rootybooty

spbctf

Task: ELF64 'malware' that reboots the host (reboot syscall gated on getuid) unless run as root, hiding an RC4-style decryptor. Solution: statically reverse the cipher, recognize the magic-number division reveals modulus 129 (not 256) over a 129-entry S-box, and reimplement the modified RC4 in Python to decrypt the flag offline.

pie rc4 custom_cipher anti_analysis modified_modulus reboot_tripwire

static_analysispython_reimplementationrc4_reverse_engineeringmodified_modulus_ciphermagic_number_division_recognition

$ ls tags/ techniques/

pie rc4 custom_cipher anti_analysis modified_modulus reboot_tripwire

static_analysispython_reimplementationrc4_reverse_engineeringmodified_modulus_ciphermagic_number_division_recognition

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[reverse][Pro]Reverse Me— taipanbyte
[pwn][Pro]popa-ot-ropa (Mic Check 10)— pwn_spbctf
[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[reverse][Pro]recurse (RE3_recurse)— rev_kids20
[reverse][Pro]0xF20B— rev_kids20