Challenge Description
1
2
3
I received a strange letter in the mail, when I unfolded the document inside,
I discovered this matrix bar code.
Can you figure out what it contains?
SOLUTION
A. Decompress letter.zip file
Use unzip
to decompress the challenge directory
1
2
3
4
5
6
7
┌[Parrot-Security]─[~/ctflearn.com/Finish The Flag]
└╼sys41x4$unzip letter.zip
Archive: letter.zip
creating: finish_the_flag/
inflating: finish_the_flag/qr.png
inflating: finish_the_flag/readme.txt
extracting: finish_the_flag/qr.asm.enc
In finish_the_flag/qr.png
we can see a QR Code for the challenge File
B. Getting Binary File from the QR Code
A simple python script can be used to dump the Content of QR
to a binary file as
QR -> Analyze QR Data -> Base64 Decode -> Dump to File
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Script 1
# [Requirements]
# # Tested in Parrot Security OS v5.x
# pybazar
# pillow
from base64 import b64decode
from PIL import Image
from pyzbar import pyzbar
img = Image.open('qr.png')
output = pyzbar.decode(img)
with open('qr', 'wb') as f:
f.write(b64decode(output[0][0]))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Script 2
# [Requirements]
# [Tested in Ubuntu 20.x]
# numpy
# pyboof
# Java/OpenJDK
import os
import numpy as np
import pyboof as pb
from base64 import b64decode
class QR_Extractor:
def __init__(self):
self.detector = pb.FactoryFiducial(np.uint8).qrcode()
def extract(self, img_path):
if not os.path.isfile(img_path):
print('File not found:', img_path)
return None
image = pb.load_single_band(img_path, np.uint8)
self.detector.detect(image)
qr_codes = []
for qr in self.detector.detections:
qr_codes.append({
'text': qr.message,
'points': qr.bounds.convert_tuple()
})
return qr_codes
qr_scanner = QR_Extractor()
output = qr_scanner.extract('qr.png')
# Write data to File
with open('qr', 'wb') as f:
f.write(b64decode(output[0]['text'].encode()))
Analyse qr
Binary using GDB + pwngdb
- Analyse The Binary in GDB
1
$ gdb ./qr
2 . Start at the entry point
1
pwndbg> start
3 . Disassemble function loop
to get the logic occuring in the loop
function
1
2
3
4
5
6
7
8
9
pwndbg> disassemble loop
Dump of assembler code for function loop:
0x08048098 <+0>: cmp al,0x7
0x0804809a <+2>: je 0x80480b9 <done>
0x0804809c <+4>: mov edx,DWORD PTR [eax+0x80490e4]
0x080480a2 <+10>: inc eax
0x080480a3 <+11>: jmp 0x80480a8 <bite_of_flag>
End of assembler dump.
- We can see that there is another function reference named
bite_of_flag
in0x080480a3
4 . Disassemble bite_of_flag
function
1
2
3
4
5
6
7
8
9
10
11
pwndbg> disassemble bite_of_flag
Dump of assembler code for function bite_of_flag:
0x080480a8 <+0>: push ebp
0x080480a9 <+1>: mov ebp,esp
0x080480ab <+3>: push eax
0x080480ac <+4>: xor dl,0x17
0x080480af <+7>: mov BYTE PTR [ebp+0x0],dl
► 0x080480b2 <+10>: pop eax
0x080480b3 <+11>: pop ebp
0x080480b4 <+12>: jmp 0x8048098 <loop>
End of assembler dump.
5 . Getting the FLAG
- Create a breakpoint at
0x080480b2
1
2
pwndbg> b *0x080480b2
Breakpoint 2 at 0x80480b2
Continue the program
it will stop at the breakpoint0x80480b2
to get the flag characters afterCTFlearn{
character by character inebp
register
andCTFlearn{
string will be inecx
registerWhich led us to have the flag as
CTFlearn{QR_v30}
FLAG : CTFlearn{QR_v30}
This is how, I solved this challenge.
Thankyou, for reading my writeup :)
Hope, I would see you in my next writeup.
Support Me if you want to.