Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 

BoxCutter

You've received a supply of valuable food and medicine from a generous sponsor. There's just one problem - the box is made of solid steel! Luckily, there's a dumb automated defense robot which you may be able to trick into opening the box for you - it's programmed to only attack things with the correct label.

Files: cutter

Writeup by: Stig Rune Grønnestad

Recon

┌──(stig㉿STIG-DESKTOP)-[/mnt/c/dev/ctf-htb-cyber-apocalypse-2024/reversing/box_cutter/rev_boxcutter/rev_boxcutter]
└─$ file cutter
cutter: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f76eb244685ad0c3b817caa99093531754fc84c8, for GNU/Linux 3.2.0, not stripped

We have a 64-bit ELF binary. Let's run it and see what it does.

└─$ ./cutter
[X] Error: Box Not Found

main function:

undefined8 main(void)
{
  undefined8 local_28;
  undefined7 local_20;
  undefined uStack_19;
  undefined7 uStack_18;
  int local_10;
  uint local_c;
  
  local_28 = 0x540345434c75637f;
  local_20 = 0x45f4368505906;
  uStack_19 = 0x68;
  uStack_18 = 0x374a025b5b0354;

  for (local_c = 0; local_c < 0x17; local_c = local_c + 1) {
    *(byte *)((long)&local_28 + (long)(int)local_c) =
         *(byte *)((long)&local_28 + (long)(int)local_c) ^ 0x37;
  }

  local_10 = open((char *)&local_28,0);

  if (local_10 < 1) {
    puts("[X] Error: Box Not Found");
  }
  else {
    puts("[*] Box Opened Successfully");
    close(local_10);
  }

  return 0;
}

Basically we need to find the correct label for the box. If the file is opened successfully, the box is opened.

Solver

The instructive part of this lesson is to treat the locals defined in main as a continuous array of bytes (like they are laid out on the stack), and xor each byte with 0x37. This will give us the correct label for the box.

Solver

└─$ python3 solver.py
[+] Modified filename: HTB{tr4c1ng_th3_c4ll5}

Flag

HTB{tr4c1ng_th3_c4ll5}