Little Tommy is so smart he made a banking program, please be nice to him and don’t break it.
You know 0xDiablos
I missed my flag
Old Bridge
Space
roaming in a small space
Bombs Landed
Exatlon
Can you find the password?
$ file exatlon_v1
exatlon_v1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
$strings exatlon
UPX!
UPX!
$upx -d exatlon_v1 -o exatlon
$ file exatlon
exatlon: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=99364060f1420e00a780745abcfa419af0b8b0d8, for GNU/Linux
ghidra:
undefined4 main(void)
{
bool bVar1;
basic_ostream *pbVar2;
undefined4 unaff_R12D;
basic_string,std::allocator> local_58 [32];
basic_string local_38 [32];
do {
std::operator<<((basic_ostream *)std::cout,"\n");
std::operator<<((basic_ostream *)std::cout,&DAT_0054b018);
std::operator<<((basic_ostream *)std::cout,&DAT_0054b0d8);
sleep(1);
std::operator<<((basic_ostream *)std::cout,&DAT_0054b1a8);
std::operator<<((basic_ostream *)std::cout,&DAT_0054b260);
sleep(1);
std::operator<<((basic_ostream *)std::cout,&DAT_0054b320);
sleep(1);
std::operator<<((basic_ostream )std::cout,&DAT_0054b400);
sleep(1);
std::_cxx11::basic_string,std::allocator>::basic_string
(local_58);
/ try { // try from 00404cfe to 00404dce has its CatchHandler @ 00404def */
std::operator<<((basic_ostream *)std::cout,"[+] Enter Exatlon Password : ");
std::operator>>((basic_istream *)std::cin,(basic_string *)local_58);
exatlon(local_38);
bVar1 = std::operator==(local_38, "1152 1344 1056 1968 1728 816 1648 784 1584 816 1728 1520 1840 1664 7841632 1856 1520 1728 816 1632 1856 1520 784 1760 1840 1824 816 1584 1856784 1776 1760 528 528 2000 "
);
std::__cxx11::basic_string,std::allocator>::~basic_string
((basic_string,std::allocator> *)local_38);
if (bVar1 == false) {
bVar1 = std::operator==((basic_string *)local_58,"q");
if (bVar1 == false) {
pbVar2 = std::operator<<((basic_ostream *)std::cout,"[-] ;(\n");
std::basic_ostream>::operator<<char,std::char_traits<char>>::operator<<
((basic_ostream>char,std::char_traits<char>> *)pbVar2,
std::endl>char,std::char_traits<char>>);
bVar1 = true;
}
else {
unaff_R12D = 0;
bVar1 = false;
}
}
else {
pbVar2 = std::operator<<((basic_ostream *)std::cout,"[+] Looks Good ^^ \n\n\n");
std::basic_ostream>::operator<< ((basic_ostream> *)pbVar2,
std::endl>);
unaff_R12D = 0;
bVar1 = false;
}
std::__cxx11::basic_string,std::allocator>::~basic_string
(local_58);
} while (bVar1);
return unaff_R12D;
}
basic_string * exatlon(basic_string *param_1)
{
bool bVar1;
char *pcVar2;
basic_string<char,std::char_traits<char>,std::allocator<char>> *in_RSI;
undefined8 local_80;
undefined8 local_78;
allocator<char> local_69;
basic_string local_68 [32];
__cxx11 local_48 [39];
char local_21;
basic_string<char,std::char_traits<char>,std::allocator<char>> *local_20;
std::allocator<char>::allocator();
/* try { // try from 00404ae8 to 00404aec has its CatchHandler @ 00404bc1 */
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
((char *)param_1,(allocator *)&DAT_0054b00c);
std::allocator<char>::~allocator(&local_69);
local_20 = in_RSI;
local_78 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin
(in_RSI);
local_80 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end
(local_20);
while( true ) {
bVar1 = __gnu_cxx::operator!=((__normal_iterator *)&local_78,(__normal_iterator *)&local_80);
if (bVar1 == false) break;
pcVar2 = (char *)__gnu_cxx::
__normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
::operator*((
__normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
*)&local_78);
local_21 = *pcVar2;
/* try { // try from 00404b63 to 00404b67 has its CatchHandler @ 00404bfd */
std::__cxx11::to_string(local_48,(int)local_21 << 4);
/* try { // try from 00404b7d to 00404b81 has its CatchHandler @ 00404bec */
std::operator+(local_68,(char *)local_48);
/* try { // try from 00404b93 to 00404b97 has its CatchHandler @ 00404bdb */
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
((basic_string<char,std::char_traits<char>,std::allocator<char>> *)param_1,local_68);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_68);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_48);
__gnu_cxx::
__normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
::operator++((
__normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
*)&local_78);
}
return param_1;
}
exatlon.py
code = [1152, 1344, 1056, 1968, 1728, 816, 1648, 784, 1584, 816, 1728, 1520, 1840, 1664, 784, 1632, 1856, 1520, 1728, 816, 1632, 1856, 1520, 784, 1760, 1840, 1824, 816, 1584, 1856, 784, 1776, 1760, 528, 528, 2000]
alphabet = {"a": "1552", "b": "1568", "c": "1584", "d": "1600", "e": "1616", "f": "1632", "g": "1648", "h": "1664", "i" :"1680", "j" :"1696", "k" :"1712", "l" :"1728", "m" :"1744", "n" :"1760", "o" :"1776", "p" :"1792", "q" :"1808", "r" :"1824", "s" :"1840", "t" :"1856", "u" :"1872", "v" :"1888", "w" :"1904", "x" :"1920", "y" :"1936", "z" :"1952", "A": "1040", "B": "1056", "C": "1072", "D": "1088", "E": "1104", "F": "1120", "G": "1136", "H": "1152", "I": "1168", "J": "1184", "K": "1200", "L": "1216", "M": "1232", "N": "1248", "O": "1264", "P": "1280", "Q": "1296", "R": "1312", "S": "1328", "T": "1344", "U": "1360", "V": "1376", "W": "1392", "X": "1408", "Y": "1424", "Z":"1440", "{": "1968", "}":"2000", "!" :"528", "@" :"1024", "#" :"560", "$" :"576", "%" :"592", "^":"1504", "&" :"608", "*":"672", "(":"640", ")" :"656", "-" :"720", "_" :"1520", "=" :"976", "0" :"768", "1" :"784", "2" :"800", "3" :"816", "4" :"832", "5" :"848", "6" :"864", "7" :"880", "8" :"896", "9" :"912"}
newcode = []
for char in code:
found=False
for item in alphabet:
if alphabet[item] == str(char):
found = True
print(item, end = "")
if found == False:
print("#",end="")
kali@kali:~/0.htb/challenges/Reversing/Exatlon$ ./exatlon
███████╗██╗ ██╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ ██╗ ██╗ ██╗
██╔════╝╚██╗██╔╝██╔══██╗╚══██╔══╝██║ ██╔═══██╗████╗ ██║ ██║ ██║███║
█████╗ ╚███╔╝ ███████║ ██║ ██║ ██║ ██║██╔██╗ ██║ ██║ ██║╚██║
██╔══╝ ██╔██╗ ██╔══██║ ██║ ██║ ██║ ██║██║╚██╗██║ ╚██╗ ██╔╝ ██║
███████╗██╔╝ ██╗██║ ██║ ██║ ███████╗╚██████╔╝██║ ╚████║███████╗╚████╔╝ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚══════╝ ╚═══╝ ╚═╝
[+] Enter Exatlon Password : HTB{l3g1c3l_sh1ft_l3ft_1nsr3ct1on!!}
[+] Looks Good ^_^
TheNotebook
jwt – java web token exploit
Impossible Password
Are you able to cheat me and get the flag?
$ file impossible_password.bin
impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped
$ strings impossible_password.bin
ASCII "SuperSeKretKey"
$ ./impossible_password
SuperSeKretKey
[SuperSeKretKey]
**
$ ltrace ./impossible_password.bin
... ...
strcmp("test", "c5Bo~v4[!#+f}9T+W1]V") = 17
+++ exited (status 17) +++
$ ltrace ./impossible_password.bin
... ...
strcmp("letmein", "7S\\&{UyJ>&+1PB{Ep*4*") = 53
+++ exited (status 53) +++
compare with random code??? we need bypass this with r2 patch.
$ cp impossible_password.bin impossible_password
$ r2 -A -w impossible_password
[0x004006a0]> s main
[0x0040085d]> pdf
[0x0040085d]> s fcn.0040078d
[0x0040078d]> pdf
*** write jmp 0x0040096a,
[0x0040078d]> s 0x00400966
[0x00400961]> wa jmp 0x0040096a
Written 2 byte(s) (jmp 0x0040096a) = wx eb07
0x00400966 85c0 test eax, eax
│ ┌─< 0x00400968 750c jne 0x400976
│ │ 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
┌─< 0x00400966 eb02 jmp 0x40096a
│ ┌──< 0x00400968 750c jne 0x400976
│ │└─> 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
│ │ ; CODE XREF from main @ 0x400968
│ └──> 0x00400976 c9 leave
└ 0x00400977 c3 ret
after patch, run
$ ./impossible_password
* SuperSeKretKey
[SuperSeKretKey]
** letmein
HTB{40b949f92b86b18}
ghidra:
void FUN_0040085d(void)
{
int iVar1;
char *__s2;
undefined local_48;
undefined local_47;
undefined local_46;
undefined local_45;
undefined local_44;
undefined local_43;
undefined local_42;
undefined local_41;
undefined local_40;
undefined local_3f;
undefined local_3e;
undefined local_3d;
undefined local_3c;
undefined local_3b;
undefined local_3a;
undefined local_39;
undefined local_38;
undefined local_37;
undefined local_36;
undefined local_35;
char local_28 [20];
int local_14;
char *local_10;
local_10 = "SuperSeKretKey";
local_48 = 0x41;
local_47 = 0x5d;
local_46 = 0x4b;
local_45 = 0x72;
local_44 = 0x3d;
local_43 = 0x39;
local_42 = 0x6b;
local_41 = 0x30;
local_40 = 0x3d;
local_3f = 0x30;
local_3e = 0x6f;
local_3d = 0x30;
local_3c = 0x3b;
local_3b = 0x6b;
local_3a = 0x31;
local_39 = 0x3f;
local_38 = 0x6b;
local_37 = 0x38;
local_36 = 0x31;
local_35 = 0x74;
printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28); //input SuperSeKretKey
printf("[%s]\n",local_28);
local_14 = strcmp(local_28,local_10);
if (local_14 != 0) {
/* WARNING: Subroutine does not return / exit(1); } printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28);
__s2 = (char *)FUN_0040078d(0x14); //IF input same as caculated, go next FUN_00400978
iVar1 = strcmp(local_28,__s2);
if (iVar1 == 0) {
FUN_00400978(&local_48); //
}
return;
}
here only FUN_00400978(&local_48) is matter, as local_48 is 'A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
void FUN_00400978(byte *param_1)
{
int local_14;
byte *local_10;
local_14 = 0;
local_10 = param_1;
while ((*local_10 != 9 && (local_14 < 0x14))) {
putchar((int)(char)(*local_10 ^ 9));
local_10 = local_10 + 1;
local_14 = local_14 + 1;
}
putchar(10);
return;
}
the python equivalent:
!/usr/bin/env python2
flag_characters = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
xor_key = 9
flag = []
i = 0
while i < len(flag_characters):
xored = ord(flag_characters[i]) ^ xor_key
flag.append(chr(xored))
i += 1
flag_string = "".join(flag)
print("Flag is: {}".format(flag_string))
$python3
>>>flag = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
>>>"".join([chr(ord(i) ^ 9) for i in flag])
Bypass
The Client is in full control. Bypass the authentication and read the key to get the Flag.
Baby RE
Show us your basic skills! (P.S. There are 4 ways to solve this, are you willing to try them all?)
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ file baby
baby: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=25adc53b89f781335a27bf1b81f5c4cb74581022, for GNU/Linux 3.2.0, not stripped
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
Insert key:
HTB{B4BY_R3V_TH4TS_EZ}
Try again later.
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ strings baby
HTB{B4BYH
R3V_TH4H TS_Ef []A\A]A^A
Dont run strings
on this challenge, that is not the way!!!!
Insert key:
abcde122313
Try again later.
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
Insert key:
abcde122313
HTB{B4BY_R3V_TH4TS_EZ}
ghidra
undefined8 main(void)
{
int iVar1;
undefined8 local_48;
undefined8 local_40;
undefined4 local_38;
undefined2 local_34;
char local_28 [24];
char *local_10;
local_10 = "Dont run `strings` on this challenge, that is not the way!!!!";
puts("Insert key: ");
fgets(local_28,0x14,stdin);
iVar1 = strcmp(local_28,"abcde122313\n");
if (iVar1 == 0) {
local_48 = 0x594234427b425448;
local_40 = 0x3448545f5633525f;
local_38 = 0x455f5354;
local_34 = 0x7d5a;
puts((char *)&local_48);
}
else {
puts("Try again later.");
}
return 0;
}
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 594234427b425448
YB4B{BTHkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 3448545f5633525f
4HT_V3R_kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 455f5354
E_STkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 7d5a
}Zkali@kali:~/0.htb/challenges/Reversing/Baby_RE$
}E_ST4HT_V3R_YB4B{BTH
gdb ida radare2 r2:
ida
mov rax, 594234427B425448h
mov rdx, 3448545F5633525Fh
mov qword ptr [rbp+var_40], rax
mov [rbp+var_38], rdx
mov [rbp+var_30], 455F5354h
mov [rbp+var_2C], 7D5Ah
lea rax, [rbp+var_40]
mov rdi, rax ; s
call _puts
jmp short loc_11E6
gdb
0x00000000000011a3 <+78>: movabs rax,0x594234427b425448
0x00000000000011ad <+88>: movabs rdx,0x3448545f5633525f
0x00000000000011b7 <+98>: mov QWORD PTR [rbp-0x40],rax
0x00000000000011bb <+102>: mov QWORD PTR [rbp-0x38],rdx
0x00000000000011bf <+106>: mov DWORD PTR [rbp-0x30],0x455f5354
0x00000000000011c6 <+113>: mov WORD PTR [rbp-0x2c],0x7d5a
0x00000000000011cc <+119>: lea rax,[rbp-0x40]
0x00000000000011d0 <+123>: mov rdi,rax
0x00000000000011d3 <+126>: call 0x1030 <puts@plt>
0x00000000000011d8 <+131>: jmp 0x11e6 <main+145>
0x00000000000011da <+133>: lea rdi,[rip+0xe7f] # 0x2060
0x00000000000011e1 <+140>: call 0x1030 <puts@plt>
0x00000000000011e6 <+145>: mov eax,0x0
r2/cutter
0x000011a3 48b84854427b. movabs rax, 0x594234427b425448 ; 'HTB{B4BY'
│ │ 0x000011ad 48ba5f523356. movabs rdx, 0x3448545f5633525f ; '_R3V_TH4'
│ │ 0x000011b7 488945c0 mov qword [s], rax
│ │ 0x000011bb 488955c8 mov qword [var_38h], rdx
│ │ 0x000011bf c745d054535f. mov dword [var_30h], 0x455f5354 ; 'TS_E'
│ │ 0x000011c6 66c745d45a7d mov word [var_2ch], 0x7d5a ; 'Z}'
│ │ 0x000011cc 488d45c0 lea rax, [s]
│ │ 0x000011d0 4889c7 mov rdi, rax ; const char *s
│ │ 0x000011d3 e858feffff call sym.imp.puts ; int puts(const char *s)
│ ┌──< 0x000011d8 eb0c jmp 0x11e6