DEADFACE2022 Logo

Author(s):

  • TheZeal0t

Category:

  • Reverse Engineering

Points:

  • 100

File(s):

  • df2022_re02.exe

Hint(s):

  • None

Cereal Killer 02

Challenge:

How well do YOU know TheZeal0t? See if you can answer this trivia question! Enter the answer as flag{here-is-the-answer}.

Download File SHA1: c3624613e638db237133bb4f4137a2d8e283d633

Solution:

The provided file was a PE32 executable written in .NET:

$ file df2022_re02.exe 
df2022_re02.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Running the program produced a prompt asking for TheZeal0t's favorite breakfast cereal:

$ mono df2022_re02.exe

What is TheZeal0t's favorite breakfast cereal?
Answer: PingTrip
I'm sorry, but although TheZeal0t will eat almost ANY breakfast cereal(he eats it without milk, which a lot of people find truly disgusting), that is not his FAVORITE cereal.  Therefore, I cannot share the flag with you.  Please try again.

We opened the program in ILSpy and reviewed the code's logic:


Console.WriteLine("What is TheZeal0t's favorite breakfast cereal?");
	Console.Write("Answer: ");
	string text2 = Console.ReadLine();
	text2 = text2.Trim();
	string text3 = "68c6cedc2edc7a6786f05a4419f29f32";
	byte[] second = new byte[16]
	{
		174, 225, 238, 82, 98, 117, 124, 246, 123, 97,
		159, 246, 62, 150, 114, 182
	};
	byte[] array;
	using (MD5 mD = MD5.Create())
	{
		byte[] bytes = Encoding.ASCII.GetBytes(text2);
		array = mD.ComputeHash(bytes);
	}
	if (array.SequenceEqual(second))
	{

We can see that the user's input is used to generate an MD5 hash which is then compared against a hardcoded MD5 hash stored in the byte array named second[]. We extracted the bytes from second[] and used CyberChef to quickly to it into a hex string for cracking.

We loaded the hash onto our cracking rig and ran a Hashcat session with the RockYou wordlist, but it was unable to crack the hash. We ran a second session using the Weakpass2 list and Hashcat produced the plaintext in under five minutes:

$ hashcat -w4 -m0 -a0 "aee1ee5262757cf67b619ff63e9672b6" /data/wrdlists/weakpass_2
Status...........: Cracked

aee1ee5262757cf67b619ff63e9672b6:peanutbuttercrunch

Running the program again and supplying the input peanutbuttercrunch revealed the flag:

$ mono df2022_re02.exe

What is TheZeal0t's favorite breakfast cereal?
Answer: peanutbuttercrunch
That's CORRECT!  Congratulations!  Here is the flag...
flag{Peanut-Butter-Crunch-FTW-For-DaZeal0t!}

The accepted flag was: flag{Peanut-Butter-Crunch-FTW-For-DaZeal0t!}

Published:

Updated:

Leave a comment