Find The Secret Flag

@ydrah
You are right. But the binary should be patched in two places.
You can skip the first patch by the actions you described, but the second patch to the hidden function is necessary.
Then run with different args, bruting it slightly, and wait for the flag.

Guys! Sorry to ruin the party, but I am not even able to execute the file. This file runs and doesn’t give me a CLI interface to type anything… Anyone encountered the same issue?

Hints
  1. It works. You just have to figure out how to make it progress. (Needs something to be somewhere)

  2. If you don’t like shortcuts, you need to patch the binary. Utilize everything, leave no function behind!

  3. CyberChef makes a delicious xor cake.

  4. You can skip 1&2 if shortcuts are your thing.

Thanks to the creators for this challenge!

Hi guys, I seem to be stuck too. I managed to brute force the number for the parameter. I also managed to get the “hit any key” part through patching. But the string I’m getting looks useless, even after I tried putting it in CyberChef. Any help would be appreciated.

Thanks to a particular three letter agency and their new tool I was able to do everything I needed for this for free.

Learned so much about reversing and the tool from this challenge. Great start to Linux reverse engineering.

Happy to provide pointers through DM

Can someone help me with this? The binary doesn’t print anything when I run it :slight_smile:

I finally managed to get the flag after analysing the asm code for a couple of hours. G***** from the N, * and * was very helpful. I learned a lot about reversing in this challenge. I managed to solve this challenge without patching the application, but I would like to talk about other solutions. Can anyone who solved it by patching the application drop me a DM? Thanks a lot!
Happy to provide hints through DM.

I got the creator name but I can’t verify it. Can anyone PM to help me, please? :frowning:

I feel like I’m close but not quite there yet…

I found the XOR key, and can get the program to spit out some hex that translates to some readable ASCII text. However, continuing from there just causes the program to exit.

I then tried forcing the program to execute a function that seemed to never be called by changing RIP to the secret function address. I can get to the application saying “–hit any key”, but then after that, it just exits normally with no more data seeming to be provided to me. Not sure what to do next.

Anyone able to send me a nudge would be greatly appreciated.

@i4n said:

Anyone have any suggestions for this one? Most seem to be stuck at the same spot and have found a way to either print the “–hit any key” or “are you sure its the right one”. I can’t seem to figure out exactly what’s going on with this. I know you can change the input in a couple ways and redirect to other functions but haven’t come up with anything that produces the flag

Nice comment, also this was not so difficult as snake for example. I did it just with static analysis.

Is it expected for the binary not to work properly?
When using a debugger (let’s say GDB), and stepping in, I get this message:

“_IO_new_fopen (filename=0x400c76 “/DIR/FILENAME”, mode=0x400c73 “rb”) at iofopen.c:88
88 iofopen.c: No such file or directory.”

p.s. Of course the file is in the expected location :slight_smile:

Just solved. I spent 6 hours :smiley: . Some tips: 1. radare2: use “aaaa”, find main and calls from main. 2. Search for strings. 3. Think about some strings (string) you found: where are they called from? Good luck, and try harder.
Ty, @BananaPr1nc3, your comment is pretty helpful! :slight_smile:

Is it correct to add a function to call the piece of the code where there is the string “–hit any key”? I got a lot of output strings, but the converted hex and xor don’t really mean anything. I saw the strings inside the binary but none captured my attention. Some help?

@Arkango said:

Is it correct to add a function to call the piece of the code where there is the string “–hit any key”? I got a lot of output strings, but the converted hex and xor don’t really mean anything. I saw the strings inside the binary but none captured my attention. Some help?

You are on the correct path. When your program prints “useless” stuff, try to backtrack where your operands come from and ask yourself if that makes any sense. At multiple points in the binary, things remain unused which should be used. Radare2 hints at what you could try; I can’t tell what it looks like in other disassemblers.

Hint: Find the right byte and profit. No reversing required. Having said that, I did spend time reversing to arrive at this hint. :smile:

This challenge made me want to end it all… And nobody in this thread mentions the issue that confused me the most.

If you get the string with the names of the creators but with a bunch of “unwanted” characters, then do some research about the bell character.

Alternatively, you do not need to know anything about what I mentioned above if you just patch the binary in the right places which, in my opinion, is a bit painful to work out.
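An added example, not part of the post above or of the challenge: a small Python equivalent of CyberChef's "From Hex" and "XOR" steps that also makes control bytes such as BEL (0x07) visible, since a terminal acts on them instead of drawing them. The key `0x2a`, the sample text and all function names are constructed for illustration.

```python
from collections import Counter

# Names for the C0 control bytes most often seen in program output.
CONTROL_NAMES = {0x00: "NUL", 0x07: "BEL", 0x08: "BS", 0x09: "TAB",
                 0x0A: "LF", 0x0D: "CR", 0x1B: "ESC"}

def from_hex(text: str) -> bytes:
    """Accept '2a 4d', '2a4d' or '0x2a,0x4d' style hex dumps."""
    cleaned = text.replace("0x", "").replace(",", " ")
    return bytes.fromhex("".join(cleaned.split()))

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def visible(data: bytes) -> str:
    """Escape non-printable bytes so the terminal cannot act on them."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
                   for b in data)

def control_report(data: bytes) -> dict:
    """Count control bytes by name, e.g. {'BEL': 12}."""
    hits = Counter(b for b in data if b < 0x20 or b == 0x7F)
    return {CONTROL_NAMES.get(b, f"0x{b:02x}"): n for b, n in hits.items()}

def strip_controls(data: bytes) -> str:
    """Keep only printable ASCII, dropping BEL and other control bytes."""
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)

# Constructed sample: readable text with a BEL between every character,
# XORed with a made-up one-byte key and dumped as hex.
SAMPLE_KEY = b"\x2a"
SAMPLE_PLAIN = b"\x07".join(bytes([c]) for c in b"made by alice") + b"\n"
SAMPLE_HEX = xor(SAMPLE_PLAIN, SAMPLE_KEY).hex(" ")

def decode_sample() -> bytes:
    return xor(from_hex(SAMPLE_HEX), SAMPLE_KEY)

if __name__ == "__main__":
    decoded = decode_sample()
    print("raw     :", visible(decoded))
    print("controls:", control_report(decoded))
    print("cleaned :", strip_controls(decoded))
```
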

New to HTB (and infosec in general), took me a full day!
Boy, that was challenging, but I learned a lot from it.
I made it with 2 binary patches, as well as a Python script (that did more than just the filecheck).

tips:

  1. strings - take a close look at them. Which function does each string belong to?
  2. the program has a few requirements to run properly. Find those in the code.
  3. identify the important zone that needs to run, as well as its required register values.

Hello everyone, I’m a beginner. Can someone help me?
I already found the hidden function, but I didn’t understand the meaning of the main function’s input,
whether the file creation is necessary later in the program for the state of the variables,
and how to reverse the printed xor.

@ydrah I think you finished this challenge already. I’m stuck on the hidden function to get the flag. Can you PM me, or if someone can, please?

Finally