$ cat writeup.md…
$ cat writeup.md…
hackthebox
Task: Reverse engineer a Rust ELF binary with custom panic handling. Solution: Traced function pointer array in check_flag function to reconstruct the flag character by character.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
"Don't Panic! You've cut a deal with the Brotherhood; if you can locate and retrieve their stolen weapons cache, they'll provide you with the kerosene needed for your makeshift explosives for the underground tunnel excavation. The team has tracked the unique energy signature of the weapons to a small vault, currently being occupied by a gang of raiders who infiltrated the outpost by impersonating commonwealth traders. Using experimental stealth technology, you've slipped by the guards and arrive at the inner sanctum. Now, you must find a way past the highly sensitive heat-signature detection robot. Can you disable the security robot without setting off the alarm?"
Downloaded and extracted the challenge file, revealing a Rust ELF 64-bit binary called dontpanic.
$ file dontpanic dontpanic: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked
Found interesting strings that hint at the challenge theme:
$ strings dontpanic | grep -i rust RUST_BACH $ strings dontpanic | grep -i panic You made me panic! $ strings dontpanic | grep -i message Have you got a message for me?
The "RUST_BACH" and panic-related strings confirm this is a Rust binary with custom panic handling.
Using nm to find key functions:
$ nm dontpanic | grep -E "(check|main)" 0000000000009060 t _ZN3src10check_flag17h397d174e03dc8c74E 0000000000009230 t _ZN3src4main17hf9bc229851763ab9E
Key functions identified:
check_flag at 0x9060 — the flag validation functionmain at 0x9230 — program entry pointThe check_flag function implements a clever validation scheme:
...
$ grep --similar