Description
The executable was designed to send the flag to someone. Are you that someone? Download the binary bin-ins4.zip (password: picoctf).
Download and extract bin-ins4.zip using the password 'picoctf', then run the binary and observe its network behaviour.

```
unzip -P picoctf bin-ins4.zip
chmod +x bin-ins4
```
Solution
- Step 1: Observe the binary's network behaviour

  Run the binary and observe that it tries to make a network connection to send the flag. It uses the Windows Sockets API (WS2_32.dll), specifically the send() function, to transmit the data.

  ```
  unzip -P picoctf bin-ins4.zip
  frida-trace ./bin-ins4 -i 'send' -i 'connect'
  ```

- Step 2: Hook WS2_32.dll send() with Frida to capture the flag

  Write a Frida script that hooks the send() export from WS2_32.dll. When the binary calls send() with the flag data, intercept the buffer argument and print its contents to the console.

  ```
  cat > intercept.js << 'EOF'
  // Hook WS2_32.dll send() to intercept the flag before transmission
  const send = Module.getExportByName("WS2_32.dll", "send");
  Interceptor.attach(send, {
    onEnter(args) {
      // send(SOCKET s, const char *buf, int len, int flags)
      // args[1] = buf (pointer to data), args[2] = len
      const len = args[2].toInt32();
      if (len > 0) {
        const data = args[1].readByteArray(len);
        const str = new TextDecoder().decode(new Uint8Array(data));
        console.log("Intercepted send() data:", str);
      }
    }
  });
  EOF
  frida -l intercept.js ./bin-ins4
  ```

- Step 3: Read the flag from the Frida output

  The Frida console will print the flag when the binary calls send() with the flag buffer.
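The script above only reports the payload. The following added example (not part of the original writeup) extends the same technique to the connect() call that frida-trace showed in Step 1, decoding the sockaddr_in argument so the hook reports the destination IP and port alongside the send() buffer, with non-printable bytes rendered as hex. The decoders are plain JavaScript; the Interceptor section only runs when the script is loaded with `frida -l`, and the module/export names are the ones the writeup already uses.

```javascript
// Added example, not the original writeup's script. Decoders are pure JS so they
// can be exercised outside Frida; the hook section is guarded for Frida only.

// Parse a Windows sockaddr_in: sin_family (u16, little-endian), sin_port (u16,
// network byte order), sin_addr (4 bytes). AF_INET is 2.
function parseSockaddrIn(bytes) {
  const b = new Uint8Array(bytes);
  if (b.length < 8) return null;
  const family = b[0] | (b[1] << 8);
  if (family !== 2) return { family, ip: null, port: null };
  const port = (b[2] << 8) | b[3];
  const ip = `${b[4]}.${b[5]}.${b[6]}.${b[7]}`;
  return { family, ip, port };
}

// Render a send() buffer as text, escaping non-printable bytes as \xNN so a
// binary or framed payload does not corrupt the console output.
function renderBuffer(bytes) {
  const b = new Uint8Array(bytes);
  let out = "";
  for (const c of b) {
    out += (c >= 0x20 && c < 0x7f)
      ? String.fromCharCode(c)
      : "\\x" + c.toString(16).padStart(2, "0");
  }
  return out;
}

// Frida-only section: attach to the WS2_32.dll exports when run under frida -l.
if (typeof Interceptor !== "undefined") {
  const ws2 = Process.getModuleByName("WS2_32.dll");
  Interceptor.attach(ws2.getExportByName("connect"), {
    onEnter(args) {
      // connect(SOCKET s, const sockaddr *name, int namelen)
      const sa = parseSockaddrIn(args[1].readByteArray(args[2].toInt32()));
      console.log(sa ? `connect() -> ${sa.ip}:${sa.port}` : "connect() -> non-IPv4 address");
    }
  });
  Interceptor.attach(ws2.getExportByName("send"), {
    onEnter(args) {
      // send(SOCKET s, const char *buf, int len, int flags)
      const len = args[2].toInt32();
      if (len > 0) console.log("send():", renderBuffer(args[1].readByteArray(len)));
    }
  });
}
```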
Flag
picoCTF{b1n_1nstrum3nt4t10n_4_...}
The binary uses WS2_32.dll's send() to transmit the flag over the network. A Frida script hooking this export captures the data in transit, inside the process, before it reaches the socket.