# BoxCutter
This was a binary exploitation / reversing challenge.
I ran `strings cutter` and `objdump -s -d cutter` on the program, but the flag was not stored as a string directly.
I checked the program in ghidra and the string search did not find the flag either. The main function shew something interesting, but I do not understand how the flag is created.
I opened the program in gdp with gef and used disas main to look at the function. I also used steps to look at the function calls. But the program exits upon starting the main function.
I ran the program in ghidra again, set a breakpoint at main before with b main and then used si to look at the registers while the function is running.
`HTB{tr4c1ng_th3_c4ll5}`
You could have used strace as well, as the flag will appear in the stack:
```nasm
[user@pc rev_boxcutter]$ strace ./cutter
execve("./cutter", ["./cutter"], 0x7ffc77ba3f50 /* 58 vars */) = 0
brk(NULL) = 0x636b1c40b000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=191515, ...}) = 0
mmap(NULL, 191515, PROT_READ, MAP_PRIVATE, 3, 0) = 0x700946dfc000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220^\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
fstat(3, {st_mode=S_IFREG|0755, st_size=1948952, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x700946dfa000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x700946c18000
mmap(0x700946c3c000, 1421312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x24000) = 0x700946c3c000
mmap(0x700946d97000, 348160, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17f000) = 0x700946d97000
mmap(0x700946dec000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x700946dec000
mmap(0x700946df2000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x700946df2000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x700946c15000
arch_prctl(ARCH_SET_FS, 0x700946c15740) = 0
set_tid_address(0x700946c15a10) = 49887
set_robust_list(0x700946c15a20, 24) = 0
rseq(0x700946c16060, 0x20, 0, 0x53053053) = 0
mprotect(0x700946dec000, 16384, PROT_READ) = 0
mprotect(0x636b1c090000, 4096, PROT_READ) = 0
mprotect(0x700946e5e000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x700946dfc000, 191515) = 0
openat(AT_FDCWD, "HTB{tr4c1ng_th3_c4ll5}", O_RDONLY) = -1 ENOENT (No such file or directory)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
getrandom("\x14\xba\x82\x20\x69\x7f\xa6\x3b", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x636b1c40b000
brk(0x636b1c42c000) = 0x636b1c42c000
write(1, "[X] Error: Box Not Found\n", 25[X] Error: Box Not Found
) = 25
exit_group(0) = ?
+++ exited with 0 +++
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://shibudocs.gitbook.io/htb-writeups/cyber-apocalypse-2024-hacker-royale/boxcutter.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.