Writeup Log

misdirection

EventDaily AlpacaHack
DifficultyMedium
URLhttps://alpacahack.com/daily/challenges/misdirection

## solve

以下のバイナリが与えられる。

bash 
❯ file misdirection
misdirection: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f0dd2f7ac32b05db5e2af5875191f3fe72a4c1ce, for GNU/Linux 3.2.0, not stripped

strings で見てみると、}detpecca_si_galf_siht_yhw_dnatsrednu_s'teL_!stargnoC{acaplAlpaca{This_is_NOT_a_flag_This_must_be_rejected_by_program!} という関連しそうなものが見えている。

bash 
❯ strings misdirection
/lib64/ld-linux-x86-64.so.2
puts
strlen
__libc_start_main
__cxa_finalize
printf
__isoc99_scanf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
<uCH
}detpecca_si_galf_siht_yhw_dnatsrednu_s'teL_!stargnoC{acaplAlpaca{This_is_NOT_a_flag_This_must_be_rejected_by_program!}
Input >
%95s
Correct! The flag is %s
Incorrect...
9*3$"
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
main.c
flag
some_proc
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
_fini
strlen@GLIBC_2.2.5
printf@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
__isoc99_scanf@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

デコンパイルしたものを見てみると、Alpaca{This_is_NOT_a_flag_This_must_be_rejected_by_program!} は以下の箇所にあり、違いそう。

c 
undefined8 main(void)

{
  size_t sVar1;
  ulong uVar2;
  char *pcVar3;
  char *pcVar4;
  bool bVar5;
  byte bVar6;
  char local_78 [108];
  int local_c;
  
  bVar6 = 0;
  printf("Input > ");
  __isoc99_scanf(&DAT_001020a2,local_78);
  sVar1 = strlen(local_78);
  local_c = (int)sVar1;
  if (local_c == 0x3c) {
    some_proc(local_78,sVar1 & 0xffffffff);
    uVar2 = (ulong)(local_c + 1U);
    bVar5 = local_c + 1U == 0;
    pcVar3 = local_78;
    pcVar4 = "Alpaca{This_is_NOT_a_flag_This_must_be_rejected_by_program!}";
    do {
      if (uVar2 == 0) break;
      uVar2 = uVar2 - 1;
      bVar5 = *pcVar3 == *pcVar4;
      pcVar3 = pcVar3 + (ulong)bVar6 * -2 + 1;
      pcVar4 = pcVar4 + (ulong)bVar6 * -2 + 1;
    } while (bVar5);
    if (bVar5) {
      printf("Correct! The flag is %s\n",local_78);
      return 0;
    }
  }
  puts("Incorrect...");
  return 1;
}

となると、}detpecca_si_galf_siht_yhw_dnatsrednu_s'teL_!stargnoC{acaplA が怪しく、これを逆順にすると Alpaca{Congrats!_Let's_understand_why_this_flag_is_accepted} となるので、これを入力してみる。

bash 
❯ ./misdirection
Input > Alpaca{Congrats!_Let's_understand_why_this_flag_is_accepted}
Correct! The flag is Alpaca{Congrats!_Let's_understand_why_this_flag_is_accepted}

## flag

  • Alpaca{Congrats!_Let's_understand_why_this_flag_is_accepted}