Sebastian's Blog

HACKVent 2019

HV19.10 Guess what

Sebastian

When running the binary, it asks for an input to validate. Putting "test" returns "nooooh. try harder!". So I thought that the right flag would be the valid input. Putting a single space or multiple characters separated by a space returns various bash errors. Firing up gdb shows that various subprocesses are spawned: first an instance of /bin/bash is spawned, after that guess3 is spawned again, then another instance of /bin/bash is spawned. At this point we are asked for the input. So I thought, maybe the second bash call actually passes an inline bash script which is then evaluated and does the input check. So I fired up gdb again, put a breakpoint on subprocess spawning, and after the first call to /bin/bash I exchanged /bin/bash with a simple C program which simply prints all parameters, and continued the execution.

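#include <stdio.h>

/* Stand-in for /bin/bash: print every argument it was started with. */
int main(int argc, char *argv[]) {
        int i = 0;
        /* argv[0] is the program name; the rest are the passed parameters */
        for (i = 0; i < argc; i++)
                printf("\n%s", argv[i]);
        return 0;
}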

This reveals that /bin/bash is called with the parameters ["./guess3", "-c", " *4096 spaces* #!/bin/bash\n\nread -p \"Your input: \" input\n\nif [ $input = \"HV19{Sh3ll_0bfuscat10n_1s_fut1l3}\" ] \nthen\n echo \"success\"\nelse \n echo \"nooooh. try harder!\"\nfi\n\n", "./guess3"]. So the flag is HV19{Sh3ll_0bfuscat10n_1s_fut1l3}.
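As an added example (not the author's code and not part of the challenge binary): a small C check that takes an argv like the one dumped above and returns the script hidden behind the whitespace padding of the `-c` argument. The threshold `PAD_THRESHOLD`, the function names and the stand-in sample script are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold (not from the page): leading whitespace bytes treated as padding. */
#define PAD_THRESHOLD 1024

/* Return the script text after the padding of a "-c" argument that starts with
 * at least PAD_THRESHOLD whitespace bytes, or NULL if argv has no such argument.
 * pad_len (optional) receives the padding length. */
const char *find_padded_inline_script(int argc, char *const argv[], size_t *pad_len) {
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-c") != 0)
            continue;
        const char *arg = argv[i + 1];
        size_t pad = 0;
        while (arg[pad] != '\0' && isspace((unsigned char)arg[pad]))
            pad++;
        if (pad >= PAD_THRESHOLD && arg[pad] != '\0') {
            if (pad_len)
                *pad_len = pad;
            return arg + pad;
        }
    }
    return NULL;
}

/* Constructed sample input: `pad` spaces followed by a short stand-in script. */
static void build_sample_arg(char *buf, size_t len, size_t pad) {
    if (len == 0)
        return;
    if (pad >= len)
        pad = len - 1;
    memset(buf, ' ', pad);
    snprintf(buf + pad, len - pad, "#!/bin/bash\nread -p \"Your input: \" input\n");
}

int main(void) {
    static char arg[8192];
    build_sample_arg(arg, sizeof arg, 4096);
    char *sample_argv[] = {"./guess3", "-c", arg, "./guess3", NULL};
    size_t pad = 0;
    const char *script = find_padded_inline_script(4, sample_argv, &pad);
    if (script)
        printf("padding: %zu bytes\nscript:\n%s", pad, script);
    return 0;
}
```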
