THM Industrial Intrusion CTF - Task 28 [PWN] - Start

whAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt? Just spam a lot of AAAAAAAAAAAAAAAAAAAAAs like so. Done. No, seriously, let’s go over what this program actually does, and why this even works. I load up the provided binary in Ghidra and take a look at the decompiled code, more specifically at the main function.

    bool main(void)
    {
      bool bVar1;
      char local_38 [44];
      int local_c;

      setvbuf(stdout,(char *)0x0,2,0);
      setvbuf(stdin,(char *)0x0,2,0);
      local_c = 0;
      printf("Enter your username: ");
      gets(local_38);
      bVar1 = local_c != 0;
      if (bVar1) {
        puts("Welcome, admin!");
        print_flag();
      }
      else {
        puts("Access denied.");
      }
      return !bVar1;
    }

What happens here? The program reads input into local_38, which can be [44] bytes long. Its buffer is 44 bytes. For this, it uses gets(), which is not only outdated but also dangerous, because it does not limit the input length. ...

July 6, 2025

THM Industrial Intrusion CTF - Task 24 [REVERSING] - Auth

Intro

This challenge is about reverse engineering a binary called auth that asks us for a password in order to get the flag. This challenge is pretty similar to the other reversing challenge from this CTF, Access Granted. However, this time we won’t be able to find the password in cleartext - for this one we have to dig deeper with Ghidra to understand what is happening. I recommend you read the writeup of Access Granted, as this post goes through the basics of Ghidra. In the TryHackMe Industrial Intrusion CTF this is the first challenge of the Reversing category, and it’s also labeled as “Easy”, just like the second reversing challenge. Personally, however, I think that the second reversing challenge is easier than this one. ...

July 6, 2025

THM Industrial Intrusion CTF - Task 25 [REVERSING] - Access Granted

Intro

This challenge is really simple as the password of that application is stored in cleartext. It can be found with strings, but we will also use Ghidra to confirm that this is actually the password we’re after and talk about the basics of using Ghidra to reverse engineer binaries.

Analyzing the binary using strings and file

A good starting point to analyze a binary is to run file against it. It will inform us about the file type and any other information related to that. ...

July 6, 2025

THM Industrial Intrusion CTF - Task 13 [FORENSICS] - Ocram

Intro

In this challenge we are presented with an e-mail that contains a malicious attachment. The attached doc file contains a malicious VBA macro. Of course, the code is obfuscated and hard to read. It’s up to us to analyze, reverse engineer and crack the VBA code. The name of the challenge, “ocram”, is actually a hint, as it is “macro” spelled backwards.

Obtaining the attachment

Within the machine that is given to us as part of the challenge, there is a .eml file. Within this .eml file, there is an attachment. We can see this because it contains strings similar to this: ...

July 5, 2025

THM Industrial Intrusion CTF - Task 16 [Boot2Root] - Under Construction

User

This box runs a website (80) and ssh (22). When clicking a link on the webpage like “about”, you navigate to “view.php?page=about.php”, which suggests that the script reads a file and displays it within “itself”. This is a classic “view script” in PHP, which is sometimes used to display / embed local files or documents. This can be dangerous! Quick PoC: We can view “index.php” being displayed, even though we are technically at “view.php”: ...

July 5, 2025

THM Industrial Intrusion CTF - Task 19 [CRYPTO] - No salt, no shame

In Task 19 of the TryHackMe Industrial Intrusion CTF, titled “No Salt, No Shame”, we dive into a cryptographic challenge that hinges on poor key management practices. The goal: decrypt sensitive files using a known passphrase, predictable AES parameters, and no salt or key derivation function. Let’s walk through how CyberChef becomes the MVP tool in solving this challenge. Here is the original Task description

What we know:

- Passphrase known
- Algorithm known
- IV known
- No salt used (to derive key from the passphrase)
- Ciphertext / Encrypted files known

With that, you can just go to CyberChef and do: ...

July 3, 2025