Tags: rev
Rating:
## cereal killer 05
### description
> points: 50
>
> created by: `thezeal0t`
we think dr. geschichter of lytton labs likes to use his favorite monster cereal as a password for all of his accounts! see if you can figure out what it is, and keep it handy! choose one of the binaries to work with.
enter the answer as flag{whatever-it-is}.
[download file](https://gr007.tech/writeups/2023/deadface/rev/cereal_killer_5/cereal)
### solution
when the binary is run, it askes for dr. geschichter's favourite cereal and entity.
```sh
deadface/rev/cereal_killer_5 on master [!?]
❯ ./cereal
dr. geschichter, just because he is evil, doesn't mean he doesn't have a favorite cereal.
please enter the passphrase, which is based off his favorite cereal and entity: adsfadff
notf1aq{you-guessed-it---this-is-not-the-f1aq}
```
i don't know if it is the intended solution, i just ran the program in gdb, interrupted it when it asked for input and search for any string having `flag{}` and there it was, the flag.
```sh
deadface/rev/cereal_killer_5 on master [!?]
❯ gdb cereal
gnu gdb (gdb) 13.2
copyright (c) 2023 free software foundation, inc.
license gplv3+: gnu gpl version 3 or later <http://gnu.org/licenses/gpl.html>
this is free software: you are free to change and redistribute it.
there is no warranty, to the extent permitted by law.
type "show copying" and "show warranty" for details.
[ legend: modified register | code | heap | stack | string ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0xfffffe00
$ebx : 0x0
$ecx : 0x5655a5b0 → 0x00000000
$edx : 0x400
$esp : 0xffffc2c0 → 0xffffc328 → 0xffffc998 → 0xffffcc38 → 0x00000000
$ebp : 0xffffc328 → 0xffffc998 → 0xffffcc38 → 0x00000000
$esi : 0xf7e20e34 → "l\r""
$edi : 0xf7e207c8 → 0x00000000
$eip : 0xf7fc7579 → <__kernel_vsyscall+9> pop ebp
$eflags: [zero carry parity adjust sign trap interrupt direction overflow resume virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffc2c0│+0x0000: 0xffffc328 → 0xffffc998 → 0xffffcc38 → 0x00000000 ← $esp
0xffffc2c4│+0x0004: 0x00000400
0xffffc2c8│+0x0008: 0x5655a5b0 → 0x00000000
0xffffc2cc│+0x000c: 0xf7d1e0d7 → 0xfff0003d ("="?)
0xffffc2d0│+0x0010: 0xf7e215c0 → 0xfbad2288
0xffffc2d4│+0x0014: 0xf7e20e34 → "l\r""
0xffffc2d8│+0x0018: 0xffffc328 → 0xffffc998 → 0xffffcc38 → 0x00000000
0xffffc2dc│+0x001c: 0xf7c827b2 → <_io_file_underflow+674> add esp, 0x10
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
0xf7fc7573 <__kernel_vsyscall+3> mov ebp, esp
0xf7fc7575 <__kernel_vsyscall+5> sysenter
0xf7fc7577 <__kernel_vsyscall+7> int 0x80
→ 0xf7fc7579 <__kernel_vsyscall+9> pop ebp
0xf7fc757a <__kernel_vsyscall+10> pop edx
0xf7fc757b <__kernel_vsyscall+11> pop ecx
0xf7fc757c <__kernel_vsyscall+12> ret
0xf7fc757d <__kernel_vsyscall+13> int3
0xf7fc757e nop
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] id 1, name: "cereal", stopped 0xf7fc7579 in __kernel_vsyscall (), reason: sigint
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xf7fc7579 → __kernel_vsyscall()
[#1] 0xf7d1e0d7 → read()
[#2] 0xf7c82690 → _io_file_underflow()
[#3] 0xf7c84f1a → _io_default_uflow()
[#4] 0xf7c62b63 → add esp, 0x10
[#5] 0xf7c56df9 → __isoc99_scanf()
[#6] 0x5655637a → main()
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ grep flag{
[+] searching 'flag{' in memory
[+] in '[stack]'(0xfffdc000-0xffffe000), permission=rw-
0xffffca0b - 0xffffca2b → "flag{xeno-do-do-do-do-do-dooooo}"
gef➤
```
flag: `flag{xeno-do-do-do-do-do-dooooo}`