RE Series #6: HTB Headache

My first Insane challenge, and I’m glad I solved it.

Binary Analysis

Running some simple analysis, we see that the binary prompts us for a password, it’s a stripped binary, dynamically linked, and curiously ltrace fails immediately.

Dynamic Analysis with IDA

As we step through the function, we get to the part where it calls “Initialize”

We see that it’s not actually doing anything, but just printing out “.” 4 times, and calling the function sleep

Next, we get to the part where it prompts us to enter our string

It does a comparison to see if the length is 14h, or 20 characters long. If it isn’t, it goes to “Login Failed!”

When we enter the right length of key, it bring us to this part of the code that loops over 20 times, 0-13h, or 0-19.

It seems like its comparing our string character by character in dl and al. We simply extract the key by analyzing what character its comparing against, and we get HTB{w0w_th4ts_c000l}. Easy right?

Nope. PTRACE?

Obviously challenge labelled as insane would not be so easy. When we submit the flag, its wrong. We turn our heads back to PTRACE, which is an anti-debugging technique. When we open up our debugger, PTRACE is implicitly being called. When the code tries to call PTRACE again, it will fail, and if the code detects that, it can choose to execute another flow

We step through the code once more, and see that PTRACE is being called

To circumvent this, we change the value of EAX to be 0. When EAX is 0xFFFFFFFF, it means that PTRACE has failed, whereas a 0 would indicate that PTRACE has succeeded, and the binary is not being debugged.

After changing the value of EAX to 0, the code now takes a longer more complex path that performs various operations on the string we saw earlier. We repeat the same steps above to extract the true flag, which this time when we submit, its correct!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: