Official write-up by Cyber League
By Cyber League (Div0-N0H4TS)
Challenge Details
Name: FreeBie
Category: Binary
Challenge Description
During your training, you found a fellow spaceman-in-training. Hiding in a dark corner, he seems to be alive yet aloof. Hugging his knees close to his chest with his head tucked down, he mumbled “find the password… find the pass.. find th pass.. fithpass..”
A binary file was given to the participants
Process of solving the Challenge
Initial analysis
From the initial file analysis we can see that it is an ELF.
When we analyse the strings in this file, there are a lot of Python-related strings, which strongly indicates that it is a Python program compiled into an executable.
PyInstaller is commonly used to build such Python executables.
Reversing Pyinstaller Exe
Carve the pydata section
objcopy --dump-section pydata=pydata.dump FreeAirpodGen_test
Download the pyinstxtractor script to obtain the Python bytecode.
Note: Ensure the current Python version matches the Python version that was used to compile the binary.
Here the expected version is Python 3.6.
The Python version used for compilation is printed by the script.
python3 pyinstxtractor.py pydata.dump
The following screenshot is an example of the error shown when the Python version does not match while running the pyinstxtractor script.
The next screenshot shows the desired output when the Python version matches.
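The version check described in the note above can also be done directly on the carved pydata.dump before running the extractor. The following is an added example, not code from this write-up or from pyinstxtractor; it assumes the PyInstaller 2.1+ archive cookie layout (8-byte magic, package length, TOC offset, TOC length, Python version, library name), and the function names and sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # PyInstaller CArchive cookie magic
COOKIE_FMT = "!8sIIii64s"                    # assumed PyInstaller >= 2.1 layout
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)    # 88 bytes


def read_cookie(blob):
    """Return cookie fields from a carved pydata blob, or None if absent."""
    pos = blob.rfind(MAGIC)                  # the cookie sits at the end of the archive
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        return None                          # no cookie, truncated, or older 2.0 layout
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    # pyver is stored as 36 for Python 3.6 and as 310 for Python 3.10
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "python": (major, minor),
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
    }


def version_matches(cookie, running):
    """True when the interpreter (major, minor) equals the build version."""
    return cookie is not None and cookie["python"] == tuple(running[:2])


def make_sample(pyver, pylib):
    """Constructed sample: padding bytes followed by a well-formed cookie."""
    body = b"\x00" * 32
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + COOKIE_SIZE,
                         0, 0, pyver, pylib)
    return body + cookie


if __name__ == "__main__":
    import sys
    # Pass pydata.dump as the first argument; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else make_sample(36, b"libpython3.6m.so.1.0")
    info = read_cookie(data)
    print(info, "match:", version_matches(info, sys.version_info))
```

If the reported version differs from the running interpreter, switch to a matching environment before extracting.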
Making virtual environment for python (Optional)
Download miniconda script.
https://docs.conda.io/en/latest/miniconda.html#linux-installers
Run it to install.
bash Miniconda3-latest-Linux-x86_64.sh
Make the virtual environment.
conda create -n py3.6 python=3.6
Activate it.
conda activate py3.6
Reversing carved pydata section
Extract the python byte code.
python3 pyinstxtractor.py pydata.dump
Install python bytecode decompiler
pip install uncompyle6
Decompile the .pyc file in the folder generated by pyinstxtractor.py.
uncompyle6 FreeAirpodGen_test.pyc
The following code snippet is the output.
import hashlib

class AirPodClass:
    def __init__(self):
        pass

    def format_input(self, inputstr):
        return inputstr.format(AirPodObj=self, self=self, airpod=self, AirPod=self)

def main():
    # Get user input
    print("Get your free airpod code here! Buf for VIPs only")
    print("Please enter your VIP password")
    st = input()
    # Check user input
    if st == "password":
        print("\U0001F640 " + "\U0001F649 " + "\U0001F631")
        print("No Way thats gonna work!")
    if st == "admin":
        print("Monkey Fart! " + "\U0001F412" + "\U0001F4A8")
        print("Our admin thinks this is funny...")
    if hashlib.sha256(st.encode()).hexdigest() == "02317af5040dfbf07670ec23673a98f9f8e83c82a185a6ebf7c0b3bf9fec5a5f":
        print("Congratulations! Your new Airpod will arrive shortly \nCYBERLEAGUE{WHAT_d03s_" + st + "_meeeN}")
    elif st != "":
        AirPodObj = AirPodClass()
        print("User Input: " + AirPodObj.format_input(st))
        print("Wrong! This first class security is done by our new AirPod class!")
    else:
        print("\U0001F507")

main()
Getting the Flag
As can be seen from above, the code checks the input against a hash:
02317af5040dfbf07670ec23673a98f9f8e83c82a185a6ebf7c0b3bf9fec5a5f
Crack the hash with CrackStation.
Input the recovered password into the program to get the flag.
CYBERLEAGUE{WHAT_d03s_tequiero_meeeN}