This challenge was actually a re-release of the original challenge "Patch Tuesday", which the author accidentally left the flag in the original binary. This version is more interesting and is an example of using revenge to apply a Windows patch.

Using this CSAW qualifier as a means to test our the tool called revenge I've been working on. This challenge was an easy reversing one, but it was made easier through revenge.

 

beleaf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped

Description: I forgot admin’s product key…

First off, this challenge was listed as 200pts. I was the 7th to solve it with about 45 minutes left in the contest. Other 200 point challenges had many more solves (for instance Baby ROP was 200pt and had 80+ solves). Unfortunately, I got sucked into this and needed to finish it for my own sanity. That said, it was good challenge, just not realistically 200 points.

This specific challenge was not actually solved by me during quals. Aegis officially scored and I'm sure others helped out. That said, I like to look at challenges afterwards and identify what I could do to solve it more efficiently next time. What follows is a walk-through on solving this challenge with my revenge tool.

Mama Trace was an extension of Baby Trace (baby shark theme much?). For this we're given files similar to baby trace:

Dockerfile, headerquery2, pitas.py, flagleak

pitas.py and the Dockerfile are effectively the same as before. headerquery2 is basically the original headerquery elf except with our leak removed. With that in mind, time to look at flagleak.