In this walkthrough, we will be going through the Reversing ELF room from Tryhackme. This room will teach us about the basics of Reverse Engineering and more. On that note, let’s get started.
![Tryhackme - Reversing ELF Reversing ELF](https://inventyourshit.com/wp-content/uploads/2023/09/Screenshot-from-2023-09-30-14-05-42.png)
Task 1 – Crackme1
Let’s start with a basic warmup, can you run the binary?
Question 1 – What is the flag?
- This one was easy. Just change the mode of the binary and execute it to claim our flag 1.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ file crackme1
crackme1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=672f525a7ad3c33f190c060c09b11e9ffd007f34, not stripped
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme1
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme1
flag{not_that_kind_of_elf}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
```
![Tryhackme - Reversing ELF file crackme1](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624215646.png)
flag{not_that_kind_of_elf}
![Tryhackme - Reversing ELF Task 1 - Crackme1](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624215746-1024x133.png)
Task 2 – Crackme2
Find the super-secret password! and use it to obtain the flag
Question 1 – What is the super secret password ?
super_secret_password
Question 2 – What is the flag ?
- The binary in this task requires a password. I used the strings command on it to reveal any hidden strings. Found the password inside it with a little bit of scrolling – super_secret_password. Next, I used this password to get our flag by executing the binary with it.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme2
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2
Usage: ./crackme2 password
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
memset
strcmp
__libc_start_main
/usr/local/lib:$ORIGIN
__gmon_start__
GLIBC_2.0
PTRh
j3jA
[^_]
UWVS
t$,U
[^_]
Usage: %s password
super_secret_password
Access denied.
Access granted.
;*2$"(
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme2 super_secret_password
Access granted.
flag{if_i_submit_this_flag_then_i_will_get_points}
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
```
![Tryhackme - Reversing ELF chmod +x crackme2](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220146.png)
![Tryhackme - Reversing ELF password](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220203.png)
![Tryhackme - Reversing ELF crackme2 flag](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220323.png)
flag{if_i_submit_this_flag_then_i_will_get_points}
![Tryhackme - Reversing ELF Task 2 - Crackme2](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220357-1024x207.png)
Task 3 – Crackme3
Use basic reverse engineering skills to obtain the flag
Question 1 – What is the flag?
- The binary in the task asks for a password to proceed. Used the strings command on it to reveal potential strings in the binary. Found an unusual Base64 string inside it. Further, I used CyberChef to decode the string, which gives us our flag.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme3
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme3
Usage: ./crackme3 PASSWORD
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ strings crackme3
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
strlen
malloc
stderr
fwrite
fprintf
strcmp
__libc_start_main
GLIBC_2.0
PTRh
iD$$
D$,;D$
UWVS
[^_]
Usage: %s PASSWORD
malloc failed
ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==
Correct password!
Come on, even my aunt Mildred got this one!
```
![Tryhackme - Reversing ELF strings crackme3](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220812.png)
![Tryhackme - Reversing ELF Base64 encoded string](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220830.png)
![Tryhackme - Reversing ELF Base64 decode](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220850-1024x423.png)
f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
![Tryhackme - Reversing ELF Task 3 - Crackme3](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624220928-1024x127.png)
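The strings-then-decode step from Tasks 2 and 3 can be done in one pass. The script below is an added example, not part of the original walkthrough: it extracts printable runs the way `strings` does and reports only those that are valid Base64 of readable text. `SAMPLE_BLOB` is a constructed stand-in for the binary, built from strings shown in the output above; the function names are this example's own.

```python
import base64
import binascii
import re

# Constructed sample: strings the page shows in crackme3's output, separated
# by non-printable bytes the way they would sit inside a binary.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00libc.so.6\x00strcmp\x00__libc_start_main\x00"
    b"GLIBC_2.0\x00UWVS\x00[^_]\x00Usage: %s PASSWORD\n\x00malloc failed\n\x00"
    b"ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==\x00"
    b"Correct password!\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # 4 is also the strings(1) default
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_strings(blob):
    """Return runs of 4+ printable ASCII bytes, like a minimal strings(1)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def find_base64(strings):
    """Return (encoded, decoded) pairs for valid Base64 of printable text."""
    hits = []
    for s in strings:
        # Base64 output length is always a multiple of 4.
        if len(s) % 4 or not BASE64_SHAPE.fullmatch(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue
        # Symbol names that happen to fit the alphabet decode to binary junk;
        # keep only results that are readable text.
        if raw and all(0x20 <= b <= 0x7E for b in raw):
            hits.append((s, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    for encoded, decoded in find_base64(extract_strings(SAMPLE_BLOB)):
        print(f"{encoded} -> {decoded}")
```

To run it against a real file, pass `open(path, "rb").read()` to `extract_strings` instead of the sample blob.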
Task 4 – Crackme4
Analyze and find the password for the binary?
Question 1 – What is the password ?
- This task consists of hidden strings that store our password. We will use ltrace to intercept the library function calls made by the program, and that will give us our desired password inside the hidden strcmp.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme4
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme4
Usage : ./crackme4 password
This time the string is hidden and we used strcmp
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme4 test
__libc_start_main(0x400716, 2, 0x7fff8030f228, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "test") = -7
printf("password "%s" not OK\n", "test"password "test" not OK
) = 23
+++ exited (status 0) +++
```
![Tryhackme - Reversing ELF ltrace crackme4](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624225535.png)
my_m0r3_secur3_pwd
![Tryhackme - Reversing ELF Task 4 - Crackme4](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624225559-1024x138.png)
Task 5 – Crackme5
What will be the input of the file to get output Good game?
Question 1 – What is the input ?
- First ran the binary in order to understand what and how it is being executed. Next used ltrace to see the complete execution of the program. It reveals an interesting string – OfdlDSA|3tXb32~X3tX@sX`4tXtz.
- Used the same to get our flag.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme5
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
hello
Always dig deeper
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ltrace ./crackme5
__libc_start_main(0x400773, 1, 0x7ffd76bd4148, 0x4008d0 <unfinished ...>
puts("Enter your input:"Enter your input:
) = 18
__isoc99_scanf(0x400966, 0x7ffd76bd4000, 0, 0x7f4e71158077
hello
) = 1
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strlen("hello") = 5
strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = 25
puts("Always dig deeper"Always dig deeper
) = 18
+++ exited (status 0) +++
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme5
Enter your input:
OfdlDSA|3tXb32~X3tX@sX`4tXtz
Good game
```
![Tryhackme - Reversing ELF chmod +x crackme5](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624230257.png)
![Tryhackme - Reversing ELF ltrace](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624230319-1024x477.png)
OfdlDSA|3tXb32~X3tX@sX`4tXtz
![Tryhackme - Reversing ELF Task 5 - Crackme5](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624230919-1024x143.png)
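Tasks 4 and 5 both work because the expected value reaches libc's compare function as a plaintext argument, which ltrace prints next to whatever probe input was supplied. The parser below is an added example, not part of the original walkthrough: it reads ltrace lines and reports the operand that was not the probe. `LTRACE_LOG` is a constructed sample built from the call lines shown above, and the function name is this example's own.

```python
import re

# Constructed sample: library-call lines from the two ltrace runs above,
# with the interleaved program output removed.
LTRACE_LOG = "\n".join([
    'strcmp("my_m0r3_secur3_pwd", "test") = -7',
    'printf("password "%s" not OK\\n", "test") = 23',
    'strlen("hello") = 5',
    'strncmp("hello", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = 25',
    'puts("Always dig deeper") = 18',
])

# ltrace does not escape quotes inside arguments, so this pattern assumes
# neither operand contains the sequence `", "` (true for the lines above).
COMPARE_CALL = re.compile(
    r'^(?P<func>strcmp|strncmp|strcasecmp|strncasecmp)'
    r'\("(?P<a>.*?)", "(?P<b>.*?)"(?:, \d+)?\)\s*=\s*(?P<ret>-?\d+)\s*$'
)


def leaked_operands(log, probes):
    """Return (function, other_operand, matched) for each compare call in
    which exactly one argument is a probe value the analyst typed in."""
    findings = []
    for line in log.splitlines():
        m = COMPARE_CALL.match(line.strip())
        if not m:
            continue
        a, b = m.group("a"), m.group("b")
        # Skip calls where neither or both operands are probes: there is
        # no way to tell which side came from the binary.
        if (a in probes) == (b in probes):
            continue
        secret = b if a in probes else a
        findings.append((m.group("func"), secret, int(m.group("ret")) == 0))
    return findings


if __name__ == "__main__":
    for func, secret, matched in leaked_operands(LTRACE_LOG, {"test", "hello"}):
        print(f"{func}: compared against {secret!r} (matched={matched})")
```

The same observation is the mitigation point: a check that compares user input to a stored plaintext value through a library call exposes that value to anyone who can run the binary under a tracer.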
Task 6 – Crackme6
Analyze the binary for the easy password
Question 1 – What is the password ?
- The binary in this task, when run, asks us to read the source. This hints towards the source code of the binary. We will use Ghidra for it. Ghidra is a reverse engineering tool developed by Big Alpha NSA boys.
![Tryhackme - Reversing ELF crackme6](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235720.png)
![Tryhackme - Reversing ELF Result Summary](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624234838.png)
- Analyzing the main function gives us access to the underlying code that is being run by the binary.
![Tryhackme - Reversing ELF Ghidra Main function](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235046-1024x541.png)
- The compare_pwd function seems interesting as it is comparing the input password against the real password.
![Tryhackme - Reversing ELF Decompile main](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235131.png)
- Peeking into the same shows that it is calling a my_secure_test function for checking if the input password is right or not.
![Tryhackme - Reversing ELF Decompile compare_pwd](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235210.png)
- The decompiled version of the my_secure_test function reveals something juicy if looked at closely – 1337_pwd, and that is our password for the binary.
![Tryhackme - Reversing ELF Decompile my_secure_test](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235306.png)
- Use the found password and complete the task.
![Tryhackme - Reversing ELF crackme6 flag](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235411.png)
1337_pwd
![Tryhackme - Reversing ELF Task 6 - Crackme6](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235442-1024x142.png)
Task 7 – Crackme7
Analyze the binary to get the flag
Question 1 – What is the flag ?
- The binary in this task is a program which is a set of small programs. Nothing fancy.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ chmod +x crackme7
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 1
What is your name? test
Hello, test!
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 2
Enter first number: 4
Enter second number: 5
4 + 5 = 9
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 3
Goodbye!
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$
```
![Tryhackme - Reversing ELF chmod +x crackme7](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230624235653.png)
- Load it up in Ghidra and analyze the main function.
![Tryhackme - Reversing ELF Ghidra main function](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625000104-1024x539.png)
- The giveFlag() function stands out as it outputs a potential success. The local_14 variable holds a hexadecimal value which is checked for the condition to be met.
![Tryhackme - Reversing ELF giveFlag();](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625000210.png)
- Decoding the hexadecimal value with a converter online gives us – 31337.
![Tryhackme - Reversing ELF Hexadecimal to Decimal Converter](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001007.png)
- Tried it as an input in our program and got our Flag.
```
wh1terose@fsociety:~/CTF/TryHackme/Reversing Elf$ ./crackme7
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 31337
Wow such h4x0r!
flag{much_reversing_very_ida_wow}
```
![Tryhackme - Reversing ELF crackme7 flag](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001038.png)
flag{much_reversing_very_ida_wow}
![Tryhackme - Reversing ELF Task 7 - Crackme7](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001108-1024x125.png)
Task 8 – Crackme8
Analyze the binary and obtain the flag
Question 1 – What is the flag ?
- Tried running the binary crackme8 and as per the output it expects a password.
![Tryhackme - Reversing ELF chmod +x crackme8](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001340.png)
- Throw the file into Ghidra and analyze the main function.
![Tryhackme - Reversing ELF Ghidra main function](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001538-1024x539.png)
- In the main function, you can see that iVar is compared to some hexadecimal value, and if the comparison is true then we get “Access granted”.
![Tryhackme - Reversing ELF Ivar](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001602.png)
- Decoding the value with an online hexadecimal to decimal converter gives us -889262067.
![Tryhackme - Reversing ELF Hexadecimal to Decimal Converter](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001743.png)
- Using the converted decimal value as the password, we got our final flag.
![Tryhackme - Reversing ELF crackme8 flag](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001801.png)
flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
![Tryhackme - Reversing ELF Task 8 - Crackme8](https://inventyourshit.com/wp-content/uploads/2023/09/Pasted-image-20230625001824-1024x127.png)
So that was “Reversing ELF” for you. In this room, we have learned about the basics of Reverse Engineering by analyzing 8 task binaries and finding the flags associated with them. On that note, I will take your leave and meet you in the next one. So stay tuned and till then, “Hack the planet”.