You Cant C Me
We have a binary called auth:
$ file auth
auth: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
If we run it, it asks for a key:
$ ./auth
Welcome!
We can enter some text and see that it is not correct:
$ ./auth
Insert key:
asdf
I said, you can't c me!
We can make use of ltrace to see every call to external functions (functions that belong to a library like Glibc):
$ ltrace ./auth
printf("Welcome!\n"Welcome!
) = 9
malloc(21) = 0x4056b0
fgets(
For example, it uses printf to print the message and fgets to read our input. If we enter some text, we see something really interesting:
$ ltrace ./auth
printf("Welcome!\n"Welcome!
) = 9
malloc(21) = 0x4056b0
fgets(asdf
"asdf\n", 21, 0x7ffff7fa9980) = 0x4056b0
strcmp("wh00ps!_y0u_d1d_c_m3", "asdf\n") = 22
printf("I said, you can't c me!\n"I said, you can't c me!
) = 24
+++ exited (status 0) +++
It is comparing our input with "wh00ps!_y0u_d1d_c_m3", so this is the key we need to enter:
$ ./auth
Welcome!
wh00ps!_y0u_d1d_c_m3
HTB{wh00ps!_y0u_d1d_c_m3}
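The call sequence from the ltrace output above, rebuilt as a small C program. This is an added example, not the challenge's own code; check_typed, first_diff and the use of tmpfile() as a stand-in for stdin are assumptions. It shows why the 20-character key still matches although fgets keeps the newline for shorter input, and where the 22 returned by strcmp for "asdf\n" comes from.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key string copied from the strcmp() line of the ltrace output. */
static const char KEY[] = "wh00ps!_y0u_d1d_c_m3";

/* Difference of the first differing bytes. Many strcmp() builds return
 * exactly this value; the C standard only guarantees its sign. */
int first_diff(const char *a, const char *b)
{
    while (*a && *a == *b) { a++; b++; }
    return (unsigned char)*a - (unsigned char)*b;
}

/* Assumed reconstruction of the traced check:
 * malloc(21), fgets(buf, 21, stdin), strcmp(key, buf).
 * `typed` is what the user types, including the Enter key. */
int check_typed(const char *typed)
{
    int ok = 0;
    FILE *in = tmpfile();            /* stand-in for stdin */
    char *buf = malloc(21);
    if (in && buf) {
        fputs(typed, in);
        rewind(in);
        /* fgets stores at most 20 bytes plus the terminating NUL, so a
         * 20-character key fills the buffer and the newline is never read.
         * Shorter input keeps its '\n', as in "asdf\n" in the trace. */
        if (fgets(buf, 21, in))
            ok = strcmp(KEY, buf) == 0;
    }
    free(buf);
    if (in) fclose(in);
    return ok;
}

int main(void)
{
    printf("key length          : %zu\n", strlen(KEY));
    printf("key + Enter         : %d\n", check_typed("wh00ps!_y0u_d1d_c_m3\n"));
    printf("asdf + Enter        : %d\n", check_typed("asdf\n"));
    printf("key + extra + Enter : %d\n", check_typed("wh00ps!_y0u_d1d_c_m3EXTRA\n"));
    printf("first_diff for asdf : %d\n", first_diff(KEY, "asdf\n"));
    return 0;
}
```

In this reconstruction any input that starts with the key passes, because fgets stops after 20 bytes. The 22 in the trace is 'w' (119) minus 'a' (97).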