Angstrom CTF 2021 - Reverse Engineering Challenge Walkthroughs

In this video we're going to take a look at some of the reverse engineering challenges on the Angstrom 2021 CTF. I'm not too sure how many challenges I'll get through, but you can skip between the challenges using the timestamps in the description or, at the bottom of the video, the chapters. Any scripts that we create throughout this will be uploaded onto the GitHub as well, so the link's also in the description. I hope you enjoy the video; if you do, drop a like, subscribe, and we'll get started with this Free Flags challenge.

The description says: Clam was browsing angstromctf.com when suddenly a pop-up appeared saying "get your free flags here", along with a download. Can you fill out the survey for free flags? So we're given a link to the binary. We don't have any source code like we did in the binary challenges, and then we're told we can connect to the netcat server or use the shell server once we've got it working. We can download this file; I've already downloaded a copy of it into the local directory. If we have a look here, it's a 64-bit LSB PIE executable, and although it's not a binary exploitation challenge, we might want to have a look at the security protections that are enabled anyway, and we'll see that everything is enabled.

So let's try and run the program and see what happens. We get this congratulation message and we're asked "what number am I thinking of". Let's try and put in a number, something that might be like leet, and we get "wrong". If we try and run that with ltrace, sometimes if there's a string compare being done here we'd be able to enter an input and we would see what it's actually being compared to, but we don't in this case. Let's have a look at the strings as well, just in case we have the expected input sitting in here somewhere. We see there's a flag.txt here, and this is the input here, it's asking "what number am I thinking of", but we don't have any other string here which is indicating what we need to enter. So let's go and let's create a new Ghidra
project, and we'll be able to go and have a look at the assembly and the decompiled code as well and get a better idea of what's going on. So go here and create a new project, "free flags", and then we want to import the file. If we double-click that to open, we'll get another check; just hit yes and OK to analyze with all the default analysis checks. Because this isn't stripped, we'll be able to go straight into our functions here and find the main function. You can see we also have this print flag function as well, so if this was a case of the flag being in the program this might be a function of interest, but we know that it's going to be reading from a flag.txt, so whenever we're running this against the server, yeah, we need to work out what's going on in the main function.

We can see that it asks us "what number am I thinking of" and it's comparing the input that we provide, this local_11c, against this value here, which we can have a look at in hex. We're just going to highlight it in the decompiled code on the right; in the disassembled code on the left we can highlight that and see that it actually equals leet, so 31337. If we go back and run the program again and this time pass in 31337, we get another question: "what two numbers am I thinking of". We could try some input just to see what happens; we get "wrong" again, so we need to go and have a look at what's happening in the code.

It reads in two numbers, offers 120 and 124, and then it's doing a comparison, say, if we add these two numbers together do they equal 1142, and if we multiply the two numbers does it equal 302937. To work this out, I just went to, let's look for, we want to find out what the factors are, and then we can go and see which one is going to be best for us. So let's just go to the first link here, and the number we want to look for is, I believe, 302,937, so we'll go
302937, calculate, and then we have some different possibilities. We could go through and try some of these out. Essentially we need to find which two of these, when added together, are going to equal, was it 1152? 1442. So we could just go and try; there's not too many to try. We could actually just go and try them in the program, or we could add these together. Let's go over to the program again and we'll do 31337, and then what are the two numbers? Let's say the first one is 241 and the second one is 1257, and we get that's wrong, because those two added together aren't going to equal 1152. So it's likely to be the last possibility there. Let's go 31337 and then we'll try 419 times 723, and this time we get "what animal am I thinking of".

Let's go back to our code, and you can see it takes an input offers as a string, and then the string compare is being done here with "banana". So if we were running this in ltrace, this should give us, in fact let me do that. Let's do ltrace ./free_flags, and the first one is 31337, and then 419 723, and then when we get to our final one let's just make something up, let's say "monkey", and you'll see there it's compared "monkey" to "banana" and it said that's wrong. If we go back and do it correctly this time, 31337, and then 419 723, and then "banana", you see that it's tried to open the flag but it couldn't find the flag. So we've now got a correct input, and if we go and enter the same values onto the server then it should print out our flag for us.

I created a script already to automate this, a pwntools script. If we open up exploit.py, essentially here we just wait until it asks us "what number am I thinking of", we give it 31337, we give it the two numbers it's thinking of, after that we give it the "banana" string, and then we get back our flag. So if
I try and run this, if we run it locally we get that it could not find the flag file, but if we now just pass in remote, let me minimize this to make it a little clearer, if we just pass in remote and go back to get the server address and port number, paste that in, it sends it off and this time we actually get back our flag. So now we can just take a copy of that and submit it, and we've got the first challenge.

The second challenge is called Jailbreak, and the description says: Clam was arguing with kmh about whether including 20 pyjails in a CTF is really a good idea, and kmh got fed up and locked Clam in a jail with a python. Can you help Clam escape? We're given a file here to download and we're told that we can use this address and port once we've got it working locally. I've already got the file downloaded, so let's go and take a look at it. As usual we check the file type, and we'll see it's a 64-bit LSB PIE executable, so PIE is enabled, and it's stripped. PIE means each time the binary loads it's going to have a different address, so if we're setting up breakpoints we're going to need to use the offset from the base, and stripped just means that debugging symbols have been stripped from it. It's going to be a little bit harder to statically analyze and reverse engineer, but it shouldn't cause us too many problems.

We can try and run strings on it as well, although with it being stripped we're not going to see too much. We've got a string "what would you like to do" and that's about all. So let's try and run the program and see what happens, and we get "welcome to Clam's daring jailbreak, please keep your hands and feet inside the jail at all times, what would you like to do". We can enter some commands and we just get "you're speaking nonsense, cut that out". Let's exit this and run it again with ltrace and try and see what kind of string comparison it's doing there. It's just asking "what would you like to do" and it's calling in our input with fgets. Let's just say "hello", and it's comparing "hello" to
"look around", to "sleep", to "knock on the wall", to "pry the bars open", "pick the snake up" and "throw the snake kmh". So these are different options that we can run through. Let's try "look around". We get a message back: kmh stares at you, wondering how to make the jail cell more contrived. We can sleep, and this gives us a message saying we get bitten by the snake, and then it exits. Let's run it again just to get the commands back up. The next one was "knock on the wall"; if we do that, again we get a message, "shouldn't have blatantly ripped off pico's challenges". We can pry the bars open, and this exits as well, saying that kmh decided to patch the universe interpreter to make the bars immovable. What else do we have? We can pick the snake up, and that's it, oh yeah, we picked the snake up and then it just loops back round. And we can throw the snake at kmh, and then it just comes back saying "what would you like to do", or, he runs in fear, "what would you like to do".

OK, so those are all our different options. Notice that although this says it's a pyjail, there's no Python source code. It seems to be a Python-related story but doesn't seem to have any Python code. Obviously this is an executable file, and Python doesn't generate into an executable, it's a scripting language. So we're going to open this up in Ghidra to have a look at the source code. We'll create a new project here; this is a little bit of a slow process so I'll speed some of this up.

Now we get to our project. We have our decompiler on the right, our disassembled code here, and then we can see all the different sections here of the program. We can go and have a look at our functions, although in this case we're not going to have a main function because it's been stripped. You can see these have all been kind of randomly named, so we could just go through and have a look at them and see what each does. We could have a look for the strings in the program and try and find any that we see
whenever we run the program. However, although whenever we run the program we get this message, and we did see a string whenever we ran strings, we don't actually have anything here to go by. That's fine; what we can do is just have a look for the entry function, select the entry function and have a look at the first function that's called, and then we'll see quite a lot of code here. This is clearly the conditional statement that we've been getting, asking us for different commands. You see there is a lot of code here and it's quite obfuscated, so we need to go through and try and work out what's going on.

Now note that in my first attempt at solving this, rather than try to decipher exactly what was going on with all these conditional statements and what conditions we needed to meet, I essentially looked at this function. You can see that on all these different conditions this function is being called with a different parameter. If we go in and have a look at the function, we can see that there's some kind of XOR operation happening here in a loop. The value that's being passed in, param_1, an unsigned int, is being used here to define an area of the .data section. If we go and have a look at the data section, it has a lot of different hex values in here, and this is one of the strings that we got. So we can see that, based on whatever parameter it's given, it's going to define a section of this .data section to read from, and it's also using this parameter in the loop as well.

So it looks like it's looping through some data that it finds here, and on each loop it's going to set param_1. In this example, let me go back, this was given, OK, 0x19, we've got 0x1a, so depending on what this is given it's then going to multiply this by hex 11, so 17: 16 times 1 plus 1. And the value is going to be used here; iVar3 is used down here again when
setting the value of param. So we're XORing this bVar1, which is being grabbed from the data section. We're looping around, grabbing, I guess, a byte or a value, a character, and we're XORing it with param_1, and then we update the loop: we update param_1 to equal the XOR value read from the data section, XORed with the parameter and then multiplied by the parameter, plus iVar3, which was the previous, I don't know, updated here; iVar3 is param times 17, or hex 11. So it's going to go through, it's going to do that each time, and then the result is brought back.

My initial thinking behind this was, well, if we can recreate this loop, or if we can set this up whenever we're debugging so that we can pass in these different parameters, then we might not ever need to work out exactly how these functions are structured and how this code is structured. If we can just call this function and pass in these different values, then we'll be able to allow the XORing to be done against whatever's in the data section. And my thinking was, well, maybe there's a password, maybe there's more commands in there which will allow us to escape the Python jail.

So before I demonstrate how I solved it, let's see how I kind of went about it to begin with. If we go back to this function, although we don't have the address because PIE is enabled, we can grab the offset of it and use that whenever we're, let's open up gdb-pwndbg. We can't set the breakpoint here straight away until the program's running, because PIE is enabled, and also if we have a look at the functions here we're only going to get our libc functions. You can see based on the addresses these are all just offsets at the moment, but if we start to run the program and then Ctrl+C to get out of that, now if we have a look at our functions we're going to see a lot more there, and also now we can set up our breakpoint. If we do piebase we'll find out this
is the base the binary loaded at, so this base plus any of these addresses will give us an offset. In this case the start of this function is 15a0, so you could do piebase 0x15a0 and that'll give you the address of this function, and we can do that in pwntools and stuff as well. But we can also use breakrva. If we do breakrva help, this will allow us to directly set up a breakpoint at the PIE base, and we can again give it an offset. So I'll just go back here and change this to breakrva, and now every time this function is called it's going to break.

We could give it a parameter here, or I'll just hit enter in this case, and see that, here we go, this is the instruction that's being called at the moment, which is the beginning of this function. You can see in the background, hopefully you can see that, we have the movsxd rax, edi which is happening at the moment, and the parameter that's being passed in via rdi is the number. So if we go back here, what's being called at the moment is this: the function is being called here and it's being passed a 2, or it's being called somewhere else and being given a 2, maybe here.

So if we go and modify the value that's being given, let's change it to, for example, and the way I chose which values to start off with here was, without looking at the code too much, we can see here we have this value iVar7 equals 539, so we're going to have a look at that; that's 1337, leet. So it's pretty clear this is going to have something to do with the conditions we want to meet. You can also see here that it's opening up a file and it's reading in from the file and is going to put that value out, so it's very likely this is where we're opening the flag file, reading it in, and then putting it out to the screen, in which case this is going to be of interest to us. We know that we need to meet a couple of conditions to get in here,
so we're going to need at some point iVar7 to equal leet, we're going to need iVar3 not to be 0 here, and we're going to need iVar7 not to be 0. If we go and have a look, iVar7 is initialized to 0, and we could go through and have a look and see where it is assigned. Here it's compared to leet, and we made sure it wasn't zero before that. If we go through, we also have it being assigned a value here, but this is all inside this code block, so first iVar7 needs to not equal zero in order to even get into this section, so that's not really going to count for us. Then we also have it again here, it's being used directly below that, but again that's inside the same code block. So we have iVar being set to 1 here in a different part of the code, and that's the only other place that it's assigned a value. At some point we're going to need to go and have a look and find out what conditions we need to meet in order for that to be set to 1.

But for now let's just continue with this. We currently have the function being called with 2, but we can go and swap that 2 out now with a value. Let's say we know we want this to equal leet, and whenever it does equal leet it's going to call that function with 0x17 in there. So let's go back to gdb and set our rdi to equal 0x17, and then we can continue. We're going to be waiting for the string compare to happen. Notice that rdi has been overwritten there, so I'm just going to change that and continue until we get our string, and there we've got our string: "bananarama". That wasn't a string that we saw coming up before, so it might be something as well that we might want to try, and just go and run the program and, oops, enter it in, but we don't get anything back.

We could try that again. If we go back into this, it's now going to the 2 again, so that's also an indication to us that this is the first comparison being done. It's being compared to 2, and it looks like
it's then going to compare it to 6, it's going to compare it to 9, and they're going to be our various options that are given to us: look around, sleep, knock on the wall. So we might want to go and rename some of these functions, or some of these variables, to show what they represent. But for now, I basically went through this and compared this to each of the different values. Here we have the 0x19, we have the 0x1a; running those, I believe this is where we're opening up the flag file, so we have our flag.txt and then the "r" parameter. Let's have a look at some of these. We have the 0x13 and 0x14; let's check out one of those. I'm just going to set this to 13. I should be able to set a breakpoint up at a better place here really, but I'm not going to do this too many times. And this is "press the red button"; if we check the other one it'll be "press the green button".

Essentially I went through and mapped all of these out. I was kind of hoping when we got to points like this that, now that we've found a new command, we might be able to just run jailbreak and then say "press the green button" or "press the red button", but we didn't get anything from doing those steps. So at that point I was forced to actually go and take a look at this code and try and work out what conditions need to be true.

We know that first we need to get iVar7 not to be zero. It's assigned zero at the beginning and it's only assigned a value down at the 1, so we need to get this condition to be met. We could go and set up a breakpoint here to try and identify when we get to that; for now we can just trace this back. In order to get iVar7 equal to 1 we need this condition to be false. We need bVar1 to be false, because if it's true it's going to go and call this function and then it's going to jump down to 13c8, wherever that is. So we need this to be false, and we need iVar3 to be true,
be zero, which is the string comparison. We need the string comparison here to be true, and the string comparison is the result of calling that function with 0xb. If we go through and look at these, we have our "look around" which is 2, we have "sleep" which is 6, we have "knock on the wall" which is 9, and we have "pry the bars open" which is 0xb. So we need to pry the bars open in order to get this to be zero, and then we need bVar1 to be false in order to get iVar7 to be true.

So we could go ahead and set up a breakpoint here. Let's set up a breakpoint and confirm that we'll get to this, not a string comparison here; we know that this will hold true as long as we get the string comparison true. So let's set a breakpoint up around the bVar1 and see what this is set to. We'll set a breakpoint at 12d9, at this test, and let me actually delete the breakpoints we have at the moment: breakrva 0x, can't quite see that, 12d9. Now if we run the program, we need to pry the bars open; we know that's 0xb, which we need to match there. If we were to try and put something else, let's say "pick the snake up", then it's not going to hit the breakpoint. We need to try to, sorry, pry the bars open, and then we'll hit the breakpoint; it's getting to test r13.

Let's actually set up a breakpoint as well where our iVar equals 1, which is 12e7, so we could breakrva 12e7, and then we can just continue, and we'll see that it escapes, because we didn't hit that breakpoint. So we need to go and try and find out why our bVar1 is currently true, because that's calling this function with 0xc. 0xc, I believe, will contain the error message that we've just been given back, "you start prying the prison bars open". So we're being told that the prison bars can't be opened. Obviously we need to make sure that this equals false, and then we will be able to open the
prison bars. So again we can have a look at bVar1 and see where it's assigned. It's declared at the beginning, it's assigned a value of true, and here there's a comparison done, another comparison, so here's where it's assigned false: 10144e. In order to get to this code we need to get to this part of the else statement. It's going to check if cVar2 equals backslash zero or cVar8 equals backslash zero, in which case it's not going to get down to the code we want to get to. So we want to make sure cVar2 is not equal to backslash zero, and the same with cVar8.

cVar2 is going to be assigned here. Here it's calling "pick up the snake", 0xf, and this is calling "throw the snake", which is 0xe, which I just have noted down from doing the XORs earlier. So that's going to take care of cVar2. But if we have a look at cVar8, we can go through and find that cVar8 is assigned a value once we get to this code segment, which is not too much good for us. It's checked down here, and it's also assigned down here as cVar2. If we go back to the top, we'll see that it is assigned zero at the beginning. So the only other place then that we can make sure that it is assigned a value is if we get this code to execute, and this is part of this else statement.

So where's our if for this? This is our menu option where we had our "pick up the snake" in this case, and remember we have our other options here: we have look around, we have sleep, we have knock on the wall, pry the bars open, and here we get to pick up the snake. If we choose to pick up the snake, it's then going to check the throw, it's going to check if "throw the snake" has been called; otherwise, if we don't do that, it's going to try to throw the snake. So if it does get down to this section it means we've tried to throw the snake, and if we try to throw the snake it's going to check if cVar8 doesn't equal backslash zero, which it
will equal backslash zero, because we've not had any method of reassigning it so far, which means this code wouldn't be executed; it would execute the bottom code to reassign that. Hopefully that makes sense. I went through this with a lot more breakpoints whenever I actually solved the challenge, which probably helps. But essentially we need to pick up the snake, we need to throw the snake, and then that will get us into this code block and set bVar1 to false. Once bVar1 is false, we know that we need to call 0xb in order to assign iVar1. So we need to pick up the snake, we need to throw the snake to get bVar1 to equal false, and then we need to pry the bars open to get iVar7 to equal 1, and then whenever the loop goes round again it will finally be into this code segment.

So let's set a condition around here, iVar7, so 1197. Let's go back and set up another breakpoint. I'm going to close this down and just start it up again. We'll run, and we'll set breakrva 0x1197. Let's actually go and set up some more breakpoints as well. We have our iVar7, that's the condition we want to meet; we want to make sure it's not zero. We also wanted to make sure bVar1 was equal to false, so where was bVar1 assigned again? Let me find bVar1. bVar1 is assigned false right here, so whenever this is called, 144e, that's going to be assigned false. We'll set it up right there, and that's 1459.

So let's try and run through some of these. If we hit continue now, we want to try and pick up the snake. Let's actually try the other way around first of all: let's try and throw the snake at kmh. We've hit a breakpoint; that is our comparison, so it's checking if iVar7 is equal to 0 right here. If we go back and have a look at that, r12, it is equal to zero; we want to make sure it's not equal to zero. So we hit continue and we get "you're speaking
nonsense, cut that out". So we're not actually able to throw the snake at kmh at all anyway until we've picked up the snake. Let's continue again: "you're speaking nonsense". Yeah, OK, so let's try and pick up the snake, and now we get to our breakpoint again. We still don't have r12, it's still zero, so that condition is not going to be met. Now we can try and throw the snake at kmh. We get to our breakpoint again; again r12 is still going to be zero. But now if we continue, we don't hit our breakpoint for assigning bVar1 as false. Let's try anyway and pry the bars open, and we get back to our breakpoint here which is testing to see if that equals zero, and in this case, OK, so we tried to pry the bars open and we got the exit there. So the issue was that we tried to throw the snake, I guess, before we picked the snake up.

Let's just try that one more time: throw the snake at kmh and continue, and then we'll try to pick the snake up, continue, throw the snake at kmh, continue. OK, I don't know what I did wrong last time; maybe I didn't get the order right there. So yeah, this time we get the xor, so that's the condition we expected to be true. So it doesn't matter if we try to throw the snake before picking it up, as long as we at some point pick the snake up and then throw it, in that order.

In which case we've just hit this breakpoint: bVar1 is now equal to false, which means that whenever we enter the 0xb, which is "pry the bars open", it's going to get down to this check and say, if bVar1 is true, which it isn't because we've just assigned it false, so it's going to then jump down and set iVar7 equal to 1. Which means the next time this loops round, well, not the next time, but after we've done "pry the bars open", this condition should finally allow us to get into the code segment that we're interested in. So are we at a breakpoint? Continue here again. This time we want to pry the bars open, and we've stopped at a breakpoint here; we
have r12 still equal to zero. Let's continue, and: "you start prying the prison bars open, a wide gap opens for you to slip through, what would you like to do". So in this case let's try and just enter, can I just enter another, let's enter another command to get back to our loop, and this time r12 is equal to 0x1, which is exactly what we wanted. So rather than continuing, let's go next, and it is going into the comparison; it actually compared there with "look around".

So let's go back into our code, and you'll see that if iVar7 is not equal to 0, which it isn't anymore, it then calls this function with 2, and 2 is equal to "look around", and then it's going to set iVar3 to equal the value. Because we didn't enter "look around" there, that's not going to be true, which means whenever we get to this section it's not then going to go through and check if iVar7 equals 0x539. So what I'm going to do is go and set up a breakpoint right here as well, 11cc. In fact let me delete breakpoints, and we'll do breakrva 0x11c, was it 11c3? 11cc. We'll set up a breakpoint there and then I'm going to run the program again.

We're going to need to enter our usual commands, so let's first of all pick up the snake. I'm just copying and pasting this now. We're going to throw the snake, and then we're going to pry the bars open, and now we know we also need to look around. And now notice that we've got a string that we haven't seen before: you look around, you see kmh has already made the jail contrived, there's a red button and a green button with a sign that says "press buttons to get flag". So this is where we can start entering our new commands, "press the red button" and "press the green button". Let's press the red button. We hit that and now we get to our breakpoint. Our breakpoint is doing this comparison: it's comparing r12 to 539, which we know is actually equal to leet in decimal, so you can see that there, and it's comparing r12; r12 is
currently equal to 1. OK, so not much use. We'll hit continue: "what would you like to do", nothing changed. Let's press the green button, and you'll see we've got back to our comparison; it's comparing it to leet and this time we've got 2 in there. So let's continue again, press the green button, nothing changed. OK, so we're just in this loop. Let's try and press the green button again, and you can see now our r12 is equal to 5. So whenever we're pressing these buttons this r12 is increasing.

Let's go and have a look at the code and see what's going on. We could set up some breakpoints here. Because in my notes I already have what all these values equal when XORed, because I went through and did that manually whenever I was solving it, I know that 13 is "press the red button" and 14 is "press the green button". So we could set up some breakpoints around here, or we can just have a look through and see what the code is doing, and essentially we'll see that iVar7 has been assigned iVar7 times 2 here, and in this case iVar7 has been assigned iVar7 times 2 plus 1.
So we know that whenever we get into this loop to begin with, iVar7 is equal to 1. We need iVar7 to equal 539 in hex, which is, er, leet, 1337, and we can do that by pressing the green button and pressing the red button. The green button is 14 and the red button is 13, so every time we press 13 it's going to double our value, and every time we press 14 it's going to double and add one. We know iVar is going to start off as 1 once we've pressed the right values, and then we can go through here.

Let's go and open up a calculator, and we can do this in reverse. If we start off with 1337, because this isn't going to evenly divide by 2, in this case we would be subtracting 1 and then dividing by 2, so that's the green button. So we could say here "green"; this is how I kind of did this earlier. Then because this is an even number we would divide by 2, so then it's going to be the red button; we need to put that before the green. And again an even number, so we would divide by 2, and again it's going to be the red button. Before that it's going to be the green, because we can now see we have to minus 1 and then divide by 2, and essentially we go through and do that process. I already calculated that out earlier on, so we'll just go ahead and test it out.

We have our breakpoint set up with this comparison, and I've already got these written down, so we'll go back and test it out. Let's continue here, and first we want to pick up the snake as usual. Next we want to throw the snake, and we can see that he runs in fear. We now want to pry the bars open, and a wide gap opens that we can slip through. Now we want to look around; look around, see that the jail's already contrived, there's a red button and a green button. And now we want to start pressing the button, so we're going to start by pressing the red button, and we'll see we've got to our comparison. Now it's comparing r12, which is currently equal to 1.
it's comparing it to 539 which is leet and so we'll continue the second time we're going to press the green button so we were multiplying it there we were doing 1 times 1 now we've got 2 now we're going to two times two plus one and you can see this has got the last value there so it's comparing it to leet and again we'll hit continue we now want to do the red the red button so we're gonna end up with 10 see it's 5 from the last time but we're going to do the red button again which will be giving us 20 you can see here showing up in hex but we can always just check with p r12 if we want to print it as an integer and now we want to do the green button so we're going to do the green button three times continue continue the third time and now we're gonna do the red button twice and continue again and then finally we'll do the green button let's see what this is actually equaling at the moment so we've got r12 there r12 is 334 but we just did the red button which hasn't shown up yet as well so that's 668 and we're about to do 668 times two plus one which is going to give us leet oh so we need to continue again we'll enter that in and now it's not showing up yet we're going to need to continue and enter something else in here we don't actually know exactly what we're entering in so i'm going to say test and you'll see we've got to our comparison it's compared r12 to leet let's have a look p r12 and we'll see it is it's currently equal to leet so now if we go into next from here it's now going to perform some jumps we want to get down have a look at this string compare and you'll see it's compared the test that we entered to bananarama which didn't match in this case so if we continue we get you're speaking nonsense cut that out let's try that again bananarama and we'll hit continue and you'll see that for some reason a flag popped out the wall you walk closer to read it and then we've got the fake flag because i have the flag already fake 
flags in our directory so we've got that solved manually let's jump over to the pwntools script which is set up this is just using the pwntools template which i have on github and have covered in most of the videos where essentially we can just open up quite easily with gdb and passing our breakpoints and things here you can see that i had a breakpoint set up for testing and then if we pass in gdb then it will it'll just uh launch a program it'll set up a breakpoint at this offset from the PIE base and then stop every time we get to that to that address we've got the context level set to info here let me change this to debug so we get a bit more information and essentially we just we go through here we want to set let's close that down we want to set bVar1 equal to false so we do that by picking up the snake thrown at kmh we want to set iVar7 to one and we do that by prying the bars open we want to get into our the code blocks we have to look around after that if you remember we had to was the number two and then we need to make iVar7 equal leet so i just have here what the red button the green button do and we're just doing looping through in the order that we need in order to make that equal leet and then we send in this bananarama password as the as the password basically to get the flag receive a couple of lines of junk and then the next line that we get is going to be our flag so if we try and run that python exploits you see we've got a lot of debugging seeing every time it sends and receives something and then at the end we get our flag back so that's cool now because we're using this script and we have this method that we can just pass in remote and gdb commands into we can let me set this to info get rid of some of the noise and then we can just go straight to the server get the address that we're interested in the address and then we can run the same command again python exploit but pass in the server and port and you'll see oh i was 
wondering what's going on there uh we just need to pass in remote as a keyword and then it will run it against the remote server on that port and take a little bit longer to get back but eventually we get back our flag and that's been the jailbreak challenge maybe get hopefully get some warranties done although i want to take a look at the web section as well so you can get some challenges done there
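The reverse calculation described in the walkthrough (start at 1337, subtract one and halve for green, halve for red, then read the presses back to front), written out as an added example that is not the video author's script. The function names and the `red`/`green` labels are assumptions made for illustration; the sketch also generalises to any target and starting value.

```python
# Added illustration: derive the button order for the jailbreak challenge.
# red   -> value = value * 2
# green -> value = value * 2 + 1
# Names below (RED, GREEN, presses_for, apply_presses) are hypothetical.

RED, GREEN = "red", "green"


def apply_presses(presses, start=1):
    """Replay a list of presses forward and return the resulting counter."""
    value = start
    for press in presses:
        value = value * 2 + (1 if press == GREEN else 0)
    return value


def presses_for(target, start=1):
    """Work backwards from target to start, as done by hand in the video.

    An odd value can only have come from a green press, an even value only
    from a red press, so the sequence is unique when it exists.
    """
    if start < 1 or target < start:
        raise ValueError("target cannot be reached from start")
    presses = []
    value = target
    while value > start:
        presses.append(GREEN if value & 1 else RED)
        value >>= 1  # undo the doubling (the +1 is dropped by the shift)
    if value != start:
        # The binary form of start is not a prefix of the binary form of target.
        raise ValueError("target cannot be reached from start")
    presses.reverse()  # we collected the last press first
    return presses


if __name__ == "__main__":
    order = presses_for(0x539)
    print(order)
    print(hex(apply_presses(order)))
```

The presses are the bits of 1337 after its leading 1, read left to right, with 0 as red and 1 as green.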
Info
Channel: CryptoCat
Views: 1,781
Keywords: angstrom, ångstromCTF, angstrom ctf, ctf, capture the flag, reverse engineering, reversing, re, reverse, assembly, debugging, ltrace, ghidra, gdb, pwndbg, pwn, pwntools, cybersecurity, hacking, exploit, infosec, kali, cyberchef, writeup, walkthrough, python, programming, pen-testing, hackathon, learn, jailbreak, free flags, flag, ida, malware, security, wargames, h4x0r, breakpoints, xor, disassembly, ångstrom, 2021, 1337, rev, static analysis, dynamic analysis, debugger, debug, analyse, objdump, parrotos, Angstrom CTF 2021, hack, CTF
Id: MhkVkOpj5OI
Length: 43min 58sec (2638 seconds)
Published: Fri Apr 09 2021