• This challenge comes under easy level challenge.
  • The binary has a script being executed using execvp.

Challenge Points: 481
No. of solves: 12
Solved by: AmunRha, Ad0lphus, Barla Abhishek, k1n0r4


Our new sys admin is shocked, because the old grumpy one left nothing but these weird binaries which he called ‘shell scripts’.

Can you help?

Hint: We built this in a debian bullseye docker container.


In this challenge we are provided with an elf binary and on executing we get the output as shown below.


On statically analysing the binary we see that the input statement and output statements are no where to be found in the strings section of the binary plus we have a execve instruction in our binary under a function inside main function, which surely means that we have an another script running within our main binary.

Anti-Debug check

While analysing we could also see an anti-debugging test, that is, ptrace. First I went on to pass this debugging test by nopping out the function by adding a ret statemnet at the beginning of the function. Now we are free to debug it or trace it.

Final Step

Hereafter we simply use the ltrace command with the binary

We see that the script being executed is copied up using memcpy and then executed using execvp, thus the trace function gives away the content of the script being copied, including the flag that our input is getting compared with.


Flag - ENO{SH3LL_SCr1Pts_N0t_S3cur3}