Classic Passwd TryHackMe walkthrough

Hello guys back again with another walkthrough this time we’ll be doing Classic Passwd from TryHackMe. Am really not great at reverse engineering but from learning buffer overflows i know my way around binary exploitation and some bit of reversing binaries to identify vulnerabilities and that’s what this walkthrough will be all about. I know there are a great number of walkthroughs are out there about solving the challenge but am really a great fan of gdb since it’s one of the main tool used in exploiting buffer overflows and i haven’t seen a walkthrough solving this specific challenge with gdb the second method which I’ll use to solve the binary is to patch it so that even if the wrong password is supplied we still get an authentication success

The first step whenever i get a binary i tried finding the most basic information about it even before trying to reverse it

First i ran the file command

From that command we get really important information like the binary is a 64 bit binary also we see that the binary is not stripped meaning we can access all the symbols within the binary making our jobs much easier. We also see that the binary is dynamically linked meaning all the shared libraries are access from our very own operating systems

Next command that i always run is strings

And if you can see at least some portion of what later on will be the password but for the binary. But still it wasn’t much useful you can also try with different strings encodings and if anything useful will show up

But next i decided to load up the binary in ghidra and so some light reverse engineering. Any program gets executed from the main function and that’s where we’ll beginning analyzing the binary

We see that once the program enters the main function it jumps to the vuln function immediately

In the vuln function we see the program is asking for a username and if the username is correct is continues execution of the program by jumping to the gfl function but if the username is wring the program exit with a status code of 0 meaning we never hit the gfl function which contains the flag

Let’s execute the binary and see this happening

Let’s take a look at the gfl function and see if we can get some quick wins

We can see the flag yes but it’s somewhat obfuscated using hexadecimal encoding but we can use a simple online hex to dec converter to get the flag though i didn’t like this method

Exploitation

But we now have a decent idea of what the script does let’s load it in gdb and use gdb as a debugger

An using the gef extension since I’ve actually come to like it and it’s more often maintained. The first thing you usually after loading a binary in gdb is set breakpoints and looking at the stack for any useful information like memory addresses

So let’s first set a break point on main so that gdb hint it when it reaches the main function

Then let’s continue execution of the program

We’ve successfully hit our first break point sweet. But remember the function we are interested in is vuln since that’s where authentication takes place

So let’s disassemble the vuln function and set a break point where the supplied username is compared to the real function

Let’s set a break point at that memory address and continue through execution of the program

After continuing though the execution of the program we directly get asked to enter a username

Let’s enter a wrong username in my case I’ll enter my name musyoka and press enter to continue execution of the program

And we again hit a break point this time in the string compare memory address and looking at the string compare memory address we have our username in pretty much clear text

Trying to use that username on the binary

And we have the flag. That’s the first way we can get the flag from the binary.

SECOND METHOD

The second way is to patch the binary by changing the flow which the binary takes even if we give it an incorrect password

To demonstrate this we’ll be using ghidra to patch the binary so let’s begin

First we need to import the binary but in a raw format

Things will look different when we open the binary in a raw format but out goal is to find the main function of the program

Depending in the result the code flow execution changes. Looking at the assembly code we see that when the “jump is not equal to zero it jumps to LAB_00001271 ” let’s invert the instruction so that jump always becomes zero

Right clicking on that instruction and selecting patch instruction

Original Instruction

Changed instruction

Now that we have successfully changed the instruction let’s save the binary by pressing o

Doing a directory listing we get another binary was created

Doing a md5sum show they are different binary

Now to show the difference I’ll split my tmux window and the upper window will have the modified binary and the lower window will have the original binary

Trying to use a wrong password on the original binary we get an authentication error

But using the wrong password on the patched binary we get authentication was successful and we even get the flag

We get the flag and it’s the same decimal value we had decoded using the online converter. And that’s it!!!! Easy right I hope you enjoyed the walkthrough if so don’t forget to clap for me down below and don’t forget to follow me so that you won’t miss any upcoming articles

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)