HTB – Hack the Box – Reg: A Technical Deep Dive
Welcome to another installment of our “HTB – Hack the Box Series” (HTB Series). In this guide, we’ll explore the ‘Reg’ challenge, focusing on its technical aspects and the steps to conquer it.
Initial Analysis and Setup
The ‘Reg’ challenge in Hack The Box offers a complex scenario for cybersecurity enthusiasts. This section covers the initial steps of setting up and analyzing the binary file.
Unzipping and Analyzing the Binary
Security Mechanisms and Vulnerabilities
Understanding the security mechanisms in place is crucial. The following commands reveal the protections enabled and potential vulnerabilities.
String Analysis and Execution
String analysis often gives insights into the binary’s functionality. Here’s how we probe deeper:
Behind-the-Scenes Analysis with Ltrace
Using ‘ltrace’, we can observe the runtime library calls, which is pivotal for understanding the binary’s behavior.
Advanced Analysis with Tools
Tools like Ghidra and Radare2 are invaluable for a more in-depth analysis. They reveal the inner workings of the binary, guiding our exploit strategy.Conclusion
This technical walkthrough of the ‘Reg’ challenge in Hack The Box highlights the importance of a systematic approach in cybersecurity. Stay tuned for more challenges in our series.
Step-by-Step detailed tutorial
┌──(toor㉿kali)-[~/Downloads] └─$ unzip Reg.zip Archive: Reg.zip [Reg.zip] reg password: inflating: reg
┌──(toor㉿kali)-[~/Downloads] └─$ file reg reg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=134349a67c90466b7ce51c67c21834272e92bdbf, for GNU/Linux 3.2.0, not stripped
- checksec will tell us what protection is enabled, in this case NX enabled
┌──(toor㉿kali)-[~/Downloads] └─$ checksec --file=reg RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 80 Symbols No 0 3 reg
- check for the strings
┌──(toor㉿kali)-[~/Downloads] └─$ strings -n 10 reg /lib64/ld-linux-x86-64.so.2 __libc_start_main GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable []A\A]A^A_ Congratulations! Enter your name : Registered! GCC: (GNU) 10.2.0 ....
- make the file executable and run the file
┌──(toor㉿kali)-[~/Downloads] └─$ chchmod +x reg chchmod: command not found ┌──(toor㉿kali)-[~/Downloads] └─$ chmod +x reg ┌──(toor㉿kali)-[~/Downloads] └─$ ./reg Enter your name : MyName Registered!
- using ltrace to see what is happyning behind the scene
┌──(toor㉿kali)-[~/Downloads] └─$ ltrace ./reg alarm(30) = 0 setvbuf(0x7f15393f5760, 0, 2, 0) = 0 setvbuf(0x7f15393f5680, 0, 2, 0) = 0 setvbuf(0x7f15393f4a80, 0, 2, 0) = 0 printf("Enter your name : "Enter your name : ) = 18 gets(0x7ffc13f4d7e0, 0x7ffc13f4b6c0, 0, 0MyName ) = 0x7ffc13f4d7e0 puts("Registered!"Registered! ) = 12 +++ exited (status 0) +++
use ghidra to poke arround and search for strings
┌──(toor㉿kali)-[~/Downloads] └─$ ghidra Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
┌──(toor㉿kali)-[~/Downloads] └─$ readelf -s reg Symbol table '.dynsym' contains 16 entries: Num: Value Size Type Bind Vis Ndx Name 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND ... 75: 0000000000401206 100 FUNC GLOBAL DEFAULT 13 winner ...
┌──(toor㉿kali)-[~/Downloads] └─$ radare2 reg [0x004010b0]> aaaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Finding and parsing C++ vtables (avrr) [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information (aanr) [x] Finding function preludes [x] Enable constraint types analysis for variables [0x004010b0]> alf Usage: a [abdefFghoprxstc] [...] | a alias for aai - analysis information | a* same as afl*;ah*;ax* | aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) | a8 [hexpairs] analyze bytes | ab[?] analyze basic block | ac[?] manage classes | aC[?] analyze function call | ad[?] analyze data trampoline (wip) | ad [from] [to] analyze data pointers to (from-to) | ae[?] [expr] analyze opcode eval expression (see ao) | af[?] analyze functions | aF same as above, but using anal.depth=1 | ag[?] [options] draw graphs in various formats | ah[?] analysis hints (force opcode size, ...) | ai [addr] address information (show perms, stack, heap, ...) | aj same as a* but in json (aflj) | aL list all asm/anal plugins (e asm.arch=?) | an[?] [name] show/rename/create whatever var/flag/function is used in current instruction | ao[?] [len] analyze Opcodes (or emulate it) | aO[?] [len] Analyze N instructions in M bytes | ap find prelude for current offset | ar[?] like 'dr' but for the esil vm. (registers) | as[?] [num] analyze syscall using dbg.reg | av[?] [.] show vtables | avg[?] [.] manage global variables | ax[?] manage refs/xrefs (see also afx?) [0x004010b0]> s sym.winner [0x00401206]> pdf ┌ 100: sym.winner (); │ ; var char *s @ rbp-0x410 │ ; var file*stream @ rbp-0x8 │ 0x00401206 55 push rbp │ 0x00401207 4889e5 mov rbp, rsp │ 0x0040120a 4881ec100400. sub rsp, 0x410 │ 0x00401211 488d3dec0d00. lea rdi, str.Congratulations_ ; 0x402004 ; "Congratulations!" ; const char *s │ 0x00401218 e813feffff call sym.imp.puts ; int puts(const char *s) │ 0x0040121d 488d35f10d00. lea rsi, [0x00402015] ; "r" ; const char *mode │ 0x00401224 488d3dec0d00. lea rdi, str.flag.txt ; 0x402017 ; "flag.txt" ; const char *filename │ 0x0040122b e870feffff call sym.imp.fopen ; file*fopen(const char *filename, const char *mode) │ 0x00401230 488945f8 mov qword [stream], rax │ 0x00401234 488b55f8 mov rdx, qword [stream] ; FILE *stream │ 0x00401238 488d85f0fbff. lea rax, [s] │ 0x0040123f be00040000 mov esi, 0x400 ; 1024 ; int size │ 0x00401244 4889c7 mov rdi, rax ; char *s │ 0x00401247 e824feffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) │ 0x0040124c 488d85f0fbff. lea rax, [s] │ 0x00401253 4889c7 mov rdi, rax ; const char *s │ 0x00401256 e8d5fdffff call sym.imp.puts ; int puts(const char *s) │ 0x0040125b 488b45f8 mov rax, qword [stream] │ 0x0040125f 4889c7 mov rdi, rax ; FILE *stream │ 0x00401262 e8d9fdffff call sym.imp.fclose ; int fclose(FILE *stream) │ 0x00401267 90 nop │ 0x00401268 c9 leave └ 0x00401269 c3 ret ^C [0x00401206]> [0x00401206]> quit ┌──(toor㉿kali)-[~/Downloads] └─$
- Pwndbg + GEF + Peda – One for all, and all for one
- CyberCogeanu has successfully pwned Reg Challenge from Hack The Box