TryHackMe - Reversing Elf - Walkthrough

Introduction


Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine.

Task 1 - Crackme1

Questions

What is the flag?

Download the Task 1 Task File
Copy it to your working directory
Give the file executable permissions
Run the file

chmod +x crackme1
./crackme1


Task 2 - Crackme2

Questions

What is the super secret password ?

Give the file executable permissions
Run Ltrace on the file with a test string

chmod +x crackme2
ltrace ./crackme2 test


./crackme2 passwordFoundInPreviousStep


Task 3 - Crackme3

Questions

What is the flag?

Give the file executable permissions
Run strings on the file
Echo the base64 string you found, pipe it into Base64 decode

chmod +x crackme3
strings crackme3
echo “base64stringFoundInPreviousStep” | base64 -d



Task 4 - Crackme4

Questions

What is the password ?

Give the file executable permissions
Run Ltrace on the file with a test string

chmod +x crackme4
ltrace ./crackme4 test


Task 5 - Crackme5

Questions

Give the file executable permissions
Run Ltrace on the file with a test string
Run the file with the discovered strncmp string as input

chmod+x crackme5
ltrace ./crackme5
input test
./crackme5
input string found in previous step 


Task 6 - Crackme6

Questions

What is the password ?

Run the Ghidra program
Click New Project


Click Non-Shared Project, then Next >>


Enter crackme6 as the Project Name, then click Finish


Click File, then Import File


Find the crackme6 file, click it, then click on Select File To Import


Click OK after the file finishes importing


Click OK on the next screen that appears


From the main Ghidra window, double click the crackme6 file


Click Yes in the Analyze window


Then click Analyze


In the Symbol Tree window, select Functions


Then select the main function


In the Decompile window, we see that the main function makes reference to the compare_pwd function


We then select the compare_pwd function from the Symbol Tree window


In the Decompile window, we see that the function makes reference to the my_secure_test function


In the Symbol Tree window, we select the my_secure_test function


In the Decompile window we see the password


Task 7- Crackme7

Questions

What is the flag ?

We import the crackme7 file into Ghidra like we did the previous file
In the Symbol Tree window, we select the main function


In the Decompiler window, we see that there's a special response if we enter hex value 0x7a69, which in decimal is 31337:


 chmod +x crackme7
./crackme7
31337


 Task 8 - Crackme8

We import the crackme8 file into Ghidra like we did the previous file
In the Symbol Tree window, we select the main function


In the Decompile window, we see that the function is looking for the value of -0x35010ff3, which in decimal is -889262067.


 chmod +x crackme8
./crackme8 -889262067


Finish


Comments

  1. NeTechyDecember 10, 2021 at 10:09 PM


    Hi dear,

    Thank you for this wonderful post. It is very informative and useful. I would like to share something here too. NeTechy.com is Internet Based Blog And Informative Website. NeTechy provides technology and digital marketing blogs and articles. Our goal is to help individuals and businesses in to tech industry with knowledge to be more efficient and tech savvy.


    What Are The Best Traffic Sources For Affiliate Marketing In 2021?

    ReplyDelete
  2. GodmilJune 6, 2024 at 4:22 AM

    Oh wow, I spent hours on task5 cause I fell down a rabbit hole using Ghidra and had a fake flag that was in a common format (eg. text{1337_t3xt_h3r3}). I didn't know about ltrace... can't believe it just gives you the solution :D Thanks very much for this write up, I learned a lot.

    ReplyDelete

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - XSS - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the XSS room hosted at https://tryhackme.com/room/ xss . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed XSS vulnerable web client as the the victim machine. Task 1 - Introduction Questions: Read the introduction. No answer needed Task 2 - Deploy your XSS Playground Questions Deploy the machine and navigate to http://<ip> No answer needed Task 3 - Stored XSS Questions The machine you deployed earlier will guide you though exploiting some cool vulnerabilities, stored XSS has to offer. There are hints for answering these questions on the machine. No answer needed Add a comment and see if you can insert some of your own HTML. Doing so will reveal the answer to this question. Register for the web-app with the following parameters Username: test Password: test Click the Register button  Click the “hamburger menu” button Click the ...
Read more