We were provided with an assembly file that looks like the output of having GCC dump the assembly of a C program.
First I assembled it into an executable with gcc sso.s -o sso.
Then I inspected the resulting binary with radare2 to find the addresses of the two final branches, the one that prints 'FAIL' and the one that prints the flag. I noted those addresses down and used them in a short angr script: explore towards the success block while avoiding the failure block, then dump whatever stdin angr had to concretise to get there.
import angr

p = angr.Project("sso")
st = p.factory.entry_state()                 # start at the entry point with symbolic stdin
sm = p.factory.simulation_manager(st)
sm.use_technique(angr.exploration_techniques.DFS())  # depth-first: one path at a time, less memory
# Addresses taken from radare2: the block that prints the flag, and the block that prints 'FAIL'
sm.explore(find=0x401242, avoid=0x40113a)
inp = sm.found[0].posix.dumps(0)             # states that hit 'find' land in the found stash; dump their stdin
print(f"Valid input: {inp!r}")
with open("sso_solution.txt", "wb") as f:    # raw bytes: the input is not printable
    f.write(inp)
This results in:
Valid input: b'licnX\x83"L+\x80:\xc0ect\x01\x00\x02\x00'
After finding a valid input string, we can pass it to the online version to get our flag:
λ cat sso_solution.txt | nc dolphin.hacking-lab.com 4488
Welcome to SSO - Secret Service Online
Enter you mission code:
SUCCESS!
Welcome, Agent Barnett!
Your next mission:
mission ID: 8574
type: recon
location: Etihad Stadium, Manchester, UK
goal: get secret file from room 1337
access code: pactf{s3cr3t_operation_8574}
Good luck and may the force be with you!
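The solution contains nul bytes, a double quote and bytes above 0x7f, so it cannot be typed or passed as a shell argument; the write-up pipes the file into nc. Some netcat builds exit as soon as stdin hits EOF, which can lose the response, so below is a small Python client that half-closes the socket after sending and reads the reply to EOF. This is an added example, not code from the write-up: the stub service it talks to is a constructed local stand-in that only echoes the banner and checks for the recorded solution, the prompt marker "mission code:" is an assumption taken from the banner, and the real host is never contacted unless you call send_solution against it yourself.

```python
import socket
import threading

# Solution bytes reported by the angr run above: nul bytes, a double quote and
# bytes above 0x7f mean this cannot be typed or passed as a shell argument.
SOLUTION = b'licnX\x83"L+\x80:\xc0ect\x01\x00\x02\x00'


def recv_until(sock, marker, timeout=5.0):
    """Read until marker is seen or the peer closes; return everything read."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def recv_all(sock, timeout=5.0):
    """Read until the peer closes its side of the connection."""
    sock.settimeout(timeout)
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def send_solution(payload, host, port, prompt=b"mission code:"):
    """Wait for the prompt, send the raw payload, then read the reply to EOF.

    The half-close (SHUT_WR) tells the service we are done sending while our
    side keeps reading, so the response is not lost the way it can be when a
    netcat build exits as soon as stdin hits EOF. The prompt marker is an
    assumption taken from the banner the service printed.
    """
    with socket.create_connection((host, port), timeout=5.0) as s:
        banner = recv_until(s, prompt)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = recv_all(s)
    return banner, reply


def _stub_service(ports, expected, ready):
    """Constructed local stand-in for the remote service, used only for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ports.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"Welcome to SSO - Secret Service Online\nEnter you mission code:\n")
        got = recv_all(conn)  # read the mission code up to the client's half-close
        conn.sendall(b"SUCCESS!\n" if got == expected else b"FAIL\n")
    srv.close()


def run_local_demo(payload=SOLUTION):
    """Start the stub on a random port and submit payload; returns (banner, reply)."""
    ports, ready = [], threading.Event()
    t = threading.Thread(target=_stub_service, args=(ports, SOLUTION, ready), daemon=True)
    t.start()
    if not ready.wait(5.0):
        raise RuntimeError("stub service did not start")
    result = send_solution(payload, "127.0.0.1", ports[0])
    t.join(5.0)
    return result


if __name__ == "__main__":
    banner, reply = run_local_demo()
    print((banner + reply).decode("utf-8", errors="replace"))
    # Against the real service you would instead call, for example:
    # send_solution(open("sso_solution.txt", "rb").read(), "dolphin.hacking-lab.com", 4488)
```

Running the file submits the recorded solution to the local stub and prints the banner followed by SUCCESS!; any other payload gets FAIL. The same send_solution call works against the real service with the host and port from the write-up.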