2024 Cyber Apocalypse: BoxCutter

Challenge Information

Event: 2024 Cyber Apocalypse
Category: Reverse Engineering
Challenge: BoxCutter
Difficulty: Very Easy

Summary

BoxCutter is a reverse engineering challenge that requires using system call tracing to identify the flag. The binary attempts to open a file with the flag as its name. By tracing system calls with strace, the flag filename becomes visible in the openat() syscall attempts.


Analysis

Binary Properties

File: ELF 64-bit LSB pie executable, x86-64
Stripped: No (symbols available)

The Challenge

When executed, the binary produces:

[X] Error: Box Not Found.

However, the binary's actual purpose is to attempt to open a file whose name is the flag itself. This is a clever obfuscation technique: the flag is hidden in the program's logic rather than stored as a plain string.

System Call Approach

Instead of reverse engineering the binary's machine code, we can observe which files it tries to access using strace. This tool intercepts and logs the system calls a process makes, including the arguments passed to each call.


Solution

Step 1: Execute with strace

Run the binary under strace to capture all system calls:

strace ./cutter

Step 2: Locate File Operations

In the strace output, look for file operations like open(), openat(), or similar syscalls:

openat(AT_FDCWD, "HTB{tr4c1ng_th3_c4ll5}", O_RDONLY) = -1 ENOENT (No such file or directory)

Step 3: Extract the Flag

The filename parameter in the openat() syscall is the flag. In this case:

HTB{tr4c1ng_th3_c4ll5}

Alternative: Using ltrace

The ltrace tool traces library calls instead of system calls, which may also reveal the flag:

ltrace ./cutter

Output:

open("HTB{tr4c1ng_th3_c4ll5}", 0, 00)

Complete Solution Script

#!/bin/bash
# Trace only openat() calls. strace writes its trace to stderr, so merge it
# into stdout before piping to grep.
echo "Running strace on the binary..."
strace -e trace=openat ./cutter 2>&1 | grep "HTB{"
# Alternative using ltrace (library calls such as libc's open())
echo "Running ltrace on the binary..."
ltrace ./cutter 2>&1 | grep "HTB{"
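The grep above only works when you already know the flag prefix. A more general version, added here as an example rather than the writeup's own script, parses strace output for open()/openat() calls that failed with ENOENT, i.e. every file the program looked for but did not find. It runs against a constructed strace sample embedded in the script; the trace_failed_opens wrapper assumes strace is installed.

```shell
#!/bin/sh
# Constructed sample of strace output (not captured from the real binary):
# loader syscalls, the error message, and the flag-named open attempt,
# including one line with the "[pid N]" prefix that strace -f produces.
SAMPLE_STRACE='execve("./cutter", ["./cutter"], 0x7ffd00000000 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
write(1, "[X] Error: Box Not Found.\n", 26) = 26
[pid  1234] openat(AT_FDCWD, "HTB{tr4c1ng_th3_c4ll5}", O_RDONLY) = -1 ENOENT (No such file or directory)
open("missing.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
exit_group(1) = ?'

# Read strace text on stdin (one syscall per line) and print the path
# argument of every open()/openat() call that returned -1 ENOENT.
failed_opens() {
    sed -E 's/^\[pid +[0-9]+\] //' |
    grep -E '^(open|openat)\(' |
    grep -E '= -1 ENOENT' |
    sed -E 's/^open\("([^"]*)".*/\1/; s/^openat\([^,]*, "([^"]*)".*/\1/'
}

# Wrapper for a live binary: trace only open/openat, send the program's own
# stdout to /dev/null and the trace (stderr) into failed_opens.
trace_failed_opens() {
    strace -f -e trace=openat,open "$@" 2>&1 >/dev/null | failed_opens
}

# Demo on the constructed sample; prints the two missing filenames.
printf '%s\n' "$SAMPLE_STRACE" | failed_opens
```

Usage against the challenge binary would be `trace_failed_opens ./cutter`, which prints the flag-named path without needing to know its prefix.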

Key Takeaways

  • Dynamic analysis with system call tracing is powerful for understanding program behavior
  • strace reveals system calls including file operations, network activity, and memory operations
  • ltrace reveals library function calls
  • The flag may not always be stored as a visible string but can be revealed through syscall tracing
  • This technique is particularly useful for obfuscated or packed binaries
  • File access attempts can leak sensitive information through their filenames
  • Tracing tools bypass the need for full binary disassembly in many cases

Flag: HTB{tr4c1ng_th3_c4ll5}