Writeup: Ultrasecure

In this challenge, we are given a binary and the instructions to “Use pwntools and ghidra to reverse engineer and break into the ultrasecure(tm) vault!”

Let’s check it out!

Running the binary gives us the output:

$ ./ultrasecure
Prove that you are not human, repeat this to me in less than .05s: 1626412526
1626412526
Whoops, too slow

Looks like my reflexes aren’t quite fast enough, so we’ll have to automate the nonce. This is a good time to use pwntools! First we’ll connect to the binary, and then we’ll read in and repeat the nonce back. The code for the nonce looks like this:


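from pwn import *

# Start the challenge binary locally
conn = process('./ultrasecure')
# The nonce is the last whitespace-separated token of the prompt line
nonce = conn.recvline()
nonce = nonce.split()
nonce = nonce[-1]
# Send the nonce straight back, then hand control to the terminal
conn.sendline(nonce)
conn.interactive()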

Running this script gives us:

You passed the nonce check! Now, Unlock the UltraSecure(tm) Vault:
$ password
Whoops, wrong password :(

Firing up Ghidra gives us a password_check function, which contains the lines below.

  
  local_c = -0x21524cc1;
  __isoc99_scanf(&DAT_00400b9f,&local_3c);
  if (local_c == local_3c) {
    print_flag();
                    /* WARNING: Subroutine does not return */
    exit(0);
  }

-0x21524cc1 = -559041729, so we’ve got our password! Entering it after running our script gives us access to the flag.
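
The whole exchange can be replayed offline with only the Python standard library. This is an added example, not code from the original writeup: mock_vault is a constructed stand-in for the binary that reuses the prompts shown above, the flag string is a placeholder, and the scanf format is assumed to read a decimal int.

```python
import socket
import threading
import time

SECRET = -0x21524cc1   # constant from password_check; same bits as 0xDEADB33F
LIMIT = 0.05           # seconds allowed by the nonce prompt
FLAG = b"FLAG{constructed-placeholder}"   # constructed, not the real flag

def to_int32(value):
    """Wrap a Python int to a signed 32-bit C int, the way Ghidra displays it."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def mock_vault(sock, nonce=1626412526):
    """Constructed stand-in for the binary: timed nonce echo, then password."""
    rfile = sock.makefile("rb")
    sock.sendall(b"Prove that you are not human, repeat this to me "
                 b"in less than .05s: %d\n" % nonce)
    start = time.monotonic()
    reply = rfile.readline().strip()
    if time.monotonic() - start > LIMIT or reply != b"%d" % nonce:
        sock.sendall(b"Whoops, too slow\n")
    else:
        sock.sendall(b"You passed the nonce check! Now, Unlock the "
                     b"UltraSecure(tm) Vault:\n")
        guess = rfile.readline().strip()
        # Assumption: the scanf format parses a decimal int into local_3c.
        ok = guess.lstrip(b"-").isdigit() and to_int32(int(guess)) == SECRET
        sock.sendall((FLAG if ok else b"Whoops, wrong password :(") + b"\n")
    sock.close()

def solve(delay=0.0):
    """Run the two-step exchange; delay > LIMIT models a human typing."""
    client, server = socket.socketpair()
    threading.Thread(target=mock_vault, args=(server,), daemon=True).start()
    rfile = client.makefile("rb")
    nonce = rfile.readline().split()[-1]   # same parsing as the script above
    time.sleep(delay)
    client.sendall(nonce + b"\n")
    result = rfile.readline().strip()
    if result.startswith(b"You passed"):
        client.sendall(b"%d\n" % SECRET)
        result = rfile.readline().strip()
    client.close()
    return result.decode()

if __name__ == "__main__":
    print(solve())            # automated reply beats the timer
    print(solve(delay=0.1))   # slower than LIMIT
```

The timer only measures how fast the reply arrives, so any scripted client passes it, and the password is recoverable because the comparison constant is stored in the binary itself.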
