Into the rabbit hole

By Yaakov Cohen

Into the rabbit hole

We downloaded and extracted infected.zip and got an elf file infected.

Running strings on it gave:

 

We decoded it and saw it was probably base64 strings.

With a little reversing we understood that the program takes input from the user and compares it to one of strings we found, it repeats this 8 times. We can keep doing static analysis or we can try the easy (dynamic) way. We debugged it and put some breakpoints and read the register value. It worked, but here is an elegant and even easier way (credit to team Bagel):

 

We put "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 8 times until it finished running.

Next we took only the lines that had strncpy in them:

 

We combined all the parts of the flag and decoded it:

 

We got the flag: BSidesTLV{We_gonna_run_run_run_to_the_cities_of_the_future,_take_what_we_can_and_bring_it_back_home._So_take_me_down_to_the_cities_of_the_future,_everybody's_happy_and_I_feel_at_home.}

Success