Tags: misc com msdos 

# **Floppy2**

[misc - 0 pt.]

*Looks like you found a way to open the file in the floppy! But that www.com file looks suspicious.. Dive in and take another look?*

-----

### *man 2 outsw*?!

So, we have got a COM file comprising only printable ASCII characters... a bit similar to the [EICAR dummy antivirus test file](https://en.wikipedia.org/wiki/EICAR_test_file), but much longer.

```
% cat -n www.com
1 hD7X-t6ug_hl(]Wh8$^15GG1-hbrX5prPYGW^QFIuxYGFK,1-FGIuqZhHIX%A)I!hSLX4SI!{p*S:eTM'~_?o?V;m;CgAA]Ud)HO;{ l{}9l>jLLP[-`|0gvPY0onQ0geZ0wY5>D0g]h+(X-k&4`P[0/The Foobanizer9000 is no longer on the OffHub DMZ. $

```

Running it on DOSBox, we get no flag...

```
The Foobanizer9000 is no longer on the OffHub DMZ.
```

Since this program is supposed to trigger a change in some networking device's configuration, some data should be sent *somewhere*... A quick glance at a disassembly shows signs of looping and ~~I/~~O...

*Maybe it's like a UPS? Maybe the flag is being output to a serial port?* Let's edit dosbox.conf.

```
serial1=modem listenport:5000
serial2=modem listenport:5001
```

Now we can open a couple *nc* instances (*-l 500[0|1] -k*), restart DOSBox and run this emergency handler again...

... nothing there. What's next, the line printer terminal? *shrugs*

I ain't got no clue about DOS low-level I/O, *and this is a beginner's task*.

-----

### *GDB .\WWW.COM* ?!

Well... if there's a flag, it might be in memory. Let's compile a debug build of DOSBox and [check out the extra features](https://www.vogons.org/viewtopic.php?t=3944).

Not exactly GDB. Initially I was put off by the idea of having to figure out what breakpoints to set to break on program launch, and before program end, and moved away.

In hindsight, I could have looked up the fixed [load address](https://en.wikipedia.org/wiki/COM_file#MS-DOS_binary_format), and put a breakpoint there, but laziness happens.

-----

### *cat /proc/self/mem | grep CTF*.

Rubber-ducking it a while later, I decided that it was *very unlikely* that either the program or the DOS would zero the program's memory as it exited, and that, if a flag was decoded, it might still be there.

Triggering DOSBox's monitor (*ALT-pause*) and issuing the *MEMDUMP 0:0 10000* command after running WWW.COM creates a MEMDUMP.BIN in the working directory, which we can then *grep* for a candidate sub-string.

```
% strings MEMDUMP.BIN | rg CTF
!CTF{g00do1dDOS-FTW}
```

There it is :)
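
An added example, not part of the original write-up: the same search done in Python, which also reports where in the dump each hit sits as a real-mode linear address and segment:offset pair. The `CTF{...}` pattern is assumed from the flag above, and the function names and sample dump are constructed for illustration.

```python
import re
import sys

# Flag shape assumed from the flag found above: "CTF{" + printable ASCII + "}".
FLAG_RE = re.compile(rb"CTF\{[\x20-\x7e]{1,64}?\}")


def find_flags(dump, base_seg=0, base_off=0):
    """Return (linear_addr, "SSSS:OOOO", text) for every flag-shaped string.

    base_seg:base_off is the real-mode address the dump starts at
    (0:0 for the MEMDUMP command used in this write-up).
    """
    base = (base_seg << 4) + base_off      # real mode: linear = seg * 16 + off
    hits = []
    for m in FLAG_RE.finditer(dump):
        addr = base + m.start()
        # Normalised form: largest segment, offset in 0..15.
        segoff = f"{addr >> 4:04X}:{addr & 0xF:04X}"
        hits.append((addr, segoff, m.group().decode("ascii")))
    return hits


def make_sample_dump():
    """Constructed 64 KiB dump; the flag text and offsets here are made up."""
    dump = bytearray(0x10000)
    blob = b"!CTF{constructed-sample}$"
    dump[0x1A2F:0x1A2F + len(blob)] = blob
    dump[0x4000:0x4004] = b"CTF{"          # unterminated fragment, must not match
    return bytes(dump)


if __name__ == "__main__":
    # Pass a real MEMDUMP.BIN as argv[1]; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample_dump()
    for addr, segoff, text in find_flags(data):
        print(f"linear 0x{addr:05X}  {segoff}  {text}")
```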