Challenge Description

Are you able to cheat me and get the flag?

Provided Files

$ file impossible_password.bin 
impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped

Solution

Executing impossible_password.bin, whatever we type after the * prompt is echoed back inside square brackets, after which the program exits:

$ ./impossible_password.bin         
* test
[test]

Running strings on the binary, we notice the string SuperSeKretKey:

$ strings impossible_password.bin
<SNIP>
=1       
[]A\A]A^A_
SuperSeKretKey
%20s
[%s]
<SNIP>

which, entered as the first password, gets us to the next prompt:

$ ./impossible_password.bin
* SuperSeKretKey
[SuperSeKretKey]
** whatever

but we do not know the second password needed to continue.

In Ghidra, inside the function void FUN_0040085d(void), we find the strcmp against the second password and an if statement whose block runs only when the comparison succeeds (strcmp returns 0):

<SNIP>
  iVar1 = strcmp(local_28,__s2);
  if (iVar1 == 0) {
    FUN_00400978(&local_48);
  }
  return;
}
<SNIP>

To get around this check, we can patch the conditional jump that implements the if statement. The JNZ skips the call to FUN_00400978 whenever strcmp returns non-zero, that is, whenever the second password is wrong:

00400968 75 0c           JNZ        LAB_00400976

to JZ, a one-byte change (75 to 74) that inverts the condition, so the call is now skipped only for the correct password and taken for any other input:

00400968 74 0c           JZ         LAB_00400976
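As an added example (not part of the original writeup), the following Python script applies the same one-byte patch without a hex editor: it walks the ELF program headers to map Ghidra's address 0x400968 to the file offset backing it, checks that the byte there really is 0x75 before touching anything, and writes the patched copy. The sample image it builds when run without an argument is constructed for the example and is not the real challenge binary.

```python
import struct
import sys

PT_LOAD = 1
JNZ_REL8, JZ_REL8 = 0x75, 0x74  # opcode bytes of "jnz rel8" and "jz rel8"

def parse_phdrs(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for each ELF64 LE program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = fields
        yield p_type, p_offset, p_vaddr, p_filesz

def vaddr_to_offset(data, vaddr):
    """Map a virtual address (as shown in Ghidra) to the file offset that backs it."""
    for p_type, p_offset, p_vaddr, p_filesz in parse_phdrs(data):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")

def flip_jnz_to_jz(data, vaddr):
    """Return a copy of data with the jnz rel8 at vaddr rewritten as jz rel8."""
    off = vaddr_to_offset(data, vaddr)
    if data[off] != JNZ_REL8:  # verify the opcode so a wrong address never corrupts the file
        raise ValueError(f"byte at {vaddr:#x} is {data[off]:#04x}, not jnz (0x75)")
    patched = bytearray(data)
    patched[off] = JZ_REL8  # the rel8 displacement byte (0x0c here) stays as it is
    return bytes(patched)

def build_sample_image():
    """Constructed stand-in for the challenge binary: one PT_LOAD mapping file offset 0 to 0x400000, bytes 75 0c at 0x400968."""
    size = 0x1000
    img = bytearray(size)
    img[0:6] = b"\x7fELF\x02\x01"  # magic, ELFCLASS64, ELFDATA2LSB
    struct.pack_into("<Q", img, 0x20, 0x40)    # e_phoff: program headers right after the ELF header
    struct.pack_into("<HH", img, 0x36, 56, 1)  # e_phentsize, e_phnum
    struct.pack_into("<IIQQQQQQ", img, 0x40, PT_LOAD, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    img[0x968:0x96a] = bytes([JNZ_REL8, 0x0c])
    return bytes(img)

if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. impossible_password.bin
    data = open(src, "rb").read() if src else build_sample_image()
    with open(src.replace(".bin", "_patched.bin") if src else "sample_patched.bin", "wb") as f:
        f.write(flip_jnz_to_jz(data, 0x400968))
```

Run as `python3 patch.py impossible_password.bin` to produce impossible_password_patched.bin; the opcode check makes the script refuse to write if the address does not hold a JNZ.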

Executing the patched binary, whatever we enter as the second password gives us the flag:

$ chmod +x impossible_password_patched.bin
$ ./impossible_password_patched.bin       
* SuperSeKretKey
[SuperSeKretKey]
** whatever
HTB{40b*********b18}