BuckeyeCTF 2023 - replace-me
Description
Category: Misc
Author: rene
I knew I shouldn’t have gotten a cheap phone :/
Attachments:
Resolution
1. Android bootimg
First, we determine the file type with file:
$ file dist
dist: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.hardware=mako lpj=67677 user_debug=31)
It seems to be the boot partition of an Android phone.
2. Extract the Kernel and the Ramdisk
I followed this guide[1] to extract all the content.
We verify that dist is a correct boot image (contains kernel + ramdisk):
$ abootimg -i dist
Android Boot Image Info:
* file name = dist
* image size = 6506496 bytes (6.21 MB)
  page size = 2048 bytes
* Boot Name = ""
* kernel size = 6009416 bytes (5.73 MB)
  ramdisk size = 491824 bytes (0.47 MB)
* load addresses:
  kernel: 0x80208000
  ramdisk: 0x81800000
  tags: 0x80200100
* cmdline = console=ttyHSL0,115200,n8 androidboot.hardware=mako lpj=67677 user_debug=31
* id = 0xf633aef3 0x28435904 0xd274b946 0x75d5562f 0x2aea479c 0x00000000 0x00000000 0x00000000
Now that we have verified it, we can extract the kernel and the ramdisk:
$ abootimg -x dist
writing boot image config in bootimg.cfg
extracting kernel in zImage
extracting ramdisk in initrd.img
We extract the content of initrd.img:
$ mkdir initrd
$ cd initrd
$ cat ../initrd.img | gunzip | cpio -vid
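To show what the abootimg -i and -x steps above read from the file, here is an added example (not part of the original writeup and not abootimg's code) that parses a boot image header and slices out the kernel and ramdisk. It assumes the legacy version 0 header layout; the function names and the sample image are constructed for illustration.

```python
import struct

# Legacy (v0) boot_img_hdr, little-endian: magic, 10 x u32, name, cmdline, id.
HDR = struct.Struct("<8s10I16s512s32s")

def pad(n, page):
    """Round n up to a whole number of pages."""
    return (n + page - 1) // page * page

def layout(kernel_size, ramdisk_size, second_size, page):
    """Section offsets: header fills page 0, then kernel, ramdisk, second stage."""
    kernel = page
    ramdisk = kernel + pad(kernel_size, page)
    second = ramdisk + pad(ramdisk_size, page)
    return {"kernel": kernel, "ramdisk": ramdisk, "second": second,
            "end": second + pad(second_size, page)}

def parse_bootimg(data):
    """Return header fields plus the raw kernel and ramdisk bytes."""
    if len(data) < HDR.size:
        raise ValueError("too short for a boot image header")
    (magic, k_size, k_addr, r_size, r_addr, s_size, _s_addr, tags, page,
     _ver, _os, _name, cmdline, _id) = HDR.unpack_from(data)
    if magic != b"ANDROID!":
        raise ValueError("bad magic, not an Android boot image")
    if page == 0 or page & (page - 1):
        raise ValueError("page size is not a power of two")
    off = layout(k_size, r_size, s_size, page)
    if off["ramdisk"] + r_size > len(data):
        raise ValueError("image is truncated")
    return {"page_size": page, "kernel_addr": k_addr, "ramdisk_addr": r_addr,
            "tags_addr": tags,
            "cmdline": cmdline.split(b"\0", 1)[0].decode("ascii", "replace"),
            "kernel": data[off["kernel"]:off["kernel"] + k_size],
            "ramdisk": data[off["ramdisk"]:off["ramdisk"] + r_size]}

def build_sample():
    """Constructed image (not the challenge file): 3000-byte kernel, 100-byte ramdisk."""
    page, kernel, ramdisk = 2048, b"K" * 3000, b"\x1f\x8b" + b"R" * 98
    hdr = HDR.pack(b"ANDROID!", len(kernel), 0x80208000, len(ramdisk), 0x81800000,
                   0, 0, 0x80200100, page, 0, 0, b"", b"console=ttyHSL0,115200,n8", b"")
    return (hdr.ljust(page, b"\0") + kernel.ljust(pad(len(kernel), page), b"\0")
            + ramdisk.ljust(pad(len(ramdisk), page), b"\0"))

if __name__ == "__main__":
    info = parse_bootimg(build_sample())
    print(info["page_size"], len(info["kernel"]), len(info["ramdisk"]), info["cmdline"])
    # Sizes reported by abootimg above: the layout reproduces the image size.
    print(layout(6009416, 491824, 0, 2048)["end"])
```

Feeding the kernel and ramdisk sizes from the abootimg -i output into layout() gives an end offset equal to the reported image size, which confirms the one-page header plus page-padded sections.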
3. Searching for the flag
Now that we have extracted all the files, it’s time to find the flag.
I tried to find the flag with grep but found nothing:
$ grep -rna bctf
{NOTHING}
Then I browsed the files looking for non-text files and found the flag in an image (initrd/res/images/charger/battery_fail.png):
bctf{gr33n_r0b0t_ph0N3}
Additional resources
This post is licensed under CC BY 4.0 by the author.