RE Series #2: HTB Bypass and dnSpy

In this post we’re going to solve the Bypass challenge from Hack The Box. Along the way we learn and use dnSpy, a decompiler and debugger for .NET applications. (WARNING: if you’re downloading dnSpy, be aware that a trojanised version has been circulating: https://heimdalsecurity.com/blog/malicious-campaign-spreading-dnspy-targets-developers-and-security-researchers/ . Download the original from https://github.com/dnSpy/dnSpy and nowhere else.)

x32dbg and going nowhere

Even though this is a .NET application, my first attempt was dynamic analysis with x32dbg, a native debugger. When the program is executed, it asks for a username and password:

Perhaps I could glean something from the strings or functions it executes in the background. I searched all modules for string references to “Enter a”, but found no results.

Looking at the modules loaded by the program, we see cryptbase.dll among them. At first glance this could suggest that encryption is in play and that the strings cannot be found because they are stored encrypted. That inference is weak, though: cryptbase.dll is loaded by many ordinary Windows processes, so on its own it is not evidence of encryption. The more likely reason the search comes up empty is that C# string literals are stored as UTF-16 entries in the #US heap of the .NET metadata and are loaded by the managed `ldstr` instruction through a metadata token, so there are no native instructions referencing them for x32dbg’s string-reference scan to find.
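To make that concrete, here is an added example (my own code, not from the post, the challenge or dnSpy): a small parser that walks a PE file to its CLR header and metadata root and decodes the #US heap where C# literals live, plus a constructed minimal .NET PE (not a real binary) built only to carry a #US stream so the script runs offline. The function names, the sample strings and the layout of the constructed file are assumptions made for illustration.

```python
"""Pull C# string literals out of a .NET assembly's #US metadata heap.
Added example, not code from the post, the HTB challenge or dnSpy; every
function name and the sample assembly built below are my own constructions."""
import struct

CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
METADATA_SIGNATURE = 0x424A5342   # 'BSJB'

def read_compressed_uint(buf, pos):
    """ECMA-335 II.23.2 compressed unsigned int: 1, 2 or 4 bytes."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    return (((b0 & 0x1F) << 24) | (buf[pos + 1] << 16)
            | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4

def parse_us_heap(heap):
    """#US heap: byte 0 is 0, then length-prefixed UTF-16LE blobs + 1 flag byte."""
    strings, pos = [], 1
    while pos < len(heap):
        length, pos = read_compressed_uint(heap, pos)
        blob, pos = heap[pos:pos + length], pos + length
        if length:                   # zero = empty blob or trailing padding
            strings.append(blob[:-1].decode("utf-16-le", errors="replace"))
    return strings

def rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def extract_user_strings(pe):
    """PE header -> CLR header -> metadata root -> #US stream -> strings."""
    u16 = lambda o: struct.unpack_from("<H", pe, o)[0]
    u32 = lambda o: struct.unpack_from("<I", pe, o)[0]
    nt = u32(0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, opt = u16(nt + 6), nt + 24
    dd_base = opt + (96 if u16(opt) == 0x10B else 112)        # PE32 vs PE32+
    clr_rva = u32(dd_base + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0:
        raise ValueError("no CLR header: not a .NET assembly")
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + u16(nt + 20) + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    clr = rva_to_offset(sections, clr_rva)
    md = rva_to_offset(sections, u32(clr + 8))                 # IMAGE_COR20_HEADER.MetaData
    if u32(md) != METADATA_SIGNATURE:
        raise ValueError("bad metadata signature")
    p = md + 16 + u32(md + 12)                                 # skip version string
    nstreams, p = u16(p + 2), p + 4                            # Flags, Streams
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", pe, p)
        name_end = pe.index(b"\0", p + 8)
        name = pe[p + 8:name_end]
        p = name_end + 1 + (-(name_end + 1 - p) % 4)            # names are 4-byte padded
        if name == b"#US":
            return parse_us_heap(pe[md + off:md + off + size])
    return []

def ascii_search(pe, needle):
    """What a native byte-pattern search for an ASCII string amounts to here."""
    return needle.encode("ascii") in pe

# --- constructed sample: just enough PE32 + CLR header + metadata root ---
def encode_compressed_uint(n):
    if n < 0x80:
        return bytes([n])
    return struct.pack(">H", n | 0x8000) if n < 0x4000 else struct.pack(">I", n | 0xC0000000)

def build_us_heap(strings):
    heap = bytearray(b"\0")
    for s in strings:
        blob = s.encode("utf-16-le") + b"\0"            # trailing flag byte
        heap += encode_compressed_uint(len(blob)) + blob
    return bytes(heap + b"\0" * (-len(heap) % 4))       # stream is 4-byte aligned

def build_minimal_dotnet_pe(strings):
    us = build_us_heap(strings)
    root = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, 12) + b"v4.0.30319\0\0"
    root += struct.pack("<HH", 0, 1)                     # Flags, one stream
    root += struct.pack("<II", len(root) + 12, len(us)) + b"#US\0" + us
    clr = struct.pack("<IHHII", 72, 2, 5, 0x2000 + 72, len(root)).ljust(72, b"\0")
    body = clr + root                                    # mapped at RVA 0x2000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[CLR_DIRECTORY_INDEX] = (0x2000, 72)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(body), 0x2000, len(body), 0x200) + b"\0" * 16
    return (dos + nt + opt + sect).ljust(0x200, b"\0") + body

SAMPLE_STRINGS = ["Enter a username: ", "Enter a password: ", "Wrong password"]   # constructed
SAMPLE_PE = build_minimal_dotnet_pe(SAMPLE_STRINGS)
```

On a real assembly, call `extract_user_strings` on the file bytes. The `ascii_search` result on the sample is False while `extract_user_strings` returns all three strings, which is the gap the x32dbg search fell into. One caveat that matters for this challenge: the #US heap only holds strings stored as literals, so anything the program decodes at run time will never show up here and still has to be recovered from memory under a debugger.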

After a combination of “Animate into”, breakpoints, and digging deeper into the code, we eventually find the string that asks for a username and password, as well as another interesting string.

If we let the animation run long enough, the flag would eventually be decoded and left in memory for us to read. However, that is not a smart approach and takes far too much time. A better way is to use dnSpy to decompile the .NET binary and change how it runs.

dnSpy

Loading the program into dnSpy and looking at the second block of code, we see something very similar to the prompt asking us for a username and password.

We also observe that this method always returns false, so no matter what we enter, the check fails. In the first block of code this means flag2 will always be false and we will never proceed. We can change this by modifying the value while the program runs under the debugger.

We first add a breakpoint on the line where flag2 is assigned from flag, and run the program.

We see at the bottom that flag is false, and flag2 will receive the same value. If we change the value of flag to true, we proceed to the next part of the program.

We set another breakpoint in the third block of code, where it compares <<EMPTY_NAME>> to b.

Entering any random string, we see the actual key shown to us in the debugger’s locals. We change the value of b to that key and get the flag!
