In this challenge we got a binary called whatson. Unfortunately not able to run it, it’s always complaining with
Unable to open/validate interpreter
Google helps us with this phrase and leads us to “sherlocked” https://github.com/elfmaster/sherlocked, basically a script-lock tool that contains the script in an encrypted version.
The way to solve this was: first getting what interpreter it tries to run and then (obviously) getting the flag.
Disassembling a bit and looking into the main function we see it’s trying to open ‘./python2.7’ as the interpreter. Looking into sherlocked’s stub.c we find out what actually happens there (better than any decompiler ;) ) https://github.com/elfmaster/sherlocked/blob/master/stub.c
The MD5 check later with a (to me unknown) MD5-hash of a python2.7 interpreter was easy to bypass: Just patch the binary, it’s not doing any checks on itself. I solved it by patching bail_out() at 0x4010ca with a simple “ret”. Then it was just easy to use any python binary (or actually cat if you want to see the source) like:
ccm@ctf:~$ cp `which python2.7` python2.7 ccm@ctf:~$ ./whatson Greetings from elfmaster 31C3_there_is_nothing_like_first_hand_evidence ccm@ctf:~$
The python code is:
ccm@ctf:~$ cp `which cat` python2.7 ccm@ctf:~$ ./whatson #!/usr/bin/env python2 import binascii bindata = "cccebccca08b979a8d9aa0968ca091908b97969198a09396949aa099968d8c8ba0979e919ba09a89969b9a919c9a" flag = "" for x in binascii.unhexlify(bindata): flag += chr(ord(x)^0xff) print "Greetings from elfmaster" print flag