Story line

Johannesburg - Hideout

Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building’s entrance.

Challenge: Konski-Hiakawa Law of Droids (reversing)

In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{…} to submit it. Note, API Level 25 is what you’re looking for.

After solving

Congratulations, you successfully sneaked past the guards, and now you are inside the main building in the secret lair. Look over there, a safe case! Wait, what, it is open, no way! It’s only a photo inside, what a disappointment… But wait, don’t get hasty now, it seems like it’s an airport in the picture, it’s Heathrow, and there is something scribbled on the back, it’s coordinates to a secret warehouse at Heathrow, it seems like London is calling!

Attachment

attachment.zip (file too large)

Recon

The attachment contains four files: bzImage, bzImage.elf, bzImage.elf.i64 and gCTF.apk.

Solving

To start off, I don’t think I solved it in the intended way as this challenge took me only a few minutes.

As always, I started off by listing the strings in the binary files using the following command.

strings --print-file-name * | grep CTF

This listed a lot of strings, which is expected when there is an app with CTF in the name. So I did the same command, but this time only on the other files:

strings --print-file-name bzImage* | grep CTF

This returned three lines:

bzImage: CTF!
bzImage.elf: gCTF:KEY:
bzImage.elf: C300-CTFDDAC128MAG

gCTF:KEY looks interesting, so I used grep to get the content around it and then piped it into bat (cat would work as well, but bat looks nicer) to see the non-printable characters.

grep -B 2 -A 2 -a gCTF bzImage.elf | bat -A

␀free_calls␀alloc_calls␀validate␀store_user␀poison␀red_zone␀sanity_checks␀total_objects␀slabs␀
destroy_by_rcu␀cache_dma␀hwcache_align␀reclaim_account␀slabs_cpu_partial␀objects_partial␀objec
ts␀cpu_slabs␀partial␀aliases␀ctor␀cpu_partial␀min_partial␀objs_per_slab␀object_size␀align␀slab
_size␀nr_succeeded=%lu·nr_failed=%lu·mode=%s·reason=%s␊
␀succeeded␀failed␀enum·migrate_mode␀reason␀mm/migrate.c␀MIGRATE_ASYNC␀MIGRATE_SYNC_LIGHT␀MIGRA
TE_SYNC␀memory_failure␀memory_hotplug␀syscall_or_cpuset␀mempolicy_mbind␀cma␀mm_migrate_pages␀m
igrate␀mm/page_isolation.c␀\u{1}3VFS:·Close:·file·count·is·0␊
␀fs/open.c␀SusanSue␀/sdcard/Download/Raven.txt␀gCTF:KEY:␀SB:575756␀\u{1}6VFS:·file-max·limit·%
lu·reached␊
␀fs/file_table.c␀filp␀files_lglock␀VFS:·Busy·inodes·after·unmount·of·%s.·Self-destruct·in·5·se
conds.··Have·a·nice·day...␊
␀fs/super.c␀\u{1}3VFS:Filesystem·freeze·failed␊

This output shows that the value of gCTF:KEY is SB:575756. I added the CTF{} brackets and submitted it.

Solution

The flag is correct! It’s CTF{SB:575756}.