imgur.com/Cik4rpj
If we try typing a string whose length is not equal to 10, we get no output and the PowerShell window just closes (I only added the input at the end for my own sake).
So after figuring out that the actual executable is written somewhere else when the script generates it, I added some code to the PowerShell script to print out the random path and then ran the executable through a disassembler.
https://imgur.com/2jqmPvP
I used IDA's crazy decompiler to give me a simple rundown of how the password check works. There is a very lengthy set of characters that gets decoded using the input received after the password verifier. If the password is correct, that password is used as the flag, as seen in the print function. Looking into the function I renamed "validstring" is where I scratched my head for about 2 hours.
My struggle was in understanding the C code behind this decompiled hot stuff. But essentially what it boils down to is this: it checks whether our input is a prime number and, if so, checks whether the number starts with "21" and ends with "47". I can't believe I tried writing a brute-force prime checker when it's literally just the max int value.
Yay, it worked. Alas, I couldn't submit the flag in time, so I have no idea whether 2147483647 is the correct flag; it just works when running it through the client side.
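To check the reasoning above without re-running the binary, here is a reimplementation of the validator as the writeup describes it (10-character gate, prime, starts with "21", ends with "47"). This is an added example reconstructed from the prose, not code from the challenge binary or from IDA's output, and the name `valid_password` is my own.

```python
# Reimplementation of the password check as described in the writeup:
# input must be 10 characters long, parse as a prime number, start with
# "21" and end with "47". Added example, not the binary's own code.

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin. With these fixed bases the test is
    exact for every n below ~3e24, far beyond the 32-bit range here."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def valid_password(s: str) -> bool:
    """Mirror of the renamed 'validstring' check as reconstructed from the
    writeup: length gate first, then numeric, prefix/suffix and primality."""
    if len(s) != 10 or not s.isdigit():
        return False
    return s.startswith("21") and s.endswith("47") and is_prime(int(s))


INT_MAX = 2**31 - 1  # 2147483647, the Mersenne prime the author landed on

if __name__ == "__main__":
    print(INT_MAX, valid_password(str(INT_MAX)))  # 2147483647 True
    print(valid_password("2147483646"))           # False: even
```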
The other part was a SQL injection. When the binary ran on Linux, it started a Flask web server. Looking at the source, you had to hit the endpoint they provided to get the other half of the flag, which was _python_is_easy_to_reverse}.