Stones Writeup

By Febna V M
Published on 20 Sep 2020
DOMECTF2020

Story

David needs to find a key of stones. Even one stone in the wrong place will destroy everything. Help him to place the stones in order.

Solution

An executable ‘generator’ is given as an attachment. When you run that file, a message is shown:

    Great..! You have a message Gather your stones together in domectf{} This is your hash…abe06e77a7e14e53cb3c01a04eeb0451237042e2a8293d56f2e6471ab31615f5

From this result it is clear that a hash value is given and that you have to enclose your random string in domectf{}, which will generate the actual flag.

So the program must be something that generates a string, and we have to reverse it.

Analyzing the executable with a reverse engineering tool like Ghidra reveals how the string is generated.

All expressions have the same structure, so with a bit of editing we can build a table out of them and process characters one by one:

        rules = [[0x3b6, 0x1a8, 0x2dc, 0x1a, 0x364, 0xc, 0x1ac, 0x95],
            [0x33a, 0x1f8, 0xdc, 0x0, 0x270, 0x15e, 0x3a5, 0xcc],
            [0x3b4, 0x2fd, 0x178, 0x294, 0x1b8, 0xb1, 0x5e, 0xdd],
            [0x157, 0xd6, 0x3d9, 0x1a2, 0x313, 0x23f, 0x25f, 0x39d], 
            [0xa, 0x23c, 0x186, 0x1c, 0x56, 0xb1, 0x1f5, 0xde], 
            [0x367, 0x7f, 0x13, 0x34a, 0x2e5, 0x2f, 0x3b7, 0x289],
            [0x13f, 0x2fe, 0x1a2, 0x3a7, 0x104, 0x25, 0x31d, 0x146], 
            [0x1b0, 0x175, 0x2f1, 0x126, 0x1a6, 0x6a, 0x10b, 0x7e],
            [0x6b, 0x366, 0x311, 0x3c1, 0x1b2, 0x182, 0x11d, 0x10a],
            [0x1b0, 0x175, 0x2f1, 0x126, 0x1a6, 0x6a, 0x10b, 0x7e],
            [0x227, 0x28d, 0x39b, 0x37c, 0x1b3, 0xa3, 0x351, 0x124],
            [0x3b3, 0x1d4, 0x15c, 0xd7, 0xbd, 0x163, 0x3e5, 0x236],
            [0x1cd, 0x348, 0x2fd, 0x3c0, 0x1e2, 0x50, 0x37c, 0x258],
            [0x35f, 0xae, 0x242, 0x329, 0x245, 0x139, 0x2cb, 0x374],
            [0x37d, 0x2ec, 0xba, 0x35d, 0x243, 0x61, 0x71, 0x344],
            [0x367, 0x2df, 0x219, 0x282, 0x369, 0x14, 0x176, 0x3c7],
            [0x7f, 0x1f7, 0x3b7, 0x1e4, 0x292, 0x374, 0x75, 0x3c7],
            [0x116, 0x339, 0x3b7, 0x29, 0xc8, 0x1a7, 0x391, 0x134],
            [0x2f5, 0x36b, 0x3b0, 0x341, 0x274, 0xd5, 0x14, 0x278],
            [0x2c1, 0x12a, 0x79, 0x4, 0x9a, 0x149, 0x128, 0xe], 
            [0x101, 0xe2, 0xb7, 0x84, 0x223, 0xf5, 0x374, 0x146],
            [0x29d, 0x25, 0x13e, 0x3b0, 0x8e, 0x33, 0x24, 0x16a],
            [0x3cd, 0xef, 0x88, 0x309, 0xb8, 0x1cc, 0x10a, 0x38b],
            [0x2a, 0x1bd, 0x2a3, 0x20, 0xcb, 0x1c, 0x20f, 0x34d],
            [0x110, 0x41, 0x394, 0x258, 0x2e0, 0xb, 0x116, 0xd], 
            [0x1bc, 0x28c, 0x2d6, 0x324, 0x1c2, 0x11b, 0x1c9, 0x128],
            [0x24d, 0x180, 0xa5, 0x38f, 0x364, 0x3f, 0x6c, 0x207],
            [0x20f, 0x342, 0x120, 0x0, 0x1dc, 0x282, 0x227, 0x3b]]


        out = " "

        # Candidate character codes tested against every rule
        data = [30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 52, 53, 55,
                65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77,
                78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90,
                97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109,
                110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122]

        for c in data:
            for x in rules:
                try:
                    v = (c * x[0] + x[1]) % 0x100
                    # A character is kept as soon as one rule divides evenly
                    if (v * v * x[2] + x[3] + v * x[4]) % (v * x[5] + x[6] + x[7]) == 0:
                        out += chr(c)
                        break
                except ZeroDivisionError:
                    # Skip a rule whose modulus is zero for this character
                    pass
        print(out)

The characters for the flag are generated one by one, each time a character satisfies one of the conditions.

The program generates a string of 26 random characters, referred to as stones, for making the key. Enclose them within domectf{}. Because the flag contains a string of 32 alphanumeric characters enclosed in domectf{}, the special characters, which are the first two characters, are dropped. That leaves 24 stones, 457ADKPQRTVXZbcdefjkoqrt, from which we have to make a key of 32 stones.

As per the challenge, even one stone in the wrong place will destroy everything. So we have to try permutations of the available stones.

Try different combinations of stones that make a string of 32 characters, enclose each one in domectf{}, and check its hash. When the hash of the string matches the given hash, that string is your flag.

And the flag is domectf{TcfrADXqDZdtfbQkT5d5bkTcKtQTrAoX}
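The hash check described above, sketched as an added example that is not part of the original write-up or the challenge code. The page does not name the hash function, so the code assumes it is one of a few common algorithms and narrows them by digest length; the function names are hypothetical and the demo key is constructed.

```python
import hashlib
from itertools import product

# Values taken from the write-up
STONES = "457ADKPQRTVXZbcdefjkoqrt"
TARGET = "abe06e77a7e14e53cb3c01a04eeb0451237042e2a8293d56f2e6471ab31615f5"

# Assumption: the hash function is unnamed on the page, so consider common ones
KNOWN_ALGOS = ("md5", "sha1", "sha256", "sha3_256", "blake2s", "sha512")


def candidate_algorithms(target_hex):
    """Return the algorithms whose digest length matches the target hash."""
    size = len(bytes.fromhex(target_hex))
    return [a for a in KNOWN_ALGOS if hashlib.new(a).digest_size == size]


def search_space(stones, length):
    """Number of ordered keys of `length` stones when stones may repeat."""
    return len(stones) ** length


def find_key(stones, length, target_hex, algos, limit=None):
    """Hash domectf{key} for every ordering; return (key, algo) or None."""
    target = bytes.fromhex(target_hex)
    for n, combo in enumerate(product(stones, repeat=length)):
        if limit is not None and n >= limit:
            return None  # give up after `limit` candidates
        key = "".join(combo)
        flag = ("domectf{" + key + "}").encode()
        for algo in algos:
            if hashlib.new(algo, flag).digest() == target:
                return key, algo
    return None


if __name__ == "__main__":
    print(candidate_algorithms(TARGET))   # algorithms with a 32-byte digest
    print(search_space(STONES, 32))       # size of the full 32-stone key space
    # Constructed demo: a 3-stone key over 5 stones, hashed with SHA-256
    demo = hashlib.sha256(b"domectf{DA4}").hexdigest()
    print(find_key("457AD", 3, demo, candidate_algorithms(demo)))
```

The demo uses a short constructed key so that it finishes instantly; `search_space` shows how quickly the number of candidates grows with the key length.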

Written by Febna V M, Cyber Security Engineer