We are given a binary file named moon and need to recover the flag.

Here’s the challenge info:

We found a strange binary (http://ebctf.nl/files/f6f8071ccc6462ad8ed4b9455f62773f/moon), can you crack the password?

Let’s check out the file:

ea@box:~$ file moon
moon: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x39fd80fd9a066c0042240b23862507b8286d38f5, not stripped
ea@box:~$

Looking over the strings in the binary suggests that the program is actually written in Lua. If we run it:

ea@box:~$ ./moon
Enter your password: asd
Wrong!
ea@box:~$

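Maybe this simple trick will work: suspend the process at the password prompt, attach gdb, dump a core file, and search it for the script source: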

ea@box:~$ ./moon
Enter your password: ^Z
[1]+  Stopped                 ./moon
ea@box:~$ ps aux | grep moon
ea       23069  0.0  0.0   9500   704 pts/25   T    23:52   0:00 ./moon
ea       23071  0.0  0.0   8044   896 pts/25   S+   23:52   0:00 grep moon
ea@box:~$ gdb -q -p 23069
Attaching to process 23069
Program received signal SIGTSTP, Stopped (user).
Reading symbols from /home/ea/moon...(no debugging symbols found)...done.
(gdb) gcore
Saved corefile core.23069
(gdb) q
A debugging session is active.

Inferior 1 [process 23069] will be detached.

Quit anyway? (y or n) y
Detaching from program: /home/ea/moon, process 23069
ea@box:~$ strings core.23069  | grep "Wrong" -A5 -B5
g = 56321
io.write("Enter your password: ")
io.flush()
password=io.read()
if string.len(password) ~= 32 then
print("Wrong!")
return 0
v = g
alpha = "0123456789abcdef"
for loop =1,32 do
v = v * g
v = v % p
r = v % 16
good = string.sub(alpha,r+1,r+1)
if good ~= string.sub(password,loop,loop) then
print("Wrong!")
return 0
end
print("Well done, the flag is: ebCTF{"..password.."}")
-- f02233aca4839124ee6ffa766883c47e
select
--
\)UJ
setupvalue
traceback
challenge.lua
ne, the flag is: ebCTF{"
Wrong!
(for limit)
(for step)
good
alpha
loop
ea@box:~$

Heh, whaddayaknow, it worked.

Flag is: ebCTF{f02233aca4839124ee6ffa766883c47e}
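
The recovered script holds no secret input: the expected password is derived from the constants g and p alone, so anyone who can read the source can recompute it. As an added example (not part of the original writeup), here is a Python port of that loop. P_DEMO is a constructed stand-in because the value of p does not appear in the grep output above, so the result is not the challenge flag.

```python
# Added example: Python port of the check loop visible in the recovered Lua source.
ALPHA = "0123456789abcdef"   # same alphabet as the script's `alpha`


def expected_password(g, p, length=32):
    """Replay the script's loop: v starts at g, then v = (v * g) % p per character."""
    v = g
    out = []
    for _ in range(length):
        v = (v * g) % p
        # Lua: good = string.sub(alpha, r+1, r+1) with r = v % 16 (1-based index)
        out.append(ALPHA[v % 16])
    return "".join(out)


def check(password, g, p):
    """Mirror the script's logic: length test first, then the character comparison."""
    if len(password) != 32:
        return False
    return password == expected_password(g, p)


G = 56321          # value of g shown in the dump
P_DEMO = 1000003   # constructed stand-in; the real p is not in the excerpt

# Assumption: if the embedded interpreter stores numbers as doubles (the page
# does not state the Lua version), this exact-integer port matches it only
# while v * g stays below 2**53.

if __name__ == "__main__":
    pw = expected_password(G, P_DEMO)
    print("derived from constants only:", pw)
    print("accepted by the check:", check(pw, G, P_DEMO))
```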

