Classic Passwd — TryHackMe

0xsanz
2 min read · Feb 8, 2021

Another TryHackMe room write-up, in which you practice your binary reversing skills and get the flag by bypassing the login. The room is available here:
https://tryhackme.com/room/classicpasswd

Using Ghidra

Download the binary, then open and analyse it in Ghidra. If you are not familiar with Ghidra, look here: https://ghidra-sre.org/

Here is the code which Ghidra spits out for us:

We can get to our flag in various ways from the above code:

1. Analyse the vuln() code. On line 34 we can see a string comparison against the username we input. The comparison is done against a local variable that is cast to a char*. That local variable can be reconstructed by taking care of endianness and converting the hex constant into ASCII characters. Use the resulting string as the input to the Challenge executable to get the flag.

2. Though not a recommended solution, we can read the flag directly from gfl().
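The reconstruction step in option 1 is easy to get wrong by hand, so here is an added example (not from the original post or the room) showing how to turn the kind of hex constants Ghidra's decompiler assigns to stack locals back into the C string they represent. The values in SAMPLE_LOCALS are constructed for illustration and are not the room's real username; the variable names local_28 and local_20 are assumed Ghidra-style names.

```python
# Constructed example: Ghidra often shows a string that the compiler copied onto
# the stack as a series of integer stores, e.g.
#     local_28 = 0x313072656b636148;
#     local_20 = 0x434241;
# On x86-64 those constants are little-endian, so the lowest byte of each
# constant is the first character. The values below are made up.
SAMPLE_LOCALS = [
    # (Ghidra local name, hex constant as shown, width of the store in bytes)
    ("local_28", 0x313072656B636148, 8),   # 8-byte store (uint64)
    ("local_20", 0x434241, 4),             # 4-byte store, top byte is the NUL terminator
]


def decode_le(value: int, width: int) -> bytes:
    """Decode one integer constant as it sits in memory: little-endian,
    padded to the store width (leading zero bytes become trailing NULs)."""
    return value.to_bytes(width, byteorder="little")


def memory_order(locals_as_shown):
    """Ghidra names locals by their offset from the frame pointer, so local_28
    lives at a lower address than local_20. Sorting by descending offset puts
    the stores in the order the bytes appear in memory."""
    return sorted(locals_as_shown, key=lambda t: -int(t[0].split("_")[1], 16))


def reconstruct_string(locals_as_shown) -> str:
    """Concatenate the stores in memory order and stop at the first NUL byte,
    which is where strcmp() would stop reading too."""
    raw = b"".join(decode_le(v, w) for _, v, w in memory_order(locals_as_shown))
    end = raw.find(b"\x00")
    if end != -1:
        raw = raw[:end]
    return raw.decode("ascii")


if __name__ == "__main__":
    # Feed this string to the binary when it asks for the username.
    print(reconstruct_string(SAMPLE_LOCALS))
```

If Ghidra shows a value with fewer hex digits than the store width (like local_20 above), the missing high bytes are zero and end up as the string terminator, which is why the function stops at the first NUL rather than decoding the padding.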

Using ltrace

Give the downloaded binary execute permission and analyse it using ltrace:

We can see the string comparison happening against the “username”. Give that “username” to the binary when asked and we get the flag.

That's it. Thanks for reading, have a nice one.


0xsanz

Software Developer with a keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900, AZ204