THM-Classic Passwd Challenge
Classic Passwd - Medium

Room link: https://tryhackme.com/room/classicpasswd
First of all, same thing again - I don’t know why this challenge is categorized as medium; it should be an easy challenge. In this writeup I will not use messy tools or any complicated stuff. Let’s analyze it simply.
After getting the task file, first I run:
file Challenge_1609966715991.Challenge
Output:
Challenge_1609966715991.Challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b80ce38cb25d043128bc2c4e1e122c3d4fbba7f7, for GNU/Linux 3.2.0, not stripped
So it’s an ELF file.
Then I try to run it, so I give it execute permission with:
chmod +x Challenge_1609966715991.Challenge
After this, it asks for a username, which I don’t have.
Then I use the strings command to see which libraries and strings are used here:
strings Challenge_1609966715991.Challenge
strcpy
exit
__isoc99_scanf
puts
printf
__cxa_finalize
strcmp
__libc_start_main
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
Made by H
4non
https://H
github.cH
om/n0obiH
AGB6js5dH
9dkGf
[]A\A]A^A_
Insert your username:
Welcome
Authentication Error
THM{ %d %d }
;*3$"
GCC: (Debian 10.2.0-16) 10.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
Challenge.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
strcpy@@GLIBC_2.2.5
puts@@GLIBC_2.2.5
vuln
_edata
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__isoc99_scanf@@GLIBC_2.7
exit@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
Notable strings found:
- It uses strcmp, which compares the user-provided username with the actual one
- Various library functions
- String “AGB6js5d9dkGf” caught my attention
- Authentication messages: “Insert your username:”, “Welcome”, “Authentication Error”
- Flag format: “THM{ %d %d }”
Then for dynamic analysis I use ltrace:
ltrace ./Challenge_1609966715991.Challenge
Note: ltrace is a command-line tool used on Linux to trace the library calls a program makes during its execution. It helps developers and system administrators debug and troubleshoot issues by showing how a program interacts with shared libraries.
Output:
printf("Insert your username: ") = 22
__isoc99_scanf(0x5644d2e6c01b, 0x7ffd0e5eab80, 0, 0Insert your username: admin) = 1
strcpy(0x7ffd0e5eaaf0, "admin") = 0x7ffd0e5eaaf0
strcmp("admin", "AGB6js5d9dkG7") = 32
puts("\nAuthentication Error") = 22
exit(0 <no return ...>
+++ exited (status 0) +++
After this we can clearly see that it compares the username with “AGB6js5d9dkG7”.
After that I provide this value as the username and boom, we got it:
./Challenge_1609966715991.Challenge
Insert your username: AGB6js5d9dkG7
Welcome
THM{redacted}
Flag: THM{redacted}
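The strings output above shows the fragments "AGB6js5dH" and "9dkGf", while ltrace shows "AGB6js5d9dkG7". A string that is built on the stack with immediate stores sits in the file interleaved with opcode bytes, which explains the difference. The sketch below is an added example, not code from the challenge or from this writeup; the instruction bytes are constructed, assuming a typical compiler-emitted initialiser, and it reproduces both the static and the runtime view.

```python
import re
import struct

def build_stack_string_code() -> bytes:
    """Constructed x86-64 bytes (assumed, not disassembled from the binary)."""
    return b"".join([
        b"\x48\xb8" + b"AGB6js5d",       # movabs rax, imm64
        b"\x48\x89\x45\xd0",             # mov [rbp-0x30], rax
        b"\xc7\x45\xd8" + b"9dkG",       # mov dword [rbp-0x28], imm32
        b"\x66\xc7\x45\xdc" + b"7\x00",  # mov word [rbp-0x24], imm16 ('7', NUL)
    ])

def strings(blob: bytes, min_len: int = 4) -> list:
    """Minimal strings(1): printable ASCII runs of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def run_stores(code: bytes, frame_size: int = 0x40) -> bytes:
    """Emulate only the store forms used above; return the resulting C string."""
    frame = bytearray(frame_size)        # frame[frame_size + disp] is [rbp + disp]
    rax, i, first = b"", 0, None
    while i < len(code):
        if code.startswith(b"\x48\xb8", i):        # movabs rax, imm64
            rax, i = code[i + 2:i + 10], i + 10
            continue
        if code.startswith(b"\x48\x89\x45", i):    # mov [rbp+disp8], rax
            d, data, n = i + 3, rax, 4
        elif code.startswith(b"\xc7\x45", i):      # mov dword [rbp+disp8], imm32
            d, data, n = i + 2, code[i + 3:i + 7], 7
        elif code.startswith(b"\x66\xc7\x45", i):  # mov word [rbp+disp8], imm16
            d, data, n = i + 3, code[i + 4:i + 6], 6
        else:
            raise ValueError(f"unsupported opcode at offset {i}")
        addr = frame_size + struct.unpack_from("b", code, d)[0]  # signed disp8
        frame[addr:addr + len(data)] = data
        first = addr if first is None else min(first, addr)
        i += n
    return bytes(frame[first:]).split(b"\x00", 1)[0]

if __name__ == "__main__":
    code = build_stack_string_code()
    # Static view: the trailing 'H' (0x48) and 'f' (0x66) are prefix bytes of
    # the next instruction, and the lone '7' is too short to be reported.
    print("strings :", strings(code))
    # Runtime view: the buffer after the stores execute, as strcmp receives it.
    print("runtime :", run_stores(code))
```

This is why a value pieced together from strings output should be confirmed at runtime before it is trusted.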
For deeper analysis you can use tools like Ghidra or IDA. Thank you.
Since I am new to reverse engineering, if I missed anything please send suggestions to: sensurajit@proton.me