
# rocky (100 pts)

### Description

Dear CSI,

An underdog boxer gets a once-in-a-lifetime shot at the world heavyweight title and proves his worth through sheer determination.

Regards,\
jzt

#### Attachments

* [rocky](https://storage.googleapis.com/downunderctf-2025-noctf-files/noctf-files/A2iBtHAobS7ajuTs6Jiqr?X-Amz-Algorithm=AWS4-HMAC-SHA256\&X-Amz-Credential=GOOG1ELBSKCSEHWDHBGZCFZBP3RXLJBHVAZJTTYKCMYMRJRM6O5N35G46S26H%2F20250720%2Fauto%2Fs3%2Faws4_request\&X-Amz-Date=20250720T144000Z\&X-Amz-Expires=1200\&X-Amz-SignedHeaders=host\&X-Amz-Signature=905f2b86287a880541fea88bd4405f21e5861a0c2ed7b60af4d284d2bfc5879a)

### Solution

We were given a binary file named **rocky**.

```
jedi@aqua: /mnt/d/CTF/ductf/rev
$ file rocky                                                                                                           
rocky: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=12a85b1a1e6c5bb107276f005ddac83c26136f0b, for GNU/Linux 3.2.0, not stripped
```

When we run it, it asks for input.

<figure><img src="/files/M6Wm93g8aeAZohGVO6Ao" alt=""><figcaption></figcaption></figure>

If the input is wrong, the output of the program is **Hash mismatch :(.** We need to investigate how the binary works, and one of the tools we can use is IDA. We open the binary in IDA and check the main function.

<figure><img src="/files/Vi0hkSTSv3oD6St8bNWN" alt=""><figcaption></figcaption></figure>

We see several points here:

1. The program takes up to 16 characters of input and removes the newline
2. It computes the MD5 hash of the input and compares it to a hardcoded target
3. The target MD5 hash is split into two 64-bit integers
4. If the hash matches, the program proceeds to reverse the input and run a decryption function
5. The MD5 target, after being converted to little-endian format, is `70924d0cf669f9d23ccabd561202351f`
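
Points 3 and 5 can be reproduced offline. The following Python sketch is an added example, not code from the challenge or its author; it converts between the hex digest and the two 64-bit constants a decompiler shows, and mirrors the check described in points 1 and 2. It assumes the two integers are digest bytes 0-7 and 8-15 read little-endian and that the 16-byte limit is applied before the newline is stripped; the qword values it prints are computed from the digest quoted above, not read from the binary.

```python
import hashlib
import struct

# Digest string given in the write-up (byte order as MD5 tools print it).
TARGET_HEX = "70924d0cf669f9d23ccabd561202351f"


def digest_to_qwords(hex_digest):
    """Split a 16-byte digest into the two little-endian 64-bit constants
    a decompiler would display for an inlined comparison."""
    return struct.unpack("<QQ", bytes.fromhex(hex_digest))


def qwords_to_digest(lo, hi):
    """Inverse: turn two 64-bit constants back into the hex digest that
    md5sum or a hash lookup service expects."""
    return struct.pack("<QQ", lo, hi).hex()


def check_input(line, target_qwords):
    """Assumed mirror of the binary's check: keep at most 16 bytes,
    drop the newline, MD5 the rest, compare as two 64-bit integers."""
    data = line[:16].split(b"\n", 1)[0]
    got = struct.unpack("<QQ", hashlib.md5(data).digest())
    return got == tuple(target_qwords)


if __name__ == "__main__":
    lo, hi = digest_to_qwords(TARGET_HEX)
    print(f"qword 0: {lo:#018x}")
    print(f"qword 1: {hi:#018x}")
    print("digest :", qwords_to_digest(lo, hi))
```

Reading the constants straight out of the decompiler as big-endian hex gives a byte-reversed digest that no lookup will match, which is why the conversion step matters.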

So now we just need to check whether there is any string whose MD5 value matches the target hash. We can look it up on [CrackStation](https://crackstation.net/), and we get the string that uncovers the flag from the program.

<figure><img src="/files/FkZdqGXTiGprYSrveCVq" alt=""><figcaption></figcaption></figure>

### Flag

<figure><img src="/files/qRbPa9ghJHfjEWM2ewI4" alt=""><figcaption></figcaption></figure>

`DUCTF{In_the_land_of_cubicles_lined_in_gray_Where_the_clock_ticks_loud_by_the_light_of_day}`


