In this walkthrough, we will be going through the Reversing ELF room from TryHackMe. This room teaches the basics of reverse engineering and more. On that note, let's get started.
Task 1 – Crackme1
Let's start with a basic warmup: can you run the binary?
Question 1 – What is the flag?
- This one was easy: just make the binary executable with chmod and run it to claim flag 1.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ file crackme1
crackme1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=672f525a7ad3c33f190c060c09b11e9ffd007f34, not stripped
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme1
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme1
flag{not_that_kind_of_elf}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
flag{not_that_kind_of_elf}
Task 2 – Crackme2
Find the super-secret password and use it to obtain the flag.
Question 1 – What is the super secret password ?
super_secret_password
Question 2 – What is the flag ?
- The binary in this task requires a password. I used the strings command on it to reveal any hidden strings and, after a little scrolling, found the password inside it: super_secret_password. Next, I passed this password to the binary to get our flag.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme2
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2
Usage: ./crackme2 password
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
memset
strcmp
__libc_start_main
/usr/local/lib:$ORIGIN
__gmon_start__
GLIBC_2.0
PTRh
j3jA
[^_]
UWVS
t$,U
[^_]
Usage: %s password
super_secret_password
Access denied.
Access granted.
;*2$"(
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2 super_secret_password
Access granted.
flag{if_i_submit_this_flag_then_i_will_get_points}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
flag{if_i_submit_this_flag_then_i_will_get_points}
Task 3 – Crackme3
Use basic reverse engineering skills to obtain the flag
Question 1 – What is the flag?
- The binary in this task asks for a password before going ahead. I used the strings command on it to reveal the readable strings in the binary and found an unusual Base64 string inside it. I then used CyberChef to decode the string, which gives us our flag.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme3
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme3
Usage: ./crackme3 PASSWORD
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme3
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
strlen
malloc
stderr
fwrite
fprintf
strcmp
__libc_start_main
GLIBC_2.0
PTRh
iD$$
D$,;D$
UWVS
[^_]
Usage: %s PASSWORD
malloc failed
ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==
Correct password!
Come on, even my aunt Mildred got this one!
f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
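Tasks 2 and 3 both rely on the same two observations: the `strings` tool simply prints every run of printable bytes in the file, and a long run drawn only from the Base64 alphabet (with `=` padding at the end) is worth decoding. The following Python script is an added example, not part of the original walkthrough or of the room's binaries: it reimplements the `strings` scan over a constructed byte blob (padding bytes are made up; only the text strings are the ones the walkthrough found) and then decodes any Base64-looking candidate that yields printable text.

```python
import base64
import string

# Constructed sample blob standing in for a slice of a binary: a few non-text
# bytes mixed with the strings the walkthrough recovered from crackme2 and
# crackme3. The padding bytes are invented; only the text strings come from the room.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"Usage: %s password\x00"
    + b"super_secret_password\x00"
    + b"\x83\xc4\x10[^_]\xc3"          # x86 epilogue bytes; "[^_]" is the junk that `strings` printed above
    + b"ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==\x00"
    + b"Correct password!\x00"
)

# Printable ASCII plus tab, which is what GNU strings treats as text by default.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable bytes, like `strings -n 4`."""
    found = []
    run = bytearray()
    for b in blob + b"\x00":          # trailing sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def looks_like_base64(s: str, min_len: int = 16) -> bool:
    """Structural filter: Base64 alphabet only, length a multiple of 4, at most two '=' at the end."""
    body = s.rstrip("=")
    pad = len(s) - len(body)
    return (
        len(s) >= min_len
        and len(s) % 4 == 0
        and pad <= 2
        and all(c in B64_ALPHABET for c in body)
    )


def base64_candidates(strs: list[str]) -> list[tuple[str, str]]:
    """Pair each Base64-looking string with its decoding, keeping only decodings that are printable text."""
    results = []
    for s in strs:
        if not looks_like_base64(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            results.append((s, decoded.decode("ascii")))
    return results


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BLOB)
    print("\n".join(strs))
    for encoded, plain in base64_candidates(strs):
        print(f"{encoded} -> {plain}")
```

The printable-output filter matters: random 24-byte runs in code sections often pass the alphabet check, so decoding and discarding non-text results is what keeps the candidate list short on a real binary. Note also that the `[^_]` junk line from the `strings` output above is simply the bytes of a `pop ebx; pop esi; pop edi; pop ebp` epilogue that happen to be printable.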
Task 4 – Crackme4
Analyze and find the password for the binary.
Question 1 – What is the password ?
- This task's binary holds a hidden string that stores our password. We will use ltrace to intercept the library calls the program makes; that reveals the desired password inside the hidden strcmp call.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme4
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme4
Usage : ./crackme4 password
This time the string is hidden and we used strcmp
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme4 test
__libc_start_main(0x400716, 2, 0x7fff8030f228, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "test") = -7
printf("password "%s" not OK\n", "test"password "test" not OK
) = 23
+++ exited (status 0) +++
my_m0r3_secur3_pwd
Task 5 – Crackme5
What will be the input of the file to get the output "Good game"?
Question 1 – What is the input ?
- First, I ran the binary to understand what it does and how it executes. Next, I used ltrace to see the complete execution of the program. It reveals an interesting string: OfdlDSA|3tXb32~X3tX@sX`4tXtz.
- Used the same as input to get our flag.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme5
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
hello
Always dig deeper
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme5
__libc_start_main(0x400773, 1, 0x7ffd76bd4148, 0x4008d0 <unfinished ...>
puts("Enter your input:"Enter your input:
) = 18
__isoc99_scanf(0x400966, 0x7ffd76bd4000, 0, 0x7f4e71158077
hello
) = 1
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = 25
puts("Always dig deeper"Always dig deeper
) = 18
+++ exited (status 0) +++
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
OfdlDSA|3tXb32~X3tX@sX`4tXtz
Good game
OfdlDSA|3tXb32~X3tX@sX`4tXtz
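Tasks 4 and 5 show the same thing from the dynamic side: when a program checks its input with strcmp or strncmp, ltrace prints both operands, so the hard-coded reference value is exposed to anyone who can run the binary under a tracer. The script below is an added example, not part of the original walkthrough: it parses ltrace output for the strcmp family of calls and, given the input that was typed, reports the operand the program was really expecting. The sample traces are constructed from the ltrace lines shown above, trimmed to the calls of interest.

```python
import re

# Constructed sample traces: the strcmp/strncmp lines are copied from the
# crackme4 and crackme5 ltrace runs above; other lines are trimmed.
TRACE_CRACKME4 = """\
__libc_start_main(0x400716, 2, 0x7fff8030f228, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "test") = -7
+++ exited (status 0) +++
"""

TRACE_CRACKME5 = """\
strlen("hello") = 5
strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = 25
puts("Always dig deeper"Always dig deeper
) = 18
+++ exited (status 0) +++
"""

# One ltrace line for a string comparison:  name("a", "b"[, n]) = ret
# Quoted arguments may contain escaped characters such as \n, hence (?:[^"\\]|\\.)*.
CMP_RE = re.compile(
    r'^(?P<func>strn?(?:case)?cmp)'
    r'\("(?P<a>(?:[^"\\]|\\.)*)",\s*"(?P<b>(?:[^"\\]|\\.)*)"'
    r'(?:,\s*(?P<n>\d+))?\)\s*=\s*(?P<ret>-?\d+)\s*$'
)


def comparison_calls(trace: str) -> list[dict]:
    """Extract every strcmp-family call from an ltrace capture."""
    calls = []
    for line in trace.splitlines():
        m = CMP_RE.match(line.strip())
        if m is None:
            continue
        calls.append({
            "func": m["func"],
            "a": m["a"],
            "b": m["b"],
            "n": int(m["n"]) if m["n"] else None,   # length limit for strncmp-style calls
            "ret": int(m["ret"]),
        })
    return calls


def reference_values(trace: str, user_input: str) -> list[str]:
    """For each failed comparison that involved user_input, return the other
    operand: that is the hard-coded value the program expected."""
    refs = []
    for c in comparison_calls(trace):
        if c["ret"] == 0 or user_input not in (c["a"], c["b"]):
            continue
        refs.append(c["b"] if c["a"] == user_input else c["a"])
    return refs


if __name__ == "__main__":
    for name, trace, given in (("crackme4", TRACE_CRACKME4, "test"),
                               ("crackme5", TRACE_CRACKME5, "hello")):
        print(name, "expected input:", reference_values(trace, given))
```

The developer-side lesson is the one the crackme5 banner hints at ("Always dig deeper"): a secret that lives in the binary and is compared in-process is not protected by being hidden from `strings`, because the comparison itself hands it to any library-call tracer.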
Task 6 – Crackme6
Analyze the binary for the easy password
Question 1 – What is the password ?
- The binary in this task, when run, asks us to read the source. This hints towards the source code of the binary. We will use Ghidra for it. Ghidra is a reverse engineering tool developed by the Big Alpha NSA boys.
- Analyzing the main function gives us access to the underlying code that is being run by the binary.
- The compare_pwd function seems interesting as it is comparing the input password against the real password.
- Peeking into the same shows that it calls a my_secure_test function to check whether the input password is right or not.
- The decompiled version of the my_secure_test function reveals something juicy if looked at closely: 1337_pwd, and that is our password for the binary.
- Use the found password and complete the task.
1337_pwd
Task 7 – Crackme7
Analyze the binary to get the flag
Question 1 – What is the flag ?
- The binary in this task is a program made up of a set of small sub-programs behind a menu. Nothing fancy.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme7
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 1
What is your name? test
Hello, test!
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 2
Enter first number: 4
Enter second number: 5
4 + 5 = 9
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 3
Goodbye!
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
- Load it up in Ghidra and analyze the main function.
- The givenFlag() function stands out as it outputs a potential success message. The local_14 variable is checked against a hexadecimal constant for the condition to be met.
- Decoding the hexadecimal value with an online converter gives us 31337.
- Tried it as an input in our program and got our flag.
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 31337
Wow such h4x0r!
flag{much_reversing_very_ida_wow}
flag{much_reversing_very_ida_wow}
Task 8 – Crackme8
Analyze the binary and obtain the flag
Question 1 – What is the flag ?
- Tried running the binary crackme8; as per the output, it expects a password.
- Throw the file into Ghidra and analyze the main function.
- In the main function, you can see that iVar is compared with a hexadecimal constant and, if it matches, "Access granted" is printed.
- Decoding the constant with an online hexadecimal to decimal converter gives us -889262067.
- Using the converted decimal value as the password, we got our final flag.
flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
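Tasks 7 and 8 both come down to reading a hexadecimal constant out of the decompiler and typing its decimal form, and task 8 adds the twist that Ghidra shows the comparison on a signed 32-bit `int`, so the decimal is negative. The following helper is an added example, not part of the original walkthrough: it converts between the three forms a reverser meets (hex pattern, unsigned decimal, signed decimal). The hex values in the usage lines are not quoted from Ghidra; `0x7a69` is simply the hex of 31337, and the crackme8 pattern is computed from the author's decimal -889262067 (it reads as "cafe f00d", which lines up with the flag text).

```python
def to_unsigned32(value: int) -> int:
    """Truncate to the low 32 bits, as a C `unsigned int` would."""
    return value & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit pattern as a C `int` (two's complement),
    which is how Ghidra prints the operand of an int comparison."""
    value = to_unsigned32(value)
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def describe(value: int) -> dict:
    """Show one constant the three ways it appears: hex pattern, unsigned decimal,
    signed decimal. 'decimal_text' is the text to type when the program parses a
    signed decimal number from its input."""
    u = to_unsigned32(value)
    s = to_signed32(u)
    return {"hex": f"0x{u:08x}", "unsigned": u, "signed": s, "decimal_text": str(s)}


if __name__ == "__main__":
    # crackme7: 31337 is the decimal of the constant 0x7a69 (hex derived from the page's decimal)
    print(describe(0x7A69))
    # crackme8: recover the 32-bit pattern behind the decimal the walkthrough got from Ghidra
    print(describe(-889262067))
```

The point to remember when reading decompiler output: a large hex constant with its top bit set is shown as a negative `int` if the variable it is compared with is signed, and as a large positive number if it is unsigned. Both describe the same 32-bit pattern, but only one of the two decimal spellings will satisfy a program that parses a signed integer.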
So that was "Reversing ELF" for you. In this room, we have learned the basics of reverse engineering by analyzing 8 task binaries and finding the flags associated with them. On that note, I will take my leave and meet you in the next one. So stay tuned and till then, "Hack the planet".