eplots/ctf-resources
eplots/ctf-resources
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ctf-resources/htb/hacktheboo2024/rev/[Very Easy] Graverobber/README.md

2.6 KiB
Raw Permalink Blame History

Graverobber

4th 10 24 / Document No. D24.102.X168

Prepared By: clubby789

Challenge Author: clubby789

Difficulty: Very Easy

Classification: Official

Synopsis

Graverobber is a Very Easy reversing challenge. Players will use strace to identify binary functionality, then scripting to uncover the flag.

Skills Learned

- strace
- basic scripting

Solution

If we run the provided binary, we're given an error message.

We took a wrong turning!

Tracing

We can use strace to try and guess what the binary is doing.

$ strace ./robber
/* SNIP */
newfstatat(AT_FDCWD, "H/", 0x7ffcbd70cf50, 0) = -1 ENOENT (No such file or directory)
write(1, "We took a wrong turning!\n", 25We took a wrong turning!
) = 25
exit_group(1)                           = ?
+++ exited with 1 +++

We're trying to use newfstatat (a specialized version of the stat syscall used for file metadata) on some directory H. If we create it and run again:

newfstatat(AT_FDCWD, "H/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
newfstatat(AT_FDCWD, "H/T/", 0x7fff03f91e00, 0) = -1 ENOENT (No such file or directory)
write(1, "We took a wrong turning!\n", 25We took a wrong turning!

Looks like it will open several directories in sequence. We'll write a script to automate creating them.

Scripting

We'll begin by deleting and creating a directory to work in.

import os
import shutil
from pwn import *

try:
    shutil.rmtree("directories")
    os.mkdir("directories")
except Exception:
    pass
os.chdir("directories")

We'll then loop, running the binary under strace (using -e to filter to only the newfstatat calls):

while True:
    with context.local(log_level='ERROR'):
        p = process(["strace", "-e", "newfstatat", "../robber"])
        out = p.recvall().decode()
        p.close()

We'll then look at the last call to see the last path expected, and use that to create a directory. We'll also break if the error message isn't printed as we've likely found the whole path.

        if 'wrong turning' not in out: break
        stats = [line for line in out.split("\n") if "newfstatat" in line]
        # Get last line, and get the content of the string
        path = stats[-1].split('"')[1]
        # Remove separators and print path
        print(path.replace("/", ""))
        # Recursively make the directory
        os.makedirs(path)

On running this script, we'll get the flag.