2015, CTF, Cybercamp

English [Cybercamp 2015] [Reverse 1] Write Up

Leave a comment

Description

We have been given a .class file:

Download

The goal is to return the SHA256 of the plaintext.

Resolution

A .class file contains Java Bytecode compiled and cannot be easily understood.
We have to use a Java decompiler to get a .java file which can be read.
In this case, we have chosen CFR (you can also use an online decompiler)

This is the decompiled code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import java.io.PrintStream;
 
public class Nivel1 {
    String username;
    String levelFlag = "xGV2ZWwgMSB3YXMgc28gZWFzeS4uLiBzZWUgeW91IG5leHQgbGV2ZWwgOykuIERIQwo!";
 
    public Nivel1(String string) {
        this.username = string;
        if (string.contains((CharSequence)"-authorized")) {
            String[] arrstring = string.split("-");
            this.levelFlag = "" + Character.toUpperCase(arrstring[1].charAt(2)) + this.levelFlag.substring(1, this.levelFlag.length() - 1) + (char)(Integer.parseInt(String.format("%04x", (short)arrstring[1].charAt(arrstring[1].length() - 1)), 15) ^ 99);
        } else {
            for (int i = 0; i < string.length() / 2; ++i) {
                this.levelFlag = this.levelFlag.replace(string.charAt(i), string.charAt(string.length() - 1));
            }
        }
    }
 
    public String getLevelFlag() {
        return this.levelFlag;
    }
 
    public static void main(String[] arrstring) {
        Nivel1 nivel1 = new Nivel1(System.getenv("USER"));
        System.out.println("dropped flag: " + nivel1.getLevelFlag());
    }
}

First of all is to check the main() function:
Nivel1 nivel1 = new Nivel1(System.getenv("USER"));
The parameter for the Nivel1 have to be in the USER environment variable.

Secondly, in the Nivel1 function:
public Nivel1(String string) {
this.username = string;
if (string.contains((CharSequence)"-authorized")) {
The USER variable have to contain “-authorized”.

Let’s set the variable USER into our system, in a terminal:

1
export USER=-authorized

Just for being sure:

1
printenv USER

-authorized

The flag should be dropped by executing the class file:

1
java Nivel1

dropped flag: TGV2ZWwgMSB3YXMgc28gZWFzeS4uLiBzZWUgeW91IG5leHQgbGV2ZWwgOykuIERIQwo=

Yes! .. But it seems to be some base64 encoded text, so we decode it.

1
echo TGV2ZWwgMSB3YXMgc28gZWFzeS4uLiBzZWUgeW91IG5leHQgbGV2ZWwgOykuIERIQwo= | base64 --decode

Level 1 was so easy... see you next level ;). DHC

SHA256(Level 1 was so easy… see you next level ;). DHC) = ed7198bfc7a19af2959808edede9b2b3c2242337932ef050935ebac5714ce557

Flag is ed7198bfc7a19af2959808edede9b2b3c2242337932ef050935ebac5714ce557

Leave a Reply

Your email address will not be published. Required fields are marked *