# TAMUctf - RE (Band Aid)

This was a great CTF competition because it had a lot of great beginner challenges. I loved this challenge, even though I did some stupid things that made it take a lot longer than it should.

## The Challenge

I download the executable onto my Windows machine and place it into my shared folder with Kali.

So first, let’s run it.

```
root@kali:~/Documents/CTF/TAMU# ./e0dd79b3d9b05e80
this code needs a band aid
```

Okay, not a lot to go off of. I wanted to get an idea of what's in the program and how it flows, so next up is disassembling it in IDA. I let it detect the file type (x64 ELF), scan the file, and take me to the main function, then zoom out to see the full graph view.

So we can see that we have a main function that prints the string "this code needs a band aid", compares the value at EBP+constant (which is loaded with 0xD6 + 0x1 = 0xD7) against 0x124B, and then calls f2(void) if EBP+constant is greater than 0x124B, or otherwise jumps to the exit.

Clearly, 0xD7 is not greater than 0x124B, so we have to rewrite the assembly so that we don't take the jump, by replacing 0x124B with a number smaller than 0xD7. I chose 0xD6.

You can patch a program in several ways. In IDA you can do this by going to Edit -> Patch Program -> Change byte… I found the bytes 4B 12 (the immediate 0x124B stored in little-endian order) and replaced them with D6 00 (0x00D6).

Then you can commit your changes at Edit -> Patch Program -> Apply patches to input file.

Let’s run it!

```
root@kali:~/Documents/CTF/TAMU# ./e0dd79b3d9b05e80
this code needs a band aid
result
L/R8ejlvVP4+JvgvsSI+JaLn6YCArf5fTAIfUwMNCrJ8HkRkQLEB5RH5COF1+9mSQoGY8wG23AtDyM0OEgm+zFCTibFOgieixjrv5OHAIB+akOahMWoyt/qAGnK9ZsLsv20apyzlH0llafbfQ0MkurU/c8O3Xj3m0VL1GOjHk14=
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDY1Q0WmpZbkdpTVl0RWQ3Ky9ZdEZnR0UzZQpnVGtXQml3aFdDbjQxTFBTWXN1cSs0T1FwbkJNWVI1WXRMYjk0V083aTZ2R2FPT05zc0hOZFlBZG5SRE04aUxTCnYvclQwdU90Z1N3ZFpOaUxDN242Z0gvODhSakZRRUxqbUpXUXpnc1g4Q1VxZFpvNEpyTWZCU213d0RZQTVCbTAKYjc2Z3ptcWgreUxYYSt1bk9RSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
```

Those equal signs on the end definitely look like Base64 encoding. Let's decode. The first string didn't decode to anything but gibberish, but the next two were interesting.

```
-----BEGIN RSA PRIVATE KEY-----
[private key body omitted]
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcT4ZjYnGiMYtEd7+/YtFgGE3e
gTkWBiwhWCn41LPSYsuq+4OQpnBMYR5YtLb94WO7i6vGaOONssHNdYAdnRDM8iLS
v/rT0uOtgSwdZNiLC7n6gH/88RjFQELjmJWQzgsX8CUqdZo4JrMfBSmwwDYA5Bm0
b76gzmqh+yLXa+unOQIDAQAB
-----END PUBLIC KEY-----
```

We're getting somewhere! Now cue me spending a day casually ignoring the first string, the one that didn't decode to anything readable, while furiously combing through the assembly to figure out what to use the RSA keys on. Sigh.

Anyway, it finally hits me that what I’m supposed to decrypt was staring me in the face this whole time. I save the result of the base64 decryption to a file named ‘ciphertext’, run it through the OpenSSL RSA decrypter, and I’m done…?

```
root@kali:~/Documents/CTF/TAMU# openssl rsautl -decrypt -inkey privatekey < encrypted > decrypted
RSA operation error
```

Cue me spending another half a day trying to figure out how to get the padding right. I'm learning, but the process is painful: I spend that half day looking through StackOverflow for someone's solution to this error, and not once does it occur to me to just look at the man page. Never assume StackOverflow has answered everything, rookie mistake. At last it occurred to me to look up the manual page.

```
-pkcs, -oaep, -ssl, -raw
    the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, special padding used in SSL v2 backwards compatible handshakes, or no padding, respectively. For signatures, only -pkcs and -raw can be used.
```

Ah.

```
root@kali:~/Documents/CTF/TAMU# openssl rsautl -decrypt -inkey privatekey < encrypted > decrypted -raw
root@kali:~/Documents/CTF/TAMU# cat decrypted
gigem{pirate_iter_v2_660c6b7aed3b905b}
```
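To see why the default mode failed and `-raw` worked, here is an added example (not part of the writeup, and not the challenge's key) that models both modes of `openssl rsautl -decrypt` in Python on a constructed demo key: a ciphertext produced with textbook, unpadded RSA cannot pass the PKCS#1 v1.5 block check, while raw decryption just returns the block as-is.

```python
import os
# Constructed demo key built from two Mersenne primes so the values are easy to
# verify. It is NOT the challenge's key and is far too small for real use.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
K = (N.bit_length() + 7) // 8       # modulus size in bytes (25 here)

def rsa_raw_encrypt(msg: bytes) -> bytes:
    """Textbook RSA, c = m^e mod n, with no padding at all."""
    m = int.from_bytes(msg, "big")
    assert m < N, "message must be numerically smaller than the modulus"
    return pow(m, E, N).to_bytes(K, "big")

def rsa_raw_decrypt(ct: bytes) -> bytes:
    """What `openssl rsautl -decrypt -raw` does: m = c^d mod n as a full K-byte
    block. Nothing is checked, so this mode cannot report a padding error."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def rsa_pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """Encrypt side of the default `-pkcs` mode: EM = 00 02 <PS> 00 <msg>,
    where PS is at least 8 random non-zero bytes."""
    assert len(msg) <= K - 11, "message too long for PKCS#1 v1.5"
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def rsa_pkcs1_v15_decrypt(ct: bytes):
    """Decrypt side of the default `-pkcs` mode. After exponentiation the block
    must have the 00 02 ... 00 layout; anything else is rejected, which is the
    'RSA operation error' in the writeup. Returns None for a malformed block."""
    em = rsa_raw_decrypt(ct)
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                      # PS must be at least 8 bytes
        return None
    return em[sep + 1:]

def recover_flag(ct: bytes) -> bytes:
    """Raw decryption of a raw ciphertext gives the message left-padded with
    zero bytes; `cat` simply printed those invisibly before the flag."""
    return rsa_raw_decrypt(ct).lstrip(b"\x00")
```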