SpookyPass
We are given a binary called pass:
$ file pass
pass: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3008217772cc2426c643d69b80a96c715490dd91, for GNU/Linux 4.4.0, not stripped
If we run the program, it asks for a password:
$ ./pass
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: asdf
You're not a real ghost; clear off!
Solution
If we open the binary in IDA, we will see the following main function:
int __fastcall main(int argc, const char** argv, const char** envp) {
    unsigned int i;        // [rsp+4h] [rbp-BCh]
    char* v5;              // [rsp+8h] [rbp-B8h]
    char v6[8];            // [rsp+10h] [rbp-B0h] BYREF
    _BYTE v7[10];          // [rsp+18h] [rbp-A8h] BYREF
    __int64 v8;            // [rsp+22h] [rbp-9Eh]
    char s[136];           // [rsp+30h] [rbp-90h] BYREF
    unsigned __int64 v10;  // [rsp+B8h] [rbp-8h]

    v10 = __readfsqword(0x28u);  // stack canary
    *(_QWORD*) v6 = 0;
    memset(v7, 0, sizeof(v7));
    v8 = 0;
    puts("Welcome to the \x1B[1;3mSPOOKIEST\x1B[0m party of the year.");
    printf("Before we let you in, you'll need to give us the password: ");
    fgets(s, 128, _bss_start);   // IDA resolved stdin to the _bss_start symbol
    v5 = strchr(s, '\n');        // strip the trailing newline
    if (v5) {
        *v5 = '\0';
    }
    if (!strcmp(s, "s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5")) {
        puts("Welcome inside!");
        // v6, v7 and v8 are contiguous on the stack (8 + 10 + 8 = 26 bytes),
        // so this 26-byte copy from parts fills all three and builds the flag
        for (i = 0; i <= 0x19; ++i) {
            v6[i] = parts[i];
        }
        puts(v6);
    } else {
        puts("You're not a real ghost; clear off!");
    }
    return 0;
}
As can be seen, the program simply prints the message, reads user input with fgets and compares it with "s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5". Therefore, we only need to input this string and we are done.
There are other ways to solve this challenge. For instance, we can use strings, because the password is hard-coded in the binary and it does not get removed or transformed during compilation:
$ strings pass
/lib64/ld-linux-x86-64.so.2
fgets
...
Welcome to the
[1;3mSPOOKIEST
[0m party of the year.
Before we let you in, you'll need to give us the password:
s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
Welcome inside!
You're not a real ghost; clear off!
;*3$"
GCC: (GNU) 14.2.1 20240805
...
.bss
.comment
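Why strings recovers the password, and why the welcome line appears as three separate entries in the output above: a small strings-style extractor, added here as an example (not part of the original writeup), run over a constructed byte blob that mimics the relevant part of the binary's data section. It also applies a simple heuristic for spotting credential-like tokens, the kind of check worth running on your own release binaries before shipping.

```python
import re

# Constructed sample of a .rodata-like region, NOT the real binary: printable C
# strings separated by NUL bytes, with the ESC byte (0x1B) of the ANSI colour
# codes embedded exactly as the decompiled puts() call above shows.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"fgets\x00\x00\x00"
    + b"Welcome to the \x1b[1;3mSPOOKIEST\x1b[0m party of the year.\x00"
    + b"Before we let you in, you'll need to give us the password: \x00"
    + b"s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5\x00"
    + b"Welcome inside!\x00"
    + b"\x01\x02;*3$\"\x00"
    + b"GCC: (GNU) 14.2.1 20240805\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20..0x7E),
    which is what `strings` does by default. Any byte outside that range,
    including NUL and ESC, terminates a run, so "Welcome to the " and
    "[1;3mSPOOKIEST" come out as separate entries."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Heuristic for credential-like tokens: a single word of 16+ characters made of
# letters, digits and underscores that mixes letters and digits. Compiler
# banners, prompts and escape-code fragments contain spaces or punctuation and
# therefore never match; a leetspeak password like the one in this binary does.
SECRET_TOKEN = re.compile(r"[A-Za-z0-9_]{16,}")


def candidate_secrets(strs: list[str]) -> list[str]:
    """Filter extracted strings down to those that look like hard-coded secrets."""
    return [
        s for s in strs
        if SECRET_TOKEN.fullmatch(s)
        and any(c.isdigit() for c in s)
        and any(c.isalpha() for c in s)
    ]


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for s in found:
        print(s)
    print("credential-like:", candidate_secrets(found))
```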
Another way to solve this is using ltrace, which intercepts calls into external libraries, so we will see the strcmp password check. Yet another way is using GDB.
Flag
Anyway, if we input the password, we will get the flag:
$ ./pass
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
Welcome inside!
HTB{un0bfu5c4t3d_5tr1ng5}