- Task 1 Crackme 1
- Task 2 Crackme 2
- Task 3 Crackme 3
- Task 4 Crackme 4
- Task 5 Crackme 5
- Task 6 Crackme 6
- Task 7 Crackme 7
- Task 8 Crackme 8
After downloading the task file(s), let's check what's in store for us:
$ file index.crackme1
index.crackme1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=672f525a7ad3c33f190c060c09b11e9ffd007f34, not stripped
I played around with the file until I just ran it and got the flag (haha very risky)...
$ ./index.crackme1
flag{not_that_kind_of_elf}
What is the flag (flag1)??
Answer:
flag{not_that_kind_of_elf}
The task description says: "Find the super-secret password! and use it to obtain the flag".
The task file is yet another ELF file:
$ file index.crackme2
index.crackme2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b799eb348f3df15f6b08b3c37f8feb269a60aba7, not stripped
$ strings index.crackme2
...
Usage: %s password
super_secret_password
Access denied.
Access granted.
;*2$"(
...
Seems like we found the super_secret_password
Let's see if it works:
$ ./index.crackme2 super_secret_password
Access granted.
flag{if_i_submit_this_flag_then_i_will_get_points}
What is the super secret password ?
Answer:
super_secret_password
What is the flag (flag2)?
Answer:
flag{if_i_submit_this_flag_then_i_will_get_points}
$ strings index.crackme3
...
Usage: %s PASSWORD
malloc failed
ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==
Correct password!
Come on, even my aunt Mildred got this one!
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
...
Hmmm, seems like a base64 string:
$ echo "ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==" | base64 -d
f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
What is the flag? (flag3)
Answer:
f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
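The strings-then-decode step from Crackme 3, generalized into a small triage helper (an added example, not part of the original writeup): it pulls printable runs out of a binary blob, keeps those shaped like base64, and reports only the ones that decode to readable text. The function names and the `SAMPLE` blob are constructed for illustration; the embedded strings are the ones shown in the `strings` output above.

```python
import base64
import re

# Runs of printable ASCII, as `strings` reports them (default minimum length 4).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A whole string that is well-formed base64: 4-char groups, optional padding.
BASE64_SHAPE = re.compile(
    rb"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def extract_strings(blob: bytes) -> list[bytes]:
    """Return printable-ASCII runs from a binary blob, like `strings`."""
    return PRINTABLE_RUN.findall(blob)


def decode_base64_candidates(blob: bytes) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for strings that decode to printable text."""
    hits = []
    for s in extract_strings(blob):
        if not BASE64_SHAPE.fullmatch(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True)
        except ValueError:
            continue
        # Keep only results that are themselves readable text; this drops
        # look-alikes such as the base64 alphabet table, which decodes to binary.
        if decoded and all(0x20 <= b <= 0x7E for b in decoded):
            hits.append((s.decode("ascii"), decoded.decode("ascii")))
    return hits


# Constructed sample: the strings shown in the output above, separated by NUL
# bytes the way string constants sit next to each other in a read-only section.
SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"Usage: %s PASSWORD",
    b"malloc failed",
    b"ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==",
    b"Correct password!",
    b"Come on, even my aunt Mildred got this one!",
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
]) + b"\x00\x01\x02"

if __name__ == "__main__":
    for encoded, decoded in decode_base64_candidates(SAMPLE):
        print(f"{encoded} -> {decoded}")
```

The alphabet table is itself valid base64, so shape alone is not enough; the printable-output check is what separates the encoded secret from it.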
$ strings index.crackme4
...
password OK
password "%s" not OK
Usage : %s password
This time the string is hidden and we used strcmp
...
$ ltrace ./index.crackme4 thmbest
__libc_start_main(0x400716, 2, 0x7ffd2961db78, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "thmbest") = -7
printf("password "%s" not OK\n", "thmbest"password "thmbest" not OK
) = 26
+++ exited (status 0) +++
What is the password?
Answer:
my_m0r3_secur3_pwd
$ ltrace ./index.crackme5
__libc_start_main(0x400773, 1, 0x7ffc593536f8, 0x4008d0 <unfinished ...>
puts("Enter your input:"Enter your input:
) = 18
__isoc99_scanf(0x400966, 0x7ffc59353590, 1, 0x7f5eba900190Always dig deeper
) = 1
strlen("Always") = 6
strlen("Always") = 6
strlen("Always") = 6
strlen("Always") = 6
strlen("Always") = 6
strlen("Always") = 6
strlen("Always") = 6
strncmp("Always", "OfdlDSA|3tXb32~X3tX@sX`4tXtz", 28) = -14
puts("Always dig deeper"Always dig deeper
) = 18
+++ exited (status 0) +++
$ ./index.crackme5
Enter your input:
OfdlDSA|3tXb32~X3tX@sX`4tXtz
Good game
What is the input ?
Answer:
OfdlDSA|3tXb32~X3tX@sX`4tXtz
$ strings ./index.crackme6
...
GLIBC_2.2.5
UH-H
UH-H
[]A\A]A^A_
password OK
password "%s" not OK
Usage : %s password
Good luck, read the source
Loading the executable into Ghidra, we quickly find a function called my_secure_test:
Analyzing the source code, we can piece together the password quite easily...
What is the password ?
Answer:
1337_pwd
Same as before, loading the executable in Ghidra shows the following logic in the function:
Following the logic, we can quickly provide the decimal value for 0x7a69 and get the flag:
$ ./index.crackme7
Menu:
[1] Say hello
[2] Add numbers
[3] Quit
[>] 31337
Wow such h4x0r!
flag{much_reversing_very_ida_wow}
What is the flag?
Answer:
flag{much_reversing_very_ida_wow}
Loading the executable in Ghidra and analyzing it gives us insight into the following program logic:
It's simple enough to exploit this: simply convert the hex value iVar2 is compared to in the nested if statement and supply it to the program...
$ ./index.crackme8 -889262067
Access granted.
flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
What is the flag?
Answer:
flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
If this writeup helps, please consider following me on GitHub (https://github.com/NovusEdge) and/or dropping a star on the repository: https://github.com/NovusEdge/thm-writeups
- Author: Aliasgar Khimani
- Room: Reversing Elf by mrpvr