Compiled -TryHackMe-

OwenW
Oct 25, 2023

Hi, this is a write-up for a simple binary challenge from TryHackMe. It uses some basic knowledge of binaries and can be solved quickly with some amazing tools.

The main goal of the challenge is to find the binary's passcode, so we download the binary first. We can use the file command to see the basic structure of this executable file.

file Compiled.Compiled
Compiled.Compiled: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=06dcfaf13fb76a4b556852c5fbf9725ac21054fd, for GNU/Linux 3.2.0, not stripped

When you run the file, it asks for a password, and only the right password gives you the answer. When I saw this, I thought the binary's logic might be to compare your password string with some string stored in the file. To test this idea, I am going to use a tool called ltrace. Here is the output of the tool after I input the letter ‘a’ as the password.

ltrace is a very useful tool when you test a binary file. It can intercept the library calls and signals of the running program, before and after the user input, and print them. So if the logic of the binary is to compare strings after user input, we can directly see the specific content of the comparison.

From the output we know that the file compares our password to the strings “__dso_handle” and “_init”. However, those two strings are not the password we need, because there is a scanf function which may filter the input. Now we can use any decompiler to see the original code. Here I use Ghidra to get the code of the main function.

undefined8 main(void)

{
  int iVar1;
  char local_28 [32];

  fwrite("Password: ",1,10,stdout);
  __isoc99_scanf("DoYouEven%sCTF",local_28);
  iVar1 = strcmp(local_28,"__dso_handle");
  if ((-1 < iVar1) && (iVar1 = strcmp(local_28,"__dso_handle"), iVar1 < 1)) {
    printf("Try again!");
    return 0;
  }
  iVar1 = strcmp(local_28,"_init");
  if (iVar1 == 0) {
    printf("Correct!");
  }
  else {
    printf("Try again!");
  }
  return 0;
}

We can see that it uses scanf to store only the string after “DoYouEven”, and when the stored string equals _init it outputs “Correct!”. So the password is DoYouEven followed by _init.

What is the password?
DoYouEven_init
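
The parsing described above can be reproduced outside the binary. The following is an added example, not code from the challenge or from this write-up's author: it runs the same format string through sscanf on constructed inputs. The function name check, the verdict enum and the %31s width are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Verdict names are assumptions of this sketch, not symbols from the binary. */
enum verdict { NO_MATCH, REJECTED, CORRECT };

/* Parse `line` with the format string from the decompiled main(): the literal
 * "DoYouEven" must match first, then %s copies up to the next whitespace.
 * `captured` receives what would land in local_28. */
enum verdict check(const char *line, char captured[32])
{
    /* main() leaves local_28 uninitialised; cleared here so a failed parse
     * is deterministic instead of comparing stack garbage. */
    captured[0] = '\0';
    /* %31s bounds the copy to the 32-byte buffer (the binary uses a bare %s).
     * The trailing "CTF" comes after the conversion, so it cannot change
     * what is stored or the return value. */
    if (sscanf(line, "DoYouEven%31sCTF", captured) != 1)
        return NO_MATCH;                 /* prefix missing: nothing stored */
    if (strcmp(captured, "__dso_handle") == 0)
        return REJECTED;                 /* first branch in main() */
    return strcmp(captured, "_init") == 0 ? CORRECT : REJECTED;
}

int main(void)
{
    /* Constructed inputs, one per case worth seeing. */
    const char *inputs[] = { "a", "_init", "DoYouEven_init",
                             "DoYouEven_initCTF", "DoYouEven__dso_handle" };
    static const char *names[] = { "no match", "Try again!", "Correct!" };
    char buf[32];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum verdict v = check(inputs[i], buf);
        printf("%-24s stored=\"%s\" -> %s\n", inputs[i], buf, names[v]);
    }
    return 0;
}
```

An input without the DoYouEven prefix stores nothing, and DoYouEven_initCTF is rejected because %s swallows the CTF suffix into the buffer.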

Hope you like this write up and feel free to give me feedback. : )
