# Reversing

## WIDE - Matixx22

Open the binary in hydra, find a key in plaintext and use it to decrypt the flag.

Key: `sup3rs3cr3tw1d3`

Flag: `HTB{str1ngs_4r3nt_4lw4ys_4sc11}`

* * *

## Without\_a\_trace - 0x244

> The challenge can be solved by using `ltrace` and `gdb`.

The name of the challenge instantly reminded me of the `ltrace` or `strace` tool. So I ran `ltrace ./without_a_trace` and received the following output (the program's own stdout is interleaved with the `ltrace` call log, which is why some lines break mid-call):

```
puts("[+] Primary Mothership Tracking "...[+] Primary Mothership Tracking Panel
) = 38
puts("[X] Unusual activity detected"[X] Unusual activity detected
) = 30
puts(" |-------] Unrecognised login lo"... |-------] Unrecognised login location: Earth
) = 46
printf("[X] Please verify your identity "...) = 60
fgets([X] Please verify your identity by entering your password >
```

I entered some dummy data (`test` as the password) and received the following response:

```
fgets([X] Please verify your identity by entering your password > test
"test\n", 64, 0x7f0e5f2089a0) = 0x7ffd1881bec0
strchr("test\n", '\n') = "\n"
ptrace(0, 0, 0, 0) = -1
strcmp("test", "IUCzus5b2^l2^tq^c5^t^f1f1|") = 43
printf("[X] Intruder detected - dispatch"...) = 52
```

Due to the second argument of the `strcmp()` call I knew that `IUCzus5b2^l2^tq^c5^t^f1f1|` had to be the correct password:

> In case you don't know, `strcmp()` compares two strings. If the two strings are the same the function returns **0**, otherwise it returns a non-zero value. The first string is compared with the second one.

```
puts("[+] Primary Mothership Tracking "...[+] Primary Mothership Tracking Panel
) = 38
puts("[X] Unusual activity detected"[X] Unusual activity detected
) = 30
puts(" |-------] Unrecognised login lo"... |-------] Unrecognised login location: Earth
) = 46
printf("[X] Please verify your identity "...) = 60
fgets([X] Please verify your identity by entering your password > IUCzus5b2^l2^tq^c5^t^f1f1|
"IUCzus5b2^l2^tq^c5^t^f1f1|\n", 64, 0x7f96977819a0) = 0x7ffd768ef8a0
strchr("IUCzus5b2^l2^tq^c5^t^f1f1|\n", '\n') = "\n"
ptrace(0, 0, 0, 0) = -1
strcmp("IUCzus5b2^l2^tq^c5^t^f1f1|", "IUCzus5b2^l2^tq^c5^t^f1f1|") = 0
puts("[+] Identity Verified"[+] Identity Verified
) = 22
puts("[+] Fetching fleet locations..."[+] Fetching fleet locations...
) = 32
+++ exited (status 0) +++
```

I ran the program again in `gdb` (with the same dummy data) and found out that the password string was **xored** (look for **xor** at `R12`):

```
 RAX  0xffffffff
 RBX  0x555555400a40 (__libc_csu_init) ◂— push r15
*RCX  0x0
 RDX  0x0
 RDI  0x0
 RSI  0x555555400bb8 ◂— pop rbx /* '[X] Intruder detected - dispatching security systems' */
 R8   0xffffffff
 R9   0x7ffff7f9ac00 (main_arena+96) —▸ 0x555555602ab0 ◂— 0x0
 R10  0x555555400bb8 ◂— pop rbx /* '[X] Intruder detected - dispatching security systems' */
 R11  0x286
 R12  0x555555400750 (_start) ◂— xor ebp, ebp
 R13  0x0
 R14  0x0
 R15  0x0
 RBP  0x7fffffffdb60 ◂— 0x0
 RSP  0x7fffffffdb10 ◂— 0x74736574 /* 'test' */
*RIP  0x555555400a32 (main+266) ◂— je 0x555555400a39
```

Python and pwntools are your best friends when it comes to reversing XOR :):

```python
#!/usr/bin/env python3
import pwn

# Second strcmp() operand captured with ltrace above
CIPHERTEXT = b'IUCzus5b2^l2^tq^c5^t^f1f1|'

# Try small single-byte keys and print the one that yields the flag prefix
for i in range(10):
    if b'HTB' in pwn.xor(CIPHERTEXT, i):
        print(pwn.xor(CIPHERTEXT, i).decode())
# Output: HTB{tr4c3_m3_up_b4_u_g0g0}
```
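The two steps above (read the reference string out of the `strcmp()` call in the `ltrace` log, then undo the single-byte XOR) can be done without pwntools and over the whole key space. The following is an added example and not the write-up author's script: the `LTRACE_LOG` sample is constructed from the lines shown above, the `parse_ltrace` regex is my own assumption about the `name(args) = retval` line shape, and the "looks like a flag" filter (`HTB{` prefix, `}` suffix, printable bytes) is likewise assumed. It also reports whether the traced program's own `ptrace()` call failed, which is the anti-debug check that `ltrace` trips and that gives the challenge its name.

```python
#!/usr/bin/env python3
"""Recover the strcmp() operand from an ltrace log and undo a single-byte XOR.

Added example, not the challenge author's code. The log sample is constructed
from the write-up's ltrace output; the line-parsing regex and the flag filter
are assumptions, not something the binary itself documents.
"""
import re
import string

# Constructed sample: the relevant lines of the ltrace output from the write-up.
LTRACE_LOG = """\
ptrace(0, 0, 0, 0) = -1
strcmp("test", "IUCzus5b2^l2^tq^c5^t^f1f1|") = 43
printf("[X] Intruder detected - dispatch"...) = 52
"""

# Assumed ltrace line shape:  name(arguments) = return_value
CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\w+)\s*$')
# Double-quoted C string literal, allowing backslash escapes inside it
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_ltrace(log: str):
    """Return (function, [string arguments], return value) for each well-formed line."""
    calls = []
    for line in log.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # interleaved program output or a truncated line
        name, args, ret = m.groups()
        # Turn C-style escapes such as \n inside the quoted arguments into real bytes
        strs = [s.encode().decode('unicode_escape') for s in STR_RE.findall(args)]
        calls.append((name, strs, ret))
    return calls


def strcmp_reference(log: str):
    """Second operand of the first strcmp() in the log: the value the input is compared against."""
    for name, strs, _ in parse_ltrace(log):
        if name == 'strcmp' and len(strs) == 2:
            return strs[1]
    return None


def ptrace_denied(log: str) -> bool:
    """True if the program's own ptrace() failed, i.e. it noticed it was already being traced."""
    return any(name == 'ptrace' and ret == '-1' for name, _, ret in parse_ltrace(log))


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def brute_force_xor(ciphertext: bytes, prefix: bytes = b'HTB{'):
    """Try all 256 single-byte keys; keep (key, plaintext) pairs that look like a flag."""
    hits = []
    for key in range(256):
        pt = xor_single(ciphertext, key)
        if (pt.startswith(prefix) and pt.endswith(b'}')
                and all(chr(c) in string.printable for c in pt)):
            hits.append((key, pt.decode()))
    return hits


if __name__ == '__main__':
    pw = strcmp_reference(LTRACE_LOG)
    print('ptrace anti-debug tripped:', ptrace_denied(LTRACE_LOG))
    print('reference string from strcmp():', pw)
    for key, flag in brute_force_xor(pw.encode()):
        print(f'key={key}: {flag}')
```

Scanning all 256 keys instead of `range(10)` costs nothing and avoids missing a key that happens to be larger; the prefix check pins the key uniquely here because the first ciphertext byte must XOR to `H`.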