Neurosoft is recruiting part 1: re_challenge3
re_challenge3 is a nice little challenge that could be solved at NorthSec 2019. There were three re_challenge challenges in total, found under the topic “Neurosoft is recruiting part 1”. This one looks more like the typical crackme that you would find online.
This challenge is very simple; there’s nothing magical about it. It’s a C++ program and its insides are complicated if you go for the static analysis approach. Every flag starts with “FLAG-”, so if you do a simple test like this one (pictured), you can easily guess what the program does.
Although it’s a very simple program, I thought about sharing my solution to show how useful Bash is for automation. After figuring out what the program wants as its input and understanding its output, you would have to type characters one by one to generate the flag. This is slow. You don’t want to type in characters manually just in case the flag is as long as a SHA-512 hash.
Bash can write data to the stdin of a program and read its stdout. Once we know the program prints the next valid character of the flag as its output, we have to save that character to our own buffer and resubmit the buffer as input to the program to get the next character.
The following script gets us the correct flag:
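#!/bin/bash
# Recover the flag one character at a time by feeding the known prefix back in.
flag=""
while true; do
    # Line 2 of the program's output holds the next valid character.
    k=$(echo "$flag" | ./re_challenge3 | tr -d '\0' | sed -n '2p')
    flag="$flag${k:0:1}"
    echo "$flag"
    # Stop once the program returns no further character.
    if [ -z "${k:0:1}" ]; then
        break
    fi
done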
sed -n '2p' will print the second line of the program’s output. In this case, the result will be stored in a variable.
tr -d '\0' will get rid of the annoying message “warning: command substitution: ignored null byte in input” that would appear when there is a null character in the ELF’s output. Bash doesn’t like them.
Running this script on the binary will get you the flag “FLAG-a4e5a7fa50cc14830523b5ff36cf9bbaef43ffc9”. Yay!
I hope that you learned something reading this. If you are looking for the file, it has been forever immortalized on VirusTotal. You can find it using this SHA-1 hash: 6e809a2e4f9bb691a9ca58dedee49d2f4bf09418