Top 5 This Week

Related Posts

HTB – Hack the Box – Reg

HTB – Hack the Box – Reg: A Technical Deep Dive

Welcome to another installment of our “HTB – Hack the Box Series” (HTB Series). In this guide, we’ll explore the ‘Reg’ challenge, focusing on its technical aspects and the steps to conquer it.

Initial Analysis and Setup

The ‘Reg’ challenge in Hack The Box offers a complex scenario for cybersecurity enthusiasts. This section covers the initial steps of setting up and analyzing the binary file.

Unzipping and Analyzing the Binary

Security Mechanisms and Vulnerabilities

Understanding the security mechanisms in place is crucial. The following commands reveal the protections enabled and potential vulnerabilities.

String Analysis and Execution

String analysis often gives insights into the binary’s functionality. Here’s how we probe deeper:

Behind-the-Scenes Analysis with Ltrace

Using ‘ltrace’, we can observe the runtime library calls, which is pivotal for understanding the binary’s behavior.

Advanced Analysis with Tools

Tools like Ghidra and Radare2 are invaluable for a more in-depth analysis. They reveal the inner workings of the binary, guiding our exploit strategy.Conclusion

This technical walkthrough of the ‘Reg’ challenge in Hack The Box highlights the importance of a systematic approach in cybersecurity. Stay tuned for more challenges in our series.

Step-by-Step detailed tutorial

└─$ unzip   
[] reg password: 
  inflating: reg
└─$ file reg              
reg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, BuildID[sha1]=134349a67c90466b7ce51c67c21834272e92bdbf, for GNU/Linux 3.2.0, not stripped
  • checksec will tell us what protection is enabled, in this case NX enabled
└─$ checksec --file=reg
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   80 Symbols        No    0               3               reg
  • check for the strings
└─$ strings -n 10 reg     
Enter your name : 
GCC: (GNU) 10.2.0
  • make the file executable and run the file
└─$ chchmod +x reg
chchmod: command not found
└─$ chmod +x reg     
└─$ ./reg
Enter your name : MyName
  • using ltrace to see what is happyning behind the scene
└─$ ltrace ./reg
alarm(30)                                                                                                                        = 0
setvbuf(0x7f15393f5760, 0, 2, 0)                                                                                                 = 0
setvbuf(0x7f15393f5680, 0, 2, 0)                                                                                                 = 0
setvbuf(0x7f15393f4a80, 0, 2, 0)                                                                                                 = 0
printf("Enter your name : "Enter your name : )                                                                                                     = 18
gets(0x7ffc13f4d7e0, 0x7ffc13f4b6c0, 0, 0MyName
)                                                                                       = 0x7ffc13f4d7e0
)                                                                                                              = 12
+++ exited (status 0) +++

use ghidra to poke arround and search for strings

└─$ ghidra
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
└─$ readelf -s reg

Symbol table '.dynsym' contains 16 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
    75: 0000000000401206   100 FUNC    GLOBAL DEFAULT   13 winner
└─$ radare2 reg   
[0x004010b0]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x004010b0]> alf
Usage: a  [abdefFghoprxstc] [...]
| a                alias for aai - analysis information
| a*               same as afl*;ah*;ax*
| aa[?]            analyze all (fcns + bbs) (aa0 to avoid sub renaming)
| a8 [hexpairs]    analyze bytes
| ab[?]            analyze basic block
| ac[?]            manage classes
| aC[?]            analyze function call
| ad[?]            analyze data trampoline (wip)
| ad [from] [to]   analyze data pointers to (from-to)
| ae[?] [expr]     analyze opcode eval expression (see ao)
| af[?]            analyze functions
| aF               same as above, but using anal.depth=1
| ag[?] [options]  draw graphs in various formats
| ah[?]            analysis hints (force opcode size, ...)
| ai [addr]        address information (show perms, stack, heap, ...)
| aj               same as a* but in json (aflj)
| aL               list all asm/anal plugins (e asm.arch=?)
| an[?] [name]     show/rename/create whatever var/flag/function is used in current instruction
| ao[?] [len]      analyze Opcodes (or emulate it)
| aO[?] [len]      Analyze N instructions in M bytes
| ap               find prelude for current offset
| ar[?]            like 'dr' but for the esil vm. (registers)
| as[?] [num]      analyze syscall using dbg.reg
| av[?] [.]        show vtables
| avg[?] [.]       manage global variables
| ax[?]            manage refs/xrefs (see also afx?)
[0x004010b0]> s sym.winner
[0x00401206]> pdf
┌ 100: sym.winner ();
│           ; var char *s @ rbp-0x410
│           ; var file*stream @ rbp-0x8
│           0x00401206      55             push rbp
│           0x00401207      4889e5         mov rbp, rsp
│           0x0040120a      4881ec100400.  sub rsp, 0x410
│           0x00401211      488d3dec0d00.  lea rdi, str.Congratulations_ ; 0x402004 ; "Congratulations!" ; const char *s
│           0x00401218      e813feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0040121d      488d35f10d00.  lea rsi, [0x00402015]       ; "r" ; const char *mode
│           0x00401224      488d3dec0d00.  lea rdi, str.flag.txt       ; 0x402017 ; "flag.txt" ; const char *filename
│           0x0040122b      e870feffff     call sym.imp.fopen          ; file*fopen(const char *filename, const char *mode)
│           0x00401230      488945f8       mov qword [stream], rax
│           0x00401234      488b55f8       mov rdx, qword [stream]     ; FILE *stream
│           0x00401238      488d85f0fbff.  lea rax, [s]
│           0x0040123f      be00040000     mov esi, 0x400              ; 1024 ; int size
│           0x00401244      4889c7         mov rdi, rax                ; char *s
│           0x00401247      e824feffff     call sym.imp.fgets          ; char *fgets(char *s, int size, FILE *stream)
│           0x0040124c      488d85f0fbff.  lea rax, [s]
│           0x00401253      4889c7         mov rdi, rax                ; const char *s
│           0x00401256      e8d5fdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0040125b      488b45f8       mov rax, qword [stream]
│           0x0040125f      4889c7         mov rdi, rax                ; FILE *stream
│           0x00401262      e8d9fdffff     call sym.imp.fclose         ; int fclose(FILE *stream)
│           0x00401267      90             nop
│           0x00401268      c9             leave
└           0x00401269      c3             ret
[0x00401206]> quit
Cogeanu Marius
Cogeanu Marius
Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech.Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning.Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight.Discover more on


Please enter your comment!
Please enter your name here

Popular Articles