TryHackMe: Reversing ELF Writeup

InfoSec Write-ups – Medium

This article demonstrates my approach to solving the Reversing ELF room created by mrpvr, available for free on the TryHackMe platform. This room contains 8 beginner crackme challenges which increase in difficulty as you progress. I have provided a link to the TryHackMe platform below for anyone interested in trying these challenges.

Crackme1

Let’s start with a basic warmup, can you run the binary?

The challenge provides a binary which I am asked to run. Using the file command, I can see that it is an ELF binary as expected based on the room’s title.

file crackme1

Using the chmod command, I can make the file executable and then run the ELF binary to get the flag. Nice and easy!

chmod +x crackme1
./crackme1

Crackme2

Find the super-secret password! and use it to obtain the flag

The challenge provides an ELF binary which requires a password in order to get the flag.

./crackme2 password

Retrieving the password for the binary can be done by simply using the strings command. The password can be seen in the output.

strings crackme2

Providing this password as input to the binary gives the flag.

Crackme3

Use basic reverse engineering skills to obtain the flag

An ELF binary is provided which requires a password in order to retrieve the flag. The password can be retrieved by using the same approach as seen with crackme2, but with an extra step. Using the strings command, I found a base64-encoded string.

Using CyberChef, I can decode the string and retrieve the password, which turns out to be the flag.
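The decoding step above, as an added example that is not part of the original writeup: a small base64 decoder in C that performs the same transformation CyberChef does on the string recovered with strings. It rejects malformed input (wrong length, characters outside the alphabet, data after padding) rather than silently producing garbage. The input string and its expected output are constructed for the demo; the room's actual string and flag are not reproduced here.

```c
/* Added example (not from the writeup): minimal standard-alphabet base64
 * decoder. Input/expected output below are constructed, not the room's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `in` (NUL-terminated, '=' padding required) into `out`, which must
 * hold at least 3 * (strlen(in) / 4) + 1 bytes. Returns the number of
 * decoded bytes, or -1 on malformed input. Output is NUL-terminated. */
long b64_decode(const char *in, unsigned char *out, size_t out_cap)
{
    size_t len = strlen(in);
    if (len % 4 != 0) return -1;            /* base64 comes in 4-char groups */
    long n = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            if (c == '=') {
                /* padding only in the last two slots of the final group */
                if (i + 4 != len || j < 2) return -1;
                pad++;
                acc <<= 6;
            } else {
                int v = b64_value(c);
                if (v < 0 || pad) return -1; /* bad char, or data after '=' */
                acc = (acc << 6) | (uint32_t)v;
            }
        }
        int bytes = 3 - pad;                 /* 24 bits minus padded bytes */
        if ((size_t)n + (size_t)bytes + 1 > out_cap) return -1;
        out[n++] = (unsigned char)(acc >> 16);
        if (bytes > 1) out[n++] = (unsigned char)(acc >> 8);
        if (bytes > 2) out[n++] = (unsigned char)acc;
    }
    out[n] = '\0';
    return n;
}

/* Convenience: 1 if `in` decodes exactly to the text `expected`, else 0. */
int b64_decode_matches(const char *in, const char *expected)
{
    unsigned char buf[256];
    long n = b64_decode(in, buf, sizeof buf);
    return n >= 0 && strcmp((const char *)buf, expected) == 0;
}

int main(void)
{
    unsigned char buf[256];
    const char *sample = "aGVsbG8gd29ybGQ=";   /* constructed sample */
    long n = b64_decode(sample, buf, sizeof buf);
    if (n < 0) { puts("malformed base64"); return 1; }
    printf("%s -> %s (%ld bytes)\n", sample, buf, n);
    return 0;
}
```

Run it on the string strings printed for crackme3 by replacing the sample; the length and padding checks are what separates a usable decoder from one that happily "decodes" an unrelated string you mis-copied from the output.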

Crackme4

Analyze and find the password for the binary?

Running the ELF binary for this challenge without a password, I am provided the following message.

This hint tells me that the strcmp function is used by the ELF binary. I decided to use the gdb debugger to debug the binary.

gdb crackme4

Next, I used gdb to list the different functions in the binary file.

(gdb) info functions

There are a few interesting function names that stand out, including main, get_pwd, and compare_pwd. However, I am interested in the strcmp@plt function based on the message provided. We can assume that the password entered is compared to the correct password via strcmp(). Using gdb, I decided to set a breakpoint at the memory address of this function.

N.B. In software development, a breakpoint is an intentional stopping or pausing place in a program, put in place for debugging purposes and to help acquire knowledge about a program during its execution.

(gdb) b *0x0000000000400520

With the breakpoint set, I can now run the binary in gdb with some test input.

(gdb) run test

The binary is executed until it hits the breakpoint as seen in the image above. Next, I can view the current state of the registers with gdb.

N.B. Registers are essentially small storage areas in your processor that can be used to store anything that can be represented with eight bytes or less.

(gdb) info registers

Looking at the output above, I can see the name of each register, the register's value in hexadecimal format, and the register's value in the format gdb thinks most appropriate (hex for pointers, decimal for the others). I can see that the general-purpose registers rax and rdx hold memory addresses. I can use gdb to print the strings at these addresses.

(gdb) x/s 0x7fffffffe030

This shows me both the string I provided as input when executing the binary and the password/flag used to compare with my input.

Crackme5

What will be the input of the file to get output Good game ?

For this ELF binary, I am tasked with providing some input that will output the message “Good game”.

Using gdb, I listed the different functions in the binary.

Unlike in Crackme4, the binary is now using strncmp@plt instead of strcmp@plt. Looking at the memory address string values for the rax and rcx registers gives me the necessary input to get the output message “Good game”.

This same approach could also be used with the strcmp_ function to retrieve the flag.

Crackme6

Analyze the binary for the easy password

Running the ELF binary without a password presents a message that tells me to look at the source code.

For this challenge I will be using Ghidra, a software reverse engineering (SRE) suite of tools. I loaded the crackme6 binary into Ghidra, which decompiles it and provides me with C-like code that reads much like the original source. I started by looking at the main function.

I can see that the input taken for the password is passed to a function called compare_pwd, the source code for which can be seen below.

This function takes the password and passes it to another function called my_secure_test. Looking at the source code for this function reveals a block of if else statements that check if each letter in the input corresponds to a specified string value.

Reassembling these specified string values into one string provides the flag (i.e. “1”, “3”, “3”, “7”, etc.).
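Crackme4, 5 and 6 all share one property: the correct password is a literal compiled into the binary, whether it is compared in one go with strcmp/strncmp or one character at a time. The following is an added example, not code from the writeup or the room, that shows that pattern beside the defensive alternative of compiling in only a digest of the secret. FNV-1a is used purely because it fits in a few lines; a real credential check needs a slow, salted password hash such as Argon2 or scrypt. The secret, inputs and function names are constructed.

```c
/* Added example, not code from the writeup or the room. check_plaintext()
 * mirrors the crackme pattern (literal secret + strcmp), which is why
 * `strings` prints it and a breakpoint on strcmp@plt finds it in memory.
 * check_hashed() compiles in only a digest, so the secret never appears in
 * the file. All secrets and inputs here are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pattern seen in the crackmes: the secret is a string literal in .rodata. */
static const char PLAINTEXT_SECRET[] = "constructed-secret";

int check_plaintext(const char *input)
{
    /* On x86-64 (System V ABI) the two string pointers are in rdi and rsi
     * at this call, so stopping here in a debugger exposes the secret. */
    return strcmp(input, PLAINTEXT_SECRET) == 0;
}

/* 32-bit FNV-1a over a NUL-terminated string (public-domain algorithm). */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811c9dc5u;                /* FNV offset basis */
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;                    /* FNV prime */
    }
    return h;
}

/* Hardened pattern: only `stored_digest` (computed once, offline, from the
 * real secret) is compiled in; the comparison never touches the secret. */
int check_hashed(const char *input, uint32_t stored_digest)
{
    return fnv1a32(input) == stored_digest;
}

int main(int argc, char **argv)
{
    /* In a real build this constant comes from an offline provisioning
     * step; it is derived at runtime here only so the demo is self-contained
     * and the constructed secret does not have to be hand-hashed. */
    uint32_t stored = fnv1a32("constructed-secret");
    const char *input = argc > 1 ? argv[1] : "wrong";
    printf("plaintext check: %s\n", check_plaintext(input) ? "ok" : "denied");
    printf("hashed check:    %s\n", check_hashed(input, stored) ? "ok" : "denied");
    return 0;
}
```

Running strings on a build of the hashed variant shows no secret, and a breakpoint on strcmp never fires for the check. The caveat is that a fast, unsalted 32-bit digest of a short secret can still be recovered offline by guessing, which is exactly why production code uses a deliberately slow, salted hash rather than FNV.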

Crackme7

Analyze the binary to get the flag

Executing the ELF binary provides me with three different tasks that I can perform by entering their corresponding number.

I decided to use Ghidra to decompile the binary’s source code. Looking at the source code for the main function, I can see that the number entered by the user is checked by if else statements and then performs an action based on the value entered.

I noted that there appeared to be a hidden option which runs a method called giveFlag(). To trigger this option I need to enter the hex value 0x7a69 in its decimal format, which is 31337. This gives me the flag.

Crackme8

Analyze the binary and obtain the flag

This is another ELF binary that requests a password in order to get the flag. As before, I used Ghidra to decompile the binary and started by looking at the decompiled code for the main function. I can see that the input is passed to the atoi() function before the result is checked for equality with -0x35010ff3.

atoi() is a C standard library function that converts a string into its integer representation. I can convert the -0x35010ff3 value to decimal, which is -889262067, and then pass it as the password to the binary to get the flag.

./crackme8 -889262067
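Crackme7 and crackme8 both turn on how a string from the command line becomes an integer. The following is an added example, not code from the writeup or the room: a crackme7-style menu with an undocumented case at 0x7a69, a crackme8-style atoi() comparison against -0x35010ff3, and a look at why the decompiler shows that constant as a negative number (as a 32-bit two's-complement value it is 0xcafef00d). The constants are the ones quoted above; the menu actions, function names and the strtol-based parser are constructed.

```c
/* Added example, not code from the writeup or the room. Constants are the
 * ones the writeup quotes; names and menu actions are constructed. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum option { OPT_INVALID = 0, OPT_ONE = 1, OPT_TWO = 2, OPT_THREE = 3, OPT_HIDDEN = 4 };

/* crackme7-style menu: three advertised choices and one undocumented one.
 * atoi() stops at the first non-digit and reports no errors, so "0x7a69"
 * parses as 0, not 31337; the decimal form is what reaches the hidden case. */
enum option dispatch_option(const char *line)
{
    int n = atoi(line);
    if (n == 1) return OPT_ONE;
    if (n == 2) return OPT_TWO;
    if (n == 3) return OPT_THREE;
    if (n == 0x7a69) return OPT_HIDDEN;      /* 0x7a69 == 31337 */
    return OPT_INVALID;
}

/* crackme8-style check: the decompiler shows `atoi(input) == -0x35010ff3`.
 * atoi() returns int, so the decimal string "-889262067" is what matches. */
#define CRACKME8_TARGET (-0x35010ff3)

int crackme8_check(const char *input)
{
    return atoi(input) == CRACKME8_TARGET;
}

/* The same 32 bits viewed unsigned: the immediate the disassembly carries. */
uint32_t target_as_u32(void)
{
    return (uint32_t)CRACKME8_TARGET;
}

/* Safer parse than atoi(): rejects overflow and trailing garbage instead of
 * silently returning a truncated or unrelated value. */
int parse_int32(const char *s, int32_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return 0;
    if (v < INT32_MIN || v > INT32_MAX) return 0;
    *out = (int32_t)v;
    return 1;
}

/* 1 if `s` parses cleanly and equals `expected`, else 0. */
int parse_int32_equals(const char *s, int32_t expected)
{
    int32_t v;
    return parse_int32(s, &v) && v == expected;
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : "31337";
    printf("menu input \"%s\" -> %s\n", in,
           dispatch_option(in) == OPT_HIDDEN ? "hidden option" : "normal/invalid");
    printf("target %d == 0x%08x unsigned\n", CRACKME8_TARGET, target_as_u32());
    printf("crackme8 check(\"%s\"): %s\n", in,
           crackme8_check(in) ? "match" : "no match");
    return 0;
}
```

The unsigned view explains the sign: Ghidra prints the immediate as a signed int because the comparison is against an int, so a constant whose top bit is set appears negative even though the bytes in the binary are 0xcafef00d. The strtol wrapper is the check to prefer in real code, since atoi() has undefined behaviour on out-of-range input and cannot distinguish "0" from unparseable text.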

Closing Remarks

I found these challenges really enjoyable and easy to approach for someone learning more about reversing ELF binaries. These challenges encompass the basics of how to reverse engineer ELF binary files and can help beginners learn more about the field of reverse engineering. Thanks for reading till the end and keep hacking 😄!

References

TryHackMe | Hacking Training


TryHackMe: Reversing ELF Writeup was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
