Baby RE
We have a binary called baby:
$ file baby
baby: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=25adc53b89f781335a27bf1b81f5c4cb74581022, for GNU/Linux 3.2.0, not stripped
If we run it, it asks for a key:
$ ./baby
Insert key:
We can enter something and see that it is not correct:
$ ./baby
Insert key:
1234
Try again later.
We can make use of ltrace to see every call to external functions (functions that belong to a library like Glibc):
$ ltrace ./baby
puts("Insert key: "Insert key:
) = 13
fgets(
For example, it uses puts to print the message and fgets to read our input. If we enter some text, we see something really interesting:
$ ltrace ./baby
puts("Insert key: "Insert key:
) = 13
fgets(1234
"1234\n", 20, 0x7fb37e452980) = 0x7fffa441c7a0
strcmp("1234\n", "abcde122313\n") = -48
puts("Try again later."Try again later.
) = 17
+++ exited (status 0) +++
It is comparing our input with "abcde122313\n", so this is the key we need to enter:
$ ./baby
Insert key:
abcde122313
HTB{B4BY_R3V_TH4TS_EZ}
There are three more ways to complete this challenge:
- Decompile the binary with Ghidra or IDA to see the strcmp call.
- Use a debugger like GDB and check the expected value of the key.
- Run strings on the binary to see the valid key.
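
Why the strings approach in the last bullet works, as an added example (not part of the original write-up and not code from the challenge): a simplified strings-style scanner that reports every run of printable ASCII of at least 4 bytes. The SAMPLE buffer is constructed to resemble string literals sitting in a read-only data section; it is not dumped from baby, and the printable range 0x20..0x7e is a simplification of what the real tool accepts.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HITS 16
#define MAX_LEN  64

struct hit { size_t offset; char text[MAX_LEN]; };

/* Collect runs of printable ASCII (0x20..0x7e) at least min_len bytes long.
 * Returns the number of runs stored in hits (at most max_hits). */
size_t scan_strings(const unsigned char *buf, size_t len, size_t min_len,
                    struct hit *hits, size_t max_hits)
{
    size_t n = 0, start = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {          /* i == len flushes the last run */
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable) {
            if (run == 0) start = i;
            run++;
            continue;
        }
        if (run >= min_len && n < max_hits) {
            size_t copy = run < MAX_LEN - 1 ? run : MAX_LEN - 1;
            memcpy(hits[n].text, buf + start, copy);
            hits[n].text[copy] = '\0';
            hits[n].offset = start;
            n++;
        }
        run = 0;
    }
    return n;
}

/* Constructed sample: literals laid out back to back, NUL-terminated,
 * surrounded by non-printable filler bytes. */
static const unsigned char SAMPLE[] =
    "\x01\x00\x02\x00Insert key: \0abcde122313\n\0Try again later.\0\x7f\x03";

int main(void)
{
    struct hit hits[MAX_HITS];
    size_t n = scan_strings(SAMPLE, sizeof SAMPLE - 1, 4, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)               /* offset, then the string */
        printf("%4zu  %s\n", hits[i].offset, hits[i].text);
    return 0;
}
```

Any literal the program compares against with strcmp has to exist in the file in this form, which is why the key shows up next to the prompt and error message.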