Reversing ELF TryHackMe

This is an article to provide assistance to the Reversing ELF TryHackMe room.

Reverse Engineering can be an important skill in the field of Cybersecurity and this room was geared at giving you experience in the various tools and methodologies to observe when performing Rev Engineering especially in a CTF context.

Prerequisites:

• Access to Internet and a TryHackMe account
• Access to a Kali Linux machine
• Access the room found here:

TryHackMe | Reversing ELF

Task 1: Crackme1

• This task required you to execute the binary to get the flag
• On a Linux machine, you can run the binary by executing it in its directory i.e. if the binary is stored on /home/kali/Downloads/Crackme1 , you can

cd /home/kali/Downloads/Crackme1
./Crackme1

• Or you can execute it with the full directory name

./home/kali/Downloads/Crackme1

• After executing you should be able to get the flag

Task 2: Crackme2

• After downloading the initial files for the task, we attempt to execute it as we did in Task 1 which results in the following

• This shows that the binary requires a password as a command line argument in order to run. Providing a random password results in what is shown below

• We can now attempt static analysis of the binary to see what flag we can manage to extract

Static analysis simply refers to analysing a file without executing it. This can be done by:

Searching for readable strings in the binary using strings command

• Upon executing strings crackme2 , most of the strings returned are standard output we can expect from a binary file but a specific section stands out.

• The password can be extracted from the line that has been obfuscated above.
• Upon running the binary now with that password, we receive the flag to be used in answering the second question

Task 3: Crackme3

• For this task, we once again attempt to run the binary first to see what is required.

• The output is similar to the last task which required a password
• Providing a random password results in what is shown below

• We once again try running strings on it to see if we can find anything useful
• Again, a specific section stands out

• Among the output we can see encoded text which might be base64 due to the padding(==) at the end of the text.
• We attempt to decode this text and receive the password needed to run the binary

Task 4: Crackme4

• After downloading the task files, we try to run the binary to see what is needed

• It also requires a password as a command line argument but we also get a hint at the bottom that indicates the string is hidden and the use of strcmp
• stcmp is a function that compares two strings to see if they are an exact match i.e. string compare.
• We try running the binary with a sample password to observe what output will be given

• Upon trying static analysis on the binary using strings, we get only the strings we’ve already interacted with.

• At this point, we would need to analyze the binary in a more dynamic fashion by interacting with it and observing the functions stored within
• We can begin by using the gdb tool to see if we can determine anything. It can be launched via the command line using

gdb crackme4

• This should launch into a command line for gdb similar to the one below

• You can arbitrarily search through various commands for gdb by using the help command
• For this task, we will execute

info functions

• This results in the output below where most of the functions are standard but some functions in particular stand out

• We already know the binary uses a strcmp function, so we can begin by analysing the function strcmp@plt to gain further information

A breakpoint refers a point in the program where the program pauses after execution until it is allowed to continue.

• We can set a breakpoint in the program at this function using the command below.

b *0x0000000000400520

• We can now try and run the binary with a random password and further examine the program.

• We can then examine the registers at this point to determine what values are stored there

Registers are simply small amounts of high-speed memory contained within the CPU.

They are used by the processor to store small amounts of data that are needed during processing, such as: the address of the next instruction to be executed. the current instruction being decoded.

• Examining the registers using gdb can be done with the following command:

info registers

• We can then examine the general purpose registers that contain values:

1. rax — This register stores the values returned from functions
2. rdx — General purpose register that usually stores an argument from the function

• We can display the contents of these registers using their hexadecimal values and the command below

x/s 0x7fffffffe705
x/s 0x7fffffffe310

• The address of the rax gives us our required password

• You can then exit gdb using the quit command and accept to kill any running processes once you are done.

Task 5: Crackme5

• After downloading the files, we try and execute the binary which prompts us for input

• Upon trying a random password once more, the following happens:

• We attempt to run strings on it once more to see what we can extract but there seems to be nothing useful aside from what we already know

• We can then attempt to analyze the functions of the program using gdb once more

gdb crackme5

• Listing all the functions present using info functions one function in particular stands out as a function we might be interested in

• We can further analyse this function by setting a breakpoint on it and running the program with a sample password once more

b *0x0000000000400560
run

• We can then examine the registers using info registers

• On examining the general purpose register rax and rsi, we get the our sample password and the input required.

x/s 0x7fffffffe310
x/s 0x7fffffffe330

Task 6: Crackme6

• We begin by executing the binary which results in the following output.

• This shows the need for a command line argument and provides a further hint to read the source code of the binary.
• Executing it with a sample password results in the following:

• Running strings on it as well reveals information that is not very useful

• At this point, we can now attempt to further analyze the binary by decompiling it and reading the source code. This can be done with various tools including:

1. Radare2 which can be launched by r2. You can use the following link to guide on learning Radare2 and decompiling a binary

Explore binaries using this full-featured Linux tool

2. IdaFreeware which can be downloaded via the link below

IDA Freeware

3. Ghidra which can be installed via the package manager using:

apt install ghidra

• I will be using ghidra for this challenge. It can be launched via the command line by using the command ghidra . You can learn the basics of using ghidra by watching this video below

• Upon examining the source code for the main function, we see a function called compare_pwd which takes the first argument we pass as input

• We then go to this function and examine the source code. The string is passed into a function my_secure_test which takes the input and further examines it.

• Looking at the source code for this function reveals a series of blocks of if…else… statements which eventually builds up to a specific value that forms our password i.e. {‘1’ , ‘3’ , …}

Task 7: Crackme7

• We begin by executing the binary which results in the following output.

• We try and fill each prompt with values which does not seem to result in much

• Running strings on the binary does not seem to reveal any information of interest either

• We then proceed to launch ghidra to examine the functions and the source code of the binary

• This reveals an interesting value in hex that when used as input results in a print statement and execution of the giveFlag() function. We can easily use this online tool to

Hexadecimal to Decimal Converter

• Upon submitting the number as input, we receive the flag

Task 8: Crackme8

• We begin by executing the binary which results in the following output.

• This indicates the need for a password as a command line argument. Attempting to run it with a sample password results in:

• Attempting to run strings on the binary does not give any output of great significance either.

• We then launch ghidra to analyze the source code of the binary. Looking at the main function, we are able to find something interesting.

• The function takes our second argument, changes it to a integer which if it corresponds to the hex value provided, results in getting a print statement of access granted and executes the giveFlag() function
• After converting the hex value using the site below, we are able to pass it as an argument and receive our flag

Hexadecimal to Decimal Converter

Conclusion

• Congratulations on getting through this room.
• Continue to explore further on Reverse Engineering and even try familiarizing yourself with the other tools. You never know which one might come in handy at what time.