HackTheBox Writeup (impossible password)

who_am_i
4 min read · Aug 13, 2021


This is the challenge

First, download the file “impossible_password.zip” from HTB and unzip it. Then check the file type:-

You can see that it is an ELF 64-bit LSB executable. Now make the file executable with “chmod +x impossible_password.bin” and run it with “./impossible_password.bin”.

When you run the file you get a * prompt, which means it is waiting for input. If you enter a random input at that point, it prints that same input enclosed in square brackets and exits immediately, so that input is not valid. Next, check for readable text inside the binary with “strings impossible_password.bin”.

In the strings output you can see an interesting keyword, SuperSeKretKey. Copy that string and paste it into the input field: it is accepted as a valid input, and the program now asks for another input with a ** prompt.

But if you enter the wrong input it exits. So we are going to take the file apart by reverse engineering it, opening it in radare2 with “r2 impossible_password.bin”.

Now we are going to analyze the file by :-

The next step is to seek to the main function.

Now disassemble the code of the main function with the “pdf” command.

The three screenshots above are the disassembly of that file, i.e. the code behind it. From 0x0040086c to 0x004008c0, the red characters on the right side show the characters of SuperSeKretKey being stored. After that there are some declarations. If you read through the whole listing, you can see that the behaviour observed earlier corresponds to this code.

At 0x00400961 the binary-safe string comparison strcmp is performed between *s1 and *s2. Now look at 0x00400968: after the call, register eax contains the return code of strcmp. The test eax,eax is the same as and eax,eax except that it does not store the result in eax, so eax is unaffected and only the zero flag changes. The test eax,eax is necessary for the jne to work in the first place; jne is the same as jnz, both act on the zero flag. strcmp compares the strings and sets eax to zero if they are equal; if they are not, the jne instruction takes us to 0x00400976, where the program exits. At 0x00400966 no value is stored in eax, which is why execution does not proceed past 0x00400968 and the program exits from there.

So we are going to change the instruction at 0x00400968. For that we have to reopen the file in write mode with “oo+”.

Then change “jne 0x400976” to nop, which means no operation. A nop does nothing: the statement is not acted on and execution simply continues with the next instruction.

Now look up the help for the write command by:-

Here we are going to write the nop by:-

Now check the change by running “pdf” again and verifying that the instruction at that address has become nop. After that press “q” and enter to quit. Then run “./impossible_password.bin”, enter SuperSeKretKey as the first input and anything at all as the second input, press enter, and you get the flag:-
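The patch above is done inside radare2, which silently translates the virtual address 0x00400968 into a position in the file before overwriting the bytes. The script below is an added example, not part of the writeup and not radare2's own code: it performs the same `jne` to `nop` replacement as a stand-alone Python program so that the address-to-offset mapping through the ELF program headers is explicit, and it refuses to patch unless the byte at the target really is the `jne rel8` opcode (0x75), so a mistyped address does not corrupt some other instruction. It is exercised against a constructed ELF64 image that only contains the `call strcmp` / `test eax,eax` / `jne` sequence at the addresses named in the writeup; the 0x400000 base address, a single PT_LOAD segment and the zero call displacement are assumptions for that sample, not facts taken from the challenge binary.

```python
"""Replace a `jne rel8` with two NOPs in an ELF64 image (added example).

Assumptions (not from the writeup): the binary is a non-PIE ELF64 whose
text is file-backed by a PT_LOAD segment, and the instruction at the
given virtual address is the 2-byte `jne rel8` encoding (0x75 disp8).
"""
import struct

PT_LOAD = 1
JNE_REL8 = 0x75   # opcode byte of the short-form `jne rel8`
NOP = 0x90

# Constructed sample bytes placed at 0x400961, mirroring the writeup's listing:
#   0x400961  e8 00 00 00 00   call strcmp   (displacement is a placeholder)
#   0x400966  85 c0            test eax, eax
#   0x400968  75 0c            jne 0x400976  (0x40096a + 0x0c == 0x400976)
SAMPLE_CODE = bytes.fromhex("e800000000" "85c0" "750c")


def elf64_load_segments(data: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def vaddr_to_offset(data: bytes, vaddr: int) -> int:
    """Translate a virtual address (as radare2 shows it) into a file offset."""
    for p_offset, p_vaddr, p_filesz in elf64_load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"vaddr {vaddr:#x} is not file-backed by any PT_LOAD segment")


def nop_out_jne(data: bytes, vaddr: int) -> bytes:
    """Overwrite the 2-byte `jne rel8` at vaddr with two NOPs.

    The opcode is checked first so that nothing but a short jne is ever
    touched; the replacement has the same length, so no later address moves.
    """
    off = vaddr_to_offset(data, vaddr)
    if data[off] != JNE_REL8:
        raise ValueError(f"byte at {vaddr:#x} is {data[off]:#04x}, not a jne rel8")
    patched = bytearray(data)
    patched[off:off + 2] = bytes([NOP, NOP])
    return bytes(patched)


def build_fake_elf(code: bytes, code_vaddr: int, base: int = 0x400000) -> bytes:
    """Constructed ELF64 image for demonstration only (not executable, not the
    challenge file): a 64-byte header plus one PT_LOAD mapping offset 0 to base."""
    code_off = code_vaddr - base
    if code_off < 64 + 56:
        raise ValueError("code must sit after the ELF and program headers")
    filesz = code_off + len(code)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, code_vaddr,
                       64, 0, 0, 64, 56, 1, 0, 0, 0)      # e_phoff=64, e_phnum=1
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    image = bytearray(filesz)
    image[0:64] = ehdr
    image[64:120] = phdr
    image[code_off:code_off + len(code)] = code
    return bytes(image)


def patch_file(src: str, dst: str, vaddr: int) -> None:
    """Apply nop_out_jne to a real file on disk, writing the result to dst."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(nop_out_jne(data, vaddr))


if __name__ == "__main__":
    image = build_fake_elf(SAMPLE_CODE, 0x400961)
    off = vaddr_to_offset(image, 0x400968)
    print(f"0x400968 -> file offset {off:#x}, bytes {image[off:off + 2].hex()}")
    patched = nop_out_jne(image, 0x400968)
    print(f"after patch: {patched[off:off + 2].hex()}")
```

The same check in the real program could be defeated by this two-byte edit because the decision is made on the client side from a comparison whose result is never verified again; that is the lesson a reviewer should take from the challenge rather than the specific r2 commands.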

#writeup #walkthrough #ethicalhacking #reverseengineering #r2

