We are given a 64bit ELF challenge binary.

$file challenge

challenge: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=4570af615de39c4912c17a09f9fbf8419368572b, not stripped

We start off by running it and see a message that says, “Let’s party like it’s 1999!” and then the html contents of example.com.

./challenge

Let’s party like it’s 1999!!

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 50px;
        background-color: #fff;
        border-radius: 1em;
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        body {
            background-color: #fff;
        }
        div {
            width: auto;
            margin: 0 auto;
            border-radius: 0;
            padding: 1em;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is established to be used for illustrative examples in documents. You may use this
    domain in examples without prior coordination or asking for permission.</p>
    <p><a href="http://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

I perform stings on the binary and see some interesting ones related to dates, example.com, and rust.

…
http://www.example.com
stream did not contain valid UTF-8
1/1/1999%d/%m/%Y
This system is obviously not a 90’s kid.1/1/2000Possible Y2K issue.
What year is it?!
%a, %d %b %Y %H:%M:%S GMT
That Date isn’t RFC compliant
That response was not OK
Let’s party like it’s 1999!!
…
rust_builtin.c
rust_begin_unwind
rust_eh_personality
rust_eh_personality_catch
…

Next we open it up and look at it in IDA and after demangling the names, we can see a pretty large main function. We can start by using IDA’s cross references on some of those interesting date strings we found earlier. We see that an http request is made to www.example.com and the headers are checked for the date. This gives us a pretty good idea of what we can try to fiddle with.

I setup an Ubuntu virtual machine on a private virtual network and then created another linked clone to have a server. I changed the hosts file on the client system to point www.example.com to the other server system. I also installed nginx on the server system to have an easy http listener.

I tried to run the program with the current date and it printed out the nginx response and then I changed the date back to 1999 like the challenge asks and it printed out the key.

PAN{ThaddeusVenture}