HackVent 2023 - [HV23.14] Crypto Dump

Posted on Jan 1, 2024

Difficulty: Medium

Categories: Reverse Engineering, Cryptography, Forensic

Author: LogicalOverflow

To keep today’s flag save, Santa encrypted it, but now the elf cannot figure out how to decrypt it. The tool just crashes all the time. Can you still recover the flag?

After reverse engineering the binary and identifying that r13 points to the encrypted flag and r15 to the key, we can load the binary into gdb together with the coredump and dump both buffers:

$ gdb -q flagsave coredump
pwndbg> info registers
rax            0x0                 0
rbx            0x2b                43
rcx            0x9f5be40e          2673599502
rdx            0x3                 3
rsi            0x8                 8
rdi            0x8                 8
rbp            0x7ffeef3dd718      0x7ffeef3dd718
rsp            0x7ffeef3dd660      0x7ffeef3dd660
r8             0x3c                60
r9             0x7fc80c16f520      140497173017888
r10            0x3c                60
r11            0x40cbb7            4246455
r12            0x7fc80c170030      140497173020720
r13            0x7fc80c16f040      140497173016640
r14            0x40c0fb            4243707
r15            0x7ffeef3dd670      140732912227952
rip            0x40113a            0x40113a <main+250>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x4136d8            4273880
gs_base        0x0                 0
pwndbg> x/44xb 0x7fc80c16f040
0x7fc80c16f040: 0xaf 0x71 0x38 0xad 0x96 0x08 0xc9 0x14
0x7fc80c16f048: 0xbe 0xbd 0xfe 0x19 0xbe 0x9f 0x28 0x25
0x7fc80c16f050: 0xbd 0x98 0xa7 0x0f 0xfd 0x3a 0x45 0x58
0x7fc80c16f058: 0x18 0x8f 0x8d 0x8e 0xf8 0xbb 0x15 0x66
0x7fc80c16f060: 0x73 0x5f 0x0b 0x61 0x81 0x35 0xbe 0xb5
0x7fc80c16f068: 0x0d 0x80 0xc9 0x00
pwndbg> x/40xb 0x7ffeef3dd670
0x7ffeef3dd670: 0x9b 0xaf 0x7d 0x5c 0xac 0x41 0x41 0xc8
0x7ffeef3dd678: 0xcb 0x8c 0xfa 0x3f 0xd2 0x70 0xfc 0x4b
0x7ffeef3dd680: 0xee 0xa0 0xcd 0x54 0x0a 0x54 0x25 0x0a
0x7ffeef3dd688: 0xd8 0x8f 0x8f 0x94 0xcb 0x40 0x0f 0x91
0x7ffeef3dd690: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

We then transcribe these dumps into a Python script that writes the encrypted flag and the key to disk:

from binascii import unhexlify

# Ciphertext: the 44 bytes dumped at r13 (0x7fc80c16f040)
flag = "af7138ad9608c914bebdfe19be9f2825bd98a70ffd3a4558188f8d8ef8bb1566"
flag += "735f0b618135beb50d80c900"

with open("flag.txt", "wb") as f:
    f.write(unhexlify(flag))

# Key: the first 32 bytes dumped at r15 (0x7ffeef3dd670)
key = "9baf7d5cac4141c8cb8cfa3fd270fc4beea0cd540a54250ad88f8f94cb400f91"
with open("key", "wb") as f:
    f.write(unhexlify(key))
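
Transcribing the dumps into hex strings by hand is easy to get wrong. As an added example (not part of the original write-up), the script below parses the `x/Nxb` output from the gdb session above directly into bytes and rejects malformed or non-contiguous lines. The names `parse_gdb_bytes`, `FLAG_DUMP` and `KEY_DUMP` are made up for this example.

```python
import re

# gdb `x/44xb` and `x/40xb` output copied from the session above (r13 and r15).
FLAG_DUMP = """
0x7fc80c16f040: 0xaf 0x71 0x38 0xad 0x96 0x08 0xc9 0x14
0x7fc80c16f048: 0xbe 0xbd 0xfe 0x19 0xbe 0x9f 0x28 0x25
0x7fc80c16f050: 0xbd 0x98 0xa7 0x0f 0xfd 0x3a 0x45 0x58
0x7fc80c16f058: 0x18 0x8f 0x8d 0x8e 0xf8 0xbb 0x15 0x66
0x7fc80c16f060: 0x73 0x5f 0x0b 0x61 0x81 0x35 0xbe 0xb5
0x7fc80c16f068: 0x0d 0x80 0xc9 0x00
"""
KEY_DUMP = """
0x7ffeef3dd670: 0x9b 0xaf 0x7d 0x5c 0xac 0x41 0x41 0xc8
0x7ffeef3dd678: 0xcb 0x8c 0xfa 0x3f 0xd2 0x70 0xfc 0x4b
0x7ffeef3dd680: 0xee 0xa0 0xcd 0x54 0x0a 0x54 0x25 0x0a
0x7ffeef3dd688: 0xd8 0x8f 0x8f 0x94 0xcb 0x40 0x0f 0x91
0x7ffeef3dd690: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
"""
# One dump line: address, optional <symbol+off>, colon, then 0xNN byte tokens.
LINE_RE = re.compile(r"\s*(0x[0-9a-fA-F]+)(?:\s+<[^>]*>)?:((?:\s+0x[0-9a-fA-F]{2})+)\s*")


def parse_gdb_bytes(dump):
    """Return (start_address, data) for gdb x/Nxb output; reject gaps and junk."""
    start, data = None, bytearray()
    for line in filter(str.strip, dump.splitlines()):
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"not an x/xb line: {line!r}")
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != start + len(data):
            raise ValueError(f"non-contiguous dump at {addr:#x}")
        data += bytes(int(tok, 16) for tok in m.group(2).split())
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(data)


if __name__ == "__main__":
    _, flag = parse_gdb_bytes(FLAG_DUMP)
    _, key = parse_gdb_bytes(KEY_DUMP)
    # Assumption: like the script above, keep only the first 32 key bytes
    # (the last 8 dumped bytes are zero) and use the same file names.
    for path, blob in (("flag.txt", flag), ("key", key[:32])):
        with open(path, "wb") as f:
            f.write(blob)
```
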

Finally, we can run the flagsave binary with the d argument to decrypt:

$ ./flagsave flag.txt d

We can then read out the flag: HV23{17's_4ll_ri6h7_7h3r3}