In this challenge, we are given a binary and the instructions to “Use pwntools and ghidra to reverse engineer and break into the ultrasecure(tm) vault!”
Let’s check it out!
Running the binary gives us the output:
$ ./ultrasecure
Prove that you are not human, repeat this to me in less than .05s: 1626412526
1626412526
Whoops, too slow
Looks like my reflexes aren’t quite fast enough, so we’ll have to automate the nonce. This is a good time to use pwntools! First we’ll connect to the binary, and then we’ll read in and repeat the nonce back. The code for the nonce looks like this:
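from pwn import *
conn = process('./ultrasecure')  # start the challenge binary
# Read the prompt line and keep its last token, the nonce
nonce = conn.recvline()
nonce = nonce.split()
nonce = nonce[-1]
# Send the nonce straight back
conn.sendline(nonce)
# Hand control to the terminal for the password prompt
conn.interactive()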
Running this script gives us
You passed the nonce check! Now, Unlock the UltraSecure(tm) Vault:
$ password
Whoops, wrong password :(
Firing up Ghidra gives us a password_check function, which contains the lines below.
local_c = -0x21524cc1;
__isoc99_scanf(&DAT_00400b9f,&local_3c);
if (local_c == local_3c) {
    print_flag();
    /* WARNING: Subroutine does not return */
    exit(0);
}
The check compares our input (local_3c) against the hard-coded constant in local_c, and -0x21524cc1 = -559041729, so we’ve got our password! Entering it after running our script gives us access to the flag.
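The two manual steps above (echoing the nonce and converting Ghidra's constant) can be combined in one script. This is an added example, not code from the original write-up. The helper names parse_nonce, scanf_input and solve are hypothetical, and because the format string behind DAT_00400b9f is not shown on the page, the signed-decimal default is an assumption that matches the value entered above.

```python
import re


def parse_nonce(prompt: bytes) -> bytes:
    """Return the decimal nonce that ends the challenge prompt line."""
    match = re.search(rb"(\d+)\s*$", prompt)
    if match is None:
        raise ValueError(f"no nonce in prompt: {prompt!r}")
    return match.group(1)


def scanf_input(literal: str, conversion: str = "d", bits: int = 32) -> bytes:
    """Turn a Ghidra constant such as '-0x21524cc1' into text scanf accepts.

    conversion is the scanf conversion character (assumed, see lead-in):
    'd' signed decimal, 'u' unsigned decimal, 'x' hexadecimal.
    """
    value = int(literal, 0)            # base 0 accepts the sign and 0x prefix
    unsigned = value % (1 << bits)     # two's-complement bit pattern
    if conversion == "d":
        if unsigned >> (bits - 1):     # top bit set: negative as a signed int
            return str(unsigned - (1 << bits)).encode()
        return str(unsigned).encode()
    if conversion == "u":
        return str(unsigned).encode()
    if conversion == "x":
        return format(unsigned, "x").encode()
    raise ValueError(f"unsupported conversion: {conversion!r}")


def solve(path: str = "./ultrasecure") -> bytes:
    """Run the binary, pass the nonce check, send the password, return output."""
    from pwn import process            # lazy import: helpers work without pwntools
    conn = process(path)
    conn.sendline(parse_nonce(conn.recvline()))
    conn.recvuntil(b"Vault:")          # prompt text as shown in the write-up
    conn.sendline(scanf_input("-0x21524cc1"))
    return conn.recvall(timeout=2)


if __name__ == "__main__":
    print(solve().decode(errors="replace"))
```

The same constant read as an unsigned 32-bit value is 0xdeadb33f, which is what scanf_input returns for the "x" conversion.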