SpellBrewery by HTB - writeup
To start, we are given a zip file with two binaries and two JSON files inside it.
Let’s first run the elf to see what it’s doing.
./SpellBrewery
1. List Ingredients
2. Display Current Recipe
3. Add Ingredient
4. Brew Spell
5. Clear Recipe
6. Quit
> 3
What ingredient would you like to add? Vampire's Kiss
The cauldron fizzes as you toss in a 'Vampire's Kiss'...
1. List Ingredients
2. Display Current Recipe
3. Add Ingredient
4. Brew Spell
5. Clear Recipe
6. Quit
> 2
Vampire's Kiss
1. List Ingredients
2. Display Current Recipe
3. Add Ingredient
4. Brew Spell
5. Clear Recipe
6. Quit
>
Looks like we’re dealing with a potion-making .NET application. I’ve actually never seen an ELF binary use a DLL before. We can confirm this by modifying the DLL with dnSpy (not gonna show it since it doesn’t really help our cause) and running the ELF:
However, we don’t get the flag. This seems to be because the flag is derived from user input:
Let’s find the list then:
And here’s a Python script, ’cause ain’t nobody got time for that:
from pwn import *

# Load the challenge binary and start it as a local process
context.binary = binary = ELF("./SpellBrewery")
p = process()

def addIng(ingredientName):
    # Menu option 3 is "Add Ingredient"; the next line answers the name prompt
    p.sendline(b'3')
    p.sendline(ingredientName.encode())

# Ingredients in the exact order the recipe expects (duplicates are intentional)
ingList = ['Phantom Firefly Wing', 'Ghastly Gourd', 'Hocus Pocus Powder', 'Spider Sling Silk', "Goblin's Gold", "Wraith's Tear", 'Werewolf Whisker', 'Ghoulish Goblet', 'Cursed Skull', "Dragon's Scale Shimmer", 'Raven Feather', "Dragon's Scale Shimmer", 'Ghoulish Goblet', 'Cursed Skull', 'Raven Feather', 'Spectral Spectacles', "Dragon's Scale Shimmer", 'Haunted Hay Bale', "Wraith's Tear", 'Zombie Zest Zest', 'Serpent Scale', "Wraith's Tear", 'Cursed Crypt Key', "Dragon's Scale Shimmer", "Salamander's Tail", 'Raven Feather', 'Wolfsbane', "Frankenstein's Lab Liquid", 'Zombie Zest Zest', 'Cursed Skull', 'Ghoulish Goblet', "Dragon's Scale Shimmer", 'Cursed Crypt Key', "Wraith's Tear", "Black Cat's Meow", 'Wraith Whisper']

for ing in ingList:
    addIng(ing)

# Menu option 4 is "Brew Spell"; hand the session over to read the output
p.sendline(b'4')
p.interactive()
Script in action: