<- REVERSING

SpookyPass

2 minutes to read

We are given a binary called pass:

$ file pass
pass: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3008217772cc2426c643d69b80a96c715490dd91, for GNU/Linux 4.4.0, not stripped

If we run the program, it asks for a password:

$ ./pass
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: asdf
You're not a real ghost; clear off!

Solution

If we open the binary in IDA, we will see the following main function:

int __fastcall main(int argc, const char** argv, const char** envp) {
  unsigned int i; // [rsp+4h] [rbp-BCh]
  char* v5; // [rsp+8h] [rbp-B8h]
  char v6[8]; // [rsp+10h] [rbp-B0h] BYREF
  _BYTE v7[10]; // [rsp+18h] [rbp-A8h] BYREF
  __int64 v8; // [rsp+22h] [rbp-9Eh]
  char s[136]; // [rsp+30h] [rbp-90h] BYREF
  unsigned __int64 v10; // [rsp+B8h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  *(_QWORD*) v6 = 0;
  memset(v7, 0, sizeof(v7));
  v8 = 0;
  puts("Welcome to the \x1B[1;3mSPOOKIEST\x1B[0m party of the year.");
  printf("Before we let you in, you'll need to give us the password: ");
  fgets(s, 128, _bss_start);
  v5 = strchr(s, '\n');

  if (v5) {
    *v5 = '\0';
  }

  if (!strcmp(s, "s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5")) {
    puts("Welcome inside!");

    for (i = 0; i <= 0x19; ++i) {
      v6[i] = parts[i];
    }

    puts(v6);
  } else {
    puts("You're not a real ghost; clear off!");
  }

  return 0;
}

As can be seen, the program simply prints the message, reads user input with fgets and compares it with "s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5". Therefore, we only need to input this string and we are done.

There are other ways to solve this challenge. For instance, we can uses strings, because this password is hard-coded in the code and it doesn’t get removed or transformed during compilation:

$ strings pass
/lib64/ld-linux-x86-64.so.2
fgets
...
Welcome to the
[1;3mSPOOKIEST
[0m party of the year.
Before we let you in, you'll need to give us the password:
s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
Welcome inside!
You're not a real ghost; clear off!
;*3$"
GCC: (GNU) 14.2.1 20240805
...
.bss
.comment

Another way to solve this is using ltrace, which catches function calls from external libraries, so we will see the password check. And even another way is using GDB.

Flag

Anyways, if we input the password, we will get the flag:

$ ./pass
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
Welcome inside!
HTB{un0bfu5c4t3d_5tr1ng5}