Classic Passwd

Practice your skills in reversing and get the flag bypassing the login

david@DESKTOP-ROP5TSG:/mnt/c/Temp$ gdb ./Challenge.Challenge
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Challenge.Challenge...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x12fa
(gdb) run
Starting program: /mnt/c/Temp/Challenge.Challenge

Breakpoint 1, 0x00000000080012fa in main ()
(gdb) disass main
Dump of assembler code for function main:
   0x00000000080012f6 <+0>:     push   %rbp
   0x00000000080012f7 <+1>:     mov    %rsp,%rbp
=> 0x00000000080012fa <+4>:     mov    $0x0,%eax
   0x00000000080012ff <+9>:     callq  0x8001185 <vuln>
   0x0000000008001304 <+14>:    mov    $0x0,%eax
   0x0000000008001309 <+19>:    callq  0x8001289 <gfl>
   0x000000000800130e <+24>:    mov    $0x0,%eax
   0x0000000008001313 <+29>:    pop    %rbp
   0x0000000008001314 <+30>:    retq
End of assembler dump.
(gdb) break gfl
Breakpoint 2 at 0x800128d
(gdb) jump gfl
Continuing at 0x800128d.

Breakpoint 2, 0x000000000800128d in gfl ()
(gdb) disass gfl
Dump of assembler code for function gfl:
   0x0000000008001289 <+0>:     push   %rbp
   0x000000000800128a <+1>:     mov    %rsp,%rbp
=> 0x000000000800128d <+4>:     sub    $0x10,%rsp
   0x0000000008001291 <+8>:     movl   $0x52c8d5,-0x4(%rbp)
   0x0000000008001298 <+15>:    jmp    0x80012e9 <gfl+96>
   0x000000000800129a <+17>:    cmpl   $0x638a78,-0x4(%rbp)
   0x00000000080012a1 <+24>:    jne    0x80012e5 <gfl+92>
   0x00000000080012a3 <+26>:    movl   $0x1474,-0x8(%rbp)
   0x00000000080012aa <+33>:    jmp    0x80012dc <gfl+83>
   0x00000000080012ac <+35>:    cmpl   $0x2130,-0x8(%rbp)
   0x00000000080012b3 <+42>:    jne    0x80012d8 <gfl+79>
   0x00000000080012b5 <+44>:    mov    -0x8(%rbp),%edx
   0x00000000080012b8 <+47>:    mov    -0x4(%rbp),%eax
   0x00000000080012bb <+50>:    mov    %eax,%esi
   0x00000000080012bd <+52>:    lea    0xd79(%rip),%rdi        # 0x800203d
   0x00000000080012c4 <+59>:    mov    $0x0,%eax
   0x00000000080012c9 <+64>:    callq  0x8001050 <printf@plt>
   0x00000000080012ce <+69>:    mov    $0x0,%edi
   0x00000000080012d3 <+74>:    callq  0x8001080 <exit@plt>
   0x00000000080012d8 <+79>:    addl   $0x1,-0x8(%rbp)
   0x00000000080012dc <+83>:    cmpl   $0x270e,-0x8(%rbp)
   0x00000000080012e3 <+90>:    jle    0x80012ac <gfl+35>
   0x00000000080012e5 <+92>:    addl   $0x1,-0x4(%rbp)
   0x00000000080012e9 <+96>:    cmpl   $0x77d088,-0x4(%rbp)
   0x00000000080012f0 <+103>:   jle    0x800129a <gfl+17>
   0x00000000080012f2 <+105>:   nop
   0x00000000080012f3 <+106>:   nop
   0x00000000080012f4 <+107>:   leaveq
   0x00000000080012f5 <+108>:   retq
End of assembler dump.
(gdb) continue
Continuing.
THM{65235128496}[Inferior 1 (process 73) exited normally]
(gdb) q

I feel like I’ve missed something here.

Also I did inplainsight from Vulnhub but it wasn’t anything special so whatever.