THM: Classic Passwd
Classic Passwd
Practice your skills in reversing and get the flag bypassing the login
david@DESKTOP-ROP5TSG:/mnt/c/Temp$ gdb ./Challenge.Challenge
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Challenge.Challenge...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x12fa
(gdb) run
Starting program: /mnt/c/Temp/Challenge.Challenge
Breakpoint 1, 0x00000000080012fa in main ()
(gdb) disass main
Dump of assembler code for function main:
0x00000000080012f6 <+0>: push %rbp
0x00000000080012f7 <+1>: mov %rsp,%rbp
=> 0x00000000080012fa <+4>: mov $0x0,%eax
0x00000000080012ff <+9>: callq 0x8001185 <vuln>
0x0000000008001304 <+14>: mov $0x0,%eax
0x0000000008001309 <+19>: callq 0x8001289 <gfl>
0x000000000800130e <+24>: mov $0x0,%eax
0x0000000008001313 <+29>: pop %rbp
0x0000000008001314 <+30>: retq
End of assembler dump.
(gdb) break gfl
Breakpoint 2 at 0x800128d
(gdb) jump gfl
Continuing at 0x800128d.
Breakpoint 2, 0x000000000800128d in gfl ()
(gdb) disass gfl
Dump of assembler code for function gfl:
0x0000000008001289 <+0>: push %rbp
0x000000000800128a <+1>: mov %rsp,%rbp
=> 0x000000000800128d <+4>: sub $0x10,%rsp
0x0000000008001291 <+8>: movl $0x52c8d5,-0x4(%rbp)
0x0000000008001298 <+15>: jmp 0x80012e9 <gfl+96>
0x000000000800129a <+17>: cmpl $0x638a78,-0x4(%rbp)
0x00000000080012a1 <+24>: jne 0x80012e5 <gfl+92>
0x00000000080012a3 <+26>: movl $0x1474,-0x8(%rbp)
0x00000000080012aa <+33>: jmp 0x80012dc <gfl+83>
0x00000000080012ac <+35>: cmpl $0x2130,-0x8(%rbp)
0x00000000080012b3 <+42>: jne 0x80012d8 <gfl+79>
0x00000000080012b5 <+44>: mov -0x8(%rbp),%edx
0x00000000080012b8 <+47>: mov -0x4(%rbp),%eax
0x00000000080012bb <+50>: mov %eax,%esi
0x00000000080012bd <+52>: lea 0xd79(%rip),%rdi # 0x800203d
0x00000000080012c4 <+59>: mov $0x0,%eax
0x00000000080012c9 <+64>: callq 0x8001050 <printf@plt>
0x00000000080012ce <+69>: mov $0x0,%edi
0x00000000080012d3 <+74>: callq 0x8001080 <exit@plt>
0x00000000080012d8 <+79>: addl $0x1,-0x8(%rbp)
0x00000000080012dc <+83>: cmpl $0x270e,-0x8(%rbp)
0x00000000080012e3 <+90>: jle 0x80012ac <gfl+35>
0x00000000080012e5 <+92>: addl $0x1,-0x4(%rbp)
0x00000000080012e9 <+96>: cmpl $0x77d088,-0x4(%rbp)
0x00000000080012f0 <+103>: jle 0x800129a <gfl+17>
0x00000000080012f2 <+105>: nop
0x00000000080012f3 <+106>: nop
0x00000000080012f4 <+107>: leaveq
0x00000000080012f5 <+108>: retq
End of assembler dump.
(gdb) continue
Continuing.
THM{65235128496}[Inferior 1 (process 73) exited normally]
(gdb) q
I feel like I’ve missed something here.
Also I did inplainsight from Vulnhub but it wasn’t anything special so whatever.