247CTF - The More The Merrier

Posted on In Views: Disqus: Word count in article: 374 Reading time ≈ 1 mins.

The More The Merrier

One byte is great. But what if you need more? Can you find the flag hidden in this binary?

Analysis

The challenge provides a 64-bit ELF executable. Checking its details:

1
2
❯ file the_more_the_merrier
the_more_the_merrier: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0f750d638337391328fa7432dd362189de908c1e, stripped

Upon inspecting the binary's data section or its hex dump, we find the 247CTF flag hidden in the binary:

1
2
3
4
5
6
7
8
9
10
11
00000000000006E0  01 00 02 00 00 00 00 00  32 00 00 00 34 00 00 00  ........2...4...
00000000000006F0  37 00 00 00 43 00 00 00  54 00 00 00 46 00 00 00  7...C...T...F...
0000000000000700  7B 00 00 00 36 00 00 00  64 00 00 00 66 00 00 00  {...6...d...f...
0000000000000710  32 00 00 00 31 00 00 00  35 00 00 00 65 00 00 00  2...1...5...e...
0000000000000720  62 00 00 00 33 00 00 00  63 00 00 00 63 00 00 00  b...3...c...c...
0000000000000730  37 00 00 00 33 00 00 00  34 00 00 00 30 00 00 00  7...3...4...0...
0000000000000740  37 00 00 00 32 00 00 00  36 00 00 00 37 00 00 00  7...2...6...7...
0000000000000750  30 00 00 00 33 00 00 00  31 00 00 00 61 00 00 00  0...3...1...a...
0000000000000760  31 00 00 00 35 00 00 00  62 00 00 00 30 00 00 00  1...5...b...0...
0000000000000770  61 00 00 00 62 00 00 00  33 00 00 00 36 00 00 00  a...b...3...6...
0000000000000780  63 00 00 00 7D 00 00 00  00 00 00 00 4E 6F 74 68  c...}.......Noth

Solution

Each character of the flag is stored as a 4-byte little-endian integer. For example: - 32 00 00 00 -> 0x32 -> '2' - 34 00 00 00 -> 0x34 -> '4' - 37 00 00 00 -> 0x37 -> '7' - 43 00 00 00 -> 0x43 -> 'C'

We can extract the flag by reading the first byte of each 4-byte chunk.

Flag

247CTF{6df215eb3cc73407267031a15b0ab36c}