0x41haz THM room
0x41haz - Simple Reversing Challenge
In this challenge we are supplied an ELF file and the goal is to find the flag. Simply running strings on the file is not enough to find the flag. Once the correct password is found, the flag can be entered into the website in the usual THM form.
File investigation
A first look at the file shows that it seems to be a 64-bit ELF file with MSB encoding; however, the architecture is not recognized.
file 0x41haz.0x41haz
0x41haz.0x41haz: ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)
# Trying to execute the file
./0x41haz.0x41haz
-bash: ./0x41haz.0x41haz: cannot execute binary file: Exec format error
First bytes of the header of the file:
7F 45 4C 46 02 02 01 00 00 00 00 00 00 00 00 00
03 00 3E 00 01 00 00 00 80 10 00 00 00 00 00 00
First bytes of another ELF file:
00000000: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
00000010: 03 00 3e 00 01 00 00 00 80 10 00 00 00 00 00 00 ..>.............
00000000 struct Elf64_Header __elf_header =
00000000 {
00000000 struct Elf64_Ident ident =
00000000 {
00000000 char signature[0x4] = "\x7fELF"
00000004 uint8_t file_class = 0x2
00000005 uint8_t encoding = 0x1
00000006 uint8_t version = 0x1
00000007 uint8_t os = 0x0
00000008 uint8_t abi_version = 0x0
00000009 char pad[0x7] = "\x00\x00\x00\x00\x00\x00", 0
00000010 }
00000010 enum e_type type = ET_DYN
00000012 enum e_machine machine = EM_X86_64
00000014 uint32_t version = 0x1
[...]
link to elf docu architecture check here
show that works in IDA (specify version)
reverse ida password length 13 fix header
test that password is correct
Running strings against the file shows that it seems to ask for a password and reports whether the password was correct. It seems to use standard C functions like gets, puts and strlen.
strings 0x41haz.0x41haz
/lib64/ld-linux-x86-64.so.2
gets
exit
puts
strlen
__cxa_finalize
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
2@@25$gfH
sT&@f
[]A\A]A^A_
=======================
Hey , Can You Crackme ?
=======================
It's jus a simple binary
Tell Me the Password :
Is it correct , I don't think so.
Nope
Well Done !!
;*3$"
GCC: (Debian 10.3.0-9) 10.3.0
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
So overall this looks like an ELF file, but it does not want to execute.
Reverse it in IDA
Fixing the header
Change this byte
After changing the byte, the program is recognized as a 64-bit ELF file and the file command parses it correctly:
file 0x41haz.0x41haz2
0x41haz.0x41haz2: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c9f2e85b64d4f12b91136ffb8e4c038f1dc6dcd, for GNU/Linux 3.2.0, stripped
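The header fix above can also be checked and applied in code. The following is an added example, not part of the original write-up: it decodes e_machine under both byte orders, flags the case where the declared EI_DATA byte (offset 5) yields an unknown machine while the opposite order yields a known one, and patches that single byte. The function names and the short KNOWN_MACHINES table are assumptions made for this illustration; the sample bytes are the 32 header bytes listed earlier.

```python
import struct

EI_DATA = 5                        # e_ident index of the byte-order flag
ELFDATA2LSB, ELFDATA2MSB = 1, 2    # little-endian / big-endian
E_MACHINE_OFF = 0x12               # e_ident (16 bytes) + e_type (2 bytes)
# Small subset of e_machine values from the ELF specification.
KNOWN_MACHINES = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}

# First 32 bytes of the challenge file, copied from the hex listing in the write-up.
BROKEN = bytes.fromhex("7f454c46020201000000000000000000"
                       "03003e00010000008010000000000000")


def read_machine(header: bytes, ei_data: int) -> int:
    """Decode e_machine using the byte order that ei_data claims."""
    fmt = "<H" if ei_data == ELFDATA2LSB else ">H"
    return struct.unpack_from(fmt, header, E_MACHINE_OFF)[0]


def diagnose(header: bytes) -> dict:
    """Report whether EI_DATA contradicts the byte order e_machine was written in."""
    if len(header) < E_MACHINE_OFF + 2 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    declared = header[EI_DATA]
    if declared not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"invalid EI_DATA value {declared:#x}")
    other = ELFDATA2LSB if declared == ELFDATA2MSB else ELFDATA2MSB
    as_declared = read_machine(header, declared)
    as_other = read_machine(header, other)
    # Mismatch: nonsense under the declared order, a known machine under the other.
    mismatch = as_declared not in KNOWN_MACHINES and as_other in KNOWN_MACHINES
    return {"declared": declared, "machine_as_declared": as_declared,
            "machine_as_other": KNOWN_MACHINES.get(as_other),
            "mismatch": mismatch, "suggested_ei_data": other if mismatch else declared}


def fix_ei_data(data: bytes) -> bytes:
    """Return a copy with EI_DATA corrected; unchanged if the header is consistent."""
    info = diagnose(data)
    patched = bytearray(data)
    patched[EI_DATA] = info["suggested_ei_data"]
    return bytes(patched)


if __name__ == "__main__":
    print(diagnose(BROKEN))               # flags the mismatch
    print(diagnose(fix_ei_data(BROKEN)))  # consistent after the one-byte patch
```

fix_ei_data only reads the first 20 bytes, so it can be given the full file contents and the result written to a new file, leaving the original untouched.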
Now binja and bash
./0x41haz.0x41haz2
=======================
Hey , Can You Crackme ?
=======================
It's jus a simple binary
Tell Me the Password :
2@@<redacted>T&@L
Well Done !!
THM{found_password}