Boston Key Party 2015 - Wellington

Recover the flag by intercepting and recording the dynamic library calls of a Linux binary.

Introduction

Wellington was a reverse engineering challenge at Boston Key Party 2015.

Wellington

If you had the code, you'd see that the program is calling `decrypt("[QeZag^VQZShWQgeWVQSe]ZW^^Q[`efWSV", X)`. Unfortunately, you don't have it, HAHAHAHAHAHA. Ho, and by the way, the flag ends with a dot.

Identification

The given file "troll_log.4643d195d55746aa180abf7144909677" is an ELF 64-bit binary.
After inspecting its content with a hexadecimal editor we can assert that this is a compiled Perl Prolog script.

The application calls the read function to prompt for the password. We can assume it uses strcmp to compare the user input with the correct password.

Library call tracing

Static analysis of the file would take a lot of time. The quickest way to solve the challenge is probably to trace the calls the binary makes into its shared libraries.
We can use ltrace to intercept these dynamic library calls.

ltrace -s 64 ./troll_log.4643d195d55746aa180abf7144909677

The previous command prints a long stream of library calls until it reaches the read function. At that point we type a dummy password such as "X." and press enter, and the application continues running until it exits.

If you pay attention to the output of ltrace, you have probably already spotted the flag.
Indeed, the strcmp function is called more than 200 times with the flag as one operand and various other strings as the other.

strcmp("LOSE", "i_should_have_used_askhell_instead") = -29
strcmp("SIGABRT", "i_should_have_used_askhell_instead") = -22
strcmp("SIGALRM", "i_should_have_used_askhell_instead") = -22
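The same observation can be automated: the string that appears most often as an strcmp operand is the one the program keeps checking input against. The script below is an added example, not part of the original write-up; it runs over a constructed trace excerpt modelled on the lines above (the real trace has 200+ such lines) and then cross-checks the candidate against the ciphertext quoted in the challenge text by looking for a constant byte offset between the two strings.

```python
import re
from collections import Counter

# Constructed excerpt of ltrace output, modelled on the strcmp lines in the
# write-up; the real trace contains far more lines.
SAMPLE_TRACE = """\
read(0, "X.\\n", 4096) = 3
strcmp("LOSE", "i_should_have_used_askhell_instead") = -29
strcmp("SIGABRT", "i_should_have_used_askhell_instead") = -22
strcmp("SIGALRM", "i_should_have_used_askhell_instead") = -22
strcmp("X.", "i_should_have_used_askhell_instead") = 15
strcmp("SIGALRM", "LOSE") = 7
"""

# Matches ltrace's rendering of strcmp(arg1, arg2); escaped quotes inside the
# string arguments are allowed.
STRCMP_RE = re.compile(r'^strcmp\("((?:[^"\\]|\\.)*)", "((?:[^"\\]|\\.)*)"\)')

def strcmp_args(trace):
    """Yield (arg1, arg2) for every strcmp line in ltrace output."""
    for line in trace.splitlines():
        m = STRCMP_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def most_compared_strings(trace, top=3):
    """Count each string's appearances as an strcmp operand; the flag is the
    string everything else gets compared against."""
    counts = Counter()
    for a, b in strcmp_args(trace):
        counts[a] += 1
        counts[b] += 1
    return counts.most_common(top)

def constant_shift(ciphertext, plaintext):
    """Return the offset d with plaintext[i] == ciphertext[i] + d at every
    position, or None if the strings are not related by a single shift."""
    if len(ciphertext) != len(plaintext):
        return None
    diffs = {ord(p) - ord(c) for c, p in zip(ciphertext, plaintext)}
    return diffs.pop() if len(diffs) == 1 else None

CHALLENGE_CIPHERTEXT = "[QeZag^VQZShWQgeWVQSe]ZW^^Q[`efWSV"  # from the challenge text

if __name__ == "__main__":
    (candidate, n), *_ = most_compared_strings(SAMPLE_TRACE)
    print(f"most compared string ({n} times): {candidate}")
    print("byte shift vs. challenge ciphertext:", constant_shift(CHALLENGE_CIPHERTEXT, candidate))
    print("flag:", candidate + ".")  # the challenge says the flag ends with a dot
```

Against the real trace, pipe ltrace's output into the script (ltrace writes to stderr, so redirect with `2>&1`) instead of using the embedded excerpt.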