DEV Community

L0WK3Y | I.A.A.N

Posted on • Updated on

TryHackMe - Classic Passwd Writeup

Intro

In this TryHackMe room you will be tasked with cracking the password to a binary by bypassing the authentication sequence. There are multiple ways to solve this CTF, but I will go over a few of the ways I solved it.

Scenario

Practice your skills in reversing and get the flag bypassing the login.

Questions

Method 1: Convert the Hex Values to Decimal

To start things off, I pull the strings to find what catches my eye, scrolling through the strings I find THM{ %d%d }. After doing countless CTFs I already know that flags are typically formatted this way (e.g flag{}, THM{}, htb{}), %d is a string format that takes an argument and prints it as an integer we will see that later on in Ghidra. You can read more about %d here.

After importing the file into Ghidra and head over to the main function we can see that two functions are called, vuln and gfl. For this method I will only be focusing on the gfl function. Once in the function we can see the printf function where the flag and the hex arguments that are being formatted into the flag string with %d. If we convert the hex values to decimal (0x638a78 = 65235128496) and (0x2130 = 8496) then append them to the string we get the full flag THM{652351284968496}.

Method 2: ltrace

For the second method I use a command line debugging utility called ltrace. After running the binary through ltrace it will ask the user to input the username. After doing so we can see that there is a strcmp function called with compares the users input to the correct username (AGB6js5d9dkG7). We can test this by executing the binary again and using the same username from the comparison and we can see that it is valid and prints the flag.

Method 3: Swap the Jump Instruction

The third method involves changing the jump instruction that leads to the "Welcome" message and the flag. In this method we will focus on the vuln function, this is where the user input is handled along with the if statement that handles the authentication. Below is the if statement and jump condition that handles the authentication. We can see that at address 00101261 there is a JNZ instruction which leads to the address 00101271 which prints the Authentication Failure message.

We can bypass this by switching the JNZ condition to JZ and patching the binary, which will essentially have the opposite output than that of the original program. Take a look back at the ltrace screenshot, you can see that in the original binary for the first comparison the word "test" was entered and was compared with the expected input the program returned a status code of 51. When the correct username is entered and compared the status code is 0. By swapping the jump condition, the user can input the wrong username, and the program will still print the Welcome message and flag.