Shop is a Reverse Engineering challenge worth 50 points.
It has this description:
Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf[.]net 11371.
This provides a file named
source with a SHA256 hash of
file shows that this is a 32 bit ELF, with debug info and it hasn’t been stripped, but it is a Go binary:
source: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, Go BuildID=r5IKmnk_hVFErwy5ewa3/PyI570w85RI5Xa1aSnrW/RxmeFbAluXa5Hnisdodi/MJQIt60cZyLjm5Wta-r0, with debug_info, not stripped
I don’t have a ton of experience working with Go or reversing Go binaries, so I loaded source into Ghidra and hoped for the best.
Symbol Tree in Ghidra, I found an interesting function named
main.get_flag in the Ghidra Decompiler, I can see that this function likely reads the flag from the filesystem using
Next, I searched for references to
main.get_flag by right-clicking on the function’s name in the decompiler and selecting References -> Find References to main.get_flag. This showed a reference at
080d3ec3 that resides within the
I had a hard time making sense of Ghidra’s output, so I connected to the service using netcat and was presented with a simple menu-based store. This made the code make a bit more sense to me.
The next steps involved stepping through various options in the live instance of this code, comparing it to the disassembler. This took me several minutes of tabbing back and forth between my terminal and Ghidra’s decompiler.
Judging from the disassembly and the store selling the Fruitful Flag for more money than is in my wallet, I need to buy this item in order to obtain the flag, but I don’t have enough money.
A common vulnerability in these kinds of puzzles is tricking the software by buying or selling a negative number of items. I tried this theory out and it worked, so I had no reason to continue trying to make sense of the disassembled code:
    % nc mercury.picoctf.net 11371
    Welcome to the market!
    =====================
    You have 40 coins
        Item            Price   Count
    (0) Quiet Quiches   10      12
    (1) Average Apple   15      8
    (2) Fruitful Flag   100     1
    (3) Sell an Item
    (4) Exit
    Choose an option:
    1
    How many do you want to buy?
    -30
    You have 490 coins
        Item            Price   Count
    (0) Quiet Quiches   10      12
    (1) Average Apple   15      38
    (2) Fruitful Flag   100     1
    (3) Sell an Item
    (4) Exit
    Choose an option:
    2
    How many do you want to buy?
    1
    Flag is:  [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 98 56 100 55 50 55 49 102 125]
This gives the flag in what appear to be char codes. I decoded the flag using CyberChef:
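The negative-quantity flaw from the session above, as an added Go example that is not the challenge's source (the real source is not shown on this page). The types, function names and the balance-only check in `BuyVulnerable` are assumptions chosen to reproduce the observed numbers (40 coins to 490, stock 8 to 38); `BuyHardened` shows the input validation that closes the hole.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical reconstruction: the types and names here are assumptions.
type Item struct{ Name string; Price, Count int }
type Shop struct{ Wallet int; Items []Item }

// newShop builds constructed inventory matching the menu in the session.
func newShop() *Shop {
	return &Shop{Wallet: 40, Items: []Item{
		{"Quiet Quiches", 10, 12}, {"Average Apple", 15, 8}, {"Fruitful Flag", 100, 1}}}
}

// BuyVulnerable checks only the balance, so a negative qty credits the wallet.
func (s *Shop) BuyVulnerable(idx, qty int) error {
	it := &s.Items[idx]
	cost := it.Price * qty // negative when qty is negative
	if s.Wallet < cost {
		return errors.New("not enough coins")
	}
	s.Wallet -= cost
	it.Count -= qty
	return nil
}

// BuyHardened validates index and quantity before any state changes.
func (s *Shop) BuyHardened(idx, qty int) error {
	if idx < 0 || idx >= len(s.Items) || qty < 1 || qty > s.Items[idx].Count {
		return errors.New("invalid item or quantity")
	}
	it := &s.Items[idx]
	cost := it.Price * qty
	if cost > s.Wallet {
		return errors.New("not enough coins")
	}
	s.Wallet -= cost
	it.Count -= qty
	return nil
}

func main() {
	v, h := newShop(), newShop()
	errV, errH := v.BuyVulnerable(1, -30), h.BuyHardened(1, -30)
	fmt.Println(errV, v.Wallet, "|", errH, h.Wallet)
}
```

The same rule applies to any quantity, amount or index taken from a client: reject values outside the business range before they reach arithmetic that updates state.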