Tryhackme "Classic Passwd" Reverse Engineering Report

https://tryhackme.com/room/classicpasswd

A Linux ELF binary is available for download. The challenge is to determine the correct input that reveals the flag. This can be done in several different ways, with different software.

Loading the binary into IDA x64 shows the instructions for the main function:

The main function calls vuln() and gfl() before main returns.  

vuln():

The vuln() function takes user input and compares it to a hardcoded string that is assembled from several concatenated pieces. If they are different, the program prints an error and then exits. If they are the same, vuln() returns and the next function in main() is called, gfl().

The highlighted box in the screenshot above shows the hexadecimal representation of the string. 

gfl():

gfl() gets called when vuln() returns successfully. It prints out the flag, with the format THM{%d%d}. There are a couple of loops, comparing the iterator to some values.

In the bottom left corner of the screenshot above is the code responsible for printing the flag. It prints the flag, substituting two decimal values, [rbp+var_4] and [rbp+var_8]. The last known values of these two are highlighted in the screenshot above; they are the hexadecimal representation of the values printed in the flag.

The decompiled pseudocode for vuln() looks like:

The decompiled pseudocode for gfl() looks like:


Ghidra definitely doesn’t look as pretty as IDA. NSA budget, amirite?

The decompiled pseudocode is also not as pretty as IDA's; it doesn't automatically decode the hex, but it is functionally identical to IDA's output.

Once the hex is decoded, both the expected input and the flag are known.

Burp Decoder can be used to decode the hexadecimal.
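As an added example (not part of this write-up), a small Python helper that rebuilds a string the compiler stored as x86-64 immediates, which is the form the decompiled vuln() shows. The immediate values below are constructed for illustration, not the challenge's real values; the naive decode shows the caveat that multi-byte immediates are little-endian, so a plain hex decode yields each word's bytes reversed.

```python
# Rebuild a "stack string" from the hex immediates seen in a decompiler.
# x86-64 stores a qword/dword immediate little-endian, so the bytes of each
# word must be reversed before they read as text.

# Constructed sample pieces, in the order they are written to the stack:
# (immediate value, width in bytes). NOT the real challenge values.
SAMPLE_PIECES = [
    (0x79654B2D6F6D6564, 8),  # qword holding "demo-Key" little-endian
    (0x34333231, 4),          # dword holding "1234" little-endian
    (0x21, 1),                # single byte "!"
]


def decode_stack_string(pieces):
    """Join each immediate's bytes in little-endian order; stop at a NUL."""
    raw = b"".join(value.to_bytes(width, "little") for value, width in pieces)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def naive_hex_decode(pieces):
    """What you get by hex-decoding the printed digits without byte-swapping."""
    raw = b"".join(bytes.fromhex(f"{value:0{width * 2}x}") for value, width in pieces)
    return raw.decode("ascii")


def check_input(candidate, pieces):
    """Mirror vuln()'s exact-match comparison of the input to the stored string."""
    return candidate == decode_stack_string(pieces)


if __name__ == "__main__":
    print("expected input:", decode_stack_string(SAMPLE_PIECES))
    print("naive decode:  ", naive_hex_decode(SAMPLE_PIECES))
```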

This isn't as obvious as it sounds: as seen in the previous two sections, the correct input string is stored in multiple pieces, so it also comes out split into multiple pieces when the strings command is used.


And finally, the easiest way to solve it is with the ltrace command.
