THM: Classic Passwd

Tue, Feb 09, 2021

Classic Passwd: Practice your skills in reversing and get the flag bypassing the login.

```
david@DESKTOP-ROP5TSG:/mnt/c/Temp$ gdb ./Challenge.Challenge
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Challenge.Challenge...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x12fa
(gdb) run
Starting program: /mnt/c/Temp/Challenge.Challenge

Breakpoint 1, 0x00000000080012fa in main ()
(gdb) disass main
Dump of assembler code for function main:
   0x00000000080012f6 <+0>:     push   %rbp
   0x00000000080012f7 <+1>:     mov    %rsp,%rbp
=> 0x00000000080012fa <+4>:     mov    $0x0,%eax
   0x00000000080012ff <+9>:     callq  0x8001185 <vuln>
   0x0000000008001304 <+14>:    mov    $0x0,%eax
   0x0000000008001309 <+19>:    callq  0x8001289 <gfl>
   0x000000000800130e <+24>:    mov    $0x0,%eax
   0x0000000008001313 <+29>:    pop    %rbp
   0x0000000008001314 <+30>:    retq
End of assembler dump.
(gdb) break gfl
Breakpoint 2 at 0x800128d
(gdb) jump gfl
Continuing at 0x800128d.

Breakpoint 2, 0x000000000800128d in gfl ()
(gdb) disass gfl
Dump of assembler code for function gfl:
   0x0000000008001289 <+0>:     push   %rbp
   0x000000000800128a <+1>:     mov    %rsp,%rbp
=> 0x000000000800128d <+4>:     sub    $0x10,%rsp
   0x0000000008001291 <+8>:     movl   $0x52c8d5,-0x4(%rbp)
   0x0000000008001298 <+15>:    jmp    0x80012e9 <gfl+96>
   0x000000000800129a <+17>:    cmpl   $0x638a78,-0x4(%rbp)
   0x00000000080012a1 <+24>:    jne    0x80012e5 <gfl+92>
   0x00000000080012a3 <+26>:    movl   $0x1474,-0x8(%rbp)
   0x00000000080012aa <+33>:    jmp    0x80012dc <gfl+83>
   0x00000000080012ac <+35>:    cmpl   $0x2130,-0x8(%rbp)
   0x00000000080012b3 <+42>:    jne    0x80012d8 <gfl+79>
   0x00000000080012b5 <+44>:    mov    -0x8(%rbp),%edx
   0x00000000080012b8 <+47>:    mov    -0x4(%rbp),%eax
   0x00000000080012bb <+50>:    mov    %eax,%esi
   0x00000000080012bd <+52>:    lea    0xd79(%rip),%rdi        # 0x800203d
   0x00000000080012c4 <+59>:    mov    $0x0,%eax
   0x00000000080012c9 <+64>:    callq  0x8001050 <printf@plt>
   0x00000000080012ce <+69>:    mov    $0x0,%edi
   0x00000000080012d3 <+74>:    callq  0x8001080 <exit@plt>
   0x00000000080012d8 <+79>:    addl   $0x1,-0x8(%rbp)
   0x00000000080012dc <+83>:    cmpl   $0x270e,-0x8(%rbp)
   0x00000000080012e3 <+90>:    jle    0x80012ac <gfl+35>
   0x00000000080012e5 <+92>:    addl   $0x1,-0x4(%rbp)
   0x00000000080012e9 <+96>:    cmpl   $0x77d088,-0x4(%rbp)
   0x00000000080012f0 <+103>:   jle    0x800129a <gfl+17>
   0x00000000080012f2 <+105>:   nop
   0x00000000080012f3 <+106>:   nop
   0x00000000080012f4 <+107>:   leaveq
   0x00000000080012f5 <+108>:   retq
End of assembler dump.
(gdb) continue
Continuing.
THM{65235128496}[Inferior 1 (process 73) exited normally]
(gdb) q
```

I feel like I've missed something here. Also I did inplainsight from Vulnhub but it wasn't anything special so whatever.
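A C reconstruction of the `gfl` disassembly above, added here as an example and not code from the original post or the challenge: it shows that the two values handed to `printf` are fixed constants reached by counting loops, so the flag never depends on what `vuln()` checks, which is why jumping straight to `gfl` prints it. The format string at 0x800203d is not visible in the transcript; `THM{%d%d}` is an assumption that reproduces the observed output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants lifted from the gfl disassembly in the gdb session. */
#define OUTER_START 0x52c8d5   /* movl $0x52c8d5,-0x4(%rbp) */
#define OUTER_LAST  0x77d088   /* cmpl $0x77d088,-0x4(%rbp); jle */
#define OUTER_MATCH 0x638a78   /* cmpl $0x638a78,-0x4(%rbp); jne */
#define INNER_START 0x1474     /* movl $0x1474,-0x8(%rbp) */
#define INNER_LAST  0x270e     /* cmpl $0x270e,-0x8(%rbp); jle */
#define INNER_MATCH 0x2130     /* cmpl $0x2130,-0x8(%rbp); jne */

/* Mirrors gfl's two counting loops. Returns 1 and stores the values that
 * reach printf (%esi = outer, %edx = inner); returns 0 if the loops run
 * out, which would be the 'leaveq; retq' path with nothing printed. */
int gfl_search(int *outer, int *inner)
{
    for (int i = OUTER_START; i <= OUTER_LAST; i++) {        /* -0x4(%rbp) */
        if (i != OUTER_MATCH)                                /* jne gfl+92 */
            continue;
        for (int j = INNER_START; j <= INNER_LAST; j++) {    /* -0x8(%rbp) */
            if (j != INNER_MATCH)                            /* jne gfl+79 */
                continue;
            *outer = i;
            *inner = j;
            return 1;   /* the binary calls printf and then exit(0) here */
        }
    }
    return 0;
}

/* Builds the flag string. "THM{%d%d}" is an ASSUMED format string chosen
 * to match the observed THM{65235128496}; the real one lives at 0x800203d. */
int build_flag(char *buf, size_t len)
{
    int outer, inner;
    if (!gfl_search(&outer, &inner))
        return 0;
    return snprintf(buf, len, "THM{%d%d}", outer, inner) > 0;
}

int main(void)
{
    char flag[32];
    if (build_flag(flag, sizeof flag))
        puts(flag);   /* prints THM{65235128496} */
    return 0;
}
```

Reading the constants in decimal (0x638a78 = 6523512, 0x2130 = 8496) already gives the flag without running anything, which is the static-analysis shortcut the gdb jump skips past.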