NahamCTF 2024 writeups for Ring Cycle 2
2024-05-28
Start
Like the first one, the program also need us to input the correct passphrase to get the flag.
❯ ./rhinegold
What is the passphrase of the vault?
> hello world
Wrong passphrase!
Code Content
Load it into IDA, we could quickly get of this, which almost as the first one in main function:
1 printf("What is the passphrase of the vault?\n> ");
2 fgets(s, 47, stdin);
3 s[46] = 0;
4 if ( (unsigned __int8)check(s) )
5 {
6 stream = fopen("rhinegold.txt", "r");
7 if ( !stream )
8 return -1;
9 fseek(stream, 0LL, 2);
10 nmemb = ftell(stream);
11 fseek(stream, 0LL, 0);
12 ptr = calloc(nmemb, 1uLL);
13 if ( !ptr )
14 return -1;
15 fread(ptr, 1uLL, nmemb, stream);
16 fclose(stream);
17 printf((const char *)ptr);
18 v4 = strlen(s);
19 MD5(s, v4, v9);
20 printf("flag{");
21 for ( i = 0; i <= 15; ++i )
22 printf("%02x", (unsigned __int8)v9[i]);
23 puts("}");
24 }
25 else
26 {
27 puts("Wrong passphrase!");
28 }
29 return 0;
So let’s check the check() function.
strcpy(nptr, "TIME");
seed = strtol(nptr, 0LL, 10);
srand(seed);
for ( i = 45LL; i; --i )
{
v1 = rand();
v5 = *(_BYTE *)(a1 + i);
*(_BYTE *)(a1 + i) = *(_BYTE *)(a1 + v1 % 46);
*(_BYTE *)(a1 + v1 % 46) = v5;
}
strcpy(v8, "cioerosgaenessT ns k urelh oLdTie heri nfdfR");
for ( j = 0; j <= 46; ++j )
{
if ( *(_BYTE *)(j + a1) != v8[j] )
return 0LL;
}
return 1LL;
In here, the logic also very clear, according to man 3 strtol, we could get that the seed variable is 0. so we could make the function logic more clear like follow:
srand(0);
for (int i = 45; i ; --i) {
int rand_idx = rand() % 46;
char tmp = a1[i];
a1[i] = a1[rand_idx];
a1[rand_idx] = a1[i];
}
strcpy(target, "cioerosgaenessT ns k urelh oLdTie heri nfdfR");
for (int j = 0; j <= 46; ++j) {
if (a1[j] != target[j])
return 0;
}
return 1;
Solution
This logic is clearer than the first level. The only thing to pay attention to is we need reverse the swap order.
#include <stdio.h>
static char target[47] = "cioerosgaenessT ns k urelh oLdTie heri nfdfR";
int main() {
// cause we need reverse order, so get the rand_idx first.
int idx[45] = {28, 33, 43, 17, 27, 10, 23, 32, 45, 5, 17, 22, 28, 44,45,
27, 39, 27,30, 16,24, 3, 25,34, 39,12, 8, 10,38, 40, 9, 17,
6, 39, 40, 1, 11, 24, 14, 23, 29, 25, 29, 0, 11};
for (int i = 1; i < 46; i++) {
char tmp = target[i];
target[i] = target[idx[i - 1]];
target[idx[i - 1]] = tmp;
}
printf("%s\n", target);
return 0;
}
use the correct passphrase to get the flag:
❯ ./rhinegold
What is the passphrase of the vault?
> This sounds like a Lord of The Rings reference
________________________________________░░░░____________░░░░______________________________________
________________________________░░______________________________░░░░______________________________
____________________________░░______________________________________░░░░__________________________
________________________________________________________________________░░________________________
______________________░░__________________________________________________░░░░____________________
______________________________________________________________________________░░__________________
______________________________________░░░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▒▒░░░░__________________░░________________
__________________________________░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒░░________________░░______________
______________________________░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒________________░░____________
__________________________░░▒▒▒▒▓▓▓▓▓▓▓▓▓▓░░______________▓▓▓▓▓▓▓▓▒▒░░░░____________░░░░__________
__________░░____________░░▒▒▓▓▓▓▓▓▓▓____________________________▓▓▓▓▓▓▒▒░░____________░░░░________
______________________░░▒▒▓▓▓▓▓▓____________________________________▓▓▒▒▒▒░░__________░░░░________
______________________▒▒▓▓▓▓▓▓________________________________________▓▓▓▓▒▒░░__________░░░░______
______░░____________▒▒▓▓▓▓▓▓____________________________________________▓▓▒▒░░░░________░░░░▒▒____
__________________░░▒▒▓▓▓▓░░____________________________________________░░▒▒▒▒░░░░______░░░░▒▒____
__________________░░▓▓▓▓▓▓________________________________________________▓▓▒▒░░░░______░░░░▒▒____
____░░____________▒▒▓▓▓▓____________________________________________________▒▒░░░░________░░▒▒▒▒__
____░░__________░░▓▓▓▓▓▓____________________________________________________▒▒▒▒░░░░______░░▒▒▒▒__
____░░__________▒▒▓▓▓▓________________________________________________________▒▒░░░░______░░▒▒▒▒__
________________▒▒▓▓▓▓________________________________________________________▒▒░░░░░░____░░▒▒▒▒__
__░░__________░░▓▓▓▓▒▒________________________________________________________▒▒░░░░░░____░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░░░________▒▒▓▓▓▓____________________________________________________________░░░░__░░░░░░▒▒▒▒▓▓
__░░░░________▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▒▒░░________▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▒▒░░░░______▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▓▓░░░░______░░▓▓▓▓▒▒________________________________________________________░░______░░░░▒▒▒▒▓▓▓▓
____▒▒░░________▒▒▓▓▓▓________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓__
____▒▒░░░░______░░▓▓▓▓________________________________________________________░░____░░░░▒▒▒▒▓▓▓▓__
____▓▓▒▒░░______░░▒▒▓▓▓▓____________________________________________________░░______░░▒▒▒▒▒▒▓▓▓▓__
____▓▓▒▒░░░░______▒▒▒▒▓▓__________________________________________________________░░░░▒▒▒▒▒▒▓▓▓▓__
______▒▒▒▒░░░░____▒▒▒▒▒▒▒▒________________________________________________________░░▒▒▒▒▒▒▒▒▓▓____
______▓▓▒▒░░░░____░░░░▒▒▒▒▓▓____________________________________________░░______░░░░▒▒▒▒▒▒▓▓▓▓____
________▒▒▒▒░░░░____░░▒▒▒▒▒▒▒▒________________________________________░░______░░░░▒▒▒▒▒▒▒▒▓▓______
__________▓▓▒▒░░░░__░░░░░░░░▒▒▓▓____________________________________░░______░░░░▒▒▒▒▒▒▓▓▓▓________
__________▓▓▓▓▒▒░░░░░░░░░░░░░░▒▒▒▒▓▓____________________________░░________░░░░▒▒▒▒▒▒▓▓▓▓▓▓________
____________▓▓▓▓▒▒░░░░░░░░░░░░░░░░▒▒▒▒▒▒▒▒________________░░░░__________░░░░▒▒▒▒▒▒▓▓▓▓▓▓__________
______________▓▓▓▓▒▒░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░________________░░░░▒▒▒▒▒▒▓▓▓▓▓▓____________
________________▓▓▒▒▒▒▒▒░░░░░░░░░░░░░░░░░░________________________░░░░▒▒▒▒▒▒▒▒▒▒▓▓▓▓______________
__________________▓▓▓▓▓▓▒▒▒▒░░░░░░░░░░░░░░░░______________░░░░░░░░▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓________________
____________________▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒░░░░░░░░░░░░░░░░░░░░░░░░▒▒▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓▓▓__________________
______________________██▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓▓▓██____________________
__________________________██▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓██________________________
____________________________████▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓████__________________________
________________________________████████▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓████████______________________________
________________________________░░░░░░░░▓▓██████████████████░░░░░░░░______________________________
flag{a59b300dcc0253601d3faea254c58fdd}