CTF Series — Post #1

Roei Kriger
5 min read · Apr 22, 2023


Image by David Mark from Pixabay

Throughout this series, I will share with you my solutions to CTF challenges that I dealt with.

CTF — What is it?
CTF stands for Capture the Flag. A CTF challenge involves looking for a designated ‘flag’; the flag can be a password, a username and password combination, a key you have to generate (a ‘genkey’), or many other things.

CTFs can be approached in various ways, and even if the creator intended a specific solution, there may be alternative methods to succeed.

Throughout my posts, I’ll walk you through the strategies and steps I took to solve the challenges and how to reach the flag.
Keep in mind that my approach isn’t the only “right” solution, but I hope that my insights and methods will inspire you to learn something new and start exploring the world of CTFs.

This post’s CTF challenge is sourced from Crackmes.com, specifically from the Windows section of the site.
Author: crackinglessons.com
Challenge Name: CrackME #2 — register me in your name

Solution

After downloading the file and extracting its contents (using the password “crackmes.one”), I see there is no README; we only have one executable (exe) file, named “CrackMe2”.

The next step I usually take is looking at the strings in the file. That gives me some helpful insight into what I’m dealing with before I run or disassemble anything.
Two interesting strings I found are “IsDebuggerPresent” and “keyfile.txt”.
IsDebuggerPresent is a Windows API call (it reads the BeingDebugged flag from the process’s PEB) that the program is probably using to detect a debugger; if one is found, the program will usually terminate itself to prevent further debugging. The second string hints that the program expects a file of that name, which is worth keeping in mind.
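As an added example (this is not code from the original post, and it is not tied to the real CrackMe2 binary), here is a small Python triage script that does what the strings step above does by hand: it pulls ASCII and UTF-16LE runs out of a binary and buckets the ones that matter, such as IsDebuggerPresent and CreateFileA, plus anything that looks like a file name. The watchlist categories and the sample byte blob are my own constructions; point `triage()` at `open(path, "rb").read()` to run it on a real executable.

```python
import re
from typing import Dict, List

# Watchlist of API names worth a second look when triaging a crackme.
# The categories are my own grouping (an assumption, not from the original post).
WATCHLIST: Dict[str, List[str]] = {
    "anti-debug": [
        "IsDebuggerPresent",
        "CheckRemoteDebuggerPresent",
        "NtQueryInformationProcess",
        "OutputDebugStringA",
    ],
    "file-access": [
        "CreateFileA",
        "CreateFileW",
        "GetFileAttributesA",
        "ReadFile",
        "WriteFile",
    ],
}

# Strings that look like file names: a basename with a short extension,
# optionally preceded by a drive letter or backslash-separated path components.
FILENAME = re.compile(
    r"^(?:[A-Za-z]:\\|\\|\.\\)?(?:[\w .-]+\\)*[\w .-]+\.(?:txt|dat|key|ini|dll|exe)$",
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable runs of at least min_len chars, ASCII first then UTF-16LE
    (roughly what `strings -a` followed by `strings -a -e l` would give you)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(data)]
    return found


def triage(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Bucket extracted strings into the watchlist categories plus candidate file names."""
    strings = extract_strings(data, min_len)
    report: Dict[str, List[str]] = {cat: [] for cat in WATCHLIST}
    report["files"] = []
    for s in strings:
        for cat, names in WATCHLIST.items():
            if s in names and s not in report[cat]:
                report[cat].append(s)
        if FILENAME.match(s) and s not in report["files"]:
            report["files"].append(s)
    return report


# Constructed sample input: not the real CrackMe2, just bytes shaped like the parts
# of a PE we care about (DOS stub text, import names with their hint bytes, a file
# name, and a UTF-16 string of the kind a message box would show).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00"
    b"\x00\x00\x00\x00"
    b"KERNEL32.dll\x00"
    b"\x12\x03IsDebuggerPresent\x00"
    b"\x45\x00CreateFileA\x00"
    b"\x9a\x01MessageBoxA\x00"
    b"keyfile.txt\x00"
    b"\x00\x7f\x12"
    + "Not registered".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(f"{category}: {hits}")
```

The UTF-16 pass matters on Windows targets: message-box and registry strings are often wide, and a plain ASCII `strings` run silently misses them.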

I opened the file with PeStudio: it is a 32-bit C++ program.
Moreover, it seems the program could be malicious, based on the VirusTotal (VT) results PeStudio shows:

PeStudio screen

Time to run the program. Since it might be malicious, I run it inside a virtual machine; better safe than sorry.
When we run the program, a window opens asking us to crack it.
So, at this point, it seems the flag for this challenge isn’t a password we have to find.
The software reports that it is not registered, and we need to change that.

The program after we execute it and click: OK

I’ll open the exe file in the IDA disassembler to look at the disassembled code.
After looking a bit at the main function, I came across a suspicious instruction:

A suspicious push?

Could it be that a file was created in the folder where the executable is placed?
No. I can’t find any trace of the suspicious text file there.

I will check whether a “keyfile” was created somewhere on my machine, maybe in another path or folder.
To do so, I ran the program again, but this time with ProcMon (Process Monitor) open to monitor the executable.

I applied a filter on the executable’s name to isolate the events that belong to the process we are researching.

Adding our 1st filter

Moreover, I applied a filter on the operation we are interested in, CreateFile (in ProcMon this operation covers opening an existing file as well as creating a new one, so a lookup of a missing file still shows up here):

2nd filter added

After running the program and observing the results, it appears that the program (CrackMe2) looked for a file named ‘keyfile’ and did not find it. I cannot find any more information about this text file in ProcMon.
All clues indicate that the text file was never created on my machine (to verify this yourself, remove the first filter on the executable’s name and review the results).

keyfile.txt not found on ProcMon

Back in IDA, I switch to the pseudocode view (press ‘Tab’).

It appears that the CreateFileA function is called, and its result is saved in the “FileA” variable.
If you’re unfamiliar with what CreateFileA returns, you can easily look it up on Microsoft’s website. You’ll discover that it returns a handle to the file, and that on failure it returns INVALID_HANDLE_VALUE (not NULL), which is what the program is comparing against when it decides whether you are registered.

https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea

The program attempts to obtain a handle to a text file named “keyfile”, but we saw that this file does not exist.
So it’s time for us to ‘help’ the programmers a bit.
In the same folder where the executable is located, I create a text file named “keyfile” (the full name is keyfile.txt; if Explorer hides known extensions, make sure you don’t end up with keyfile.txt.txt), since we saw in ProcMon that the executable looked for the file at that specific path:

The text file that I created

Now we run the program again and see whether anything changed.

The program is registered!

The program is now registered, just like we wanted.

I hope this post was helpful to you and provided valuable insights into the process of solving CTF challenges. Best of luck as you continue your quest for uncovering more flags!
