When running the binary it asks for an input to validate. Putting test returns nooooh. try harder! So I thought, that the right flag would be the valid input. Putting a single space or multiple characters separated by a space returns various bash errors. Firing up gdb shows that various subprocesses are spawned: first an instance of /bin/bash ist spawned, after that guess3 is spawned again, then another instance of /bin/bash is spawned. At this point we are asked for the input. So I thought, maybe, the second bash call actually passes an inline bash script which is then evaluated and does the input check. So, I fired up gdb again, put a breakpoint on subprocess spawning, and after the first call to /bin/bash I exchanged /bin/bash with an simple c program which simply prints all parameters and continued the execution.
#include <stdio.h> int main(int args, char *argv[]) { int i = 0; for (i = 0; i < args; i++) printf("\n%s", argv[i]); return 0; }
This reveals that /bin/bash is called with the parameters [“./guess3”, “-c”, ” *4096 spaces* #!/bin/bash\n\nread -p \”Your input: \” input\n\nif [ $input = \”HV19{Sh3ll_0bfuscat10n_1s_fut1l3}\” ] \nthen\n echo \”success\”\nelse \n echo \”nooooh. try harder!\”\nfi\n\n”, “./guess3”]. So the flag is HV19{Sh3ll_0bfuscat10n_1s_fut1l3}.