SecureState Blog


For this challenge, we were provided a binary file and the hint “Your journey begins”.

We then ran “file” on it and verified it was an executable and then executed the file. SecureState then noticed that the binary accepted arguments of numbers 1-11 and the word “all”.

We then ran the binary with these parameters, which produced the following output.

Smiley face after smiley face scrolled across the screen when executed with the “all” argument. We then decided to break them up into their different sections.

$ ./b100_6817e51fa3b60f176b56 1 > section_1
$ ./b100_6817e51fa3b60f176b56 2 > section_2
…etc…
$ ./b100_6817e51fa3b60f176b56 11 > section_11

Once we had the output from all 11 sections, we proceeded to clean them up. By removing the whitespace, newlines, and the “@” symbols, then Base64 decoding each one, we were left with 11 new files. Upon running “file” on each file, we discovered that they had the headers of a 7zip file. Extracting each one separately gave us new files labeled bin2-a, bin2-b, …, bin2-k. 

From here, running “file” on the first one gave us another 7zip archive, while bin2-b through bin2-k came back as “Data”. The next logical step was to assemble all of the files into a single file so we could extract their contents.

$ cat bin2-* > bin2.7z 

After extracting bin2.7z, we were left with a new binary called “bin2”. When running the “bin2” executable, we were presented with more Base64 encoded ASCII art, as seen below.

After cleaning up and Base64 decoding the output, we were presented with a message saying “S0 S0RRY 41NT NUTH1N BUT 4 P34NUT” repeated several times. After unsuccessfully attempting to submit this as the key, SecureState then decided to run “strings” on the executable and discovered even more Base64 encoded ASCII art, in addition to an interesting string “h3rr0m3y3n4m31zbr0br0gan”. 

When we ran bin2 again, passing the “h3rr0m3y3n4m31zbr0br0gan” string as an argument, we got the larger result, which was also contained in the strings output.

$ ./bin2 h3rr0m3y3n4m31zbr0br0gan

After cleaning up and Base64 decoding that output, we were left with another archive file, this time in .lzop format. Once the contents of the .lzop file were extracted, we were left with yet another archive. This went on for a while with archives within archives. The following is the list of archive formats that were revealed and how we extracted each one.

Archive format   Extracted with
Packed data      7zip
gzip             7zip
arc              Uniextract.exe
xz               $ xz -d bin3.xz
rzip             $ rzip -d bin3.rz
gzip             7zip
POSIX tar        7zip
lzop             Uniextract.exe
bzip2            7zip
7z               7zip
ARJ              7zip
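
The clean-up step used throughout (strip whitespace and “@”, Base64 decode, check the header) and the formats listed above can be scripted as follows. This is an added example, not code from the original write-up; it goes beyond running “file” by matching the well-known magic bytes of the listed formats directly (arc is omitted). The sample blob and the helper names strip_art, decode_section, identify and wrap_as_art are constructed for illustration.

```python
import base64
import re

# Leading magic bytes of container formats named in this write-up.
MAGIC = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzop"),
    (b"RZIP", "rzip"),
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"\x60\xea", "ARJ"),
]

def strip_art(text: str) -> str:
    """Remove whitespace, newlines and '@' filler, keeping the Base64 text."""
    return re.sub(r"[\s@]+", "", text)

def decode_section(text: str) -> bytes:
    """Clean one section of ASCII art and Base64-decode it."""
    # validate=True raises on leftover non-Base64 characters instead of
    # silently skipping them, so an incomplete clean-up is noticed.
    return base64.b64decode(strip_art(text), validate=True)

def identify(blob: bytes) -> str:
    """Name the container by its header; 'data' when nothing matches."""
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    if blob[257:262] == b"ustar":  # tar keeps its magic at offset 257
        return "POSIX tar"
    return "data"

def wrap_as_art(blob: bytes, width: int = 6) -> str:
    """Build constructed sample art: Base64 text padded with '@' and spaces."""
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join("@@ " + " @ ".join(row) + " @@" for row in rows)

# Constructed sample: a 7z signature followed by filler bytes, not a real archive.
SAMPLE = b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(range(40))

if __name__ == "__main__":
    blob = decode_section(wrap_as_art(SAMPLE))
    print(identify(blob))                       # header present
    # Split like bin2-a, bin2-b: only the first part carries the signature.
    parts = [blob[:16], blob[16:32], blob[32:]]
    print([identify(p) for p in parts])
    print(identify(b"".join(parts)))            # reassembled, as with cat
```

Only the first piece of a split archive carries the signature, which is why the later parts identify as plain data until the pieces are concatenated.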

After extracting the files from the last ARJ archive, we were left with three files:

bin3-a
bin3-b
bin3-c 

Running “file” on the first file said that it was an executable, but we received a segmentation fault when trying to run it. Like before, we re-assembled the parts to make a single file. 

$ cat bin3-* > bin3_assembled 

Now, when we try to run the file, we are presented with various cryptic quotes and statements.

After unsuccessfully submitting a handful of them as the key, we figured it was a ruse and began looking for other possible solutions. Some of the strings turned out to be various hashes (SHA1, DES) and we attempted to crack those while continuing to look for more solutions. When running “strings” on the executable, we located all of the quotes that were displayed when the executable is run. However, there was one string that was on its own, separate from the rest of the quotes that are produced when executing the program normally.

This string was a quote from Back to the Future: “Where we’re going we do’t need… roads.”  We submitted this as the key for +100 points.