{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-insomni-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"cb81a8dd-d167-5964-8f4d-002b2e5d98ac","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-insomni-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in Insomni’hack CTF 2024 (January 2024) with team 0nePadding.</p>\n<p>We bailed out early and switched to Knight CTF, so we only solved 3 problems — final placement was 120th.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/156c9008451cad414870c10ab8a4f5f0/c61d0/image-20240124133709327.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAIAAADKYVtkAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA70lEQVQY002OuW7DMBQE1ca6+HiI4k2a1m0JtovAcRX36hKkSor8/09EgJosplhgttiEAO5DXOaFEZqnWZHlO0pIRlgMkTNOgGzWW+etH7p+Gsd5mp/vz6SUYFobl4YfZVrlGS92qGVIYREVaFoKAE1ko6tQq9b46djdho+vzwQiO78O431GgRx0kZpyRwyGxCpcTqypUaB1r/wlit7gwORg+vv0/fuTQIEk533bMUyzlzQ/ZDucVgRhqy3FdNts54ML0R+dtk67NjaPt0eCELLWxVPcSvYvrGKAQSmFMd4UABhjnPdCirbrrrfruq5/cg4gvydetH0AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/156c9008451cad414870c10ab8a4f5f0/8ac56/image-20240124133709327.webp 240w,\n/static/156c9008451cad414870c10ab8a4f5f0/d3be9/image-20240124133709327.webp 480w,\n/static/156c9008451cad414870c10ab8a4f5f0/e46b2/image-20240124133709327.webp 960w,\n/static/156c9008451cad414870c10ab8a4f5f0/a8d53/image-20240124133709327.webp 1145w\"\n              
sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/156c9008451cad414870c10ab8a4f5f0/8ff5a/image-20240124133709327.png 240w,\n/static/156c9008451cad414870c10ab8a4f5f0/e85cb/image-20240124133709327.png 480w,\n/static/156c9008451cad414870c10ab8a4f5f0/d9199/image-20240124133709327.png 960w,\n/static/156c9008451cad414870c10ab8a4f5f0/c61d0/image-20240124133709327.png 1145w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/156c9008451cad414870c10ab8a4f5f0/d9199/image-20240124133709327.png\"\n            alt=\"image-20240124133709327\"\n            title=\"image-20240124133709327\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The overall difficulty seemed high.</p>\n<p>Here is a writeup / review of the challenge.</p>\n<h2 id=\"frown-rev\" style=\"position:relative;\"><a href=\"#frown-rev\" aria-label=\"frown rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>frown (Rev)</h2>\n<blockquote>\n<p>How good is your Tetris? 
Connect, win, and reveal the flag!</p>\n</blockquote>\n<p>During the contest I solved this via an unintended guess, so here I’ll walk through the intended solution.</p>\n<p>No binary is provided for this challenge; you are only given SSH credentials to connect to the challenge server.</p>\n<p>Connecting via SSH launches a Tetris game.</p>\n<p>After you have played for a while and your score has risen past a certain threshold, the message <code class=\"language-text\">[Frida INFO] Listening on 127.0.0.1 TCP port 27042</code> appears.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 887px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/903c2d533b4d1d996811494123d06470/eac55/image-20240120235212414.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 51.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/903c2d533b4d1d996811494123d06470/8ac56/image-20240120235212414.webp 240w,\n/static/903c2d533b4d1d996811494123d06470/d3be9/image-20240120235212414.webp 480w,\n/static/903c2d533b4d1d996811494123d06470/1938b/image-20240120235212414.webp 887w\"\n              sizes=\"(max-width: 887px) 100vw, 887px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/903c2d533b4d1d996811494123d06470/8ff5a/image-20240120235212414.png 240w,\n/static/903c2d533b4d1d996811494123d06470/e85cb/image-20240120235212414.png 480w,\n/static/903c2d533b4d1d996811494123d06470/eac55/image-20240120235212414.png 887w\"\n            sizes=\"(max-width: 887px) 100vw, 887px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/903c2d533b4d1d996811494123d06470/eac55/image-20240120235212414.png\"\n            alt=\"image-20240120235212414\"\n            title=\"image-20240120235212414\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As the score continues to increase, an encrypted-looking Flag string starts appearing in the console.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 951px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/77203d8c933cc66e1ceaf33a271c113c/9b379/image-20240120235236818.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/77203d8c933cc66e1ceaf33a271c113c/8ac56/image-20240120235236818.webp 240w,\n/static/77203d8c933cc66e1ceaf33a271c113c/d3be9/image-20240120235236818.webp 480w,\n/static/77203d8c933cc66e1ceaf33a271c113c/d9249/image-20240120235236818.webp 951w\"\n              sizes=\"(max-width: 951px) 100vw, 951px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/77203d8c933cc66e1ceaf33a271c113c/8ff5a/image-20240120235236818.png 240w,\n/static/77203d8c933cc66e1ceaf33a271c113c/e85cb/image-20240120235236818.png 480w,\n/static/77203d8c933cc66e1ceaf33a271c113c/9b379/image-20240120235236818.png 951w\"\n            
sizes=\"(max-width: 951px) 100vw, 951px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/77203d8c933cc66e1ceaf33a271c113c/9b379/image-20240120235236818.png\"\n            alt=\"image-20240120235236818\"\n            title=\"image-20240120235236818\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>At this point, we try to connect to the Frida server to retrieve the Flag.</p>\n<p>Port 27042, where the Frida server appears to be listening, is of course not accessible from outside.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 606px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/11ba6189a12e6274f33756824463199c/4d4a2/image-20240124141056118.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAIAAACHqfpvAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA0UlEQVQY032R2w6DIBBEeTQKxmBBjbeCN4z//389YmzaPnQeNss4szug0NYOo/fOjeM4DMM0TU3T9H3/jPDeU/nUdd0jwhhTVZXWWkopwha2bUO07/s8z0idczDU4zjWdcV2McuyIECJvyiK01zXNQdGWmuriLZt6bMsS9M0u5HeeDOnGWlZlkmSMIURSiky0+d5riIQqRvyG4IkxGM5CYmHLYTAFWDYI/9CsO0zuYm4IlyKn52fvSAkyfETngtz5LUxtxHwVP4Cc+sIXp7+CvUCdHQjuvxSJcEAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/11ba6189a12e6274f33756824463199c/8ac56/image-20240124141056118.webp 240w,\n/static/11ba6189a12e6274f33756824463199c/d3be9/image-20240124141056118.webp 
480w,\n/static/11ba6189a12e6274f33756824463199c/18e7e/image-20240124141056118.webp 606w\"\n              sizes=\"(max-width: 606px) 100vw, 606px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/11ba6189a12e6274f33756824463199c/8ff5a/image-20240124141056118.png 240w,\n/static/11ba6189a12e6274f33756824463199c/e85cb/image-20240124141056118.png 480w,\n/static/11ba6189a12e6274f33756824463199c/4d4a2/image-20240124141056118.png 606w\"\n            sizes=\"(max-width: 606px) 100vw, 606px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/11ba6189a12e6274f33756824463199c/4d4a2/image-20240124141056118.png\"\n            alt=\"image-20240124141056118\"\n            title=\"image-20240124141056118\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"port-forward-to-the-frida-server-and-identify-the-process\" style=\"position:relative;\"><a href=\"#port-forward-to-the-frida-server-and-identify-the-process\" aria-label=\"port forward to the frida server and identify the process permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Port-forward to the Frida Server and identify the process</h3>\n<p>Since we have SSH credentials, we can set up SSH tunneling to reach the local Frida server.</p>\n<p>Set up port forwarding 
with the following command while replaying Tetris:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">ssh</span> -L <span class=\"token number\">27042</span>:127.0.0.1:27042 user@frown.insomnihack.ch -p <span class=\"token number\">24</span></code></pre></div>\n<p>Once the Frida server starts, run <code class=\"language-text\">frida-ps -H localhost</code> to identify the PID and name of the target process:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">pip <span class=\"token function\">install</span> frida frida-tools\nfrida-ps -H localhost</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 273px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2e22d66817627d10eb4bf96fb7d4c725/0217c/image-20240124143605546.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAIAAAC9o5sfAAAACXBIWXMAAAsTAAALEwEAmpwYAAABGklEQVQoz42Q2W6DMBBFkfoSE+/Y2JgSpxQwZCFBCKlCyv//VkchSuhL2/MwmsX3euwIU4xZTK2UrhOmTvKz3s/SnSBXu1FmB+gTQ6im0giSYLzFTyKSE5ixQqf7KXEHmXXKf4l8AJnaTTJrualQisS7sN4iiXC8EiPxhl3QtgrV7rP0/fnw4fNjV3O6bZvSpAl0Qh36cz8Mw/VydbmL44dBlDsXupPSpiiKENqmaZROtU4JoZwLypjWWmn1QCvG2Otm7/3l0sMBEE/TBPYwRgjBbHsn/gl0XmIoNpsNRErpss/aGyCELHFJ1kTOOWstKLMsgxyiMWZt/wtR27ZVVXHOx3Gc5/l2u5Vl+fySP8ToDmSw/PKkpfwP31kSKVy8h7u5AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/2e22d66817627d10eb4bf96fb7d4c725/8ac56/image-20240124143605546.webp 240w,\n/static/2e22d66817627d10eb4bf96fb7d4c725/5f7f2/image-20240124143605546.webp 273w\"\n              sizes=\"(max-width: 273px) 100vw, 273px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2e22d66817627d10eb4bf96fb7d4c725/8ff5a/image-20240124143605546.png 240w,\n/static/2e22d66817627d10eb4bf96fb7d4c725/0217c/image-20240124143605546.png 273w\"\n            sizes=\"(max-width: 273px) 100vw, 273px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2e22d66817627d10eb4bf96fb7d4c725/0217c/image-20240124143605546.png\"\n            alt=\"image-20240124143605546\"\n            title=\"image-20240124143605546\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"retrieve-the-application-binary-via-the-frida-server\" style=\"position:relative;\"><a href=\"#retrieve-the-application-binary-via-the-frida-server\" aria-label=\"retrieve the application binary via the frida server permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Retrieve the application binary via the Frida server</h3>\n<p>The official writeup states that the application binary can be retrieved through the Frida server.</p>\n<p>Reference: <a 
href=\"https://github.com/leonjza/frown/tree/master/solution\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">frown/solution at master · leonjza/frown</a></p>\n<p>First, attach to the Frida server using the identified process name: <code class=\"language-text\">frida -H localhost Gadget</code>.</p>\n<p>Then run <code class=\"language-text\">Process.mainModule</code> to get information about the process’s main module.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 737px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a28a96e034f7d068ad7f392a21bed90a/d125e/image-20240124143837482.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 60.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAIAAADtbgqsAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJklEQVQoz4WR226DMBBE85ZSsLHBFy7mkigo//+HPXhFK5pWmQdrbWZ2Z5ZL5duQ1jBsMT1jml3Xdl2ntS6KoizLz39QZVxKbV0LbNuYGIJ3HnHTNG0GhffeWkvh3E6kplBK7eJKm+B961wIYZomHzxjhSF63rnSIsbI6TLzRwyNJ2PM4/GAgVvOvu+xMI4jNSd6sfrLthFcr1fYt9sNHux1XZkwDEOfQc1XPtG6OrCL67oWqzCEBySqgMBlRnWGiDUZRBkzGMgcTizM85xSInz1gouqrc6gPXrCiwUmI5D1uAxZ0kk8LavshvYkl2y8cKULuxHD30s6iWvTpMPbtm3saVkWjLwm/EP8USqULBnN/X7vMpiMz/diMlu7/ypJy5M68Fb8BbMcMYOi4ldyAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a28a96e034f7d068ad7f392a21bed90a/8ac56/image-20240124143837482.webp 240w,\n/static/a28a96e034f7d068ad7f392a21bed90a/d3be9/image-20240124143837482.webp 480w,\n/static/a28a96e034f7d068ad7f392a21bed90a/a99e1/image-20240124143837482.webp 737w\"\n              sizes=\"(max-width: 737px) 100vw, 737px\"\n              type=\"image/webp\"\n            />\n          
<source\n            srcset=\"/static/a28a96e034f7d068ad7f392a21bed90a/8ff5a/image-20240124143837482.png 240w,\n/static/a28a96e034f7d068ad7f392a21bed90a/e85cb/image-20240124143837482.png 480w,\n/static/a28a96e034f7d068ad7f392a21bed90a/d125e/image-20240124143837482.png 737w\"\n            sizes=\"(max-width: 737px) 100vw, 737px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a28a96e034f7d068ad7f392a21bed90a/d125e/image-20240124143837482.png\"\n            alt=\"image-20240124143837482\"\n            title=\"image-20240124143837482\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://frida.re/docs/javascript-api/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Frida JavaScript API | A world-class dynamic instrumentation toolkit</a></p>\n<p>From this we determine that the application is located at <code class=\"language-text\">/usr/local/bin/tetris</code>.</p>\n<p>We can then use Frida to attach to the remote process (Gadget) and download a file in its execution context:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">node</span> -v <span class=\"token comment\">#v16.13.1</span>\n<span class=\"token builtin class-name\">cd</span> solution/frida/agent/\n<span class=\"token function\">npm</span> i\npython3 -m solution getfile <span class=\"token string\">\"/usr/local/bin/tetris\"</span></code></pre></div>\n<p>Below is a slightly customized version of the official solver. 
Calling <code class=\"language-text\">getfile</code> with a path retrieves the binary Base64-encoded via <code class=\"language-text\">fs.readFileSync(p).toString('base64')</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"typescript\"><pre class=\"language-typescript\"><code class=\"language-typescript\"><span class=\"token keyword\">import</span> fs <span class=\"token keyword\">from</span> <span class=\"token string\">\"fs\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">import</span> http <span class=\"token keyword\">from</span> <span class=\"token string\">\"http\"</span><span class=\"token punctuation\">;</span>\n\nrpc<span class=\"token punctuation\">.</span>exports <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function-variable function\">dir</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>p<span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> fs<span class=\"token punctuation\">.</span><span class=\"token function\">readdirSync</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">binpath</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> Process<span class=\"token punctuation\">.</span>mainModule<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">getfile</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>p<span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">)</span> 
<span class=\"token operator\">=></span> fs<span class=\"token punctuation\">.</span><span class=\"token function\">readFileSync</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token string\">'base64'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">modules</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> Process<span class=\"token punctuation\">.</span><span class=\"token function\">enumerateModules</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">watchoffset</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>a<span class=\"token operator\">:</span> <span class=\"token builtin\">number</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> offset <span class=\"token operator\">=</span> Process<span class=\"token punctuation\">.</span>mainModule<span class=\"token punctuation\">.</span>base<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span><span class=\"token function\">ptr</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token 
template-punctuation string\">`</span><span class=\"token string\">watching func at </span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>a<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">. offset=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>offset<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\"</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token function\">attach</span><span class=\"token punctuation\">(</span>offset<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">onEnter</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">watchfunc: </span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>a<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\"> called. 
arg[0]=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\"</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">watchlibs</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token function\">attach</span><span class=\"token punctuation\">(</span>Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"dlopen\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">onEnter</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">const</span> path <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token 
punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">const</span> flags <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token function\">toInt32</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">dlopen() path=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>path<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\", flags=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>flags<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\"</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token function\">attach</span><span class=\"token punctuation\">(</span>Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token 
punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"dlclose\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">onEnter</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">const</span> handle <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">dlclose() handle=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>handle<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\"</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">blockdlclose</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token 
function\">replace</span><span class=\"token punctuation\">(</span>Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"dlclose\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">NativeCallback</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>handle<span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'int'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'pointer'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">pinscore</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> tetris_refresh <span class=\"token operator\">=</span> Process<span class=\"token punctuation\">.</span>mainModule<span class=\"token punctuation\">.</span>base<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token 
punctuation\">(</span><span class=\"token number\">0x00002dc8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token function\">attach</span><span class=\"token punctuation\">(</span>tetris_refresh<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">onEnter</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">const</span> tetris_t <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">const</span> score_t <span class=\"token operator\">=</span> tetris_t<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span>Process<span class=\"token punctuation\">.</span>pointerSize <span class=\"token operator\">*</span> <span class=\"token number\">14</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">const</span> score_ptr <span class=\"token operator\">=</span> score_t<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span> <span class=\"token operator\">*</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">tetris_t=</span><span class=\"token 
interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>tetris_t<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">, score_t=</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>score_t<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">, score=</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>score_ptr<span class=\"token punctuation\">.</span><span class=\"token function\">readInt</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        score_ptr<span class=\"token punctuation\">.</span><span class=\"token function\">writeInt</span><span class=\"token punctuation\">(</span><span class=\"token number\">9179</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">flagkey</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>key<span class=\"token operator\">:</span> <span class=\"token builtin\">number</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> m <span class=\"token operator\">=</span> Module<span class=\"token 
punctuation\">.</span><span class=\"token function\">load</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"libttyris.so\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> flag_key_ptr <span class=\"token operator\">=</span> m<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag_key\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> flag_key <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">NativeFunction</span><span class=\"token punctuation\">(</span>flag_key_ptr<span class=\"token punctuation\">,</span> <span class=\"token string\">'void'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'int'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'int'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> flag_len <span class=\"token operator\">=</span> <span class=\"token number\">100</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> flag <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">alloc</span><span class=\"token punctuation\">(</span>flag_len<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">flag_key</span><span class=\"token punctuation\">(</span>key<span class=\"token 
punctuation\">,</span> flag<span class=\"token punctuation\">,</span> flag_len<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> flag_value <span class=\"token operator\">=</span> flag<span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> flag_value<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">watchcurl</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> curl_ptr <span class=\"token operator\">=</span> Process<span class=\"token punctuation\">.</span>mainModule<span class=\"token punctuation\">.</span>base<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x00001d2f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    Interceptor<span class=\"token punctuation\">.</span><span class=\"token function\">attach</span><span class=\"token punctuation\">(</span>curl_ptr<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">onEnter</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token 
template-punctuation string\">`</span><span class=\"token string\">curl->() arg0=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\" arg1=</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>args<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>response <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n      <span class=\"token function\">onLeave</span><span class=\"token punctuation\">(</span>retval<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">send</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token 
template-punctuation string\">`</span><span class=\"token string\">curl&lt;-() arg3=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token keyword\">this</span><span class=\"token punctuation\">.</span>response<span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\"</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">usecurl</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>key<span class=\"token operator\">:</span> <span class=\"token builtin\">number</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> curl_ptr <span class=\"token operator\">=</span> Process<span class=\"token punctuation\">.</span>mainModule<span class=\"token punctuation\">.</span>base<span class=\"token punctuation\">.</span><span class=\"token function\">add</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x00001d2f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> curl <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token 
class-name\">NativeFunction</span><span class=\"token punctuation\">(</span>curl_ptr<span class=\"token punctuation\">,</span> <span class=\"token string\">'void'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> response <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">alloc</span><span class=\"token punctuation\">(</span><span class=\"token number\">100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> url <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">allocUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"http://frown-service/\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> key_ptr <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">allocUtf8String</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">curl</span><span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">,</span> key_ptr<span 
class=\"token punctuation\">,</span> response<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> response<span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">sendkey</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>key<span class=\"token operator\">:</span> <span class=\"token builtin\">number</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\"><span class=\"token builtin\">Promise</span></span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>resolve<span class=\"token punctuation\">,</span> reject<span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">const</span> opts<span class=\"token operator\">:</span> http<span class=\"token punctuation\">.</span>RequestOptions <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n        hostname<span class=\"token operator\">:</span> <span class=\"token string\">'frown-service'</span><span class=\"token punctuation\">,</span>\n        port<span class=\"token operator\">:</span> <span class=\"token number\">80</span><span class=\"token punctuation\">,</span>\n        path<span class=\"token operator\">:</span> <span class=\"token string\">'/'</span><span class=\"token punctuation\">,</span>\n        method<span class=\"token 
operator\">:</span> <span class=\"token string\">'POST'</span><span class=\"token punctuation\">,</span>\n        headers<span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span>\n          <span class=\"token string-property property\">'Content-Type'</span><span class=\"token operator\">:</span> <span class=\"token string\">'text/plain'</span><span class=\"token punctuation\">,</span>\n          <span class=\"token string-property property\">'content-length'</span><span class=\"token operator\">:</span> key<span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>length\n        <span class=\"token punctuation\">}</span>\n      <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n      <span class=\"token keyword\">const</span> req <span class=\"token operator\">=</span> http<span class=\"token punctuation\">.</span><span class=\"token function\">request</span><span class=\"token punctuation\">(</span>opts<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>res<span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">let</span> body <span class=\"token operator\">=</span> <span class=\"token string\">''</span><span class=\"token punctuation\">;</span>\n\n        res<span class=\"token punctuation\">.</span><span class=\"token function\">on</span><span class=\"token punctuation\">(</span><span class=\"token string\">'data'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>chunk<span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n          body <span class=\"token operator\">+=</span> chunk<span 
class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        res<span class=\"token punctuation\">.</span><span class=\"token function\">on</span><span class=\"token punctuation\">(</span><span class=\"token string\">'end'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n          <span class=\"token function\">resolve</span><span class=\"token punctuation\">(</span>body<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n      req<span class=\"token punctuation\">.</span><span class=\"token function\">on</span><span class=\"token punctuation\">(</span><span class=\"token string\">'error'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>error<span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">reject</span><span class=\"token punctuation\">(</span>error<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n      req<span class=\"token punctuation\">.</span><span class=\"token function\">write</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      req<span class=\"token 
punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token function-variable function\">exec</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">(</span>c<span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> popen_ptr <span class=\"token operator\">=</span> Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"popen\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> fgets_ptr <span class=\"token operator\">=</span> Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"fgets\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> pclose_ptr <span class=\"token operator\">=</span> Module<span class=\"token punctuation\">.</span><span class=\"token function\">getExportByName</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">null</span><span class=\"token 
punctuation\">,</span> <span class=\"token string\">\"pclose\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> popen <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">NativeFunction</span><span class=\"token punctuation\">(</span>popen_ptr<span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> fgets <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">NativeFunction</span><span class=\"token punctuation\">(</span>fgets_ptr<span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'pointer'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'int'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'pointer'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> pclose <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">NativeFunction</span><span class=\"token punctuation\">(</span>pclose_ptr<span class=\"token punctuation\">,</span> <span class=\"token string\">'int'</span><span class=\"token punctuation\">,</span> <span class=\"token 
punctuation\">[</span><span class=\"token string\">'pointer'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> command <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">allocUtf8String</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> mode <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">allocUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> output_size <span class=\"token operator\">=</span> Process<span class=\"token punctuation\">.</span>pointerSize <span class=\"token operator\">*</span> <span class=\"token number\">80</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> output <span class=\"token operator\">=</span> Memory<span class=\"token punctuation\">.</span><span class=\"token function\">alloc</span><span class=\"token punctuation\">(</span>output_size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> pipe <span class=\"token operator\">=</span> <span class=\"token function\">popen</span><span class=\"token punctuation\">(</span>command<span class=\"token punctuation\">,</span> mode<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>output<span class=\"token punctuation\">,</span> output_size<span class=\"token 
,</span> pipe">
punctuation\">,</span> pipe<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">pclose</span><span class=\"token punctuation\">(</span>pipe<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> output<span class=\"token punctuation\">.</span><span class=\"token function\">readUtf8String</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Running the downloaded binary lets you play the same Tetris game as on the remote server.</p>\n<h3 id=\"analyze-the-binary-to-retrieve-the-flag\">Analyze the binary to retrieve the Flag</h3>\n<p>Analyzing the downloaded binary in Ghidra revealed that it loads a library called <code class=\"language-text\">libttyris.so</code> and retrieves the <code class=\"language-text\">flag_key</code> function.</p>\n<p><img src=\"/static/9bcd0ee76ef08e19663421058413d266/50978/image-20240126214123246.png\" alt=\"image-20240126214123246\" title=\"image-20240126214123246\" /></p>\n<p>At this point the server went down and I couldn’t proceed further, but based on other writeups, downloading <code class=\"language-text\">libttyris.so</code> in the same way and analyzing it would reveal the hardcoded value needed to identify the correct Flag.</p>\n<h2 id=\"wrap-up\">Wrap-up</h2>\n<p>The challenge server went offline while I was reviewing this, making it feel a bit incomplete, but it did give me strong motivation to learn more about Frida.</p>","fields":{"slug":"/ctf-insomni-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2024-01-26","description":"Insomni'hack CTF 2024 Writeup","tags":["Rev (en)","English"],"title":"Insomni'hack CTF 2024 Writeup","socialImage":{"publicURL":"/static/2add8446c70722fb6fed6a3ec5c11615/ctf-insomni-ctf-2024.png"}}}},"pageContext":{"slug":"/ctf-insomni-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}