
8 of Hearts: Metasploit 2020 December CTF

On port 4545 of the Metasploit 2020 December CTF target machine, two files were available for download: 8_of_hearts.elf and 8_of_hearts.enc. The .elf file was a Linux ELF executable program, and the .enc file was presumably an encoded PNG flag file.

If you ran it, and entered some input, you'd be chided for not entering "buffalo". If you entered "buffalo", you'd be told "MOAR buffalo!":

In retrospect, we now know everything we need to know in order to solve it. But since I was thick, I decided to disassemble the code and try to understand what I needed to do.
Using Radare2, I looked at the assembly for the main() function.

I don't read assembly well enough to understand the routine, but one step jumped out at me -

xor eax, 0x41

Which was a solid clue that the .enc file was simply xor'ed with the value 0x41. I manually xor'ed the first few bytes of the .enc file and, sure enough, it revealed a valid PNG header. In order to xor the entire file, I installed the xortool package and used the xortool-xor tool to decode the file:

That was enough to get the flag. However, was it the right way? I suspected not. My captain pointed out that Ghidra would disassemble the binary and generate C code, which I'm more fluent in. And looking at the C code, the answer revealed itself:

And when I say "revealed itself" I mean "made sense after 15 minutes of peering and swearing." It boils down to this: the test is a simple buffer overflow. Two buffers are declared, local_7f8 and local_408. fgets is used to read stdin into local_7f8, and then, with no other data being read, local_408 is tested for the presence of the string 'buffalo'. So quite simply, 'MOAR buffalo' means repeating buffalo enough times that it fills the 1008-character array local_7f8 and spills over into the local_408 array.

So had I simply done as asked and provided MOAR buffalo I'd have been all set:
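Both halves of the writeup, the single-byte XOR decode and the sizing of the "MOAR buffalo" input, as an added Python example that is not part of the original post and replaces the xortool step; the 1008-byte distance is taken from the two stack offsets in the decompiled code, and the sample ciphertext is constructed inline.

```python
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG file
KEY = 0x41                         # the constant seen in `xor eax, 0x41`
BUF_LEN = 0x7F8 - 0x408            # 1008 bytes from local_7f8 to local_408


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_png(data: bytes) -> bool:
    """True when the data starts with the PNG signature."""
    return data[:8] == PNG_MAGIC


def recover_key(enc: bytes) -> Optional[int]:
    """Find the single-byte key by testing which one yields a PNG signature.

    This is the known-plaintext check the writeup did by hand on the
    first few bytes; only one key can map the 8 bytes onto PNG_MAGIC.
    """
    for k in range(256):
        if looks_like_png(xor_bytes(enc[:8], k)):
            return k
    return None


def moar_buffalo(word: bytes = b"buffalo", fill: int = BUF_LEN) -> bytes:
    """Repeat `word` until the first buffer is full and one complete copy
    has spilled into the buffer that follows it (local_408)."""
    reps = -(-fill // len(word)) + 1   # ceil(fill / len) plus one extra copy
    return word * reps


if __name__ == "__main__":
    # Constructed sample: a fake PNG encoded with the same key as 8_of_hearts.enc
    sample_enc = xor_bytes(PNG_MAGIC + b"constructed body", KEY)
    key = recover_key(sample_enc)
    print(f"recovered key: {key:#04x}")
    print("decoded header is PNG:", looks_like_png(xor_bytes(sample_enc, key)))
    payload = moar_buffalo()
    print(f"payload length {len(payload)}, bytes past buffer: {payload[BUF_LEN:]!r}")
```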

