Hunting License

category: reverse engineering

Platform: HTB

Difficulty: very easy

As usual, I started with the file command to see the info about this ELF.

Since the file was not stripped, I used strings to look for possible info about flags or passwords.

Since I wanted to see how and where the functions were called, I opened Ghidra. Here, I noticed the questionnaire begins with a "y" response, followed by the call to exam().

Inside the exam function, we can get the first password we need, which was hardcoded as "PasswordNumeroUno".

First password: PasswordNumeroUno

Then, the main function calls the reverse function with the following parameters: \0, t and 0xb (the length of the password). With that we gotta see what's inside this "t".

reverse(local_1c,t,0xb);

By converting the bytes of information inside t, manually or with help from Ghidra, we get

0 w T d r 0 w s s 4 P

By reversing this with a max length of 0x11 bytes we get the second password.

Second password: P4ssw0rdTw0

Then the main function calls xor with the following parameters: null string, t2, 0x11 and 0x13. From that, we need to see what's inside t2.

Taking into account how the reverse function is coded

It's possible to make a simple script to get the third password.

Third password: ThirdAndFinal!!!
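A sketch of such a script, added here as an example and not the script used in this write-up: it models both the reverse and xor calls and shows why secrets obfuscated this way are recoverable offline. The dump of t2 is not shown on the page, so the T2 bytes below are constructed from the third password stated above, and the single-byte XOR behaviour of xor() is assumed from its parameter list.

```python
"""Added example: recover the second and third passwords offline."""

# Bytes of `t` as listed in the write-up (11 = 0xb characters).
T = b"0wTdr0wss4P"

XOR_KEY = 0x13   # last argument of the xor() call in main
T2_LEN = 0x11    # length argument of the xor() call in main

# CONSTRUCTED sample: the write-up does not show the dump of `t2`, so it is
# rebuilt here from the third password stated on the page plus a NUL terminator.
T2 = bytes(b ^ XOR_KEY for b in b"ThirdAndFinal!!!\x00")


def reverse(src: bytes, length: int) -> bytes:
    """Model of reverse(dst, src, len): copy `length` bytes back to front."""
    if length > len(src):
        raise ValueError("length exceeds source buffer")
    return src[:length][::-1]


def xor(src: bytes, length: int, key: int) -> bytes:
    """Assumed model of xor(dst, src, len, key): XOR each byte with one key byte."""
    if length > len(src):
        raise ValueError("length exceeds source buffer")
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in src[:length])


def as_password(raw: bytes) -> str:
    """Cut at the first NUL, the way a C string comparison would."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def recover_passwords() -> tuple[str, str]:
    second = as_password(reverse(T, 0xB))
    third = as_password(xor(T2, T2_LEN, XOR_KEY))
    return second, third


if __name__ == "__main__":
    for label, value in zip(("Second", "Third"), recover_passwords()):
        print(f"{label} password: {value}")
```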

From here, we just gotta nc this and use the previous info we got.
