Inside the ZIP file is a single, seemingly simple BIN file. Importing it into Ghidra (I like Ghidra, just don't do the whole Shared Project thing) and analyzing the functions, we eventually come across a function that is never called: FUN_00400AFE.
Incidentally, I'm skipping the entire function at FUN_004009aa. It is a rabbit hole that reads /tmp/secret and spits out false flags. As someone who already struggles a bit with BIN and Assembly RE, all that did was piss me off.
Here is the function itself:
Here, we reach the limit of what I can do in Ghidra. There may be a way to proceed farther, but I don't know it (I struggle with BIN, remember). So, I pop it into IDA and look for that function again. Interestingly enough, 400AFE in IDA has us looking at some interesting strings/code.
Going through each line of this, we find a nice subroutine in _ptrace that XORs that string with some random byte, and we also notice that the \a's are actually bells in the actual string, so it's really
The HEX of that is 23 3C 3D 3B 37 3C 3D 2A 07 2B 2C 3D 3E 39 36 37 69 69 60 07 79 79 07 25
So, now we know what it's trying to do. Not bad for a guy that SUCKS at assembly, right? Let's dump that string into CyberChef and brute force the hex of it. We can hex it at https://onlinehextools.com/convert-hex-to-string
Hey, look! Chef baked a flag for us!
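The same brute force can be done offline. The following Python is an added example, not part of the original write-up: it tries every single-byte XOR key against the hex bytes quoted above and keeps the outputs that are fully printable. The brace-wrapped flag shape used for the final filter is an assumption about this challenge's flag format, and the function names are hypothetical.

```python
# Added example: single-byte XOR brute force over the bytes from the write-up.

# Hex exactly as quoted in the write-up; the 07 bytes are the bells (\a).
CIPHER_HEX = ("23 3C 3D 3B 37 3C 3D 2A 07 2B 2C 3D "
              "3E 39 36 37 69 69 60 07 79 79 07 25")

PRINTABLE = set(range(0x20, 0x7F))  # space through tilde


def xor_single_byte(data, key):
    """XOR every byte of data with the same one-byte key."""
    return bytes(b ^ key for b in data)


def printable_candidates(data):
    """Try all 256 keys; keep those that decode to printable ASCII only."""
    found = {}
    for key in range(256):
        plain = xor_single_byte(data, key)
        if all(b in PRINTABLE for b in plain):
            found[key] = plain.decode("ascii")
    return found


def flag_shaped(candidates):
    """Assumption: the flag is wrapped in braces, so filter on that shape.

    Printability alone is not enough: several keys give printable junk.
    """
    return {k: v for k, v in candidates.items()
            if v.startswith("{") and v.endswith("}")}


def main():
    data = bytes.fromhex(CIPHER_HEX)
    # repr() shows the \x07 bells that made the raw string look odd in IDA.
    print("ciphertext:", repr(data))
    candidates = printable_candidates(data)
    print(len(candidates), "keys give fully printable output")
    for key, text in flag_shaped(candidates).items():
        print("key 0x%02x -> %s" % (key, text))


if __name__ == "__main__":
    main()
```
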