
RE - Hidden in Plain Sight

Points unknown

Last updated 3 years ago

Description

Can you find the flag hidden In Plain Sight?

Downloads

Solution

We are given a 32-bit PE binary. Running it gives us a console menu.

After some exploration, it seems like the only useful function is '3) Obtaining A Flag'. Let's take a quick look in Ghidra.

It seems like we almost have the flag (in plain sight), but not quite. We can only recover a partial flag: SBCTF{rana_Hominis}. Now it is time to run it in our favourite debugger and set a breakpoint right before the flag check (0x671F7E).

We input the partial flag we have and start stepping through the instructions. At 0x671FD5 - 0x671FD8 we can tell that there is actually another character before 'r', and it can be calculated as 0x1513 / 0x53 = 0x41, which is the character 'A'.

Now let's restart the program with our newfound character. We can confirm that it is correct if the debugger doesn't jump out of the flag check early.

Indeed, the character 'A' was missing. If we continue to step through the instructions, at 0x672012 we realise that we are short of another character. Stepping further, we find that the program subtracts the first missing character (which we found to be 'A') from the next missing character and checks whether the result is equal to 0x24 (ASCII for '$'). Reversing the equation, missing character = 0x24 + 0x41, which is 0x65 (ASCII for 'e'). Now we have the complete flag!

Flag: SBCTF{Aranea_Hominis}
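
The two checks observed in the debugger can be written down as constraints and solved over printable ASCII, then re-verified against a small model of the checker. This is an added example, not code from the binary or the original writeup; the product form of the first check, the insertion indices (read off the final flag) and all function names are assumptions.

```python
# Added example: models the two checks described in the writeup; not the binary's code.
PARTIAL = "rana_Hominis"       # inner text of the partial flag from the writeup
PRINTABLE = range(0x21, 0x7F)  # candidate flag bytes (printable ASCII, no space)

def solve_product(factor, target):
    """Bytes c with c * factor == target (assumed form of the first check)."""
    return [c for c in PRINTABLE if c * factor == target]

def solve_difference(first, delta):
    """Bytes c with c - first == delta (second check, as the writeup describes)."""
    return [c for c in PRINTABLE if c - first == delta]

def recover(partial, idx_first=0, idx_second=4):
    """Insert both missing characters. The indices are assumptions read off the
    final flag in the writeup, counted within the braces."""
    firsts = solve_product(0x53, 0x1513)
    if len(firsts) != 1:
        raise ValueError("first check has no unique printable solution")
    seconds = solve_difference(firsts[0], 0x24)
    if len(seconds) != 1:
        raise ValueError("second check has no unique printable solution")
    chars = list(partial)
    chars.insert(idx_first, chr(firsts[0]))
    chars.insert(idx_second, chr(seconds[0]))
    return "SBCTF{" + "".join(chars) + "}"

def model_check(flag, idx_first=0, idx_second=4):
    """Re-run the modelled checks on a candidate, returning False at the first
    failure, like the early exit seen in the debugger."""
    if not (flag.startswith("SBCTF{") and flag.endswith("}")):
        return False
    inner = flag[len("SBCTF{"):-1]
    if len(inner) <= idx_second:
        return False
    a, b = ord(inner[idx_first]), ord(inner[idx_second])
    if a * 0x53 != 0x1513:
        return False
    return b - a == 0x24

if __name__ == "__main__":
    flag = recover(PARTIAL)
    print(flag, model_check(flag))
```

Searching the printable range instead of dividing directly also covers the case where a constant does not divide evenly: the solver then returns no candidates rather than a wrong character.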

Download: Spin.zip (archive, 58MB)