Neurosoft is recruiting part 1: re_challenge3

re_challenge3 is a nice little challenge that could be solved at NorthSec 2019. There were three re_challenge in total found under the topic “Neurosoft is recruiting part 1”. This one looks more like the typical crackme that you would find online.

This challenge is very simple; there’s nothing magical about it. It’s a C++ program, and its insides are complicated if you go for the static analysis approach. Every flag starts with “FLAG-”, so if you do a simple test like this one (pictured), you can easily guess what the program does.

Output of the program after entering the character ‘F’ as input

Although it’s a very simple program, I thought about sharing my solution to show off how Bash is useful to do automation. After figuring out what the program wants as its input and understanding its output, you would have to type characters one by one to generate the flag. This is slow. You don’t want to type in characters manually just in case the flag is as long as a SHA-512 hash.

Bash can write data to the stdin of a program and read its stdout. Once we know the program prints the next valid character of the flag as its output, we have to save it to our own buffer and resubmit it as input to the program to get the next character.

The following script gets us the correct flag:

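#!/bin/bash
flag=""
while true; do
    # Feed the known prefix to the binary; keep line 2 of its output, minus NUL bytes
    k=$(echo "$flag" | ./re_challenge3 | tr -d '\0' | sed -n '2p')
    flag="$flag${k:0:1}"
    echo "$flag"
    # Stop once the program has no further character to offer
    if [ -z "${k:0:1}" ]; then
        break
    fi
done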

sed -n '2p' will print the second line of the program’s output. In this case, the result will be stored in a variable.

tr -d '\0' will get rid of the annoying message “warning: command substitution: ignored null byte in input” that would appear when there is a null character in the ELF’s output. Bash doesn’t like them.

Running this script on the binary will get you the flag “FLAG-a4e5a7fa50cc14830523b5ff36cf9bbaef43ffc9”. Yay!

Sure, you can already see parts of the flag in IDA, but the program outputs what to feed itself with, so don’t waste time understanding how the program does it.
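The same feedback loop, as an added example that is not part of the original post: it runs against a constructed stand-in for the binary (mock_oracle, chatty_oracle and SECRET are hypothetical names and values), stays POSIX sh, and caps the number of rounds so a program that never returns an empty second line cannot keep it spinning. It also shows why a checker that answers with the next expected character gives up its secret in one run per character.

```shell
#!/bin/sh
# Constructed sample secret, NOT the real flag.
SECRET='FLAG-0123abcd'

# Stand-in for ./re_challenge3 (assumption: banner on line 1, next expected
# character on line 2, empty line 2 when there is nothing more to reveal).
mock_oracle() {
    read -r guess || guess=''
    echo 'Enter the password:'                 # constructed banner text
    case "$SECRET" in
        "$guess"*) rest=${SECRET#"$guess"}     # guess is a valid prefix
                   printf '%.1s\n' "$rest" ;;  # leak the next character
        *)         echo '' ;;                  # wrong prefix: leak nothing
    esac
}

# A misbehaving stand-in that always offers another character.
chatty_oracle() {
    read -r _ || :
    echo 'Enter the password:'
    echo 'A'
}

# recover ORACLE [MAX_LEN]
# Feed the known prefix, append the first character of output line 2, repeat.
# Stops on an empty answer or after MAX_LEN rounds (default 128).
recover() {
    oracle=$1
    max=${2:-128}
    flag=''
    n=0
    while [ "$n" -lt "$max" ]; do
        k=$(printf '%s\n' "$flag" | "$oracle" | tr -d '\0' | sed -n '2p' | cut -c1)
        if [ -z "$k" ]; then
            break
        fi
        flag="$flag$k"
        n=$((n + 1))
    done
    printf '%s\n' "$flag"
}

recover mock_oracle
```

To point it at a real binary, wrap the call in a small function (for example one that runs ./re_challenge3) and pass that function's name to recover.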

I hope that you learned something reading this. If you are looking for the file, it has been forever immortalized on VirusTotal. You can find it using this SHA-1 hash: 6e809a2e4f9bb691a9ca58dedee49d2f4bf09418

Written by Alexandre-Xavier Labonté-Lamoureux

Software Engineering student at École de Technologie Supérieure