Shop
is a Reverse Engineering challenge worth 50 points.
It has this description:
Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf[.]net 11371.
This provides a file named source with a SHA256 hash of 143093e11677c3058a7ecf9cd9df21cb29e6ddd918c8a2b24c5d9b656e18043d.
file shows that this is a 32-bit ELF with debug info that hasn't been stripped, and that it is a statically linked Go binary:
source: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, Go BuildID=r5IKmnk_hVFErwy5ewa3/PyI570w85RI5Xa1aSnrW/RxmeFbAluXa5Hnisdodi/MJQIt60cZyLjm5Wta-r0, with debug_info, not stripped
I don't have a ton of experience working with Go or reversing Go binaries, so I loaded source into Ghidra and hoped for the best.
Reviewing the Symbol Tree in Ghidra, I found an interesting function named main.get_flag:

Observing main.get_flag in the Ghidra Decompiler, I can see that this function likely reads the flag from the filesystem using ioutil.ReadFile:

Next, I searched for references to main.get_flag by right-clicking on the function's name in the decompiler and selecting References -> Find References to main.get_flag. This showed a reference at 080d3ec3 that resides within the main.menu function.
I had a hard time making sense of Ghidra's output, so I connected to the service using netcat and was presented with a simple menu-based store. This made the code make a bit more sense to me.
The next steps involved stepping through various options in the live instance of this code, comparing it to the disassembler. This took me several minutes of tabbing back and forth between my terminal and Ghidra’s decompiler.
Judging from the disassembly and the store selling the Fruitful Flag for more money than is in my wallet, I need to buy this item to obtain the flag, but I don't have enough coins.
A common vulnerability in these kinds of puzzles is that the quantity entered at the prompt is never validated, so buying or selling a negative number of items inverts the transaction: the cost (price times quantity) becomes negative and the purchase credits the wallet instead of debiting it. I tried this theory out and it worked, so I had no reason to continue trying to make sense of the disassembled code. Buying -30 Average Apples at 15 coins each added 450 coins (40 became 490) and raised the apple stock from 8 to 38, which was enough to buy the flag:
% nc mercury.picoctf.net 11371
Welcome to the market!
=====================
You have 40 coins
	Item		Price	Count
(0) Quiet Quiches	10	12
(1) Average Apple	15	8
(2) Fruitful Flag	100	1
(3) Sell an Item
(4) Exit
Choose an option: 1
How many do you want to buy? -30
You have 490 coins
	Item		Price	Count
(0) Quiet Quiches	10	12
(1) Average Apple	15	38
(2) Fruitful Flag	100	1
(3) Sell an Item
(4) Exit
Choose an option: 2
How many do you want to buy? 1
Flag is:  [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 98 56 100 55 50 55 49 102 125]
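To make the bug concrete, here is a small Go model of the shop's purchase logic, written for this writeup rather than taken from the challenge binary. The starting wallet and inventory are constructed from the transcript above; the struct, method names and the exact checks the real binary performs are assumptions. BuyUnchecked reproduces the observed behaviour (a "too expensive" check only, so a negative quantity is a refund), and Buy shows the validation that closes the hole.

```go
package main

import (
	"errors"
	"fmt"
)

// Item mirrors one row of the shop menu: a price and how many are in stock.
type Item struct {
	Name  string
	Price int
	Count int
}

// Shop holds the player's wallet and the inventory.
type Shop struct {
	Coins int
	Items []Item
}

// NewShop builds the starting state shown by the live instance
// (constructed from the netcat transcript: 40 coins and three items).
func NewShop() *Shop {
	return &Shop{
		Coins: 40,
		Items: []Item{
			{"Quiet Quiches", 10, 12},
			{"Average Apple", 15, 8},
			{"Fruitful Flag", 100, 1},
		},
	}
}

// BuyUnchecked models the behaviour observed in the challenge (assumed, not
// lifted from the binary): the quantity is used as-is, so a negative quantity
// makes the cost negative and the purchase credits the wallet instead.
func (s *Shop) BuyUnchecked(idx, qty int) error {
	if idx < 0 || idx >= len(s.Items) {
		return errors.New("no such item")
	}
	it := &s.Items[idx]
	cost := it.Price * qty
	if cost > s.Coins { // only guards the "too expensive" case
		return errors.New("not enough coins")
	}
	s.Coins -= cost
	it.Count -= qty // stock goes up when qty is negative
	return nil
}

// Buy is the hardened version: the quantity must be positive and within stock,
// and the cost is checked for overflow before the wallet is touched.
func (s *Shop) Buy(idx, qty int) error {
	if idx < 0 || idx >= len(s.Items) {
		return errors.New("no such item")
	}
	if qty <= 0 {
		return errors.New("quantity must be positive")
	}
	it := &s.Items[idx]
	if qty > it.Count {
		return errors.New("not enough stock")
	}
	cost := it.Price * qty
	if cost/qty != it.Price { // multiplication overflowed
		return errors.New("quantity too large")
	}
	if cost > s.Coins {
		return errors.New("not enough coins")
	}
	s.Coins -= cost
	it.Count -= qty
	return nil
}

func main() {
	s := NewShop()
	_ = s.BuyUnchecked(1, -30)
	fmt.Println("unchecked: coins =", s.Coins, "apples =", s.Items[1].Count)
	h := NewShop()
	fmt.Println("checked:", h.Buy(1, -30))
}
```

The overflow check matters once the quantity is rejected for being negative: a very large positive quantity can wrap price times quantity back to a small or negative number and reopen the same hole from the other side.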
This prints the flag the way Go's fmt renders a byte slice: a bracketed list where each number is the decimal value of one character. I decoded it using CyberChef:
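The same decoding in Go, as an added example for this writeup rather than anything from the challenge. It parses the bracketed decimal list that fmt produces for a []byte, rejects values outside the byte range, and extracts the list from the full "Flag is:" line. The sample line is constructed from the transcript above; the function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DecodeGoByteSlice parses the form fmt.Println gives a []byte, e.g.
// "[112 105 99]", and returns the bytes as a string. Anything that is not a
// bracketed list of values in the range 0..255 is an error.
func DecodeGoByteSlice(s string) (string, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "[") || !strings.HasSuffix(s, "]") {
		return "", fmt.Errorf("not a bracketed list: %q", s)
	}
	var out []byte
	for _, field := range strings.Fields(s[1 : len(s)-1]) {
		n, err := strconv.Atoi(field)
		if err != nil || n < 0 || n > 255 {
			return "", fmt.Errorf("bad byte value %q", field)
		}
		out = append(out, byte(n))
	}
	return string(out), nil
}

// flagOutput is the final line of the netcat session above (constructed
// sample input for this example).
const flagOutput = "Flag is:  [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 98 56 100 55 50 55 49 102 125]"

// ExtractFlag takes a whole "Flag is: [...]" line and decodes the list part.
func ExtractFlag(line string) (string, error) {
	i := strings.Index(line, "[")
	if i < 0 {
		return "", fmt.Errorf("no list in %q", line)
	}
	return DecodeGoByteSlice(line[i:])
}

func main() {
	flag, err := ExtractFlag(flagOutput)
	if err != nil {
		panic(err)
	}
	fmt.Println(flag)
}
```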
