What is an ogre’s favourite network arrangement? … onion routing

  • Author: Sun G
  • Attachment: layers


0x1 basic information

Starting the binary, the goal seems simple: enter the correct answers, and something will happen, hopefully we get the flag. Digging deeper using GDB, we see, that the challenge uses strcmp in order to check, if the answer we provided is correct. I have looked at the source code using Ghidra as well, but seemed like the strings are somewhat obfuscated, so I tried going another way, which turned out to be a great idea.

0x2 solution

Since we are running this program on our own machine, noone is stopping us from modifying the containts of the registers. This lets us save a ton of work. Let the program deobfuscate the correct answer for itself, then right before the call to strcmp we can just steal it.

The challenge name suggests, that we are going to have to do this a couple of times, so I went ahead and automated it using gdb scripts. To not present you a one-click solution, the gdb script is removed from this writeup, however with the above described method, one should be able to replicate my solution.

The acquired flag is:


← Back to SecChallenge22

all tags