BoxCutter

Personal Rating: Medium

This was a binary exploitation / reversing challenge.

I ran strings cutter and objdump -s -d cutter on the program, but the flag was not stored as a string directly.

I checked the program in ghidra and the string search did not find the flag either. The main function shew something interesting, but I do not understand how the flag is created.

I opened the program in gdp with gef and used disas main to look at the function. I also used steps to look at the function calls. But the program exits upon starting the main function.

I ran the program in ghidra again, set a breakpoint at main before with b main and then used si to look at the registers while the function is running.

HTB{tr4c1ng_th3_c4ll5}

You could have used strace as well, as the flag will appear in the stack:

[user@pc rev_boxcutter]$ strace ./cutter 
execve("./cutter", ["./cutter"], 0x7ffc77ba3f50 /* 58 vars */) = 0
brk(NULL)                               = 0x636b1c40b000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=191515, ...}) = 0
mmap(NULL, 191515, PROT_READ, MAP_PRIVATE, 3, 0) = 0x700946dfc000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220^\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
fstat(3, {st_mode=S_IFREG|0755, st_size=1948952, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x700946dfa000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x700946c18000
mmap(0x700946c3c000, 1421312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x24000) = 0x700946c3c000
mmap(0x700946d97000, 348160, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17f000) = 0x700946d97000
mmap(0x700946dec000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x700946dec000
mmap(0x700946df2000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x700946df2000
close(3)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x700946c15000
arch_prctl(ARCH_SET_FS, 0x700946c15740) = 0
set_tid_address(0x700946c15a10)         = 49887
set_robust_list(0x700946c15a20, 24)     = 0
rseq(0x700946c16060, 0x20, 0, 0x53053053) = 0
mprotect(0x700946dec000, 16384, PROT_READ) = 0
mprotect(0x636b1c090000, 4096, PROT_READ) = 0
mprotect(0x700946e5e000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x700946dfc000, 191515)          = 0
openat(AT_FDCWD, "HTB{tr4c1ng_th3_c4ll5}", O_RDONLY) = -1 ENOENT (No such file or directory)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
getrandom("\x14\xba\x82\x20\x69\x7f\xa6\x3b", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x636b1c40b000
brk(0x636b1c42c000)                     = 0x636b1c42c000
write(1, "[X] Error: Box Not Found\n", 25[X] Error: Box Not Found
) = 25
exit_group(0)                           = ?
+++ exited with 0 +++