https://app.hackthebox.com/challenges/694

Description

In order to escape this alive, you must carefully observe and analyze your opponents. Learn every strategy and technique in their arsenal, and you stand a chance of outwitting them. Just do it fast, before they do the same to you…

Exploitation

#!/usr/bin/python3
import base64
import os
import tempfile

from pwn import *

def get_process():
    try:
        host, port = sys.argv[1].split(':')
        return remote(host, int(port))
    except IndexError:
        print(f'Usage: python {sys.argv[0]} <ip:port>')
        exit(1)

def get_loaded_value(elf_path):
    """Return the 0x18 bytes that the instruction 4 bytes past the entry point refers to.

    The binary is only parsed with pwntools' ELF reader; nothing in it is executed.

    Args:
        elf_path: Path of the ELF file to inspect.

    Returns:
        The 0x18 bytes at the address computed from the instruction's
        signed 32-bit displacement, read straight from the file image.
    """
    binary = ELF(elf_path, checksec=False)
    # The instruction of interest starts 4 bytes after the entry point
    # (presumably after a 4-byte endbr64 - TODO confirm against the binaries).
    insn = binary.entrypoint + 4
    # Bytes 3..6 of the instruction hold a signed 32-bit displacement,
    # consistent with a 7-byte RIP-relative lea.
    disp = u32(binary.read(insn + 3, 4), sign='signed')
    # RIP-relative operands resolve against the address of the *next*
    # instruction, i.e. insn + 7.
    referenced = insn + 7 + disp
    return binary.read(referenced, 0x18)

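def do_round(r):
    """Answer one round of the challenge over the tube ``r``.

    Reads the base64-encoded ELF that follows the ``ELF: `` prompt, recovers
    the bytes it refers to with ``get_loaded_value``, and sends them back as
    hex after the ``Bytes? `` prompt.

    The ELF comes from the remote service and is only parsed, never run.
    The original kept ``delete=False`` and never removed the file, so every
    round left a temporary file behind; the file is now unlinked once it has
    been read, whether or not parsing succeeds.

    Args:
        r: A pwntools tube connected to the challenge service.
    """
    r.recvuntil(b"ELF: ")
    elf_data = base64.b64decode(r.recvline().strip())
    # ELF() wants a path, so write the blob to disk. delete=False lets the
    # file be closed before it is reopened by the parser (portable across
    # platforms); we remove it ourselves below.
    with tempfile.NamedTemporaryFile(delete=False, suffix='.elf') as tmp:
        tmp.write(elf_data)
        tmp_path = tmp.name
    try:
        loaded_value = get_loaded_value(tmp_path)
    finally:
        os.unlink(tmp_path)
    r.sendlineafter(b"Bytes? ", loaded_value.hex().encode())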

def main():
    """Connect, solve all 129 rounds, then hand the tube over to the user.

    The first round is answered before the progress bar is shown; the
    remaining 128 are reported through it as ``Solved N binaries``.
    """
    tube = get_process()
    do_round(tube)
    with log.progress("Solving binaries") as progress:
        for solved in range(1, 129):
            do_round(tube)
            progress.status(f"Solved {solved} binaries")
    tube.interactive()

if __name__ == "__main__":
    # Only run the solver when executed as a script, not when imported.
    main()

Summary

QuickScan: trace the binary, isolate the validation routine, and invert it to recover the flag.