picoCTF 2021 Shop Writeup

Shop is a Reverse Engineering challenge worth 50 points.

It has this description:

Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf[.]net 11371.

This provides a file named source with a SHA256 hash of 143093e11677c3058a7ecf9cd9df21cb29e6ddd918c8a2b24c5d9b656e18043d.

Running file on it shows a 32-bit ELF with debug info that has not been stripped, but it is a Go binary:

source: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, Go BuildID=r5IKmnk_hVFErwy5ewa3/PyI570w85RI5Xa1aSnrW/RxmeFbAluXa5Hnisdodi/MJQIt60cZyLjm5Wta-r0, with debug_info, not stripped

I don’t have a ton of experience working with Go or reversing Go binaries, so I loaded source into Ghidra and hoped for the best.

Reviewing the Symbol Tree in Ghidra, I found an interesting function named main.get_flag:

Observing main.get_flag in the Ghidra Decompiler, I can see that this function likely reads the flag from the filesystem using ioutil.ReadFile:

Next, I searched for references to main.get_flag by right-clicking on the function’s name in the decompiler and selecting References -> Find References to main.get_flag. This showed a reference at 080d3ec3 that resides within the main.menu function.

I had a hard time making sense of Ghidra’s output, so I connected to the service using netcat and was presented with a simple menu-based store. This made the code make a bit more sense to me.

The next steps involved stepping through various options in the live instance of this code, comparing it to the disassembler. This took me several minutes of tabbing back and forth between my terminal and Ghidra’s decompiler.

Judging from the disassembly, I need to buy the Fruitful Flag in order to obtain the flag, but the store sells it for more coins than are in my wallet.

A common vulnerability in these kinds of puzzles is that the software accepts a negative number of items to buy or sell. I tried this theory out and it worked, so I had no reason to keep trying to make sense of the disassembled code:

% nc mercury.picoctf.net 11371
Welcome to the market!
=====================
You have 40 coins
	Item		Price	Count
(0) Quiet Quiches	10	12
(1) Average Apple	15	8
(2) Fruitful Flag	100	1
(3) Sell an Item
(4) Exit
Choose an option: 
1
How many do you want to buy?
-30
You have 490 coins
	Item		Price	Count
(0) Quiet Quiches	10	12
(1) Average Apple	15	38
(2) Fruitful Flag	100	1
(3) Sell an Item
(4) Exit
Choose an option: 
2
How many do you want to buy?
1
Flag is:  [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 98 56 100 55 50 55 49 102 125]

This prints the flag as a Go byte slice, that is, as a list of decimal character codes. I decoded the flag using CyberChef:
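As an added illustration (not code from the challenge binary or from this writeup), the following Go program reproduces the wallet math from the transcript with a quantity that is never range-checked, places the hardened check beside it, and decodes the byte-slice output on the "Flag is:" line back into a string. The purchase functions are a hypothetical reconstruction of the shop's logic, not its actual source.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// buyUnchecked models the purchase math the challenge appears to use: the
// quantity is applied with no range check, so a negative quantity credits
// the wallet and grows the stock (hypothetical reconstruction, not the source).
func buyUnchecked(coins, price, count, qty int) (newCoins, newCount int) {
	return coins - qty*price, count - qty
}

// buyChecked is the hardened form: it refuses non-positive quantities,
// more than the stock holds, and anything the wallet cannot cover.
func buyChecked(coins, price, count, qty int) (newCoins, newCount int, err error) {
	if qty <= 0 || qty > count {
		return coins, count, errors.New("invalid quantity")
	}
	if qty*price > coins {
		return coins, count, errors.New("not enough coins")
	}
	return coins - qty*price, count - qty, nil
}

// decodeByteSlice turns Go's default []byte print format, e.g. "[112 105 99]",
// back into the string it represents (the "Flag is:" line in the transcript).
func decodeByteSlice(s string) (string, error) {
	fields := strings.Fields(strings.Trim(strings.TrimSpace(s), "[]"))
	out := make([]byte, 0, len(fields))
	for _, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || n > 255 {
			return "", fmt.Errorf("bad byte %q", f)
		}
		out = append(out, byte(n))
	}
	return string(out), nil
}

func main() {
	c, n := buyUnchecked(40, 15, 8, -30) // transcript: 40 coins, apples cost 15, 8 in stock
	_, _, err := buyChecked(40, 15, 8, -30)
	fmt.Println("unchecked:", c, n, "checked:", err) // unchecked: 490 38 checked: invalid quantity
	flag, _ := decodeByteSlice("[112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 98 56 100 55 50 55 49 102 125]")
	fmt.Println(flag)
}
```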
