This was an easy task. We are asked to connect through ssh onto a box and find a forgotten port on 10.0.1.18. What we found, once we logged into the box, was that almost every program in /bin was deleted or inaccessible except nc. Luckily, with nc we can still do a port scan with something like `nc -zv 10.0.1.18 1-65535`, and after some time one port was reported as open: 54231.
```
[email protected]:/$ nc 10.0.1.18 54321
GET /
Nice! Flag is [email protected]}
[email protected]:/$
```
This binary had some anti-debugging measures, but they were easily bypassed by breaking on the check it makes on stat_loc.__uptr and setting $rax to 0. The binary then performs some calculations using the GMP library on our argv, char by char. At the end a huge number comes out and is converted into a binary string. This binary string is passed as an argument to the 0x400b5d subroutine, which performs a transformation against a predefined binary string:
This function returns a new binary string built by comparing the two previous strings char by char: if the two chars are equal a "1" is appended, otherwise a "0".
Then the resulting string is converted back to ASCII and, if it equals "From a seed a mighty trunk may grow.", we win.
So to solve this we started from the bottom and found the binary representation of that string, which is:
Then we wrote a script that reverses it following the rules used in the 0x400b5d function and got this binary number:
This number is the one we have to obtain from the GMP calculations. To find the input string that produces it, we wrote a tiny script to search for it:
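The comparison step and its reversal, as an added example that is not the original writeup's script. It uses the target sentence from the challenge, but the predefined binary string that the real binary compares against is not given here, so `FIXED_DEMO` below is a constructed stand-in; the functions themselves apply to any string of the right length.

```python
# Added example: the per-character "1 if equal else 0" transform of the
# 0x400b5d subroutine (a bitwise XNOR) and how to reverse it.

TARGET = "From a seed a mighty trunk may grow."   # success string from the challenge


def str_to_bits(s: str) -> str:
    """ASCII text -> binary string, 8 bits per character, MSB first."""
    return "".join(format(b, "08b") for b in s.encode("ascii"))


def bits_to_str(bits: str) -> str:
    """Binary string (multiple of 8 bits) -> ASCII text."""
    if len(bits) % 8:
        raise ValueError("bit string length must be a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def compare_bits(a: str, b: str) -> str:
    """Forward transform: '1' where the two strings agree, '0' where they differ."""
    if len(a) != len(b):
        raise ValueError("both strings must have the same length")
    return "".join("1" if x == y else "0" for x, y in zip(a, b))


def invert_compare(out: str, fixed: str) -> str:
    """Reverse transform: the output bit is 1 exactly when input == fixed,
    so the input equals the fixed bit where out is '1' and its complement
    where out is '0'. (This is the same operation as compare_bits, because
    XNOR is its own inverse; it is written out here for clarity.)"""
    return "".join(f if o == "1" else ("0" if f == "1" else "1") for o, f in zip(out, fixed))


# Constructed stand-in for the binary's predefined string (not the real value).
FIXED_DEMO = ("1011" * 100)[: len(str_to_bits(TARGET))]


def required_bits(fixed: str = FIXED_DEMO, target: str = TARGET) -> str:
    """Binary string the GMP stage must produce so that the comparison yields target."""
    return invert_compare(str_to_bits(target), fixed)


def required_number(fixed: str = FIXED_DEMO, target: str = TARGET) -> int:
    """The same requirement as an integer, i.e. the 'huge number' of the writeup."""
    return int(required_bits(fixed, target), 2)


if __name__ == "__main__":
    bits = required_bits()
    assert bits_to_str(compare_bits(bits, FIXED_DEMO)) == TARGET
    print(bits)
    print(required_number())
```

With the real predefined string extracted from the binary in place of `FIXED_DEMO`, `required_bits()` is exactly the number the GMP stage has to produce.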
And that string will be the flag to submit.