HTB University CTF 2023 — RiseFromTheDead (hard)

Overview

A binary and its core dump. The program memory-maps 4096 bytes of input and applies a shuffle algorithm driven by /dev/urandom. We need to reverse the shuffle using the random indices preserved in the core dump.

Analysis

The shuf function:

The random bytes that determined the shuffle are stored in memory between data segments — they’re still in the core dump.

Solution

  1. Open the core in GDB:

    gdb ./rise core
    
  2. Find the memory map:

    (gdb) info proc mappings
    
  3. Locate the shuffled flag in the mapped region

  4. Extract the indices stored between data segments — these are the original shuffle positions

  5. Reconstruct the flag by using the indices to reorder characters from the shuffled string back to their original positions

    # indices: list extracted from core dump
    # shuffled: string found in mapped memory
    flag = [''] * len(indices)
    for i, idx in enumerate(indices):
        flag[idx] = shuffled[i]
    print(''.join(flag))
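
Steps 2 to 4 can also be scripted without GDB. The following is an added example, not code from the original write-up: it parses the core's ELF64 program headers and reads bytes by virtual address, then applies the same reordering loop. The sample core, its addresses, the one-byte index width and the names `load_segments`, `read_vaddr`, `build_sample_core`, `recover` and `demo` are assumptions constructed for illustration.

```python
import struct

PT_LOAD = 1

def load_segments(core: bytes):
    """Return (vaddr, file_offset, file_size) per PT_LOAD of a 64-bit LE ELF core."""
    if core[:4] != b"\x7fELF" or core[4] != 2 or core[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    e_phoff, = struct.unpack_from("<Q", core, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x36)
    segments = []
    for n in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", core, e_phoff + n * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz))
    return segments

def read_vaddr(core: bytes, vaddr: int, size: int) -> bytes:
    """Read `size` bytes at `vaddr`; only bytes actually dumped (p_filesz) count."""
    for seg_vaddr, offset, filesz in load_segments(core):
        if seg_vaddr <= vaddr and vaddr + size <= seg_vaddr + filesz:
            start = offset + (vaddr - seg_vaddr)
            return core[start:start + size]
    raise LookupError(f"{vaddr:#x}+{size} is not backed by data in the core")

def build_sample_core(vaddr: int, data: bytes) -> bytes:
    """Constructed minimal core: ELF header, empty PT_NOTE, one PT_LOAD with `data`."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 4, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    note = struct.pack("<IIQQQQQQ", 4, 0, 0, 0, 0, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 64 + 2 * 56, vaddr, 0,
                       len(data), len(data), 0x1000)
    return ehdr + note + load + data

def recover(core: bytes, shuffled_addr: int, indices_addr: int, n: int) -> str:
    """Read both buffers from the core and put shuffled[i] back at indices[i]."""
    shuffled = read_vaddr(core, shuffled_addr, n)
    indices = read_vaddr(core, indices_addr, n)  # assumption: one byte per index
    out = bytearray(n)
    for i, idx in enumerate(indices):
        out[idx] = shuffled[i]
    return out.decode()

def demo() -> str:
    """Constructed data only: a 20-byte string shuffled by a known permutation."""
    plain = b"SAMPLE{not_the_flag}"
    idx = bytes((7 * i + 3) % len(plain) for i in range(len(plain)))
    data = bytes(plain[j] for j in idx) + b"\0" * 12 + idx  # indices at +0x20
    core = build_sample_core(0x7F0000000000, data)
    return recover(core, 0x7F0000000000, 0x7F0000000020, len(plain))
```

On a real core, take the two addresses from `info proc mappings` and adjust the index width in `recover` to whatever the shuffle routine actually stores.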