reverse(casual-conversation, software-tracer): added solution

cybermouflons · Jul 14, 2024 · 9c341cd · 9c341cd
1 parent e194b2b
commit 9c341cd
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/reverse/casual-conversation/solution/README.md b/reverse/casual-conversation/solution/README.md
@@ -0,0 +1,21 @@
+ casual-conversation
+
+
+**Category**: reverse
+
+**Author**: christoss
+
+## Description
+
+GNU makes a pretty good debugger. Go ahead use that to find my secure message.
+
+## Solution
+
+The description prompts the user to look into the GNU debugger, or GDB. This is a tool that can be used to dynamically debug software. Read memory, modify memory, follow the execution of the code and a lot more.
+
+Running the program, it appears that the flag is placed at address `0x13370000` and then after 5 seconds removed. GDB can be used to stop the execution of the program at the right point to read the memory and retrieve the flag.
+
+1. Run the program in gdb. `gdb ./casual-conversation`
+2. GDB is a command line based debugger. The command `run` can be used to start the program.
+3. When the program is running wait until the flag is placed at the memory address, and press `Control+c` to stop the execution of the program
+4. Finally read the flag from the address indicated by using the examine command (`x`) to read a string (`s`) at address 0x13370000. `x/s 0x13370000`
diff --git a/reverse/software-tracer/solution/README.md b/reverse/software-tracer/solution/README.md
@@ -0,0 +1,40 @@
+# Solution
+
+1. Use the `ltrace` command to trace all library function call
+2. If an arbitrary string is provded in place of the flag you will notice a debug screen that gets created using `sprintf` but not actually printed onto the screen.
+
+```
+strlen("GTBQ{test_flag}")                                                        = 16
+sprintf("DEBUG: Invalid Input Length. 15 "..., "DEBUG: Invalid Input Length. %d "..., 15, 59) = 54
+puts("That's not the flag! It's not ev"...That's not the flag! It's not even the right length!)   
+```
+
+3. The debug string looks to be cut short and looks to be indicating the length of the flag. Reading through the documentation of the command (`ltrace -h`) reveals the option `-s` which allows you to specify the maximum string length to print to the screen.
+
+```
+    -s STRSIZE          specify the maximum string size to print.
+```
+
+4. Using the flag shows the full string in `sprintf` telling us the flag is 59 characters long.
+
+```
+strlen("GTBQ{test_flag}")                                                         = 15
+sprintf("DEBUG: Invalid Input Length. 15 provided, 59 expected.", "DEBUG: Invalid Input Length. %d provided, %d expected.", 15, 59) = 54
+puts("That's not the flag! It's not even the right length!"That's not the flag! It's not even the right length!
+)                      = 53
+```
+
+5. Providing a string, 59 characters long and rerunning the program with ltrace and the string size flag reveals the full flag, in the `strncmp` funciton call which checks the validity of our input.
+
+```
+➜  reverse/software-tracer/setup on  master [?] ltrace -s 100 ./software-tracer aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+.
+.
+.
+strlen("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")                           = 59
+strncmp("GTBQ{ltr4c3_unv31l5_th3_h1dd3n_w4y5_1n_th3_50ftw4r3_m4z3!!}", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 59) = -26
+puts("Wrong"Wrong
+)                                                                                   = 6
++++ exited (status 1) +++
+```
+