Social Engineering Experts CTF 2022: Baby Reeee
TL;DR
- The binary helpfully stores the entire encoded flag in the .data section.
- Each flag byte is padded to 4 bytes.
- Decryption is a simple per-byte transform: XOR with index, then subtract 69.
- Dump the data section, strip padding, reverse the operation, print the flag.
Video Walkthrough
Description
You've never seen a flagchecker this helpful.
Solution
```python
from pwn import *

# Loading the binary sets context (arch, bits, os, ...) automatically
elf = context.binary = ELF('./chall', checksec=False)
context.log_level = 'debug'

# Encoded flag from the .data section; the file offset 0x20f0 was found in GDB.
# elf.data is the raw file contents: 52 characters, 4 bytes each.
raw_flag = elf.data[0x20f0:0x20f0 + 52 * 4]

# Each flag byte is stored as a 4-byte little-endian word, so the real byte is
# the first of every four and the remaining three are zero padding.
enc_flag = raw_flag[::4]

dec_flag = ''
for i, enc_char in enumerate(enc_flag):
    # Reverse the checker's transform: XOR with the loop counter, then subtract 69
    dec_char = chr((enc_char ^ i) - 69)
    debug(dec_char)
    dec_flag += dec_char

info(dec_flag)  # Print flag
```
Flag: SEE{0n3_5m411_573p_81d215e8b81ae10f1c08168207fba396}
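The same transform without pwntools or the challenge binary, as an added example that is not part of the original write-up: `encode_flag` rebuilds the 4-byte-per-character storage format from the known flag (a constructed stand-in for the bytes dumped from .data), and `decode_flag` reverses it with `struct`, refusing words whose padding is not zero, which is the symptom of dumping from the wrong offset.

```python
import struct

FLAG = "SEE{0n3_5m411_573p_81d215e8b81ae10f1c08168207fba396}"
KEY = 69  # constant subtracted from each byte after the XOR


def encode_flag(flag: str) -> bytes:
    """Reproduce the binary's storage layout: per byte, add 69, XOR with the
    index, then widen to a 4-byte little-endian word (3 bytes of padding).
    Used here only to construct sample input; the real bytes come from .data."""
    words = [((ord(c) + KEY) ^ i) & 0xFF for i, c in enumerate(flag)]
    return b"".join(struct.pack("<I", w) for w in words)


def decode_flag(blob: bytes) -> str:
    """Undo the transform. Every word must fit in a single byte; if it does
    not, the padding is not zero, so the dump offset or length is wrong and
    we fail loudly instead of printing garbage."""
    if len(blob) % 4:
        raise ValueError("dump length is not a multiple of 4 bytes")
    out = []
    for i, (word,) in enumerate(struct.iter_unpack("<I", blob)):
        if word > 0xFF:
            raise ValueError(f"word {i} = {word:#x} has non-zero padding")
        out.append(chr(((word ^ i) - KEY) & 0xFF))
    return "".join(out)


if __name__ == "__main__":
    blob = encode_flag(FLAG)  # constructed stand-in for the .data dump
    assert len(blob) == 52 * 4  # same size the solve script reads
    print(decode_flag(blob))
```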
