Neurosoft is recruiting part 1: re_challenge3

re_challenge3 is a nice little challenge that could be solved at NorthSec 2019. There were three re_challenge challenges in total, found under the topic “Neurosoft is recruiting part 1”. This one looks more like the typical crackme that you would find online.

This challenge is very simple; there’s nothing magical about it. It’s a C++ program, and its insides are complicated if you go for the static analysis approach. Every flag starts with “FLAG-”, so if you do a simple test like this one (pictured), you can easily guess what the program does.

Output of the program after entering the character ‘F’ as input

Although it’s a very simple program, I thought about sharing my solution to show off how useful Bash is for automation. After figuring out what the program wants as its input and understanding its output, you would have to type characters one by one to generate the flag. This is slow. You don’t want to type in characters manually just in case the flag is as long as a SHA-512 hash.

Bash can write data to the stdin of a program and read its stdout. Once we know the program prints the next valid character of the flag as its output, we save that character to our own buffer and resubmit the buffer as input to the program to get the next character.

The following script gets us the correct flag:

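#!/bin/bash
flag=""
while true; do
    # Feed the flag recovered so far; line 2 of the output holds the next character
    k=$(echo "$flag" | ./re_challenge3 | tr -d '\0' | sed -n '2p')
    flag="$flag${k:0:1}"
    echo "$flag"
    # No new character means the flag is complete
    if [ -z "${k:0:1}" ]; then
        break
    fi
done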

sed -n '2p' will print the second line of the program’s output. In this case, the result will be stored in a variable.

tr -d '\0' will get rid of the annoying message “warning: command substitution: ignored null byte in input” that would appear when there is a null character in the ELF’s output. Bash doesn’t like them.

Running this script on the binary will get you the flag “FLAG-a4e5a7fa50cc14830523b5ff36cf9bbaef43ffc9”. Yay!
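The same feedback loop as an added example, not the author's script: it runs against a constructed stand-in function (mock_oracle, with a made-up flag value) instead of the real binary, adds an iteration cap so an oracle that never returns an empty line cannot loop forever, and sticks to POSIX shell constructs. The only thing taken from the page is that the next character sits on line 2 of the output and that the output may contain a null byte; everything else about the mock is an assumption.

```shell
#!/bin/sh
# Constructed stand-in for ./re_challenge3 (NOT the real binary).
# Reads one guess on stdin, prints a banner on line 1 (with a NUL byte,
# to mimic the null characters mentioned above) and the next valid
# character on line 2, or an empty line 2 when there is nothing to add.
MOCK_SECRET='FLAG-c0ffee42'   # constructed sample value

mock_oracle() {
    IFS= read -r guess || guess=''
    printf 'checking...\0\n'
    case "$MOCK_SECRET" in
        "$guess"?*)
            # guess is a proper prefix: reveal the character that follows it
            rest=${MOCK_SECRET#"$guess"}
            printf '%s\n' "${rest%"${rest#?}"}" ;;
        *)
            # wrong guess or complete flag: nothing to reveal
            printf '\n' ;;
    esac
}

# recover ORACLE MAXLEN
# Feeds the recovered prefix back to ORACLE until it stops returning
# characters or MAXLEN characters have been collected.
recover() {
    flag='' i=0
    while [ "$i" -lt "$2" ]; do
        # printf instead of echo: the prefix is passed through unmodified
        k=$(printf '%s\n' "$flag" | "$1" | tr -d '\0' | sed -n '2p')
        c=${k%"${k#?}"}          # first character of line 2, if any
        if [ -z "$c" ]; then
            break
        fi
        flag=$flag$c
        i=$((i + 1))
    done
    printf '%s\n' "$flag"
}

recover mock_oracle 64
```
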

Sure, you can already see parts of the flag in IDA, but the program outputs what to feed itself with, so don’t waste time understanding how the program does it.

I hope that you learned something reading this. If you are looking for the file, it has been forever immortalized on VirusTotal. You can find it using this SHA-1 hash: 6e809a2e4f9bb691a9ca58dedee49d2f4bf09418
