Tag: file

Exatlon

Can you find the password?

$ file exatlon_v1
 exatlon_v1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
$strings exatlon
 UPX!
 UPX!
$upx -d exatlon_v1 -o exatlon
$ file exatlon
 exatlon: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=99364060f1420e00a780745abcfa419af0b8b0d8, for GNU/Linux

ghidra:
undefined4 main(void)
 {
   bool bVar1;
   basic_ostream *pbVar2;
   undefined4 unaff_R12D;
   basic_string,std::allocator> local_58 [32];
   basic_string local_38 [32];
 do {
     std::operator<<((basic_ostream *)std::cout,"\n");
     std::operator<<((basic_ostream *)std::cout,&DAT_0054b018);
     std::operator<<((basic_ostream *)std::cout,&DAT_0054b0d8);
     sleep(1);
     std::operator<<((basic_ostream *)std::cout,&DAT_0054b1a8);
     std::operator<<((basic_ostream *)std::cout,&DAT_0054b260);
     sleep(1);
     std::operator<<((basic_ostream *)std::cout,&DAT_0054b320);
     sleep(1);
     std::operator<<((basic_ostream )std::cout,&DAT_0054b400);
     sleep(1);
     std::_cxx11::basic_string,std::allocator>::basic_string
               (local_58);
                     / try { // try from 00404cfe to 00404dce has its CatchHandler @ 00404def */
     std::operator<<((basic_ostream *)std::cout,"[+] Enter Exatlon Password  : ");
     std::operator>>((basic_istream *)std::cin,(basic_string *)local_58);
     exatlon(local_38);
     bVar1 = std::operator==(local_38, "1152 1344 1056 1968 1728 816 1648 784 1584 816 1728 1520 1840 1664 7841632 1856 1520 1728 816 1632 1856 1520 784 1760 1840 1824 816 1584 1856784 1776 1760 528 528 2000 "
                            );
     std::__cxx11::basic_string,std::allocator>::~basic_string
               ((basic_string,std::allocator> *)local_38);
     if (bVar1 == false) {
       bVar1 = std::operator==((basic_string *)local_58,"q");
       if (bVar1 == false) {
         pbVar2 = std::operator<<((basic_ostream *)std::cout,"[-] ;(\n");
         std::basic_ostream>::operator<<char,std::char_traits<char>>::operator<<
                   ((basic_ostream>char,std::char_traits<char>> *)pbVar2,
                    std::endl>char,std::char_traits<char>>);
         bVar1 = true;
       }
       else {
         unaff_R12D = 0;
         bVar1 = false;
       }
     }
     else {
       pbVar2 = std::operator<<((basic_ostream *)std::cout,"[+] Looks Good ^^ \n\n\n");
       std::basic_ostream>::operator<<                 ((basic_ostream> *)pbVar2,
                  std::endl>);
       unaff_R12D = 0;
       bVar1 = false;
     }
     std::__cxx11::basic_string,std::allocator>::~basic_string
               (local_58);
   } while (bVar1);
   return unaff_R12D;
 }


basic_string * exatlon(basic_string *param_1)

{
  bool bVar1;
  char *pcVar2;
  basic_string<char,std::char_traits<char>,std::allocator<char>> *in_RSI;
  undefined8 local_80;
  undefined8 local_78;
  allocator<char> local_69;
  basic_string local_68 [32];
  __cxx11 local_48 [39];
  char local_21;
  basic_string<char,std::char_traits<char>,std::allocator<char>> *local_20;
  
  std::allocator<char>::allocator();
                    /* try { // try from 00404ae8 to 00404aec has its CatchHandler @ 00404bc1 */
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
            ((char *)param_1,(allocator *)&DAT_0054b00c);
  std::allocator<char>::~allocator(&local_69);
  local_20 = in_RSI;
  local_78 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin
                       (in_RSI);
  local_80 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end
                       (local_20);
  while( true ) {
    bVar1 = __gnu_cxx::operator!=((__normal_iterator *)&local_78,(__normal_iterator *)&local_80);
    if (bVar1 == false) break;
    pcVar2 = (char *)__gnu_cxx::
                                          
                     __normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
                     ::operator*((
                                  __normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
                                  *)&local_78);
    local_21 = *pcVar2;
                    /* try { // try from 00404b63 to 00404b67 has its CatchHandler @ 00404bfd */
    std::__cxx11::to_string(local_48,(int)local_21 << 4);
                    /* try { // try from 00404b7d to 00404b81 has its CatchHandler @ 00404bec */
    std::operator+(local_68,(char *)local_48);
                    /* try { // try from 00404b93 to 00404b97 has its CatchHandler @ 00404bdb */
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)param_1,local_68);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_68);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
              ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_48);
    __gnu_cxx::
        
    __normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
    ::operator++((
                  __normal_iterator<char_const*,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
                  *)&local_78);
  }
  return param_1;
}

exatlon.py
code = [1152, 1344, 1056, 1968, 1728, 816, 1648, 784, 1584, 816, 1728, 1520, 1840, 1664, 784, 1632, 1856, 1520, 1728, 816, 1632, 1856, 1520, 784, 1760, 1840, 1824, 816, 1584, 1856, 784, 1776, 1760, 528, 528, 2000]
alphabet = {"a": "1552", "b": "1568", "c": "1584", "d": "1600", "e": "1616", "f": "1632", "g": "1648", "h": "1664", "i" :"1680", "j" :"1696", "k" :"1712", "l" :"1728", "m" :"1744", "n" :"1760", "o" :"1776", "p" :"1792", "q" :"1808", "r" :"1824", "s" :"1840", "t" :"1856", "u" :"1872", "v" :"1888", "w" :"1904", "x" :"1920", "y" :"1936", "z" :"1952", "A": "1040", "B": "1056", "C": "1072", "D": "1088", "E": "1104", "F": "1120", "G": "1136", "H": "1152", "I": "1168", "J": "1184", "K": "1200", "L": "1216", "M": "1232", "N": "1248", "O": "1264", "P": "1280", "Q": "1296", "R": "1312", "S": "1328", "T": "1344", "U": "1360", "V": "1376", "W": "1392", "X": "1408", "Y": "1424", "Z":"1440", "{": "1968",  "}":"2000", "!" :"528", "@" :"1024", "#" :"560", "$" :"576", "%" :"592", "^":"1504", "&" :"608", "*":"672", "(":"640", ")" :"656", "-" :"720", "_" :"1520", "=" :"976", "0" :"768", "1" :"784", "2" :"800", "3" :"816", "4" :"832", "5" :"848", "6" :"864", "7" :"880", "8" :"896", "9" :"912"}

newcode = []

for char in code:
    found=False
    for item in alphabet:
        if alphabet[item] == str(char):
            found = True
            print(item, end = "")
    if found == False:
            print("#",end="")

kali@kali:~/0.htb/challenges/Reversing/Exatlon$ ./exatlon
 ███████╗██╗  ██╗ █████╗ ████████╗██╗      ██████╗ ███╗   ██╗       ██╗   ██╗ ██╗
 ██╔════╝╚██╗██╔╝██╔══██╗╚══██╔══╝██║     ██╔═══██╗████╗  ██║       ██║   ██║███║
 █████╗   ╚███╔╝ ███████║   ██║   ██║     ██║   ██║██╔██╗ ██║       ██║   ██║╚██║
 ██╔══╝   ██╔██╗ ██╔══██║   ██║   ██║     ██║   ██║██║╚██╗██║       ╚██╗ ██╔╝ ██║
 ███████╗██╔╝ ██╗██║  ██║   ██║   ███████╗╚██████╔╝██║ ╚████║███████╗╚████╔╝  ██║
 ╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝   ╚══════╝ ╚═════╝ ╚═╝  ╚═══╝╚══════╝ ╚═══╝   ╚═╝
 [+] Enter Exatlon Password  : HTB{l3g1c3l_sh1ft_l3ft_1nsr3ct1on!!}
 [+] Looks Good ^_^ 

Impossible Password

Are you able to cheat me and get the flag?

$ file impossible_password.bin 
 impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped

$ strings impossible_password.bin
 ASCII "SuperSeKretKey"

$ ./impossible_password
 SuperSeKretKey
 [SuperSeKretKey]
 ** 
$ ltrace ./impossible_password.bin 
... ...
strcmp("test", "c5Bo~v4[!#+f}9T+W1]V")                                                                        = 17
+++ exited (status 17) +++
$ ltrace ./impossible_password.bin 
... ...
strcmp("letmein", "7S\\&{UyJ>&+1PB{Ep*4*")                                                                    = 53
+++ exited (status 53) +++
compare with random code??? we need bypass this with r2 patch.

$ cp impossible_password.bin impossible_password
$ r2 -A -w impossible_password 
[0x004006a0]> s main
[0x0040085d]> pdf

[0x0040085d]> s fcn.0040078d
[0x0040078d]> pdf

*** write jmp 0x0040096a, 
[0x0040078d]> s 0x00400966
[0x00400961]> wa jmp 0x0040096a
Written 2 byte(s) (jmp 0x0040096a) = wx eb07

            0x00400966      85c0           test eax, eax
│       ┌─< 0x00400968      750c           jne 0x400976
│       │   0x0040096a      488d45c0       lea rax, [var_40h]
│       │   0x0040096e      4889c7         mov rdi, rax                ; int64_t arg1
│       │   0x00400971      e802000000     call fcn.00400978


        ┌─< 0x00400966      eb02           jmp 0x40096a
│      ┌──< 0x00400968      750c           jne 0x400976
│      │└─> 0x0040096a      488d45c0       lea rax, [var_40h]
│      │    0x0040096e      4889c7         mov rdi, rax                ; int64_t arg1
│      │    0x00400971      e802000000     call fcn.00400978
│      │    ; CODE XREF from main @ 0x400968
│      └──> 0x00400976      c9             leave
└           0x00400977      c3             ret

after patch, run
$ ./impossible_password
* SuperSeKretKey
[SuperSeKretKey]
** letmein
HTB{40b949f92b86b18}
ghidra:
void FUN_0040085d(void)
 {
   int iVar1;
   char *__s2;
   undefined local_48;
   undefined local_47;
   undefined local_46;
   undefined local_45;
   undefined local_44;
   undefined local_43;
   undefined local_42;
   undefined local_41;
   undefined local_40;
   undefined local_3f;
   undefined local_3e;
   undefined local_3d;
   undefined local_3c;
   undefined local_3b;
   undefined local_3a;
   undefined local_39;
   undefined local_38;
   undefined local_37;
   undefined local_36;
   undefined local_35;
   char local_28 [20];
   int local_14;
   char *local_10;
 local_10 = "SuperSeKretKey";
   local_48 = 0x41;
   local_47 = 0x5d;
   local_46 = 0x4b;
   local_45 = 0x72;
   local_44 = 0x3d;
   local_43 = 0x39;
   local_42 = 0x6b;
   local_41 = 0x30;
   local_40 = 0x3d;
   local_3f = 0x30;
   local_3e = 0x6f;
   local_3d = 0x30;
   local_3c = 0x3b;
   local_3b = 0x6b;
   local_3a = 0x31;
   local_39 = 0x3f;
   local_38 = 0x6b;
   local_37 = 0x38;
   local_36 = 0x31;
   local_35 = 0x74;
   printf("* ");
   __isoc99_scanf(&DAT_00400a82,local_28);        //input SuperSeKretKey
   printf("[%s]\n",local_28);
   local_14 = strcmp(local_28,local_10);
   if (local_14 != 0) {
                     /* WARNING: Subroutine does not return /     exit(1);   }   printf("* ");
   __isoc99_scanf(&DAT_00400a82,local_28);
   __s2 = (char *)FUN_0040078d(0x14);            //IF input same as caculated, go next FUN_00400978
   iVar1 = strcmp(local_28,__s2);
   if (iVar1 == 0) {
     FUN_00400978(&local_48);                //
   }
   return;
 }
here only FUN_00400978(&local_48) is matter, as local_48 is 'A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']

 void FUN_00400978(byte *param_1)
 {
   int local_14;
   byte *local_10;
 local_14 = 0;
   local_10 = param_1;
   while ((*local_10 != 9 && (local_14 < 0x14))) {
     putchar((int)(char)(*local_10 ^ 9));
     local_10 = local_10 + 1;
     local_14 = local_14 + 1;
   }
   putchar(10);
   return;
 }
the python equivalent:
 
 !/usr/bin/env python2
 flag_characters = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
 xor_key = 9
 flag = []
 i = 0
 while i < len(flag_characters):
     xored = ord(flag_characters[i]) ^ xor_key
     flag.append(chr(xored))
     i += 1
 flag_string = "".join(flag)
 print("Flag is: {}".format(flag_string))

$python3
>>>flag = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
>>>"".join([chr(ord(i) ^ 9) for i in flag])                 




Baby RE

Show us your basic skills! (P.S. There are 4 ways to solve this, are you willing to try them all?)

kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ file baby
 baby: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=25adc53b89f781335a27bf1b81f5c4cb74581022, for GNU/Linux 3.2.0, not stripped
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
 Insert key: 
 HTB{B4BY_R3V_TH4TS_EZ}
 Try again later.
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ strings baby
 HTB{B4BYH
 R3V_TH4H TS_Ef []A\A]A^A
 Dont run strings on this challenge, that is not the way!!!!
 Insert key: 
 abcde122313
 Try again later.
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby 
 Insert key: 
 abcde122313
 HTB{B4BY_R3V_TH4TS_EZ}

ghidra
undefined8 main(void)

{
  int iVar1;
  undefined8 local_48;
  undefined8 local_40;
  undefined4 local_38;
  undefined2 local_34;
  char local_28 [24];
  char *local_10;
  
  local_10 = "Dont run `strings` on this challenge, that is not the way!!!!";
  puts("Insert key: ");
  fgets(local_28,0x14,stdin);
  iVar1 = strcmp(local_28,"abcde122313\n");
  if (iVar1 == 0) {
    local_48 = 0x594234427b425448;
    local_40 = 0x3448545f5633525f;
    local_38 = 0x455f5354;
    local_34 = 0x7d5a;
    puts((char *)&local_48);
  }
  else {
    puts("Try again later.");
  }
  return 0;
}

kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 594234427b425448
YB4B{BTHkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 3448545f5633525f
4HT_V3R_kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 455f5354
E_STkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 7d5a
}Zkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ 

}E_ST4HT_V3R_YB4B{BTH

gdb ida radare2 r2:
ida
mov     rax, 594234427B425448h
mov     rdx, 3448545F5633525Fh
mov     qword ptr [rbp+var_40], rax
mov     [rbp+var_38], rdx
mov     [rbp+var_30], 455F5354h
mov     [rbp+var_2C], 7D5Ah
lea     rax, [rbp+var_40]
mov     rdi, rax        ; s
call    _puts
jmp     short loc_11E6

gdb

   0x00000000000011a3 <+78>:    movabs rax,0x594234427b425448
   0x00000000000011ad <+88>:    movabs rdx,0x3448545f5633525f
   0x00000000000011b7 <+98>:    mov    QWORD PTR [rbp-0x40],rax
   0x00000000000011bb <+102>:   mov    QWORD PTR [rbp-0x38],rdx
   0x00000000000011bf <+106>:   mov    DWORD PTR [rbp-0x30],0x455f5354
   0x00000000000011c6 <+113>:   mov    WORD PTR [rbp-0x2c],0x7d5a
   0x00000000000011cc <+119>:   lea    rax,[rbp-0x40]
   0x00000000000011d0 <+123>:   mov    rdi,rax
   0x00000000000011d3 <+126>:   call   0x1030 <puts@plt>
   0x00000000000011d8 <+131>:   jmp    0x11e6 <main+145>
   0x00000000000011da <+133>:   lea    rdi,[rip+0xe7f]        # 0x2060
   0x00000000000011e1 <+140>:   call   0x1030 <puts@plt>
   0x00000000000011e6 <+145>:   mov    eax,0x0

r2/cutter
            0x000011a3      48b84854427b.  movabs rax, 0x594234427b425448 ; 'HTB{B4BY'
│       │   0x000011ad      48ba5f523356.  movabs rdx, 0x3448545f5633525f ; '_R3V_TH4'
│       │   0x000011b7      488945c0       mov qword [s], rax
│       │   0x000011bb      488955c8       mov qword [var_38h], rdx
│       │   0x000011bf      c745d054535f.  mov dword [var_30h], 0x455f5354 ; 'TS_E'
│       │   0x000011c6      66c745d45a7d   mov word [var_2ch], 0x7d5a  ; 'Z}'
│       │   0x000011cc      488d45c0       lea rax, [s]
│       │   0x000011d0      4889c7         mov rdi, rax                ; const char *s
│       │   0x000011d3      e858feffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x000011d8      eb0c           jmp 0x11e6

Navigation