```
Practice your skills in reversing and get the flag bypassing the login
```

We are given a file that we need to reverse engineer to get the username, so that we can then get the flag. This is literally easy and good for beginners like me :)

### Getting The Flag

First, before running it, I check the file type:

```
➜ classic_passwd file Challenge.Challenge
Challenge.Challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b80ce38cb25d043128bc2c4e1e122c3d4fbba7f7, for GNU/Linux 3.2.0, not stripped
```

Then I check the strings and look for the keyword `THM`:

```
➜ classic_passwd strings Challenge.Challenge | grep THM
THM{%d%d}
```

I now check for all available readable strings:

```
➜ classic_passwd rabin2 -z Challenge.Challenge
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00002004 0x00002004 22  23   .rodata ascii Insert your username: 
1   0x0000201e 0x0000201e 8   9    .rodata ascii \nWelcome
2   0x00002027 0x00002027 21  22   .rodata ascii \nAuthentication Error
3   0x0000203d 0x0000203d 9   10   .rodata ascii THM{%d%d}
```

Now it is time! Since we know that the flag is in integer form and we need the username to get it, I try running the program and put in `admin` as the username:

```
➜ classic_passwd ./Challenge.Challenge
Insert your username: admin

Authentication Error
```

I now use `radare2` and I am able to see a function named `sym.vuln`. Looking into it, I find out that it's actually using `strcmp` to compare the username that is input with the real username:

![](https://i.imgur.com/gpf5df1.png)

Now we have two ways of solving this. The first way is to read the string that is compared, write it down, and then use it to get the flag.

And the second way is to use `ltrace`, which is the easiest in my opinion:

```
➜ classic_passwd ltrace ./Challenge.Challenge
printf("Insert your username: ")                 = 22
__isoc99_scanf(0x564f8c10001b, 0x7ffd325c7340, 0, 1024Insert your username: admin
)                                                = 1
strcpy(0x7ffd325c72b0, "admin")                  = 0x7ffd325c72b0
strcmp("admin", "AGB6js5d9dkG7")                 = 32
puts("\nAuthentication Error"
Authentication Error
)                                                = 22
exit(0 <no return ...>
+++ exited (status 0) +++
```

And now we have the password, so let's use the username to log in:

```
➜ classic_passwd ./Challenge.Challenge
Insert your username: AGB6js5d9dkG7

Welcome
THM{65235128496}
```

```
FLAG : THM{65235128496}
```

---

![](https://i.imgur.com/kOD5xfq.gif)
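The `strings` output above never showed the expected username, yet `ltrace` printed it as the second `strcmp` argument. The following added example (not the challenge's source, which is not on the page) shows one way a program can behave like that; the XOR encoding, the names `ENC`, `KEY`, `build_expected` and `check_username`, and the sample value `EXAMPLE-USER` are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value "EXAMPLE-USER", stored XOR KEY so the plaintext
 * is not a readable literal in .rodata. Not the challenge's real data. */
#define KEY 0x5A
static const unsigned char ENC[] = {
    'E' ^ KEY, 'X' ^ KEY, 'A' ^ KEY, 'M' ^ KEY, 'P' ^ KEY, 'L' ^ KEY,
    'E' ^ KEY, '-' ^ KEY, 'U' ^ KEY, 'S' ^ KEY, 'E' ^ KEY, 'R' ^ KEY
};
#define N (sizeof ENC)

/* Decode the expected username into a caller-supplied buffer at run time. */
static void build_expected(char out[N + 1])
{
    for (size_t i = 0; i < N; i++)
        out[i] = (char)(ENC[i] ^ KEY);
    out[N] = '\0';
}

/* Returns 0 on match, like the strcmp() it wraps. */
int check_username(const char *input)
{
    char expected[N + 1];
    build_expected(expected);
    /* Both arguments cross the libc boundary in plaintext here, so a
     * library-call tracer sees the decoded value however it was stored. */
    return strcmp(input, expected);
}

int main(void)
{
    char input[64];
    printf("Insert your username: ");
    if (scanf("%63s", input) != 1)   /* bounded read */
        return 1;
    if (check_username(input) != 0) {
        puts("\nAuthentication Error");
        return 0;
    }
    puts("\nWelcome");
    return 0;
}
```

Encoding the value only hides it from static string extraction; once it is decoded and handed to a comparison routine it is visible at run time, so a value embedded in a client-side binary should not be relied on as a secret.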