
title: Writeup ESAIP CTF 2023 - Positive Path
date: May 30, 2023
tags: ESAIP_CTF_2023 writeups reverse


Writeup ESAIP CTF 2023 - Positive Path

Description:

I guess this time you need to discover everything by yourself.

Good luck.

Author: Ooggle

Files:

positive_path



🔍 Recon

Let's do the basics:

$ file positive_path
positive_path: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c7935c8c3fadad24e95d34d2c0a1db307a29d940, for GNU/Linux 3.2.0, stripped

Okay, so let's have a closer look at the binary in Ghidra.


📟 Reversing the binary

The main function can be easily found by searching for string references: the format string ECTF{%s} is used in one function. The function looks like this:
[Image: main_function]

So, the program reads 26 characters from stdin, then iterates through all those characters and checks whether each value is 'U', 'D', 'L' or 'R'. That sounds like up, down, left and right. Two variables (local_7c and local_80) are modified when one of those characters is identified, so we can assume they are our x and y position?

I need to clean up the decompilation a little to see if we can get a better understanding of the code.
[Image: cleaning]

Now let's dissect one of the four long ifs:

if (char == 'D') {
    if ((pos_y == 2) || (local_78[(long)pos_x + (long)(pos_y + 1) * 0x11] == 'X')) break;
    //...
}

First, the program breaks if we want to go down while we are at y position 2, so there are only 3 levels to our game grid.

Then it checks whether the new position we are trying to move to contains an 'X', and it breaks if that's the case. So we want to avoid the X's.

Notice the * 0x11? It tells us that the grid has a width of 17. So our complete grid is a multidimensional array of 3 by 17. I then retype the local_78 variable as char[3][17] and rename it grid.

[Image: clean]

Well, now it's MUCH better: we know we need to get to 16,2 for the flag to show, so I just need to extract the content of the grid variable to see where the X's are located.

" X   XXXXX   XXX"
" X X     X X  XX"
"   XXXXX   XX   "

Okay, it looks like a little maze; we just have to follow the path to arrive at the destination.


🚩 Getting the flag

To get to the destination, we just need to write letters to move our player.

The following input should reach the destination while avoiding every 'X':
DDRRUURRDRRRRDRRUURRDRDRR

[Image: flag]

Here we go!

flag: ECTF{DDRRUURRDRRRRDRRUURRDRDRR}
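
A small solver for the maze described above, as an added example that is not part of the original writeup: it replays a move string against the extracted grid and finds the shortest path with a breadth-first search. It assumes the player starts in the top-left cell and that all four directions are guarded like the 'D' check shown, and it takes the goal to be the last printed cell of the bottom row, which is where the input above ends.

```python
from collections import deque

# Grid rows copied from the writeup, exactly as printed on the page.
GRID = [
    " X   XXXXX   XXX",
    " X X     X X  XX",
    "   XXXXX   XX   ",
]
MOVES = {"U": (0, -1), "D": (0, 1), "L": (-1, 0), "R": (1, 0)}
START = (0, 0)                              # assumption: player starts top-left
GOAL = (len(GRID[-1]) - 1, len(GRID) - 1)   # assumption: last printed cell, bottom row


def step(pos, move):
    """Apply one move; return the new position, or None if the move is rejected."""
    dx, dy = MOVES[move]
    x, y = pos[0] + dx, pos[1] + dy
    # The writeup shows the 'D' check (y bound, then 'X'); the other three
    # directions are assumed to be guarded the same way.
    if not (0 <= y < len(GRID) and 0 <= x < len(GRID[y])) or GRID[y][x] == "X":
        return None
    return (x, y)


def walk(path, start=START):
    """Replay a move string; return the final position, or None on an illegal move."""
    pos = start
    for move in path:
        if move not in MOVES:
            return None
        pos = step(pos, move)
        if pos is None:
            return None
    return pos


def solve(start=START, goal=GOAL):
    """Breadth-first search for the shortest move string from start to goal."""
    queue, seen = deque([(start, "")]), {start}
    while queue:
        pos, path = queue.popleft()
        if pos == goal:
            return path
        for move in MOVES:
            nxt = step(pos, move)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + move))
    return None


if __name__ == "__main__":
    print(solve())
```

The open cells form a single corridor, so the search finds exactly one route.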