tryhackme Reversing ELF write-up
- Name: Reversing ELF
- Description: Room for beginner Reverse Engineering CTF players.
- Room: tryhackme.com
Crackme1
Question: Let’s start with a basic warmup, can you run the binary?
file crackme1
Using the chmod command, I can make the file executable and then run the ELF binary.
chmod +x crackme1
./crackme1
Crackme2
Question: Use basic reverse engineering skills to obtain the flag
The challenge provides an ELF binary that requires a password before it prints the flag.
./crackme2 password
The strings command can be used to retrieve the password for the binary.
Crackme3
Question: Use basic reverse engineering skills to obtain the flag
To retrieve the flag, an ELF binary is provided that requires a password. You can retrieve the password using the same method as crackme2, but with an additional step.
strings ./crackme3
The flag appears to be encoded with base64, so the string found by strings has to be decoded before it can be submitted.
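The two steps used for crackme2 and crackme3 (dump the printable strings, then spot and decode the one that is base64) can be scripted. The following is an added example written for this write-up, not code from the room or from the binaries; it runs a minimal strings(1)-style scan over a constructed byte blob that stands in for a binary's data section (the blob, its base64 string and the decoded flag{constructed_example} value are all made up here) and reports every string that decodes as well-formed base64 to printable text.

```python
import base64
import re

# Constructed stand-in for the raw bytes of a small ELF: header bytes,
# a plain prompt string, a run too short to report, a base64-encoded
# string, a symbol name and some non-printable padding.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"Enter password:\x00"
    b"\x01\x02\x03ab\x00"                        # "ab" is shorter than MIN_LEN
    b"ZmxhZ3tjb25zdHJ1Y3RlZF9leGFtcGxlfQ==\x00"  # constructed base64 value
    b"__libc_start_main\x00"
    b"\x90\x90\xcc\xcc"
)

MIN_LEN = 4  # same default minimum length as the strings(1) utility

# Well-formed base64: alphabet chars, at least 8 of them, up to two '=' pads.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(blob, min_len=MIN_LEN):
    """Return runs of printable ASCII (0x20..0x7e) of at least min_len bytes."""
    found, run = [], bytearray()
    for byte in blob:
        if 0x20 <= byte < 0x7F:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:           # flush a run that ends at the blob's end
        found.append(run.decode("ascii"))
    return found


def try_base64(text):
    """Decode text if it is valid base64 that yields printable ASCII, else None."""
    if len(text) % 4 != 0 or B64_RE.match(text) is None:
        return None
    try:
        decoded = base64.b64decode(text, validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return None
    if decoded and all(0x20 <= b < 0x7F for b in decoded):
        return decoded.decode("ascii")
    return None


def find_encoded_strings(blob):
    """Pair each extracted string with its base64 decoding, keeping only hits."""
    hits = []
    for candidate in extract_strings(blob):
        decoded = try_base64(candidate)
        if decoded is not None:
            hits.append((candidate, decoded))
    return hits


if __name__ == "__main__":
    for raw in extract_strings(SAMPLE_BLOB):
        print("string:", raw)
    for raw, decoded in find_encoded_strings(SAMPLE_BLOB):
        print(f"base64: {raw} -> {decoded}")
```

Run against a real file, `extract_strings(open(path, "rb").read())` replaces the constructed blob. The printable-ASCII filter is what makes the base64 string stand out: it is the only long run made entirely of alphabet characters with `=` padding, which is why a plain `strings` listing already hints at the encoding.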
Crackme4
Question: Analyze and find the password for the binary?
The following message appears when I run the ELF binary without a password for this challenge.
This time the string is hidden and we used strcmp
Based on this hint, the binary compares the input against the password with the strcmp function. To debug the binary, I used the gdb debugger.
gdb crackme4
List all the functions in the binary file.
(gdb) info functions
According to the hint shown by the binary, the user input is compared with the password by the strcmp function, so that is where to stop execution.
Set a breakpoint on strcmp@plt.
(gdb) b *0x0000000000400520
With the breakpoint set, I can now run the binary in gdb with some test input.
Next, I can view the current state of the registers with gdb.
(gdb) info registers
Looking at the output above I can see the name of each register, the register's value in hexadecimal format and the register's value in the format gdb thinks most appropriate (hex for pointers, decimal for the others). I can see that the general purpose registers rax and rdx hold memory addresses. I can use gdb to print the strings at these addresses.
Crackme5
What will be the input of the file to get output Good game?
For this ELF binary, I am tasked with providing some input that will output the message Good game.
gdb crackme5
List all the functions in the binary file.
(gdb) info functions
Unlike Crackme4, the binary now uses strcmp_ instead of strcmp@plt, so the breakpoint goes on that function instead.
(gdb) b *0x00000000004006d6
(gdb) run
(gdb) info registers
Read the addresses held in registers rax and rdx, then print the strings stored at them.
(gdb) x/s 0x7fffffffdf50
(gdb) x/s 0x7fffffffdf70
Crackme6
Analyze the binary for the easy password
Running the ELF binary without a password presents a message that tells me to look at the source code.
For this challenge I will be using Ghidra, a software reverse engineering (SRE) suite of tools. I loaded the crackme6 binary into Ghidra, which decompiles the binary and provides me with the source code. I began by looking at the main function.
Ghidra is one of many open source software (OSS) projects developed within the National Security Agency.
I can see that the input taken for the password is passed to a function called compare_pwd, the source code for which can be seen below.
This function takes the password and passes it to another function called my_secure_test. Looking at the source code for this function reveals a block of if/else statements that check whether each character of the input matches a specified string value.
Reassembling these specified string values into one string provides the flag 1,3,3,7,etc.
Crackme7
Analyze the binary to get the flag
Looking at the source code for the main function, I can see that the number entered by the user is checked by if/else statements, and an action is performed based on the value entered.
One of these branches runs a method called giveFlag(), which I found to be hidden from the menu. I need to enter 0x7a69 in its decimal form, which is 31337, to trigger this option.
Crackme8
Analyze the binary and obtain the flag
This is another ELF binary that requests a password in order to get the flag. I can see that the input is passed to a function called atoi() before the result is compared for equality with -0x35010ff3.
./crackme8 -889262067
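Crackme7 and crackme8 both come down to the same task: a constant that the decompiler shows in hexadecimal has to be turned into the decimal text that atoi() will parse back to it. For crackme7 that is a plain conversion, but for crackme8 the constant is negative, and a decompiler may show the same 32-bit value either as -0x35010ff3 or as its unsigned bit pattern, so it helps to convert both ways. The following is an added example written for this write-up, not code from the room; it models a 32-bit C int in two's complement, which is the assumption behind the conversion.

```python
BITS = 32  # width of a C int on the x86-64 Linux targets these crackmes run on


def to_signed(value, bits=BITS):
    """Interpret a bit pattern as a two's-complement signed integer of `bits` width."""
    mask = (1 << bits) - 1
    value &= mask
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def to_unsigned(value, bits=BITS):
    """Return the unsigned bit pattern of `value` truncated to `bits` width."""
    return value & ((1 << bits) - 1)


def atoi_input_for(constant, bits=BITS):
    """Decimal string that atoi() parses to `constant` when compared as a C int."""
    return str(to_signed(constant, bits))


def describe(constant, bits=BITS):
    """Both decompiler views of a constant plus the input an atoi() check expects."""
    return {
        "signed": to_signed(constant, bits),
        "unsigned_hex": f"0x{to_unsigned(constant, bits):0{bits // 4}x}",
        "atoi_input": atoi_input_for(constant, bits),
    }


if __name__ == "__main__":
    # crackme7: the hidden menu option is selected by 0x7a69 in decimal.
    print("crackme7:", describe(0x7A69))
    # crackme8: the decompiler shows the comparison constant as -0x35010ff3.
    print("crackme8:", describe(-0x35010FF3))
```

The `unsigned_hex` view is useful when a disassembler prints the immediate operand of the `cmp` instruction rather than the decompiler's signed rendering; both refer to the same 32-bit pattern, and `atoi_input_for` yields the same decimal string from either.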
thank you 🌏🔥