Penetrating Networks

Navid Fazle Rabbi
Sr. Security Researcher
Offensive Security Research
bKash Ltd.

TryHackMe | Reversing ELF

October 1, 2022

In this post, I will walk through the TryHackMe room Reversing ELF. The room features eight crackme challenges of increasing difficulty, aimed at beginners.

What is ELF?

Executable and Linkable Format (ELF, previously known as Extensible Linking Format) is a standard file format for executables, object code, shared libraries, and core dumps. First published in the System V Release 4 (SVR4) application binary interface (ABI) specification, and later in the Tool Interface Standard, it was rapidly adopted by Unix vendors. The 86open project selected it as the standard binary format for Unix and Unix-like systems on x86 processors in 1999.

Put simply, it is a binary executable format. An ELF file's program headers describe its segments, and those segments define how the process image is built when the file is executed. When the kernel loads the binary, it reads the program headers and maps each loadable (PT_LOAD) segment into the process's virtual address space, using the same machinery as the mmap(2) system call. In other words, the file tells the loader how its bytes become a memory image.
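To make the header and segment description above concrete, here is a small ELF64 parser that reads the fields file(1) and readelf -h / readelf -l report. This is an added example, not part of the original post or the room; the byte image it parses is constructed inline (a minimal header plus one PT_LOAD segment), so it runs offline without any crackme binary.

```python
import struct

# Layout of the ELF64 file header and program header (ELF spec), little-endian.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align, 56 bytes

E_TYPES = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object / PIE)", 4: "CORE (core dump)"}
E_MACHINES = {0x03: "Intel 80386", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}
P_TYPES = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR", 7: "TLS"}


def parse_elf64(data: bytes) -> dict:
    """Parse the ELF64 file header and program headers (what file(1) and readelf -h/-l show)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    (ident, e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    if ident[4] != 2 or ident[5] != 1:          # EI_CLASS == ELFCLASS64, EI_DATA == ELFDATA2LSB
        raise ValueError("this parser only handles 64-bit little-endian ELF")
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_align = struct.unpack_from(PHDR_FMT, data, off)
        segments.append({
            "type": P_TYPES.get(p_type, hex(p_type)),
            # PF_R = 4, PF_W = 2, PF_X = 1, rendered like readelf's "R-X"
            "flags": "".join(c if p_flags & b else "-" for c, b in (("R", 4), ("W", 2), ("X", 1))),
            "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz, "align": p_align,
        })
    return {"type": E_TYPES.get(e_type, hex(e_type)),
            "machine": E_MACHINES.get(e_machine, hex(e_machine)),
            "entry": e_entry, "segments": segments}


def build_sample_elf() -> bytes:
    """Construct a minimal ELF64 image with one R-X PT_LOAD segment (sample input, not a real crackme)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7   # class, data, version, OS ABI, ABI version, pad
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3e, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack(PHDR_FMT, 1, 5, 0, 0x400000, 0x400000, 0x78, 0x78, 0x1000)
    return ehdr + phdr   # 120 bytes == 0x78, matching p_filesz


if __name__ == "__main__":
    info = parse_elf64(build_sample_elf())
    print(f"ELF 64-bit LSB {info['type']}, {info['machine']}, entry 0x{info['entry']:x}")
    for s in info["segments"]:
        print(f"  {s['type']:8} {s['flags']} off=0x{s['offset']:x} vaddr=0x{s['vaddr']:x} "
              f"filesz=0x{s['filesz']:x} memsz=0x{s['memsz']:x} align=0x{s['align']:x}")
```

The same parse_elf64 function can be pointed at a real file (`parse_elf64(open("crackme1", "rb").read())`); an entry address, a PT_INTERP segment and a DYN type are the first things to look at before opening a binary in gdb or Ghidra.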

crackme1

The prompt says, “Let’s start with a basic warmup, can you run the binary?”

Before running it, let us first look at what the file is (the `file` utility reports the format, the architecture and whether the binary is stripped).

Now, let us attempt to run the file.

crackme2

The prompt says, “Find the super-secret password! and use it to obtain the flag”

Let us run the file first.

Running the file shows that it asks for a password. Let's run `strings` over the binary to see whether it contains anything useful, such as a hard-coded password.

One of the strings stands out as a likely password. Supplying it to the binary yields the flag.

crackme3

The prompt says, “Use basic reverse engineering skills to obtain the flag”.

Let’s try a similar approach by executing the binary first.

Running the file shows that a password is required here too. Let's run `strings` again to see if the file includes anything helpful.

One of the strings looks base64-encoded (only letters, digits, `+` and `/`, with `=` padding at the end). Let's try decoding it with `base64 -d`.
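The two steps used for crackme2 and crackme3 (dump printable strings, then spot and decode any base64-looking string) can be automated. The following is an added example and not the room's binary or the author's tooling: the byte blob it scans is constructed inline to imitate a small binary with a plaintext secret and a base64 token in .rodata, and the placeholder strings in it are made up.

```python
from __future__ import annotations

import base64
import re

# Constructed stand-in for a binary: an ELF magic, a few opaque code bytes, then .rodata-style strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x83\xec\x08\xe8\x00\x00"                          # opaque code bytes
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"Enter your password: \x00"
    + b"example_password\x00"                                  # plaintext secret (made-up value)
    + b"\x01\x02" + base64.b64encode(b"flag{constructed_example}") + b"\x00"
    + b"Access denied\x00"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Like strings(1): return every run of at least min_len printable ASCII bytes (0x20..0x7e)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def base64_candidates(strings: list[str]) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for strings that look like base64 and decode to printable text."""
    found = []
    for s in strings:
        if not B64_RE.match(s) or len(s) % 4:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:                      # binascii.Error is a ValueError subclass
            continue
        if raw and all(0x20 <= b <= 0x7e for b in raw):
            found.append((s, raw.decode("ascii")))
    return found


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    print("strings:", strs)
    for enc, dec in base64_candidates(strs):
        print(f"base64 candidate {enc!r} -> {dec!r}")
```

Real binaries produce far more noise (library paths, format strings, symbol names), so the base64 filter deliberately requires the whole string to be valid base64 and the decoded bytes to be printable; anything else is left for manual review.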

crackme4

The prompt says, “Analyze and find the password for the binary?”

Executing the binary first.

The binary's output hints that it compares the input with the strcmp function. We will use gdb as the debugger for this one.

There are several interesting function names, such as main, get_pwd, and compare_pwd. Given the hint, the function we care about is strcmp@plt. We can assume that strcmp() compares the entered password with the correct one, so we place a breakpoint on that function's address in gdb and run the binary with some test input.

In software development, a breakpoint is a place in a program where it stops or pauses on purpose. This is done for debugging and to learn more about the program as it runs.

Let’s take a look at the registers now.

We can see that both rax and rdx, which are general-purpose registers, hold memory addresses. rax is where a function's return value is placed, and rdx is a caller-saved scratch register (it also carries the third integer argument). Under the System V AMD64 calling convention, the two strings strcmp compares arrive in rdi and rsi; unoptimised code typically loads them through rax and rdx first, which is why those registers also point at the strings here. At the breakpoint, `x/s $rdi` and `x/s $rsi` print both operands, one being our input and the other the expected password.

Reference: https://www.cs.uaf.edu/2017/fall/cs301/lecture/09_11_registers.html

crackme5

The prompt says, “What will be the input of the file to get output Good game?”

Executing the binary.

Now let's get a feel for the program. The question asks for the input that produces "Good Game", so the program presumably compares what we type against a value in one of its functions. We use the same strategy as in crackme4.

This time the program uses strncmp@plt. Let's put a breakpoint at that address. strncmp(s1, s2, n) takes its two strings in rdi and rsi and the length n in rdx, so the same register inspection works.

crackme6

The prompt says, “Analyze the binary for the easy password”.

Let us execute the binary.

If we run the ELF binary without a password, it tells us to look at the source code. For this task we will use Ghidra, the NSA's open-source software reverse engineering (SRE) suite. Loading crackme6 into Ghidra and running analysis gives us its decompiler output, which is C-like pseudocode reconstructed from the machine code rather than the original source, but close enough for our purpose.

We can see the following functions.

The main function has the following code.

We can see that the input is passed to the compare_pwd function. Let's look at what that function does:

Here we can see that it forwards the input to another function named my_secure_test. Looking into that function:

The decompiled body of this function is a chain of if statements, each checking that one position of the input matches a specific character and returning failure otherwise. Reading the compared characters off in index order and joining them back into one string gives the expected password.
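Reading the characters off by hand is fine for a short password, but it is error-prone for longer ones, and Ghidra sometimes renders a character as a hex constant rather than a char literal. The following added example (not the room's code or the post's own) parses decompiler-style `if (buf[i] != c) return ...;` checks and reassembles the string. The decompiled text it parses is a constructed sample modelled on Ghidra's output; the string it encodes is made up and is not the room's password. It assumes a single buffer is compared with `!=` and that a comparison against '\0' marks the end.

```python
import ast
import re

# Constructed sample modelled on Ghidra decompiler output for a per-character check
# (not the room's binary; the encoded string is made up).
DECOMPILED = r"""
undefined8 my_secure_test(char *input)
{
  if ((input == (char *)0x0) || (*input == '\0')) {
    return 0xffffffff;
  }
  if (*input != 'c') {
    return 0xffffffff;
  }
  if (input[1] != '0') {
    return 0xffffffff;
  }
  if (input[2] != 'n') {
    return 0xffffffff;
  }
  if (input[3] != 0x35) {
    return 0xffffffff;
  }
  if (input[4] != 't') {
    return 0xffffffff;
  }
  if (input[5] != '\0') {
    return 0xffffffff;
  }
  return 0;
}
"""

# Matches   *var != X   and   var[N] != X   where X is a C char literal ('c', '\0') or a number (0x35, 53).
CMP_RE = re.compile(
    r"(?:\*\s*(?P<deref>\w+)|(?P<var>\w+)\s*\[\s*(?P<idx>\d+)\s*\])"
    r"\s*!=\s*(?P<val>'(?:\\.|[^'\\])'|0x[0-9a-fA-F]+|\d+)"
)


def _char_value(token: str) -> int:
    """Turn a C char literal or numeric literal into its byte value."""
    if token.startswith("'"):
        return ord(ast.literal_eval(token))   # Python's escapes cover '\0', '\n', '\\', '\''
    return int(token, 0)                       # handles 0x.. and plain decimal


def recover_string(decompiled: str) -> str:
    """Rebuild the expected input from a chain of `if (buf[i] != c) return ...;` checks.

    Positions that are never compared are reported as '?'; a comparison against '\0'
    fixes the required string length.
    """
    chars = {}
    end = None
    for m in CMP_RE.finditer(decompiled):
        idx = 0 if m.group("deref") else int(m.group("idx"))   # *buf is buf[0]
        value = _char_value(m.group("val"))
        if value == 0:
            end = idx if end is None else min(end, idx)
        else:
            chars[idx] = chr(value)
    length = end if end is not None else (max(chars) + 1 if chars else 0)
    return "".join(chars.get(i, "?") for i in range(length))


if __name__ == "__main__":
    print(recover_string(DECOMPILED))
```

To use it on a real function, copy the decompiler window's text into a file and call recover_string on its contents; a '?' in the result means that position is checked some other way (a length test, an arithmetic relation between characters) and needs a manual look.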

crackme7

The prompt says, “Analyze the binary to get the flag”.

Let us first execute the binary.

Opening the binary in Ghidra and looking at the decompiled main function, we can see a series of if/else statements that check the number entered by the user and branch on it.

One branch is not offered in the menu: it calls a function named giveFlag(), and it is taken when the entered number equals the hex constant 0x7a69. Entering that value in decimal, 31337, is how we get the flag.

crackme8

The prompt again says, “Analyze the binary and obtain the flag”.

Executing the binary.

Spinning up Ghidra to analyze the source code.

We can see that the program uses the atoi() function: the input is passed through atoi() and the result is then compared with -0x35010ff3. atoi() is the C library function that converts a string to an int; it skips leading whitespace, accepts an optional sign, and stops at the first non-digit. Because the comparison is done on a signed 32-bit int, the value we need to type is that constant in signed decimal, -889262067, and the binary hands over the flag.
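Both crackme7 and crackme8 come down to turning a constant seen in the decompiler into the text that atoi() will map to it, and the negative constant in crackme8 is where people trip up. This added example (not the room's code) emulates atoi() and the 32-bit wrap-around of a C int, then derives the input for any constant written the way Ghidra prints it. The "glibc behaves like (int)strtol()" note in the comments describes common practice on x86-64 Linux; the C standard leaves out-of-range atoi() input undefined.

```python
import re

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_int32(value: int) -> int:
    """Wrap an arbitrary integer into two's-complement 32-bit range (what a C int holds)."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def c_atoi(s: str) -> int:
    """Emulate C atoi(): skip leading whitespace, optional sign, digits up to the first non-digit.

    Out-of-range input is undefined behaviour in C; glibc on x86-64 implements atoi() as
    (int)strtol(), so a value that fits in a 64-bit long is simply truncated to 32 bits,
    which is what to_int32 reproduces here.
    """
    m = re.match(r"\s*([+-]?)(\d*)", s)
    sign, digits = m.group(1), m.group(2)
    if not digits:
        return 0
    return to_int32(int(digits) * (-1 if sign == "-" else 1))


def ghidra_constant_to_int(text: str) -> int:
    """Parse a decompiler constant such as '0x7a69' or '-0x35010ff3' into the C int it denotes."""
    return to_int32(int(text.strip(), 0))


def password_for(constant: str) -> str:
    """Decimal string which, fed through atoi(), equals the decompiled comparison constant."""
    target = ghidra_constant_to_int(constant)
    candidate = str(target)
    assert c_atoi(candidate) == target, "round trip through atoi() failed"
    return candidate


if __name__ == "__main__":
    for const in ("0x7a69", "-0x35010ff3"):
        print(f"{const} -> type {password_for(const)}")
```

Note that the unsigned rendering of the same bit pattern (4294967296 - 889262067 = 3405705229) also satisfies the comparison on glibc/x86-64 because of the truncation described above, but the signed decimal is the portable answer and the one the room expects.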

Conclusion

I found these tasks entertaining and approachable for anyone interested in learning how to reverse ELF binaries. They cover the fundamentals (identifying the file, dumping strings, breaking on comparison functions in gdb, and reading decompiler output in Ghidra) and introduce the tools step by step, which makes the room a good starting point for beginners.
