Hack The Boo 2023: SpellBrewery

Writeup for the “SpellBrewery” challenge created by Hack The Box for the Hack The Boo 2023 CTF.

For this challenge, a .NET Core application is provided: rev_spellbrewery.zip

SpellBrewery:                    ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8b106946c31c6346abd618ab5d2232845492e2d9, not stripped
SpellBrewery.deps.json:          JSON text data
SpellBrewery.dll:                PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
SpellBrewery.runtimeconfig.json: JSON text data

The application asks the user to create a recipe from a list of available ingredients.

$ ./SpellBrewery
1. List Ingredients
2. Display Current Recipe
3. Add Ingredient
4. Brew Spell
5. Clear Recipe
6. Quit
> 

Using dnSpy, it is possible to decompile the application to view the recipe required for the flag to be displayed.

private static void BrewSpell()
{
  bool flag = Brewery.recipe.Count < 1;
  if (flag)
  {
    Console.WriteLine("You can't brew with an empty cauldron");
  }
  else
  {
    byte[] array = (from ing in Brewery.recipe
    select (byte)(Array.IndexOf<string>(Brewery.IngredientNames, ing.ToString()) + 32)).ToArray<byte>();
    bool flag2 = Brewery.recipe.SequenceEqual(from name in Brewery.correct
    select new Ingredient(name));
    if (flag2)
    {
      Console.WriteLine("The spell is complete - your flag is: " + Encoding.ASCII.GetString(array));
      Environment.Exit(0);
    }
    else
    {
      Console.WriteLine("The cauldron bubbles as your ingredients melt away. Try another recipe.");
    }
  }
}

private static readonly string[] correct = new string[]
{
  "Phantom Firefly Wing",
  "Ghastly Gourd",
  "Hocus Pocus Powder",
  "Spider Sling Silk",
  "Goblin's Gold",
  "Wraith's Tear",
  "Werewolf Whisker",
  "Ghoulish Goblet",
  "Cursed Skull",
  "Dragon's Scale Shimmer",
  "Raven Feather",
  "Dragon's Scale Shimmer",
  "Zombie Zest Zest",
  "Ghoulish Goblet",
  "Werewolf Whisker",
  "Cursed Skull",
  "Dragon's Scale Shimmer",
  "Haunted Hay Bale",
  "Wraith's Tear",
  "Zombie Zest Zest",
  "Serpent Scale",
  "Wraith's Tear",
  "Cursed Crypt Key",
  "Dragon's Scale Shimmer",
  "Salamander's Tail",
  "Raven Feather",
  "Wolfsbane",
  "Frankenstein's Lab Liquid",
  "Zombie Zest Zest",
  "Cursed Skull",
  "Ghoulish Goblet",
  "Dragon's Scale Shimmer",
  "Cursed Crypt Key",
  "Wraith's Tear",
  "Black Cat's Meow",
  "Wraith Whisper"
};

There are several options to solve this challenge. Firstly, it is possible to enter each ingredient of the recipe manually into the application. It is also possible to implement a small script to replicate all the steps to build the flag with the correct ingredients. Personally, I have created a text file containing all the commands necessary to send to the application to obtain the flag. Simply copy the list of ingredients, add the command 3 before each ingredient, and finally add the command 4 at the end.

3
Phantom Firefly Wing
3
Ghastly Gourd
3
Hocus Pocus Powder
3
Spider Sling Silk
3
Goblin's Gold
3
Wraith's Tear
3
Werewolf Whisker
3
Ghoulish Goblet
3
Cursed Skull
3
Dragon's Scale Shimmer
3
Raven Feather
3
Dragon's Scale Shimmer
3
Zombie Zest Zest
3
Ghoulish Goblet
3
Werewolf Whisker
3
Cursed Skull
3
Dragon's Scale Shimmer
3
Haunted Hay Bale
3
Wraith's Tear
3
Zombie Zest Zest
3
Serpent Scale
3
Wraith's Tear
3
Cursed Crypt Key
3
Dragon's Scale Shimmer
3
Salamander's Tail
3
Raven Feather
3
Wolfsbane
3
Frankenstein's Lab Liquid
3
Zombie Zest Zest
3
Cursed Skull
3
Ghoulish Goblet
3
Dragon's Scale Shimmer
3
Cursed Crypt Key
3
Wraith's Tear
3
Black Cat's Meow
3
Wraith Whisper
4

Finally, by running the application and redirecting the file to the standard input, it will send all the commands and the program will display the flag.

./SpellBrewery < payload

...

> The spell is complete - your flag is: HTB{y0ur3_4_tru3_p0t10n_m45st3r_n0w}