Secure Password Database

Published: March 20, 2026

Description

A password program proudly shows what it stores in its database output. Download `system.out`, inspect the binary, and recover what it is really checking.

Download system.out and inspect it.

Use strings, file, and reverse engineering tools to analyse the output.

file system.out
strings system.out

Solution

  1. Step 1: Identify the file type
    Download system.out and check what kind of file it is.
    file system.out
    strings system.out | grep -iE 'picoCTF|flag|password'
  2. Step 2: Try to find the flag in binary strings
    Run strings to search for a direct or hex/base64-encoded picoCTF flag.
    strings system.out | grep picoCTF
    strings system.out | grep -E '[0-9a-fA-F]{40,}'
    python3 -c "import re, base64; data=open('system.out','rb').read(); print(re.findall(rb'picoCTF\{[^}]+\}', data))"
  3. Step 3: Trace the binary with ltrace
    Run the binary under ltrace to capture the arguments to strcmp/memcmp at the moment of the password check. The comparison value is the stored (possibly transformed) password.
    chmod +x system.out
    ltrace -s 256 ./system.out <<< 'test'
    # Look for strcmp/memcmp calls — the second argument is the expected value
  4. Step 4: Analyse the transformation with GDB or objdump
    If ltrace doesn't reveal the flag directly, set a breakpoint at the comparison function to read memory, or use objdump to find hardcoded comparison values in the binary.
    objdump -d system.out | grep -A5 'cmp\|strcmp\|memcmp'
    objdump -s -j .rodata system.out | strings
    gdb -q ./system.out -ex 'break strcmp' -ex 'run <<< "AAAA"' -ex 'x/s $rdi' -ex 'x/s $rsi' -ex 'quit'
  5. Step 5: Try XOR brute-force decode
    If the flag is XOR-encoded in the binary, try every single-byte key against the raw binary data.
    python3 - <<'EOF'
    import re
    data = open('system.out', 'rb').read()
    for key in range(1, 256):
        dec = bytes(b ^ key for b in data)
        m = re.search(rb'picoCTF[{][^}]+[}]', dec)
        if m:
            print(f'key=0x{key:02x}: {m.group().decode()}')
    EOF
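
Step 2 greps for hex runs without decoding them, and step 5 XORs only the raw file. The added example below (not part of the original write-up) goes one step further by decoding every hex and base64 run and then trying each single-byte XOR key on the result. The sample bytes and the flag in them are constructed, and `decode_candidates` and `find_flags` are names chosen for this example.

```python
import base64
import binascii
import re

# Printable-ASCII flag body, so a hit under the wrong XOR key is unlikely.
FLAG_RE = re.compile(rb'picoCTF\{[\x20-\x7c~]+\}')
HEX_RUN = re.compile(rb'(?:[0-9a-fA-F]{2}){8,}')
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{16,}={0,2}')


def decode_candidates(data: bytes):
    """Yield (encoding, bytes) for the raw data and each hex/base64 run in it."""
    yield 'plain', data
    for m in HEX_RUN.finditer(data):
        yield 'hex', bytes.fromhex(m.group().decode())
    for m in B64_RUN.finditer(data):
        run = m.group()
        try:
            # Trim to a multiple of 4 so a run without padding still decodes.
            yield 'base64', base64.b64decode(run[:len(run) - len(run) % 4])
        except binascii.Error:
            continue


def find_flags(data: bytes):
    """Return sorted (encoding, xor_key, flag) hits; xor_key 0 means no XOR layer."""
    hits = set()
    for enc, blob in decode_candidates(data):
        for key in range(256):
            table = bytes(b ^ key for b in range(256))
            for m in FLAG_RE.finditer(blob.translate(table)):
                hits.add((enc, key, m.group().decode('ascii')))
    return sorted(hits)


# Constructed sample, not taken from system.out: a made-up flag stored as a
# hex string and as base64 of its XOR with 0x5a, separated by NUL bytes.
FAKE = b'picoCTF{constructed_example}'
SAMPLE = (b'\x7fELF\x00' + FAKE.hex().encode() + b'\x00'
          + base64.b64encode(bytes(b ^ 0x5a for b in FAKE)) + b'\x00')

if __name__ == '__main__':
    for enc, key, flag in find_flags(SAMPLE):
        print(f'{enc} xor=0x{key:02x}: {flag}')
```

To run it against the challenge file, pass `open('system.out', 'rb').read()` to `find_flags` instead of `SAMPLE`.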

Flag

picoCTF{s3cur3_p4ssw0rd_db_...}

Reverse engineering challenge. Try strings first, then ltrace to capture strcmp arguments, then objdump .rodata, then XOR brute-force decode. The program transforms the password before storing and comparing it.