TryHackMe - Reversing ELF Writeup

This is a complete writeup for the Reversing ELF room, which is rated easy. The room can be found here.
Let's get into it.

crackme1

After downloading the file, start with basic analysis by running:

    file crackme1

After that, make the file executable by running

    chmod +x crackme1

and run the file. We find our flag.
Easy.

Moving on to the next.

crackme2

Start with:

    file crackme2

We make the file executable by running chmod +x crackme2.
On running ./crackme2 we see that it requires a password.
We try:

    ./crackme2 password

We get Access denied.
Next we run strings on the binary to see if it reveals anything useful.
And oh! We get something.

When we use the password found in the strings output, we get the flag.

crackme3

We follow the same process as the previous one, i.e. running file and making the binary executable.
Run the file with ./crackme3 to see what it does.

It also requires a password, so we run strings again; maybe we can get lucky this time too.

In the strings output we can see a string that is encoded with base64, so we try to decode it. You can use an online decoder, for instance CyberChef.
You can also use base64 -d in a Linux terminal to get the decoded text.

The decoded password is our flag.
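
As an added example (not part of the original writeup), here is a small shell helper that automates the crackme3 step above: it lists printable strings, keeps the ones shaped like base64, and prints those that decode to printable text. The function names and the sample file are constructed for illustration; the sample is a stand-in, not the room's binary.

```shell
#!/bin/sh
# Added example: find base64-shaped strings in a file and decode them.

# printable_runs FILE: printable runs of 8+ chars, as strings(1) would list.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 8 "$1"
    else
        grep -aoE '[[:print:]]{8,}' "$1"   # fallback when binutils is absent
    fi
}

# decode_b64_strings FILE: print "candidate -> decoded" for each string that
# is valid base64 AND decodes to printable text. Runs in a subshell so the
# C locale (byte-wise [:print:]) does not leak into the caller.
decode_b64_strings() (
    LC_ALL=C; export LC_ALL
    printable_runs "$1" |
    grep -E '^([A-Za-z0-9+/]{4}){3,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' |
    while IFS= read -r cand; do
        dec=$(printf '%s' "$cand" | base64 -d 2>/dev/null) || continue
        case $dec in
            ''|*[![:print:]]*) continue ;;   # binary garbage: a false positive
        esac
        printf '%s -> %s\n' "$cand" "$dec"
    done
)

# make_sample FILE: constructed stand-in for a crackme (not the room's binary).
# "Accessdenied" is plain text that happens to look like base64.
make_sample() {
    secret=$(printf '%s' 'constructed_sample_pw' | base64)
    printf 'ELF\0\001\002Usage: ./sample PASSWORD\0Accessdenied\0%s\0\377\376' \
        "$secret" > "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
make_sample "$tmp"
decode_b64_strings "$tmp"
rm -f "$tmp"
```

The same scan is a quick check before shipping a binary: any secret it surfaces is only encoded, not protected.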

crackme4

By now you should know how I roll, LOL!
So I'll go directly to running the file and strings.
After running it we see that it also requires a password, and strings gives us a hint:

Next we figure out another way. Another tool, alongside strings, is the ltrace command, which traces the library calls a program makes. You can read more about ltrace here.
We got a hint that the string is hidden in strcmp. (strcmp() compares two strings character by character. If the strings are equal, the function returns 0.)

We find our flag in the strcmp call.

crackme5

Same old procedure with this binary too.
We see that the binary asks for input. Say we input test: we get "Always dig deeper".
Try running ltrace again and enter test as input.
We see the string we need in the strncmp call:

We run the binary again with the found string and get Good game.
That implies we found our flag.

crackme6

We do the same, but this time running ltrace doesn't get us anywhere.
Hence we can use a reverse-engineering tool like Ghidra to figure out what's going on with the code.
Open Ghidra, press I to import a file, and import crackme6.
Select OK on all the prompts and double-click crackme6 to open it. Click Yes when asked to analyze crackme6, then click Analyze.
It will open a new window.
In the Symbol Tree, head over to Functions:

Click on the main function; we see the output that the binary gives us when we run it.

In the functions window we see a function called compare_pwd, which seems interesting. We can click it to see what it contains.

We can see that iVar1 is set to the result of the function my_secure_test, which is also visible in the functions tab. If the check in my_secure_test passes, it outputs password OK; otherwise it outputs password not OK, which is what we got when we ran the binary.
So we analyze my_secure_test.

Disclaimer: I did not put a screenshot here since it will 
directly give away the flag which is not my intention.

Analyzing the test function, we can clearly see the values that are needed as the password.
Run the binary with the password found and it outputs password OK.

crackme7

We use Ghidra again to decompile the binary.
Go to the Symbol Tree and open the main function to analyze the binary.

In the code we see an interesting chain of else if branches, one of which calls the giveFlag function, which is where our flag is stored.

We note the branch else if (local_14 == 0x7a69). The value is in hexadecimal, hence we need to convert it to decimal.
I normally use this tool.
On getting the decimal value, we input it in the binary and we get the flag.

crackme8

We see that the binary requires a password.
Let's use Ghidra to decompile the binary.
In the main function:

We see a check of the form iVar2 == 'that value' (got lazy to copy-paste the value).
Convert the hex to decimal; you can use this online tool.
Input it as the password to the binary; it will then print Access granted and run the giveFlag() function.

We get our final flag.

Happy Hacking Folks.
Kind Regards
0xEpitome.