Exatlon Walkthrough [Reverse Engineer Challenge]

Yehia M. Elghaly
5 min read · Apr 19, 2022


Dear all,

Overview

I want to share with you a walkthrough of the Hack The Box reverse engineering challenge called Exatlon, hoping to help someone who gets stuck. The challenge level is not hard; it tests your knowledge of reverse engineering and packers. Once you sign up with Hack The Box you can download the challenge from this link: https://app.hackthebox.com/7bb6ecea-7e69-424e-892f-699e490e67cf.

Once you download the zip file, it will ask for a password to extract its contents, which is (hackthebox).

Running (file) on it gives us an initial overview. It is a single ELF binary that can only run on a 64-bit UNIX-like system. We can use Kali Linux as a virtual machine to solve the challenge.

Software Required

Detect-It-Easy

Static analysis: I have used IDA disassembler

Dynamic analysis: I have used GDB, which can be installed by running the following commands

$ sudo apt-get update

$ sudo apt-get install gdb

Behavior analysis

We start by running the binary file.

As we can see, it loads and asks for a password. I entered some random letters, which it didn't accept, so the binary is looking for one specific correct password, which is the flag.

Next, I extracted the strings from the binary, looking for any low-hanging fruit.

But nothing there can help us. So I used Detect-It-Easy, which can be downloaded through https://github.com/horsicq/Detect-It-Easy/blob/master/docs/RUN.md, to check whether the binary is using a packer.

As we can see, the binary is packed with the UPX packer, so we need to unpack it first. We can do that with the following command: upx -d ./exatlon_v1.

As we can see from the results, the file had a compression ratio of 32. Now we need to put the unpacked binary under analysis. We start by looking for the string (Enter Exatlon Password), but with no success. So I moved to IDA Pro for the static analysis and looked inside.

I started looking for functions that compare my input (the password) with a saved value, so I looked at the main() loop of our binary. As we see in the image above, there is a string that looks interesting, which is (aLooksGood).

When I go deeper into (aLooksGood), we see a long string of numbers: [1152 1344 1056 1968 1728 816 1648 784 1584 816 1728 1520 1840 1664 784 1632 1856 1520 1728 816 1632 1856 1520 784 1760 1840 1824 816 1584 1856 784 1776 1760 528 528 2000]

The binary uses this list for the comparison with our input: if the comparison fails, the message (;)) appears, and if it succeeds, the message (Looks Good) appears. So we can assume that this long string of numbers is the flag. Let's verify that and see how our input is compared with that string of numbers. I will use GDB to go deeper: run gdb ./exatlon_v1, run the program, enter any input, then hit CTRL+C to interrupt it.

As we see, (0x404990) is the entry point address of the Exatlon binary. We can read the register values using (info registers) and set breakpoints using (b).

Our interest is the main() loop of the program, so typing (disassemble ma) and then (Tab) will list all matching functions. After running (disassemble main) and looking carefully, we find the following.

The first line is a call to <_ZSt3cin>, which is our input prompt.

The second line is more interesting: test %bl, %bl sets the condition for the conditional jump that follows, and if that jump is taken it goes to memory address 0x404d83, which leads us to the wrong-password path ([-] ;(). So now we know where to set our breakpoints.

So we set breakpoints at those two addresses: b *0x0000000000404d0a, which breaks before our input is read, and b *0x0000000000404d4a, which breaks before the comparison is made.

Then I ran the binary again and entered the letter H to analyze the behavior, and saw something interesting: 1152 is loaded into one of the registers. Also, if we examine the address in r10, 0x7fffffffdae4 -> 0x30343031, which is the hex value of the ASCII string 1040.

We verify that using p *(char ++)$rax, and if we enter another letter we can see a different number loaded into the rax register. So that is how the binary takes our input, converts it, and then compares it with the numbers we saw earlier in the static analysis.

The Bingo

The numbers we saw are our flag, but by themselves they mean nothing. The ASCII table is our gate to those numbers: all of them are multiples of 16, so dividing each number by 16 gives the decimal value of an ASCII character. For example:

1152 / 16 = 72, whose ASCII value is H

1344 / 16 = 84, whose ASCII value is T

1056 / 16 = 66, whose ASCII value is B... etc.

So we got our flag HTB{flag}
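To carry the decoding through for the whole list, here is a small added script (not part of the original write-up or the challenge itself). It assumes, based on the GDB observation above (H -> 1152), that the binary transforms each input character by multiplying its ASCII value by 16 (a shift left by 4) and then compares the result with the stored table; it reverses that transform, rejects values that cannot come from printable ASCII, and re-encodes a candidate password to show which side of the (Looks Good) / (;)) check it lands on.

```python
# Added example (not from the original write-up): decode the Exatlon comparison
# table by reversing the transform the binary applies to our input (each ASCII
# byte is shifted left by 4, i.e. multiplied by 16), and re-encode a candidate
# password the same way to see how the check behaves.

# The numbers recovered from the aLooksGood comparison in the walkthrough.
EXPECTED = [1152, 1344, 1056, 1968, 1728, 816, 1648, 784, 1584, 816, 1728, 1520,
            1840, 1664, 784, 1632, 1856, 1520, 1728, 816, 1632, 1856, 1520, 784,
            1760, 1840, 1824, 816, 1584, 1856, 784, 1776, 1760, 528, 528, 2000]


def encode_password(text: str) -> list[int]:
    """Mimic the binary's transform (assumed): each character's ASCII value << 4."""
    return [ord(ch) << 4 for ch in text]


def decode_table(values: list[int]) -> str:
    """Reverse the transform; refuse values that cannot be a shifted printable byte."""
    out = []
    for v in values:
        if v % 16:
            raise ValueError(f"{v} is not a multiple of 16; not a shifted ASCII byte")
        code = v >> 4
        if not 0x20 <= code <= 0x7E:
            raise ValueError(f"{v} decodes to {code}, which is not printable ASCII")
        out.append(chr(code))
    return "".join(out)


def check_password(candidate: str) -> bool:
    """Same outcome as the binary's check: encode the input and compare tables."""
    return encode_password(candidate) == EXPECTED


if __name__ == "__main__":
    flag = decode_table(EXPECTED)
    print(flag)
    print("Looks Good" if check_password(flag) else "[-] ;(")
```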

Thanks for reading — mrvar0x
