We were given the file and, as the name suggests, it was a DOS executable. Loading it in IDA gives a fair idea of what actually happens and also shows that a key of length 13 is read as input.
Moving further ahead, we can see a comparison being done against the characters shown below:
In the beginning I tried to run the file in a DOS emulator, which did not work. Running the strings command on it gave me a few strings that turned out to be important later. There was a string being moved, as you can see here, which was nothing other than
1337SHELL. This was a guess, since it was the only string not used anywhere else. You can use r2 or gdb to print out what is at that address.
The rest was pretty straightforward: the first four characters of the input are compared directly against
1337, and the following characters of our input are XORed with
SHEL and compared with the characters shown below.
More or less like this (one iteration of the XOR check shown):
if inp != '-': exit(0)
if inp ^ buf != 'f': exit(0)
In order to get the
We can get that the resulting four characters after the
In : chr(ord('S')^ord('f'))
Out: '5'
In : chr(ord('H')^ord('y'))
Out: '1'
In : chr(ord('E')^ord('t'))
Out: '1'
In : chr(ord('L')^ord('y'))
Out: '5'
Now we have the four characters after the
-, which are
5115. We can also see a flag file being opened, so the final string is sent to the server where the challenge is hosted.
NOTE: The string comparison is only done against the first 9 characters, so the remaining characters of the 13-character key can be anything.
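To make the check concrete, here is an added Python reconstruction of the logic described above. It is example code written for this page, not the challenge binary's own code and not part of the original writeup. The function and constant names (check_key, recover_xor_part, build_key, TARGET) are assumptions, as is the compare string "fyty", which is simply the four bytes implied by the XOR computations above; the reconstruction also assumes the binary reads exactly 13 bytes and ignores the last four.

```python
# Added example (not the challenge binary's code): a reconstruction of the
# key check as the writeup describes it, plus the XOR inversion used to
# recover the four characters. TARGET is an assumption: the compare bytes
# implied by 'S'^'f', 'H'^'y', 'E'^'t', 'L'^'y' in the writeup.

KEY_LEN = 13            # the binary reads a 13-character key (assumed exact)
COMPARED_LEN = 9        # only the first nine characters are ever checked
PREFIX = b"1337"        # taken literally from the "1337SHELL" string
XOR_MASK = b"SHEL"      # the next four bytes of that string, used as XOR mask
SEPARATOR = ord("-")    # the single-character check between the two parts
TARGET = b"fyty"        # assumed compare bytes for input[5:9] ^ XOR_MASK


def check_key(key: bytes) -> bool:
    """Return True if `key` would pass the check as the writeup describes it."""
    if len(key) != KEY_LEN:          # assumption: exactly 13 bytes are read
        return False
    if key[:4] != PREFIX:            # "1337" is compared as-is
        return False
    if key[4] != SEPARATOR:          # if inp != '-': exit(0)
        return False
    for i in range(4):               # if inp ^ buf != 'f': exit(0), per byte
        if key[5 + i] ^ XOR_MASK[i] != TARGET[i]:
            return False
    return True                      # bytes 9..12 are never looked at


def recover_xor_part() -> str:
    """XOR is its own inverse, so input byte = target byte ^ mask byte."""
    return bytes(t ^ m for t, m in zip(TARGET, XOR_MASK)).decode()


def build_key(tail: bytes = b"AAAA") -> bytes:
    """Assemble a full 13-byte key; `tail` fills the uncompared bytes 9..12."""
    key = PREFIX + bytes([SEPARATOR]) + recover_xor_part().encode() + tail
    assert len(key) == KEY_LEN
    return key


if __name__ == "__main__":
    print(recover_xor_part())
    for candidate in (build_key(), build_key(b"zzzz"), b"1337-5116AAAA"):
        print(candidate, check_key(candidate))
```

Because the last four bytes are never compared, any two keys that agree on the first nine characters are equivalent to the binary; that is why the note above matters when you pad the key to 13 characters before sending it to the server.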
The final string is,
Any questions? Reach out to us on Twitter.