Image Archeology (Admin, 350)

We have found the file, which contains a part of gai. But where is it?

Hints: You don't need any special reverse skills to solve this. It will be enough to use strings to reveal how the flag can be found.

In this task we received an image of a small disk. After mounting it we found a usual Unix directory tree (/bin and so on). Even without the hint, we searched it for anything unusual:

find . -type f -exec bash -c "strings {} | grep -E volga\|Volga && echo {}" \;
hacker.volga.ctf
./bin/busybox2
hacker.volga.ctf
./core
strings: ./usr/bin/sudo: Permission denied
strings: ./usr/sbin/visudo: Permission denied

(The grep match is printed before the echoed path; the two "Permission denied" lines are files the mounting user cannot read, so re-run as root if you want full coverage.) An untampered system is unlikely to contain such strings, so we quickly looked into the busybox2 executable. When run, it did not seem to do much: it returned to the prompt immediately. A couple of seconds later, however, our system rebooted. The lesson is to execute binaries recovered from a forensic image only inside a throwaway VM, never on the analysis host. On closer inspection the executable contained the string /sbin/reboot, so we patched it to call /bin/ls instead (a crude patch, but it worked).
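The patch works because /bin/ls is shorter than /sbin/reboot: it can be written over the old string and NUL-padded to the same length, so no file offset in the ELF moves. The program below is an added illustration of that rule, not code from the original writeup or from busybox2; the function names (patch_cstring, patch_file) are ours, and the ELF-looking bytes in main are a constructed stand-in for the binary's read-only data.

```c
/* Added example: in-place, same-length string patch of a binary.
 * The buffer in main() is constructed; the real busybox2 was not used here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the first NUL-terminated occurrence of `from` in buf[0..len)
 * with `to`, NUL-padding to the original length so no file offsets shift.
 * Returns the offset of the patched string, or -1 if it is absent or
 * `to` would not fit. */
static long patch_cstring(unsigned char *buf, size_t len,
                          const char *from, const char *to)
{
    size_t flen = strlen(from), tlen = strlen(to);
    if (tlen > flen || flen + 1 > len)      /* must fit, terminator included */
        return -1;
    for (size_t off = 0; off + flen + 1 <= len; off++) {
        if (memcmp(buf + off, from, flen) == 0 && buf[off + flen] == '\0') {
            memcpy(buf + off, to, tlen);
            memset(buf + off + tlen, 0, flen - tlen);   /* pad to old length */
            return (long)off;
        }
    }
    return -1;
}

/* Apply the same rule to a file on disk. Returns 0 on success, -1 otherwise. */
static int patch_file(const char *path, const char *from, const char *to)
{
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    if (size <= 0) { fclose(f); return -1; }
    unsigned char *buf = malloc((size_t)size);
    if (!buf) { fclose(f); return -1; }
    rewind(f);
    int rc = -1;
    if (fread(buf, 1, (size_t)size, f) == (size_t)size) {
        long off = patch_cstring(buf, (size_t)size, from, to);
        /* Write back only the patched span, which has the old string's length. */
        if (off >= 0 && fseek(f, off, SEEK_SET) == 0 &&
            fwrite(buf + off, 1, strlen(from), f) == strlen(from))
            rc = 0;
    }
    free(buf);
    return fclose(f) == 0 ? rc : -1;
}

int main(void)
{
    /* Constructed stand-in for a slice of .rodata: header bytes, two paths, trailer. */
    unsigned char rodata[] = "\x7f" "ELF" "\0\0" "/bin/sh\0/sbin/reboot\0tail";
    size_t len = sizeof rodata - 1;

    long off = patch_cstring(rodata, len, "/sbin/reboot", "/bin/ls");
    printf("patched at offset %ld, now reads \"%s\"\n", off, rodata + off);

    /* A longer replacement is refused: it would overwrite whatever follows. */
    if (patch_cstring(rodata, len, "/bin/sh", "/usr/bin/env") == -1)
        puts("refused: replacement longer than original");
    (void)patch_file;   /* used the same way on a copy of the real binary */
    return 0;
}
```

Always patch a copy of the binary and keep the original for the report; a same-length patch changes the file's hash, so note it in your notes before comparing against other artefacts.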

The code itself was not very hard; it does the following:

  • XORs some data
  • takes two rand() values without any preceding srand() and interprets the result as a date (the C standard guarantees that rand() called without srand() produces the same sequence as after srand(1), so on a given libc these "random" values are identical on every run)
  • sends something to hacker.volga.ctf (the host is unavailable)
  • forks, and reboots in one child
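The rand() point is worth making concrete. The program below is an added example, not the original writeup's code or busybox2's: it reseeds with 1 to reproduce what an unseeded process sees, shows that the pair is identical across calls, and renders a value as a UTC timestamp. Which of the two values the binary used as the date, and whether it treated it as seconds since the epoch, is an assumption made here; the writeup only says the results were interpreted as a date.

```c
/* Added example: unseeded rand() is reproducible, and how to read a value
 * as a date. Assumes the binary treated the value as epoch seconds. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Reseed with `seed` and return the next two rand() values in out[].
 * With seed 1 this is exactly what a program that never calls srand() sees
 * on the same libc. */
static void two_rands(unsigned seed, int out[2])
{
    srand(seed);
    out[0] = rand();
    out[1] = rand();
}

/* Render `secs` (assumed to be seconds since the Unix epoch) as a UTC
 * timestamp. Returns 0 on success, -1 if the value cannot be converted. */
static int as_utc_date(long long secs, char *buf, size_t buflen)
{
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    if (tm == NULL)
        return -1;
    return strftime(buf, buflen, "%Y-%m-%d %H:%M:%S", tm) ? 0 : -1;
}

int main(void)
{
    int a[2], b[2];
    char date[32];

    /* Two independent "unseeded" runs yield the same pair. */
    two_rands(1, a);
    two_rands(1, b);
    printf("rand() pair: %d %d (reproducible: %s)\n", a[0], a[1],
           memcmp(a, b, sizeof a) == 0 ? "yes" : "no");

    /* Assumption for the demo: the first value is the date, in epoch seconds. */
    if (as_utc_date(a[0], date, sizeof date) == 0)
        printf("first value read as epoch seconds: %s UTC\n", date);
    return 0;
}
```

The actual numbers depend on the C library, not on the program: glibc and musl implement rand() differently. To reproduce what the binary computed on the victim, run this against the libc shipped in the disk image (for example in a chroot or VM built from it), not against your analysis host's libc.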

We did not waste time reversing the code any further: we stepped through it in a debugger and set a breakpoint on the connection to the aforementioned host. It turned out that the flag was in memory at that point. One caveat for anyone repeating this: gdb by default follows the parent after a fork and lets the child run detached, so debug the patched binary (or use set detach-on-fork off before the fork is reached), otherwise the child will still reboot the machine under the debugger.