CTFtime.org

Authenticator

by evyatar9 / evyatar9

Tags: ida htb hackthebox cyberapocalypse2021 xor ghidra reversing ctf 

Rating:

# Full writeups for this challenge avaliable on [https://github.com/evyatar9/Writeups/blob/master/CTFs/2021-CTF_HackTheBox/Cyber_Apocalypse_2021/](https://github.com/evyatar9/Writeups/blob/master/CTFs/2021-CTF_HackTheBox/Cyber_Apocalypse_2021/)

# CTF HackTheBox 2021 Cyber Apocalypse 2021 - Authenticator

Category: Reversing, Points: 300

![info.JPG](https://github.com/evyatar9/Writeups/raw/master/CTFs/2021-CTF_HackTheBox/Cyber_Apocalypse_2021/Reversing-Authenticator/images/info.JPG)

Attached file: [authenticator](https://github.com/evyatar9/Writeups/blob/master/CTFs/2021-CTF_HackTheBox/Cyber_Apocalypse_2021/Reversing-Authenticator/authenticator)

# Authenticator Solution

Let's run the attached binary:
```console
┌─[evyatar@parrot]─[/ctf_htb/cyber_apocalypse/reversing/authenticator]
└──╼ $ ./authenticator

Authentication System ?

Please enter your credentials to continue.

Alien ID: 1111
Access Denied!
```

We can see the program check the user input and print message "Access Denied".

Let's try to observe the main function using Ghidra:
```c

undefined8 main(void)

{
int iVar1;
undefined8 uVar2;
long in_FS_OFFSET;
char local_58 [32];
char local_38 [40];
long local_10;

local_10 = *(long *)(in_FS_OFFSET + 0x28);
setbuf(stdout,(char *)0x0);
printstr(&DAT_00100bc3,0);
printstr("Please enter your credentials to continue.\n\n",0);
printstr("Alien ID: ",0);
fgets(local_58,0x20,stdin);
iVar1 = strcmp(local_58,"11337\n");
if (iVar1 == 0) {
printstr("Pin: ",0);
fgets(local_38,0x20,stdin);
uVar2 = checkpin(local_38);
if ((int)uVar2 == 0) {
printstr("Access Granted! Submit pin in the flag format: CHTB{fl4g_h3r3}\n",0);
}
else {
printstr("Access Denied!\n",1);
}
}
else {
printstr("Access Denied!\n",1);
}
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return 0;
}
```

So first, we can see the ```strcmp``` with our input ```local_58```:
```c
iVar1 = strcmp(local_58,"11337\n");
```

So if "Alien ID" equals to ```11337``` we can pass the first check.

Next, We can see the program ask for ```Pin``` then the program call to ```checkpin``` function with our input ```local_38```, If we enter incorrect pin we get the message "Access Denied!":
```c
printstr("Pin: ",0);
fgets(local_38,0x20,stdin);
uVar2 = checkpin(local_38);
if ((int)uVar2 == 0) {
printstr("Access Granted! Submit pin in the flag format: CHTB{fl4g_h3r3}\n",0);
}
else {
printstr("Access Denied!\n",1);
}
```

Let's observe on ```checkpin``` function:
```c

undefined8 checkpin(char *param_1)

{
size_t sVar1;
int local_24;

local_24 = 0;
while( true ) {
sVar1 = strlen(param_1);
if (sVar1 - 1 <= (ulong)(long)local_24) {
return 0;
}
if ((byte)("}a:Vh|}a:g}8j=}89gV

Original writeup (https://github.com/evyatar9/Writeups/tree/master/CTFs/2021-CTF_HackTheBox/Cyber_Apocalypse_2021/Reversing-Authenticator).

Comments