(Note: we did not solve this challenge in time, but I still decided to do a writeup because it’s such a cool challenge!)
This challenge consisted of a server binary written in C++. The use of C++ was pretty limited though; in fact, after reversing it, it seemed that only the C++ exception mechanism was used. Of course this made us pretty suspicious, and early on we looked into the interaction of C++ exceptions with the C setjmp/longjmp functions. The true ‘bug’ turned out to be much stranger, however…
AL’s revenge was basically a crypto/math challenge with some file format puzzling at the start. The given file is an XZ archive which contains a program in LLVM bytecode. Since the unix ‘file’ utility knows about both of these file formats, this wasn’t really hard to figure out. After that, the trick is to compile the LLVM bytecode to an ELF binary using the ‘llvmc’ tool, after which you can use your favorite disassembler/decompiler to reverse engineer the binary.
After reversing the program and converting the important code to Python, it gets interesting!
This challenge is a remote exploitation challenge in a text-based adventure game. The game binary is quite complicated for a C program, using a bunch of structs and unions to store the game data. The bug which can be exploited is not one of the standard memory corruption bugs, but is instead an error in the way the game logic deals with these structures.
Here’s how we found the bug, and how we exploited it.
We have a file and the assignment to “get the password”. Ok, let’s see what kind of file it is:
$ file 7139a4ea239dcac655f7c38ca6a77b61.bin
7139a4ea239dcac655f7c38ca6a77b61.bin: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Looks like a packet forensics challenge!