Remote Web

This was an easy task. We are asked to connect through ssh onto a box and find a forgotten port on What we found, once we logged into the box, was that almost every program in /bin was deleted/inaccessible except nc. Luckily, with nc we can still do a port scan with something like **nc -zv 1-65535**, and after some time a port was reported as open: 54231.

team@volgactf2015:/$ nc 54321

Flag is {NoBeerATm@y1st}


This binary had some anti-debugging measures, but they were easily bypassable just by breaking on the check that it makes on stat_loc.__uptr and setting $rax to 0. Then the binary does some calculation using the GMP library on our argv[1], char by char. At the end a huge number comes up and it is converted into a binary string. This binary string is passed as an argument to the 0x400b5d subroutine, which performs a transformation against a prefixed binary string:


This function returns a new binary string built by comparing the two previous strings char by char. If the two chars are equal, a “1” is added, otherwise a “0”.

Then the resulting string will be converted back to ASCII format and if it’s equal to “From a seed a mighty trunk may grow.” then we win.

So to solve this we started from the bottom and found the binary string of that string which is:


Then we made a script that will reverse it following the rules used in the 0x400b5d function and got this binary number:


Now this number is the one that we have to get from those calculations with the GMP library. To find the right string that produces it, we made a tiny script that finds it for us:

And that string will be the flag to submit.
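
The reversal of the 0x400b5d comparison step described above, as an added example that is not the script from the original write-up. The fixed string from the binary is not on this page, so `sample_fixed_bits` builds a constructed stand-in; the 8-bit, MSB-first ASCII encoding and all function names are assumptions.

```python
# Added illustration: invert the "equal -> 1, different -> 0" comparison.
TARGET = "From a seed a mighty trunk may grow."  # string the binary checks for

def text_to_bits(text):
    # Assumption: 8 bits per ASCII character, most significant bit first.
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))

def bits_to_text(bits):
    if len(bits) % 8:
        raise ValueError("bit string length must be a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def compare_bits(input_bits, fixed_bits):
    # Forward step as the write-up describes it: '1' where the chars match.
    if len(input_bits) != len(fixed_bits):
        raise ValueError("bit strings must have the same length")
    return "".join("1" if a == b else "0" for a, b in zip(input_bits, fixed_bits))

def recover_input(output_bits, fixed_bits):
    # Inverse step: an output '1' means the input bit equals the fixed bit,
    # an output '0' means it is the opposite bit.
    if len(output_bits) != len(fixed_bits):
        raise ValueError("bit strings must have the same length")
    flip = {"0": "1", "1": "0"}
    return "".join(f if o == "1" else flip[f] for o, f in zip(output_bits, fixed_bits))

def sample_fixed_bits(length):
    # Constructed placeholder, NOT the constant embedded in the challenge binary.
    return ("0110100110010110" * (length // 16 + 1))[:length]

def required_number(input_bits):
    # Assumption: the bit string is the base-2 rendering of the GMP result.
    # Leading zero bits are not representable in the integer form.
    return int(input_bits, 2)

if __name__ == "__main__":
    target_bits = text_to_bits(TARGET)
    fixed_bits = sample_fixed_bits(len(target_bits))
    needed = recover_input(target_bits, fixed_bits)
    # Feeding the recovered bits through the forward step reproduces the target.
    assert bits_to_text(compare_bits(needed, fixed_bits)) == TARGET
    print("bit string the GMP stage must produce:", needed)
    print("as an integer:", required_number(needed))
```

Because the comparison is a bitwise XNOR, it is its own inverse given the fixed string, which is why working backwards from the expected sentence is enough to recover the intermediate number.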