Tryhackme - Reversing ELF

In this walkthrough, we will go through the Reversing ELF room from Tryhackme. This room teaches the basics of Reverse Engineering and more. On that note, let’s get started.

Task 1 – Crackme1

Let’s start with a basic warmup, can you run the binary?

Question 1 – What is the flag?

  • This one was easy. Just make the binary executable with chmod +x and run it to claim our first flag.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ file crackme1 
crackme1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=672f525a7ad3c33f190c060c09b11e9ffd007f34, not stripped
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme1 
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme1 
flag{not_that_kind_of_elf}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ 

flag{not_that_kind_of_elf}

Task 2 – Crackme2

Find the super-secret password! and use it to obtain the flag

Question 1 – What is the super secret password ?

super_secret_password

Question 2 – What is the flag ?

  • The binary in this task requires a password. I ran the strings command on it to reveal any embedded strings and, with a little bit of scrolling, found the password inside it – super_secret_password. Next, I ran the binary with this password as its argument to get our flag.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme2
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2
Usage: ./crackme2 password
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
memset
strcmp
__libc_start_main
/usr/local/lib:$ORIGIN
__gmon_start__
GLIBC_2.0
PTRh 
j3jA
[^_]
UWVS
t$,U
[^_]
Usage: %s password
super_secret_password
Access denied.
Access granted.
;*2$"(


wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2 super_secret_password
Access granted.
flag{if_i_submit_this_flag_then_i_will_get_points}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ 

flag{if_i_submit_this_flag_then_i_will_get_points}

Task 3 – Crackme3

Use basic reverse engineering skills to obtain the flag

Question 1 – What is the flag?

  • The binary in this task asks for a password before going ahead. I ran the strings command on it to list the printable strings in the binary and found an unusual Base64 string among them. Decoding that string with CyberChef gives us our flag.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme3
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme3
Usage: ./crackme3 PASSWORD
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme3
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
strlen
malloc
stderr
fwrite
fprintf
strcmp
__libc_start_main
GLIBC_2.0
PTRh
iD$$
D$,;D$ 
UWVS
[^_]
Usage: %s PASSWORD
malloc failed
ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==
Correct password!
Come on, even my aunt Mildred got this one!


f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
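The two manual steps from this task (strings, then a Base64 decode) can be done in one pass. The script below is an added example, not part of the original walkthrough: SAMPLE is a constructed byte buffer that embeds a few of the strings from the output above, and the function names are hypothetical.

```python
import base64
import re

# Constructed stand-in for a slice of crackme3: strings taken from the output
# above, NUL-separated and surrounded by non-printable filler bytes.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"Usage: %s PASSWORD\n\x00malloc failed\n\x00"
    + b"ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==\x00"
    + b"Correct password!\x00\x01\x02\xff__libc_start_main\x00"
)

# Runs of 4 or more printable ASCII bytes, which is what `strings` reports by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# At least 16 Base64 characters in groups of four, with optional '=' padding.
BASE64_SHAPE = re.compile(
    r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def printable_strings(blob: bytes) -> list[str]:
    """Return the printable ASCII runs found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def decode_base64_candidates(strings: list[str]) -> dict[str, str]:
    """Decode strings that are wholly Base64-shaped and decode to printable text."""
    found = {}
    for s in strings:
        if not BASE64_SHAPE.fullmatch(s):
            continue  # symbol names and messages contain '_', ' ', '!' and so on
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        # Keep only results that are readable text, to cut down false positives.
        if raw and all(0x20 <= b <= 0x7E for b in raw):
            found[s] = raw.decode("ascii")
    return found


if __name__ == "__main__":
    for encoded, decoded in decode_base64_candidates(printable_strings(SAMPLE)).items():
        print(f"{encoded} -> {decoded}")
```

The printable-text filter is what keeps ordinary symbol names out of the results; real binaries will still produce the occasional false positive.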


Task 4 – Crackme4

Analyze and find the password for the binary?

Question 1 – What is the password ?

  • In this task the password is stored as a hidden string. We will use ltrace to intercept the library function calls made by the program, and the strcmp call it shows will give us our desired password.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme4
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme4
Usage : ./crackme4 password
This time the string is hidden and we used strcmp


wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme4 test
__libc_start_main(0x400716, 2, 0x7fff8030f228, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "test")                                                                  = -7
printf("password "%s" not OK\n", "test"password "test" not OK
)                                                              = 23
+++ exited (status 0) +++

my_m0r3_secur3_pwd

Task 5 – Crackme5

What will be the input of the file to get output Good game ?

Question 1 – What is the input ?

  • First, I ran the binary in order to understand what it does and how it executes. Next, I used ltrace to see the complete execution of the program. It reveals an interesting string – OfdlDSA|3tXb32~X3tX@sX`4tXtz.

  • Entering the same string as input gives us the Good game output.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme5
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
hello
Always dig deeper

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme5
__libc_start_main(0x400773, 1, 0x7ffd76bd4148, 0x4008d0 <unfinished ...>
puts("Enter your input:"Enter your input:
)                                                                             = 18
__isoc99_scanf(0x400966, 0x7ffd76bd4000, 0, 0x7f4e71158077
hello
)                                           = 1
strlen("hello")                                                                                       = 5
strlen("hello")                                                                                       = 5
strlen("hello")                                                                                       = 5
strlen("hello")                                                                                       = 5
strlen("hello")                                                                                       = 5
strlen("hello")                                                                                       = 5
strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28)                                                  = 25
puts("Always dig deeper"Always dig deeper
)                                                                             = 18
+++ exited (status 0) +++
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
OfdlDSA|3tXb32~X3tX@sX`4tXtz
Good game


OfdlDSA|3tXb32~X3tX@sX`4tXtz
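Crackme4 and Crackme5 leak their secret the same way: the expected value is passed in plaintext to a libc comparison function, so it shows up next to our own input in the trace. The parser below is an added example, not part of the original walkthrough; it takes ltrace lines copied from the two sessions above (column padding trimmed) and reports the operand that is not our input. The function and variable names are hypothetical.

```python
import re

# ltrace lines copied from the crackme4 and crackme5 sessions above.
CRACKME4_TRACE = r'''__libc_start_main(0x400716, 2, 0x7fff8030f228, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "test") = -7
printf("password "%s" not OK\n", "test"password "test" not OK
) = 23
+++ exited (status 0) +++'''

CRACKME5_TRACE = r'''strlen("hello") = 5
strlen("hello") = 5
strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = 25
puts("Always dig deeper"Always dig deeper
) = 18
+++ exited (status 0) +++'''

# A string comparison call with two quoted arguments, an optional length and a result.
CALL = re.compile(
    r'^(?P<fn>strcmp|strncmp|strcasecmp|strncasecmp)\('
    r'"(?P<a>(?:[^"\\]|\\.)*)", "(?P<b>(?:[^"\\]|\\.)*)"'
    r'(?:, (?P<n>\d+))?\)\s*= (?P<ret>-?\d+)$',
    re.MULTILINE,
)


def leaked_secrets(trace: str, user_input: str) -> list[dict]:
    """For each comparison that involves user_input, report the other operand."""
    leaks = []
    for m in CALL.finditer(trace):
        a, b = m["a"], m["b"]
        if user_input not in (a, b) or a == b:
            continue  # not a comparison against our input, or nothing new to learn
        leaks.append({
            "function": m["fn"],
            "secret": b if a == user_input else a,
            "matched": int(m["ret"]) == 0,  # 0 means the strings compared equal
        })
    return leaks


if __name__ == "__main__":
    print(leaked_secrets(CRACKME4_TRACE, "test"))
    print(leaked_secrets(CRACKME5_TRACE, "hello"))
```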


Task 6 – Crackme6

Analyze the binary for the easy password

Question 1 – What is the password ?

  • When run, the binary in this task asks us to read the source. This hints towards the source code of the binary. We will use Ghidra for it. Ghidra is a reverse engineering tool developed by Big Alpha NSA boys.

  • Analyzing the main function gives us access to the underlying code that is being run by the binary.

  • The compare_pwd function seems interesting, as it compares the input password against the real password.

  • Peeking into it shows that it calls a my_secure_test function to check whether the input password is right or not.

  • A close look at the decompiled my_secure_test function reveals something juicy – 1337_pwd, and that is our password for the binary.

  • Use the found password and complete the task.

1337_pwd

Task 7 – Crackme7

Analyze the binary to get the flag

Question 1 – What is the flag ?

  • The binary in this task is a menu program made up of a set of small programs. Nothing fancy.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme7
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:

[1] Say hello
[2] Add numbers
[3] Quit

[>] 1
What is your name? test
Hello, test!
Menu:

[1] Say hello
[2] Add numbers
[3] Quit

[>] 2
Enter first number: 4
Enter second number: 5
4 + 5 = 9
Menu:

[1] Say hello
[2] Add numbers
[3] Quit

[>] 3
Goodbye!
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ 

  • Load it up in Ghidra and analyze the main function.

  • The giveFlag() function stands out, as it outputs a potential success message. The local_14 variable is checked against a hexadecimal value for the condition to be met.

  • Decoding the hexadecimal value with an online converter gives us – 31337.

  • Tried it as an input in our program and got our flag.

wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:

[1] Say hello
[2] Add numbers
[3] Quit

[>] 31337
Wow such h4x0r!
flag{much_reversing_very_ida_wow}

flag{much_reversing_very_ida_wow}

Task 8 – Crackme8

Analyze the binary and obtain the flag

Question 1 – What is the flag ?

  • Tried running the binary crackme8 and, as per the output, it expects a password.

  • Throw the file into Ghidra and analyze the main function.

  • In the main function, you can see that iVar is compared against a hexadecimal value and, if the comparison is true, we get “Access granted”.

  • Decoding the value with an online hexadecimal to decimal converter gives us – -889262067

  • Using the converted decimal value as the password, we got our final flag.

flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
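The hexadecimal to decimal step in Crackme7 and Crackme8 can be done offline, and it explains why the Crackme8 answer is negative: a constant with its top bit set, read as a signed integer, is a negative number. The snippet below is an added example, not part of the original walkthrough. It assumes the compared variables are 32-bit signed ints; the decompiler-style lines are constructed, with hex literals derived from the decimal answers above rather than copied from the original Ghidra screenshots.

```python
import re

# Constructed decompiler-style comparisons. Variable names follow the walkthrough;
# the literals are derived from its decimal answers (31337 and -889262067).
DECOMPILED = """
if (local_14 == 0x7a69) {
if (iVar == -0x35010ff3) {
if (iVar == 0xcafef00d) {
"""

# "(name == literal)" where the literal is hex or decimal, optionally negative.
COMPARE = re.compile(r"\(\s*(\w+)\s*==\s*(-?(?:0x[0-9a-fA-F]+|\d+))\s*\)")


def as_signed(literal: str, bits: int = 32) -> int:
    """Interpret a literal as a two's-complement signed integer of `bits` bits."""
    value = int(literal, 0)          # base 0 accepts "0x..", "-0x.." and decimal
    value &= (1 << bits) - 1         # reduce to the raw bit pattern
    if value >> (bits - 1):          # top bit set means the value is negative
        value -= 1 << bits
    return value


def as_hex(value: int, bits: int = 32) -> str:
    """Inverse direction: the bit pattern a signed decimal occupies, as hex."""
    return f"0x{value & ((1 << bits) - 1):0{bits // 4}x}"


def inputs_to_type(source: str, bits: int = 32) -> list[tuple[str, str, int]]:
    """(variable, literal as written, decimal to enter) for each == comparison."""
    return [(var, lit, as_signed(lit, bits)) for var, lit in COMPARE.findall(source)]


if __name__ == "__main__":
    for var, lit, dec in inputs_to_type(DECOMPILED):
        print(f"{var} == {lit:<12} -> enter {dec}")
```

The last two constructed lines are the same 32-bit pattern written two ways, so both resolve to the same decimal input.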



So that was “Reversing ELF” for you. In this room, we have learned the basics of Reverse Engineering by analyzing 8 task binaries and finding the flags associated with them. On that note, I will take your leave and meet you in the next one. So stay tuned and till then, “Hack the planet”.
