Cult Meeting
We are given a binary called meeting:
$ file meeting
meeting: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=72d8b06e4ca750d5c24395d3349c3121b9b95283, for GNU/Linux 3.2.0, not stripped
Reverse engineering
Using Ghidra, we can read the decompiled source code in C. This is the main function:
int main() {
  int ret;
  char *pointer;
  char input_data[64];
  
  setvbuf(stdout, NULL, 2, 0);
  puts("\x1b[3mYou knock on the door and a panel slides back\x1b[0m");
  puts(&DAT_00102040);
  fwrite("\"What is the password for this week\'s meeting?\" ", 1, 0x30, stdout);
  fgets(input_data, 0x40, stdin);
  pointer = strchr(input_data, 0xa);
  *pointer = '\0';
  ret = strcmp(input_data, "sup3r_s3cr3t_p455w0rd_f0r_u!");
  if (ret == 0) {
    puts("\x1b[3mThe panel slides closed and the lock clicks\x1b[0m");
    puts("|      | \"Welcome inside...\" ");
    system("/bin/sh");
  } else {
    puts("   \\/");
    puts(&DAT_00102130);
  }
  return 0;
}
The program asks for a password and compares the input with strcmp against a value hard-coded in the binary: sup3r_s3cr3t_p455w0rd_f0r_u!.
Once we enter the valid password, system("/bin/sh") is executed and we get a shell.
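A literal passed to strcmp is stored as plain bytes in the executable, so it can be found without a decompiler. The following is an added example (not part of the challenge or of the original write-up) of a build-time audit that lists printable runs in a buffer and marks credential-like ones for review; the sample bytes are constructed, and the names printable_run and looks_like_credential and the heuristic itself are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a slice of .rodata (not dumped from the binary):
 * NUL-terminated literals with non-printable bytes in between. */
static const unsigned char sample_rodata[] =
    "\x01\x00\x02\x00" "sup3r_s3cr3t_p455w0rd_f0r_u!\x00"
    "\x1b[3m\x00\xff\xfe" "/bin/sh\x00";

/* Copy the idx-th run of >= min_len printable ASCII bytes; return its length or 0. */
size_t printable_run(const unsigned char *buf, size_t len, size_t min_len,
                     size_t idx, char *out, size_t out_sz)
{
    size_t start = 0, seen = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] >= 0x20 && buf[i] <= 0x7e) continue; /* in a run */
        size_t run = i - start;
        if (run >= min_len && seen++ == idx) {
            size_t n = run < out_sz - 1 ? run : out_sz - 1;
            memcpy(out, buf + start, n);
            out[n] = '\0';
            return run;
        }
        start = i + 1;   /* next run begins after this non-printable byte */
    }
    return 0;
}

/* Heuristic (an assumption, tune per code base): long, space-free tokens that
 * mix letters and digits deserve a human look as possible embedded secrets. */
int looks_like_credential(const char *s)
{
    int letters = 0, digits = 0;
    if (strlen(s) < 12) return 0;
    for (; *s; s++) {
        if (*s == ' ') return 0;
        if (isalpha((unsigned char)*s)) letters = 1;
        if (isdigit((unsigned char)*s)) digits = 1;
    }
    return letters && digits;
}

int main(void)
{
    char s[128];
    for (size_t i = 0; printable_run(sample_rodata, sizeof sample_rodata, 4, i, s, sizeof s); i++)
        printf("%-8s %s\n", looks_like_credential(s) ? "REVIEW" : "ok", s);
    return 0;
}
```

Any secret that reaches the binary in comparable form shows up in this kind of scan, so the check on the server side should not depend on a value shipped to the client.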
Flag
Let’s connect to the server and read the flag:
$ nc 161.35.172.25 31802
You knock on the door and a panel slides back
|/👁️ 👁️ \| A hooded figure looks out at you
"What is the password for this week's meeting?" sup3r_s3cr3t_p455w0rd_f0r_u!
sup3r_s3cr3t_p455w0rd_f0r_u!
The panel slides closed and the lock clicks
|      | "Welcome inside..."
/bin/sh: 0: can't access tty; job control turned off
$ ls
ls
flag.txt  meeting
$ cat flag.txt
cat flag.txt
HTB{1nf1ltr4t1ng_4_cul7_0f_str1ng5}