
Secret IMAGination

Category: Reverse

Points: 995


Here's a minimal system image. Evil kackers know a way to IMAGine secrets, so your task is to bring them to the real world.

You may need to surround flag with kks{}




We are given a filesystem image. First of all, we try to run it in VirtualBox. After it boots, the image asks for a password. Enter any string:


We received:

Wrong password!

Next, we unpack the image to understand the application's logic. For example, on Debian:

$ 7z x mlinux.iso

And we get:


We are interested in kernel.gz and rootfs.gz. Unpack them:

  • kernel.gz: use binwalk: $ binwalk --extract kernel.gz

The result is a single file, 43B1: ELF 64-bit, statically linked, stripped.

  • rootfs.gz is simple: $ gunzip rootfs.gz. The resulting file rootfs is an ASCII cpio archive (SVR4 with no CRC). To get init, we use binwalk again:

$ binwalk --extract rootfs

And we get:


Reading init, we see that it runs /bin/task.

Let's start reversing task: ELF 64-bit, statically linked, not stripped.


In the main function we can see that the program reads 20 characters from stdin and opens a file descriptor for /pass to write our input string to it. Then a syscall is made.


As you can see, the program calls a custom syscall with id 1337.

Next we reverse 43B1. Since task uses the path /pass, we look for that string in 43B1. After the call to kernel_path, we move on to the next function call. There we see the string md5, so we assume that this function computes the md5 of our input string. The next function is called with 3 parameters:

  • edx - 16;
  • rsi - the md5 of our input string;
  • rdi - a string located in .rodata.

Reversing this function, we find that it compares two strings.


Therefore, the string located in .rodata is the md5 of the true password.


Take advantage of to decode hash. We got diviz_)(159$=*@. Enter this string and you receive the flag.

flag: kks{Y0u_d0n7_n33D_70_p47ch_k3rn3l_by_y0r53lf}
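The check reconstructed above, modeled in Python next to a salted slow-KDF variant, to show why a bare md5 constant in .rodata can be looked up once it is extracted. This is an added example, not code from the challenge or the write-up; the sample password, candidate list, function names and iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in secret; in the challenge the digest is a constant in .rodata.
SAMPLE_PASSWORD = b"example-pass-123"
EMBEDDED_MD5 = hashlib.md5(SAMPLE_PASSWORD).digest()  # 16 raw bytes


def kernel_style_check(pass_file_contents: bytes) -> bool:
    """Model of the syscall-1337 logic: md5 of the /pass contents, 16-byte compare."""
    digest = hashlib.md5(pass_file_contents).digest()
    return digest[:16] == EMBEDDED_MD5[:16]  # 16 mirrors the edx argument


def recover_from_digest(digest: bytes, candidates):
    """Unsalted digests match any precomputed table, so one lookup is enough."""
    table = {hashlib.md5(c).digest(): c for c in candidates}
    return table.get(digest)


# Hardened variant: random per-install salt and a slow KDF, so a generic
# precomputed md5 table no longer applies and each guess costs ITERATIONS rounds.
ITERATIONS = 200_000  # illustrative work factor (assumption)


def enroll(password: bytes):
    """Return (salt, derived_key) to store instead of a bare digest."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def hardened_check(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    print("kernel-style accepts:", kernel_style_check(SAMPLE_PASSWORD))
    print("table lookup finds:", recover_from_digest(EMBEDDED_MD5, [b"guess", SAMPLE_PASSWORD]))
    salt, stored = enroll(SAMPLE_PASSWORD)
    print("hardened accepts:", hardened_check(SAMPLE_PASSWORD, salt, stored))
```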
