Difficulty: easy
Type: Stego
OS: Any
Description: Pusheen just loves graphs, Graphs and IDA. Did you know cats are weirdly controlling about their reverse engineering tools? Pusheen just won’t use anything except IDA.
This is my first stego challenge, and I have no clue about this topic. However, the description gives very useful information: we have to focus on graphs and IDA. But what’s IDA in the first place?
From the internet, IDA stands for Interactive Disassembler. It is used to disassemble software, translating machine-executable code back into the corresponding assembly listing. As mentioned in the description, this tool is commonly used in reverse engineering tasks.
Hex-Rays is the company selling the software, and a free version can be downloaded here: https://www.hex-rays.com/products/ida/support/download_freeware/.
Since IDA isn’t natively available on Kali, I decided to do this challenge on my Mac. The installation of IDA is very easy and isn’t shown here. After installing it, we can download the file on Hack the box and verify that the checksum matches:
After unzipping it, we can open the file with any text editor. Let’s do it with nano:
Besides Pusheen the cat, we see at the beginning of the first line that the file is in ELF format (Executable and Linkable Format). It is a common standard file format for executable files, object code, shared libraries and core dumps.
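The two checks above (confirming the file is ELF and computing its checksum) can also be done programmatically. This is an added Python example, not part of the original writeup; the header bytes below are a constructed minimal ELF header, not the challenge file.

```python
import hashlib
import struct

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# Constructed sample: a 64-byte ELF64 little-endian header (no sections or code).
SAMPLE_ELF = (
    b"\x7fELF"                 # magic bytes, the "ELF" seen in the text editor
    + b"\x02"                  # EI_CLASS: 2 = 64-bit
    + b"\x01"                  # EI_DATA: 1 = little-endian
    + b"\x01"                  # EI_VERSION
    + b"\x00" * 9              # EI_OSABI, EI_ABIVERSION, padding
    + struct.pack("<HHIQQQIHHHHHH",
                  2,           # e_type: ET_EXEC
                  0x3E,        # e_machine: x86-64
                  1,           # e_version
                  0x401000,    # e_entry (constructed value)
                  64, 0,       # e_phoff, e_shoff
                  0,           # e_flags
                  64, 56, 0, 64, 0, 0)
)


def parse_elf_header(data: bytes) -> dict:
    """Return the identification fields of an ELF header, or raise ValueError."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 stores e_entry in 8 bytes, ELF32 in 4; both follow e_type/e_machine/e_version.
    fmt, need = (endian + "HHIQ", 32) if ei_class == 2 else (endian + "HHII", 28)
    if len(data) < need:
        raise ValueError("truncated ELF header")
    e_type, e_machine, _, e_entry = struct.unpack_from(fmt, data, 16)
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def sha256_hex(data: bytes) -> str:
    """Hex digest to compare against the checksum published with the download."""
    return hashlib.sha256(data).hexdigest()
```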
Because this is a stego challenge, we know that this file contains hidden information. However, after a quick glance at the content of the file, we understand that it’s not going to be lying there in plaintext.
After trying to find a quick and easy video explaining IDA, I decided to give it a try and figure it out by myself. We start the software and select Disassemble a new file as follows:
Then, we open the Pusheen file and get some error messages. Apparently, we can skip those until we get the following warning:
It says it’s switching to text mode, but from the description, we know that Pusheen only loves graphs. So, let’s try to change this parameter to stay in graph mode:
Then, it brings us back to the main window and displays the graph correctly. In the lower left window, there’s a graph overview, and within it, we can read fUn_w17h_CFGz:
And that’s the flag. Unfortunately, I’m not sure what CFGz means. It could be a reference to a game called Crossfire (referred to as CFGZ for some reason), or a reference to Context-free Grammars, which are studied in the fields of theoretical computer science, compiler design and linguistics. CFGs are used to describe programming languages, and parser programs in compilers can be generated automatically from them.