Passphrase - Cyberapocalypse 2021 CTF

This is a writeup for the Passphrase challenge, part of the Hack the box's Cyberapocalypse CTF 2021, category Reverse.

Prompt​

You found one of their space suits forgotten in a room. You wear it, but before you go away, a guard stops you and asks some questions.

Recon​

We get a binary executable passphrase. Running file on it, we see that it's not stripped, so we might get some symbols and good things out of it.

file passphrasepassphrase: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=60f6b6064d2e34a2b6a24dda9feb943b0b8c360f, not stripped

Running strings on it we don't see much, but we notice that we will probably have to deal with strcmp, which is good.

Solution​

So, let's just run the executable using ltrace, and see where that leads us.

ltrace ./passphrase[omitted for brevity]usleep(30000)                                                                                                           = <void>strlen("\nTell me the secret passphrase: "...)                                                                          = 32sleep(1)                                                                                                                = 0fgets(

So far, so good - it asks us for input using fgets. Let's supply it something random.

fgets(asd"asd\n", 40, 0x7fbc87c48a00)                                                                                      = 0x7ffe594faca0strlen("asd\n")                                                                                                         = 4strcmp("3xtr4t3rR3stR14L5_VS_hum4n5", "asd")                                                                            = -46printf("\033[31m")                                                                                                      = 5strlen("\nIntruder alert! \360\237\232\250\n")                                                                          = 22putchar(10, 0x7ffe594f85e0, 0x558a2ee00c17, 23)                                                                         = 10usleep(30000)                                                                                                           = <void>[omitted for brevity]

Well, this was easy! It directly tells us that it compares the input string to 3xtr4t3rR3stR14L5_VS_hum4n5.To make sure, we run the binary again, and supply it that passphrase.

./passphrase Halt! ⛔You do not look familiar..Tell me the secret passphrase: 3xtr4t3rR3stR14L5_VS_hum4n5✔Sorry for suspecting you, please transfer this important message to the chief: CHTB{3xtr4t3rR3stR14L5_VS_hum4n5}

Easy, we got our flag, and it's

CHTB{3xtr4t3rR3stR14L5_VS_hum4n5}
Tags: