Flare-On 8 Challenge 3 - antioch

2021-10-19 2021-10-19 318 words 2 minutes

Contents

We are given a docker image to start with.

Upon creating docker container with the image, a binary named AntiochOS can extracted.

Binary Analysis

Looking through the binary in IDA, we can find the function that handles the approach command.

The function calculates the CRC32 of the first input (name). If it matches any of the hashes in the array, it moves on to ask for the second input.

The second input is also passed into the CRC32 function, and it needs to the same as the second value in the struct. If so, the function will return the id(3rd value in struct).

The id is the order in which the files should be extracted. Looking into the metadata of each layer, we can see that each of the layer’s author produces a CRC32 hash that can be found in the hash array in the binary.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
ab1321cc->Dragon of Angnor
018a5232->Roger the Shrubber
307a73b5->Dinky
a424afe4->Dennis the Peasant
bbac124d->Sir Ector
4f6066d8->A Famous Historian
7b665db3->Tim the Enchanter
56cbc85f->Sir Gawain
674404e2->Trojan Rabbit
f707e4c3->Sir Robin
d702596f->Green Knight
7d33089b->Sir Bedevere
256047ca->Squire Concorde
13468704->Sir Not-Appearing-in-this-Film
550901da->Legendary Black Beast of Argh
d640531c->Lady of the Lake
3fc91ed3->Zoot
86a10848->Miss Islington
2c2f024d->Chicken of Bristol
72b88a33->Rabbit of Caerbannog
d8549214->Black Knight
10a29e2d->Prince Herbert
94f6471b->Brother Maynard
e657d4e1->King Arthur
eced85d0->Sir Bors
2ba1e1d4->Squire Patsy
b59395a9->Bridge Keeper
eda1cf75->Inspector End Of Film
5efdd04b->Sir Lancelot
80dfe3a6->Sir Gallahad

Solving

By following the order of extraction, we should now have a set of (a-z).dat file. The order is important here as the later layers will overwrite some of the dat files. By following the extraction order closely, we can ensure that the files are overwritten in order, leaving us the relevant ones to solve the challenge.

Running the consult command with the set of extracted dat files returns the flag.

Flag

[email protected]