Hack The Box Writeup — Baby RE

Hack The Box is a hacking platform that can be used to practice cybersecurity skills. It offers a wide range of categories and a wide range of difficulties.

This write-up is also intended to help newcomers understand how to read a memory dump and read assembly.

Enjoy!

This is the easiest level on the HTB platform in the reverse engineering category. Even though this solution may not be needed (because obviously, you can do it by yourself), I want to share with you something important that helped strengthen my understanding of reverse engineering.

Challenge Introduction

The problem is simple. We are asked to enter a secret key, and the program checks whether the key is correct or not. If we look under the hood, we can analyze it really quickly.

Disassembly of Main Function

Please ignore the arrow on the left.

We need to look for the final comparison. We know that the final comparison happens in the strcmp@plt function (addr: 0x0..5..19a). It is important to keep in mind that every system call needs certain registers, and those registers contain certain information. When I did this, I did not remember which registers are specifically used, but the good news is that we can work it out from the assembly.

We can immediately conclude that %rbp-0x20 is holding the user input, and its value is moved into %rax (addr: 0x0..5..18c). So, we know that %rax is holding the user input value.

Similarly, the %rsi register is set from %rip+0xebc, and we can assume this is the key. Long story short, I peeked at the value of %rsi: it is 0x555555556053, which in ASCII is UUUU`S.

... is it?

This is where I was wrong. I forgot to look at the opcode. The opcode says LEA, not MOV. What is the implication? When the opcode is LEA, it copies the address of its operand, not the value stored there. LEA is short for Load Effective Address. Therefore, 0x55…6053 is an address, not the actual value of the key.

So, in order to look at the key, we can examine that address to see what is stored there. I used the following gdb command to examine the address:

x/10xw $rsi

x/ = examine
10 = number of 'blocks' (units) to be shown
x = display as hex values
w = size of each 'block' (w is a word, 4 bytes in gdb)
$rsi = the address to examine; you can use a register or a literal hex memory address, up to you.
Memory Analysis Result

Now we can see something beautiful: a group of printable hex values. Keep in mind that printable letters in hex lie between 0x41 (A) and 0x7a (z), and digits lie between 0x30 (0) and 0x39 (9). The second question is, how do I know which bytes belong to the actual key and which do not? Again, keep in mind that a string is terminated by a null byte (0x00).

Okay, now we can determine the value. I also want to explain how to read memory, because I also found it difficult when I learned it for the first time. Within each block, we read from right to left, taking two hex digits (one byte) per step. For instance, the first block has the value 0x64636261, but the actual byte sequence in memory is 0x61 0x62 0x63 0x64: we read from the rightmost pair to the leftmost pair, moving two hex digits at a time. After we are done with the first block, we move one block to the right and do the same thing. When we move to the next row, we start again from the first column.

Now that we can read the memory, back to our business. We know that every string has a null terminator, so we read all the way through until we meet the 0x00 byte. Therefore the value in hex is 0x61 0x62 0x63 0x64 0x65 0x31 0x32 0x32 0x33 0x31 0x33 0x0a 0x00. Convert it to a string and we get the answer. Supply that value to the program and you will get the flag.

If you use an online hex-to-ASCII converter, please be aware of the byte order it expects. For instance,

Ignoring Expected Input

... it produces a different value, because it reads the hex digits left to right instead of byte by byte from the right.
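To make the right-to-left reading concrete, here is an added example (not part of the original write-up) that parses gdb `x/Nxw` output, undoes the little-endian word layout, and stops at the null terminator. The address and the first word come from the write-up; the remaining words are constructed so they spell out the byte sequence read above. It also shows the wrong answer you get by feeding a word to a converter that reads hex left to right.

```python
import re

# Constructed dump in the shape of `x/10xw $rsi`. The address and the first
# word (0x64636261) are the ones shown in the write-up; the other words are
# constructed to match the byte sequence read off in the text.
GDB_DUMP = """\
0x555555556053: 0x64636261 0x32323165 0x0a333133 0x00000000
0x555555556063: 0x00000000 0x00000000 0x00000000 0x00000000
0x555555556073: 0x00000000 0x00000000
"""

HEX_TOKEN = re.compile(r"0x[0-9a-fA-F]+")


def gdb_units_to_bytes(dump: str, unit_size: int = 4) -> bytes:
    """Flatten an `x/Nx{b,h,w,g}` dump into the bytes as they sit in memory.

    gdb prints each unit as a little-endian integer, so the word 0x64636261
    is the byte run 61 62 63 64 (read right to left), exactly as explained
    in the text. Rows continue at the first column of the next line.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue  # skip anything that is not an `addr: values` row
        _addr, _, values = line.partition(":")
        for token in HEX_TOKEN.findall(values):
            out += int(token, 16).to_bytes(unit_size, "little")
    return bytes(out)


def c_string(buf: bytes) -> bytes:
    """Everything up to (not including) the first NUL, like strcmp sees it."""
    end = buf.find(b"\x00")
    return buf if end < 0 else buf[:end]


def recover_key(dump: str, unit_size: int = 4) -> str:
    """Decode the null-terminated key from a gdb dump; fails on non-text."""
    key = c_string(gdb_units_to_bytes(dump, unit_size))
    if not all(0x20 <= b < 0x7F or b == 0x0A for b in key):
        raise ValueError("bytes before the NUL are not printable ASCII")
    return key.decode("ascii")


def naive_left_to_right(word_hex: str) -> bytes:
    """What an online converter does with '64636261' as typed: wrong order."""
    return bytes.fromhex(word_hex)


if __name__ == "__main__":
    print(repr(recover_key(GDB_DUMP)))            # 'abcde122313\n'
    print(naive_left_to_right("64636261"))        # b'dcba'
```

The trailing 0x0a in the key is a newline, so when typing the key interactively it is supplied by pressing Enter.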

That is all I have to share regarding basic reverse engineering. Hopefully you will find it useful, especially if you are really new to reverse engineering. Happy reversing! God bless and to God be all the glory!

joshuanatan

A humble learner of everything around IT especially in IT implementation, governance, risk management, and cybersecurity.