Post

Ph0wn CTF 2023 - Teaser

Posted
By Nolliv22 2 min read

Description

Posted on the Discord server.

🔥 Teaser

We’re a bit disappointed.

We’ve put something special on Ph0wn’s website since ~June and nobody has noticed yet! 🧐

Come on! Get ready hackers!

https://ph0wn.org/

Solution

1. Find the “something special”

From the message we know something has been put on the website since June.

I knew that ph0wn CTF had a Github page so I checked if there was a repository related to their website:

Ph0wn Github

There is indeed a repository for the website. Then I checked the commit history to see if there was anything suspicious around June.

I found a commit with a very suspicious message:

Commit

The commit added a picture visually identical to the previous one but has 9.32 KB more data:

Commit diff

There must be something hidden in the new picture, so I downloaded it and tried to find the hidden file inside the picture.

2. Extract the hidden file

I used Aperi’Solve to apply multiple steganography tools on the picture.

On the Binwalk section, we can see that there is an executable at the end of the file which should be the hidden file:

Binwalk

3. Binary analysis

The executable is an ARM 64-bit executable:

1
2

$ file 281D0
281D0: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=8c3971d6f371f35f21e07be9aea36133b62f3bfc, for GNU/Linux 3.7.0, not stripped

Using Ghidra, we can see that the executable prints an obfuscated string:

1
2
3
4
5
6
7
8
9
10
11
12

void main(void)

{
  undefined auStack_b0 [168];
  void *local_8;
  
  memcpy(auStack_b0,&DAT_001009e8,0xa8);
  local_8 = (void *)deobfuscate(auStack_b0,0xa8,0x23);
  printf("%s",local_8);
  free(local_8);
  return;
}

We could deobfuscate it but since the program already prints the deobfuscated message, we just need to run it.

To run the ARM binary on a x86_64 Linux system, I followed this guide RUNNING ARM BINARIES ON X86 WITH QEMU-USER and got this output:

1
2
3
4

$ qemu-aarch64 -L /usr/aarch64-linux-gnu ./281D0
----- PDU---1/1 ------
001100098121436587F900000B3CC176589F769F43A0ECBB0E9A87EFA0343D046296E9A0FA1CB476BFEFA186028E86DDDD1BD4BDDC92B6EEE1343DED3EB768ADEA2605
Length: 66

4. PDU

After some research, the PDU from the message seems to mean Protocol data unit.

I search for any Github project related to PDU on Google and I found that it can be decoded:

Google

Then I search for a PDU decoder and the first result was about SMS PDU Decoder/Converter.

I used this tool to decode the message:

Decoder

and here is the flag: ph0wn{we-R-waiting-4-U}.

Writeups, Ph0wn CTF 2023
Misc
This post is licensed under CC BY 4.0 by the author.