Write-up author: jon-brandy
The Client is in full control. Bypass the authentication and read the key to get the Flag.
- NONE
- First, unzip the `.zip` file given.
RESULT
- Got an `exe` file.
- Let's run it on Windows.
RESULT
- Let's decompile it with Ghidra.
RESULT
- Surprisingly, we got no clue.
- Then I ran `strings` on the file to see if there are any hints.
RESULT
- Now we know that the binary was written in .NET.
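Before reaching for a decompiler, it is worth knowing why plain `strings` shows the .NET markers but not the C# literals: the CLR keeps string literals in the assembly's #US heap as UTF-16LE, so an ASCII-only scan sees each character separated by a NUL byte and skips them (GNU `strings -e l` scans for exactly that encoding). The Python script below is an added example, not code from this write-up or from the challenge binary. It scans a byte blob for both ASCII and UTF-16LE runs, applies the same .NET heuristic the `strings` step relies on (the `mscoree.dll` / `_CorExeMain` import), and flags key-looking literals. The blob it scans is constructed inline for the example; the `SAMPLE_KEY` value is the one recovered later in the write-up.

```python
"""Added example (not part of the original write-up): a strings extractor that
also finds UTF-16LE literals, the encoding .NET uses for C# string constants."""
import re
import sys

# Constructed sample: an ASCII import-table fragment typical of a managed PE,
# some binary noise, then two C# literals stored the way the CLR keeps them
# in the #US heap (UTF-16LE). SAMPLE_KEY is the secret quoted in the write-up.
SAMPLE_KEY = "ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks"
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"mscoree.dll\x00_CorExeMain\x00"
    + b"\x01\x02\x03"
    + SAMPLE_KEY.encode("utf-16-le")
    + b"\x00\x00"
    + "Enter your name: ".encode("utf-16-le")
    + b"\xff\xfe"
)

# Substrings that make a literal worth a closer look. Assumption for the
# example; extend to taste.
KEY_HINTS = ("key", "secret", "password", "token")


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes (what `strings` does by default)."""
    pat = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII chars each followed by a NUL byte,
    i.e. UTF-16LE text (what `strings -e l` does)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}")
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def looks_like_dotnet(data: bytes) -> bool:
    """A managed executable imports mscoree.dll and its _CorExeMain entry stub;
    both names appear as plain ASCII, which is why `strings` reveals .NET."""
    found = set(ascii_strings(data))
    return "mscoree.dll" in found and "_CorExeMain" in found


def find_secrets(data: bytes, min_len: int = 4) -> dict[str, list[str]]:
    """Candidate secrets per encoding: literals containing one of KEY_HINTS."""
    return {
        "ascii": [s for s in ascii_strings(data, min_len)
                  if any(h in s.lower() for h in KEY_HINTS)],
        "utf16le": [s for s in utf16le_strings(data, min_len)
                    if any(h in s.lower() for h in KEY_HINTS)],
    }


if __name__ == "__main__":
    # Usage: python strings16.py [file.exe]; without an argument the constructed
    # sample blob is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print("managed (.NET) PE markers:", looks_like_dotnet(blob))
    print("ASCII-only scan finds the key:", SAMPLE_KEY in ascii_strings(blob))
    print("UTF-16LE scan finds the key:", SAMPLE_KEY in utf16le_strings(blob))
    for enc, hits in find_secrets(blob).items():
        for s in hits:
            print(f"[{enc}] {s}")
```

Run against the real `.exe` the same split shows up: the import names come out of the ASCII pass, the C# literals (prompts and the hardcoded key) only out of the UTF-16LE pass.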
- To decompile .NET binaries we need a .NET decompiler; let's use dnSpy, which also comes with a debugger we'll need later.
RESULT
- Now check this function.
- From it we know that the boolean values of `flag` and `flag2` are the same.
- Now set breakpoints on `flag2` and `flag`.
- Run the program.
RESULT
- Hmm.. When I checked the `1()` function, the bool always returns false.
- Anyway, let's change the bool value of `flag2` to `true` and then click the continue button.
RESULT ON THE CMD
- Now enter any string.
- Notice we got this value for the secret key.
- Copy that.
SECRET KEY
ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks
- Now run the program again in dnSpy and use the same steps.
- When prompted for the secret key, paste the string we got.
RESULT
- Nice, but don't click the continue button; press F10 in dnSpy to step over execution.
RESULT
- Got the flag! Both the check and the key live in the client, so a debugger that flips one boolean (or simply reading the string literal out of the assembly) is all it takes.
HTB{SuP3rC00lFL4g}