Impossible Password is a reversing challenge available on the popular CTF-site Hack The Box.
Since it is an “Easy” challenge, it doesn’t delve very deep into the complexities of binary analysis and reverse engineering, but it is still a fun one.
In my case, I will be using IDA Freeware and the GNU Debugger (GDB) to reverse the binary and get the flag.
If you’d like to try it out for yourself, you can find the challenge here.
Static Analysis
When we first open the binary in IDA for static analysis, we notice something interesting in the main function: a string of characters that corresponds to “SuperSeKretKey”.
We can see that the program uses the scanf() function to get input from the user. This input is then stored in the rax register. After the user has provided the input, the program calls the strcmp() function to compare the user-provided input against the string of characters stored in the rdx register (the “super secret” key). If the strcmp() call returns zero (i.e., the values are equal), the program jumps to another location in the binary. Otherwise the program just exits.
In the next part of the program, it once again calls scanf() for user input and stores it in the rax register. After this is done, the program calls another function (sub_40078D), the return value of which is stored in rdx.
If we take a look at this function, we can see that it is used for generating some sort of randomized string.
Afterwards, the program once again performs a string comparison, this time comparing the user input against the randomly generated string.
If the comparison returns zero, the program calls a function that prints our flag. If it doesn’t, the program exits.
Getting the Flag
With the information we learned about the binary during our static analysis in IDA, we can move on to the next part of solving this challenge. This involves setting a breakpoint before the string comparison is performed, setting the rax register equal to the randomly generated string stored in rdx, and then continuing execution.
If we take a look at the binary in GDB, we find that it is stripped. We could use other methods to find the main function in GDB, but we can simply find our desired breakpoint by looking at the main function in IDA’s text view.
After this, we can just set the breakpoint in GDB by typing the following:
break *0x000000000040095e
Now we can run the binary by typing r. We will be asked for our first key (“super secret key”), and after we have given this, we will be asked for the second key. We don’t care about this value, so we can just literally type 123. Next, the program will halt at the breakpoint we have specified.
Now we can inspect the registers to confirm our static analysis.
Just type the following:
x/s $rax
x/s $rdx
The rax register contains the value we passed it (123), and rdx contains the string that the program generated.
We can set the two registers to be equal to each other by typing the following:
set $rax=$rdx
Now, for the moment of truth, we can just type c to continue the execution of the program.
As you can see, this gave us the flag.
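The same debugger steps as a GDB command file, added here as an example and not part of the original writeup, so the run is reproducible without typing each command interactively. It assumes, as the post does, a non-PIE binary so IDA’s address 0x40095e is valid at runtime; the binary name impossible_password in the usage note is a placeholder.

```gdb
# Added example: automate the register swap described in the writeup.
# Assumption: non-PIE binary, so the IDA address matches the runtime address.
set pagination off

# Stop right before the second strcmp(), where rax holds the pointer to our
# input and rdx holds the pointer to the randomly generated string.
break *0x000000000040095e
run

# Sanity check: only patch the register if we really stopped at our breakpoint
# (e.g. not at a crash or at some other signal).
if $pc == 0x40095e
  # Show both strings, as in the writeup, to confirm the static analysis.
  x/s $rax
  x/s $rdx
  # Make the user-input pointer equal to the generated-string pointer.
  set $rax = $rdx
  continue
else
  echo Stopped somewhere other than the expected breakpoint; not patching.\n
end
```

Run it with gdb -q -x solve.gdb ./impossible_password and type the two keys (SuperSeKretKey, then any value such as 123) when the program prompts for them.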