Revmeplx

REV | 100 pts - 201 solves

Description: What could possibly be hidden inside a diving logbook?
Author: Skipper|RedRocket

Running the ELF, we are asked for the name of a diver:

$ ./rev 
| >>> REEF RANGERS Dive Panel <<< |
| ------------------------------- |
|    Please provide Diver Name:   |

Since we don't know any names, we can run strings on the executable and see what we can find:

$ strings ./rev 
[...]
CSR{
_submarines_
_solved_n1c3!}
Jeremy
Simon
Adminiman
Your dive count is: 81
Welcome instructor!
Your dive count is: 410
Your dive count is: 0
To show today's drydock report, please enter passcode:
No diving recore of diver 
 found!
| >>> REEF RANGERS Dive Panel <<< |
| ------------------------------- |
|    Please provide Diver Name:   |
[...]

The flag appears to be there, but it won't work if we try to submit it. However, we also find the names of the divers. Opening the executable in Ghidra, we immediately notice that it's a C++ executable. The main() function looks a bit confusing, but we notice a call to an interesting door_lock() function following an if statement. After a couple of attempts we discover that the diver triggering that function is Jeremy. Looking more closely at door_lock(), we see that it takes param_1 as input and performs the following check:

if (param_1 * 2 >> 8 == 0x539) {

Right-shifting a number by n bits is equivalent to dividing it by 2 to the power of n, discarding the remainder.

In [1]: (0x539 * (2**8)) / 2
Out[1]: 171136.0

Or

In [2]: (0x539 << 8) / 2
Out[2]: 171136.0

Either expression gives us the magic number.
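
Because the shift throws away the low 8 bits, 171136 is only the smallest value that passes the check. The following added example (not part of the original writeup or of the challenge binary) models the comparison and computes every accepted passcode; it assumes param_1 is a 32-bit signed int and that the shift is arithmetic, which the decompiled line alone does not confirm.

```python
# Added example: model of the door_lock() comparison shown in Ghidra.
# Assumption: param_1 is a 32-bit signed int and >> is an arithmetic shift.

MASK32 = 0xFFFFFFFF
TARGET = 0x539   # constant from the decompiled check
SHIFT = 8        # shift amount from the decompiled check


def to_int32(value):
    """Wrap an arbitrary Python int to a signed 32-bit value."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def door_lock_check(param_1):
    """Replicates `param_1 * 2 >> 8 == 0x539` with 32-bit wraparound."""
    doubled = to_int32(param_1 * 2)
    return (doubled >> SHIFT) == TARGET  # Python's >> on ints is arithmetic


def passcode_range(target=TARGET, shift=SHIFT, factor=2):
    """Closed interval of non-negative passcodes that satisfy the check.

    (p * factor) >> shift == target  is equivalent to
    target << shift <= p * factor <= (target << shift) + 2**shift - 1
    """
    low_product = target << shift
    high_product = low_product + (1 << shift) - 1
    low = -(-low_product // factor)   # ceiling division
    high = high_product // factor     # floor division
    return low, high


def brute_force(limit=1 << 20):
    """Cross-check the closed form by testing every candidate below limit."""
    return [p for p in range(limit) if door_lock_check(p)]


if __name__ == "__main__":
    low, high = passcode_range()
    hits = brute_force()
    print(f"accepted passcodes: {low}..{high} ({len(hits)} values)")
    print("smallest equals (0x539 << 8) // 2:", hits[0] == (TARGET << SHIFT) // 2)
```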

$ ./rev   
| >>> REEF RANGERS Dive Panel <<< |
| ------------------------------- |
|    Please provide Diver Name:   |
Jeremy
Your dive count is: 0
To show today's drydock report, please enter passcode:
171136.0
CSR{11_submarines_45864441_solved_n1c3!

CSR{11_submarines_45864441_solved_n1c3!
