Skip to main content

THM - Compiled

· 2 min read
Strider

Intro

Hi, after some time, I write again a small WriteUp. Today it's about the CTF "Compiled". This CTF-Challenge can be found at the platform TryHackMe. You have to reverse engineer a binary to find out the correct password

OK, lets go! First we have this binary Compiled.Compiled. The first what we can do is to run the command strings to extract all strings from that binary.

dia1.png

Well, we see some interesting strings which can be the password.

dia2.png

To ensure how the binary works, we can use ghidra to disassemble it.

dia3.png

The disassembled main function of that binary looks pretty simple. We see that the password will be stored into the char array local_28. Line 9 sound interesting because the string DoYouEven%sCTF gets stored into this array local_28. We see the after the substring DoYouEven, the operator %s followed by CTF. This operator requires arbitrary char sequences, which will be placed between the first part and the last part of the password. Therefore, we can create the following rule for that password:

  • The password start with DoYouEven
  • The password contains an arbitrary char sequence
  • The password ends with CTF
  • The password has a max. length of 32 characters

If we look closer to the disassembled main function we see there 2 strings which are used as parameter for the function strcmp. I copied the disassembled main function and created my password.c file below to test if which one of both completes the password.

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
int n;
char password [32];

fwrite("Password: ",1,10,stdout);
__isoc99_scanf("DoYouEven%sCTF",password);
printf("Password is: %s", password);
n = strcmp(password,"__dso_handle");
if ((-1 < n) && (n = strcmp(password,"__dso_handle"), n < 1)) {
printf("Try again! 1");
return 0;
}
n = strcmp(password,"_init");
if (n == 0) {
printf("Correct!");
}
else {
printf("Try again! 2");
}
return 0;
}

Next what we can do is to print the stored password after input, and numbered the error messages.

The we have to compile this code to an binary and test the strings __dso_handle and _init

dia4.png

Viola, we have our password DoYouEven_init.

Well it was a very quick challenge but I hope you enjoyed this writeup 😄