Hissss [easy] - HackTheBox Reversing Challenge

Captions
In this video we're going to take a look at the Hissss challenge on HackTheBox. It's an easy reversing challenge, and the description says "can you slither around the authentication?". So, as usual, let's download the file to our local directory and we'll go through some basic file checks. Let's start by making the file executable so we can run it, and we'll have a look at the file type as well: it's a 64-bit LSB pie executable, it's stripped, so we'll not be able to see function names and things like that, but it's a Linux binary anyway. Let's have a look at the strings as well, just to see if there's anything interesting. We might see a password or something in here, we might get an idea of what the program's doing, or we might just find part of the flag. In this case there's quite a lot of strings, so let's try that again and do grep -i pass to see if there's any passwords. There isn't, but we see this _MEIPASS2 and it mentions a PyObject as well, which is interesting. So let's try and run the program and see what we get: run auth, and we get this error, "error loading Python lib", and it's trying to load this libpython3 from our /tmp folder. Let's see if we've got anything there: no such file or directory. Okay, and we also have this GLIBC_2.32 not found. Let's have a look: ldd --version. So we're running 2.31 and this is looking for 2.32 libc. Okay. I did have a look whenever I was trying to solve this, I had a bit of a look around online trying to see if we could fix this error, but let's just go ahead and create a new project in Ghidra, and we're going to have a look at the decompiled code and disassembled code first of all. I'll just skip through this process a little bit because it's quite slow.

With Ghidra open we have our program trees here, so we can see we have access to our global offset table and our data sections of the file and stuff like that. We have our symbol tree here, so we can go and have a look at the functions, we can have a look at what's being imported and exported, and we're going to want to go straight to our entry function here, unless there's a main method. In this case we know that the program was stripped, so the function names and stuff were removed; you can see we have FUN_00102, which isn't very easy to determine what it's doing, so we go straight to the entry function. We can see that this function is called; let's try and open this up, and we can see this _MEIPASS2 string again. We could go and have a look through some of these functions and try and determine what they're doing. What I did here was to search for strings, and if you're going to have a look for the strings: what did we see as the error whenever we tried to run it? Let's try and run auth; we get this "error loading Python", so let's put in here "python", and you can see we've got this "error loading Python" which is right here, and we can see it's being referenced at this function. So this is the error that we ran into, error loading this Python library, and we could go and have a look at that and see what that function was doing. We could go back and see where this function is referenced, so at what point was this called? We have this unconditional call to that function, and we can kind of trace our way back through the program. We could also just go and have a look through some of these functions, but you'll quickly see that there's a lot there to deal with. Because we're seeing some mentions of Python, which is interesting in a Linux binary, and we keep seeing that string _MEIPASS2, at this point I basically went online and did a bit of research to try and find out what some of these strings and libraries could be referring to. So let's go and have a look for _MEIPASS2 and see what we get. Without even clicking on any of these links we can see that PyInstaller is mentioned quite a bit, and we can see that _MEIPASS is an environment variable. We could go and click on one of the links; let's have a look at the Stack Overflow question, which was asked over four years ago, asking what _MEIPASS stands for, and the answer is it comes from PyInstaller's ancestor, McMillan Enterprise Installer.

So at this point we could go and have a look for some previous write-ups. We could search for something like "ctf _MEIPASS2", and you can see we've got some write-ups here, which I mentioned. We could do the same and search for PyInstaller and maybe find some different write-ups, and while we're not likely to find something which gives us all the same steps, we might find a write-up which gives us an idea of what sort of tools to look at or some techniques we could use to analyse files that have been compiled with PyInstaller. In my case, let me just open up the link that I went to: this is a solution for a crackme challenge and it also used PyInstaller. You can see the _MEIPASS string was used here, and you'll see that they use pyinstxtractor to unpack and decompile the Python code. So if we go and take a look at this, we can see in the description here it says this is the Python script to extract the contents of a PyInstaller-generated Windows executable file. Now we're dealing with a Linux binary, so if we go and have a look at the GitHub here, it says the same thing, it's for Windows executable files, and it tells us that we can run this script and then it'll generate the compiled code that we can then go and decompile with a decompiler like uncompyle6. So we need to get these pyc files. I actually didn't see initially the section down here which says pyinstxtractor can now natively extract Linux ELF binaries without other additional tools, so at the time of me solving this I was googling around a little bit and I found pydecipher, which could also be used to do the same sort of thing. Let me just show how I went through it, and then we'll go and use pyinstxtractor, because that will also work.

So we have this pydecipher, which you can install with pip, I believe, so let me just do python -m pip install pydecipher, and let's try and run this and see if this works for us: pydecipher, and we pass in auth, and you'll see here we get this "artifact produced no additional output". We can try and run it with -v and we get some errors here, so let me see, did that produce anything? It didn't. So again, with a little more research online, I found that we can use 7z to extract auth. Let's try that. And what has that produced? We now have this pydata. Let's do file pydata, and it's zlib compressed data, and now we can try and run pydecipher on that instead, so we'll run pydecipher pydata and hopefully this time it'll successfully grab everything. It looks like it did, although we have an error here with auth.pyc, but let's have a look at the pydecipher output. We've got plenty of files in here; we could have a look and see what we have that's .pyc. These are the Python byte-compiled code, and one of them is auth.pyc. Let's try and print it out. Because it's compiled we can't see the original Python code, so it's not enough for us to work out what the password is, but we can see that this is the right file and it will produce the flag if we can work out what the correct password is. So now we want to try and actually decompile these files, but let me just go back first of all. I'm going to remove that folder and do it this time with pyinstxtractor, because we don't need to use pydecipher to do this. Let me remove the null and the pydata, and let's go and try this with pyinstxtractor. This is just a simple Python script that we can go and download; let's get the raw file with wget, and let's run python pyinstxtractor.py and pass in auth. We do that and it extracts everything fine. Let's go and have a look at it: auth_extracted, and again we've got our pyc files, including auth.pyc.

So, as we were told in the instructions here, once we have our pyc file we should be able to use uncompyle6 to decompile it, and we can see the GitHub for this here. Again, you can just use pip install to get this installed, and then we should just be able to run uncompyle6 and pass in the pyc file, and that will give us the original Python code. So let's actually try it: uncompyle6, and we'll pass in auth.pyc, and you'll see here it says it requires Python 2.6 to 3.8. Now, I have a lot of problems with Python installs. Let me see what we're running here: python --version. You see I've got Python 3.9.2, so that's why this isn't working, and even if I install Python 3.8 I'm not able to get this working. Let me actually just show: I can install Python 3.8, if we happen to install this. I moved from Kali Linux myself to Parrot OS, and the reason I actually switched is because I was having so many problems with the Python installs, so I decided to switch over and start using virtual environments, which I have done. But unfortunately, let me just try and run here python3.8 -m pip install uncompyle6, and we get this error, distutils.util. I tried copying these over from the Python 3.9 install to 3.8, which didn't work. I basically tried installing every Python 3.8 package out there; whenever I try setting these up as virtual environments as well, I run into similar problems. So I actually spent probably about an hour trying to fix Python issues here and wasn't able to get this solved. So if anybody's got any tips on dealing with Python installs in Parrot, let me know, because I thought things would be a lot easier once you start using virtual environments, but virtual environments aren't much good if you're not able to actually install them. So if I do here virtualenv -p and then we could try and say python3.8, or we could try and say bin/python3.8, again I get these problems with distutils. But yeah, I eventually gave up on that; if anybody knows how to fix that, let me know.

Another way that we can just decompile this code is to go to decompiler.com, and you can see here that it'll actually take pyc files. So we can go and choose file, let's go and grab auth.pyc, and it runs through that. We've got this auth.py file to download: download file, and you can see it's zero bytes. Let me open that up: zero, okay, so there's nothing actually in that. Whenever I tried this I got a slightly different result, but it still didn't have any code in it. Whenever I did this initially I had extracted it with pydecipher rather than pyinstxtractor, and whenever I uploaded that pyc file I did have some comments in there, but not code. Either way, there's some problems with decompiling that, so let's see how we can solve the challenge without decompiling the Python file. There'll be a few different tools to do this as well; let's go and search for "python disassemble code". So we know that, kind of like we have in Ghidra here, what we're trying to get is this original decompiled code, or, well, even better than what we see here, because this is kind of rough; this isn't a great example. We can see here this is a rough decompilation, so it's giving you kind of pseudocode; you can't just recompile this and get the same result, or expect it to even compile. And then on our left we have the disassembled code. So if we're not able to get the decompiled code and get our original Python script, let's at least try and get something like this on the left, so that we can manually go through and work out what's going on. And yeah, if you google this, we'll see there's a couple of tools to do it. We've got this Python disassembler here; I used pydisasm, and if we pass in auth.pyc you see it runs through and we've got our disassembled code here. It's not particularly easy to read, it's not as nice as looking at a Python script, but hopefully it'll be enough for us to get the flag. So let's send this to a file; I'll just call this "disassembled", and let's open up disassembled and go and try and work through it.

I do wish there was a bit of syntax highlighting in here though. Let me have a look to see if there's any extensions which we can use to highlight this. Okay, let's try and install this and just see if it gives us a better look at this. I guess I'll need to rename the file actually; let me close this down and I'm going to move disassembled to disasm.asm and open disasm.asm. All right, that's looking a little bit better. I don't know whether I actually needed that extension, but there we go. So let's try and step through some of this code. I'll try and do it in as structured a way as possible, because whenever I was solving this it seemed quite chaotic and my notes are a bit of a mess, but we'll see how it goes. I don't know too much about Python disassembly, but a lot of this seemed quite self-explanatory to me. So you have some constants at the beginning; we've got 29 constants, which seem to be local variables, so we've got decimals or strings which are being stored. And then we have names as well, which has got eight names here, which seem to be mapping to function names; you can see here exit and str, ord. And then we get into our code. So we have a block here which is importing sys, we have another which is going to load the input function, which is obviously going to ask us for this password, and then it's going to store whatever we provide, I guess, in the password variable. Next it's going to check the length of the password, so it's loading this len function, it's loading password, it's going to call the function len, and then it's going to load the value 12 and then do a comparison. So if the password is 12 characters long then go to 46, which is going to be this line here; otherwise it looks like it's going to say, no, you've entered the wrong password. So, providing we enter a password that's at least 12 characters long, we'll be able to jump down to this stage here, which is going to begin to do the checks on the password.

If we have a look at our first block, we can see it's loading the function ord, which will convert a character to a number; it's loading password and then LOAD_CONST 0, so it looks like it's loading the zeroth element, the first character of the password. It's going to convert it to a number and then it's going to call this; you can see that there was a BINARY_SUBSCR to basically take the zeroth element, and it's going to call the function, and then it's going to load the constant value of 48 decimal, and it's going to compare whatever was retrieved here to 48. If it doesn't match it's going to go to line 342, which is down here: sorry, password is incorrect. So we need to make sure, let me go back to it, we need to make sure that whatever the first character of the password is, if it's converted to a decimal value it's going to equal 48. We could go to CyberChef or asciitohex.com or something, or you can do this in Python. I'm going to go to CyberChef and convert from decimal: 48, was it looking for, which gives us a zero. So we know that the first character of the password should be a zero. So what I'm going to do is open up a new file here; I'm going to say 0 is equal to, and then we'll pass in 0, and we'll basically be able to go through. We know that there's 12 characters, so we've got 12 right here; I know there's a far easier way to do that, but oh well. We'll need to go through and map each one of these characters. So we've got the first one; let's move on to the next character, and we can see the next character has actually gone to LOAD_CONST 11, so it's loading the 12th character and it's literally just comparing it to an exclamation mark. So we can go straight ahead and say, well, the last thing that we're going to have here is going to be an exclamation mark. Then we get to the next character here, which is loading the seventh element of the password, converting it to a decimal with this ord function, and it's also loading the fifth element of the password, converting it to a decimal as well, and then it's comparing them. So what that's telling us is that five and seven are the same value, but it's not giving us any hint as to what that value could be, so we need to keep working through.

I'm not sure what's the best way to solve this in terms of working through from character to character or just working through in the order of the program. What I did here was to go and say, well, we know that five is, let's just add a rule here and say equal to seven, and we can do the same thing for seven, map it to five, and then once we find out what one of those is we'll know that the other is the same. If we go down to the next part, then we have LOAD_CONST 143, so it's loading the decimal 143; it's loading the zeroth element, the first character of the password, and converting it to a decimal, so we know that that was 48 in decimal, and it's going to do a subtraction here, so it's going to subtract 48 from 143, and then it's going to grab the fourth character of the password and then do a comparison. So essentially what we can see here is, if we subtract the zeroth element of the password from 143, the answer will be number four. So let's go and say we've got 143 minus 48, which is 95; let's go and put in here 95, and you'll see that's an underscore. So the fourth character is going to be an underscore, and then we can have a look at our rules and see, does that now allow us to solve either of these two? It doesn't, so we need to move on to the next part. The next part here is going to load the first character of the password, which is actually the second one, because it starts at zero, and it's going to load the third character as well. It's going to convert them both to decimals, and then it's going to XOR them, and then it's going to load the decimal value 30 and compare it to that. So we know that the first character, i.e. the second character, XORed with the third character, i.e. the fourth character, is going to equal 30, and because XOR is a reversible function, it means if we have either of these two values, if we have any two values, we can basically reverse this. So do we have one and three? Let's go back and have a look; we actually don't have either of them, so we can't do anything with those yet. We could add this as a rule, so we could say that the first character equals 3 XOR with 30; I should probably put something here like "pass" just so we know what we're talking about. And we could do the same thing with this here; we can say this is equal to pass one XOR thirty. Then we need to move on to the next part, because we need to work out some more values before we can continue with that.

Our next part of the function is dealing with the second and the third characters, so it's converting them to decimals and then it's going to multiply them, and it's going to load the decimal value 5610 and see if that matches. So we know that, well, if we can find the result of one of these, we can divide it by 5610 and that will give us the answer to the other one. Do we have either two or three? We don't, we don't have them at the moment. So here we might want to say 5610 divided by, sorry, what was it, 5610 divided by, is it two? Yeah, pass two, and we'll say that's equal. We could do the same thing and say that this is equal to 5610 divided by pass three, but again we need to work out what some more of the values are before we can continue. So we'll go down to the next one here; this one's actually just doing a straight-up comparison, so we can see that the first character here is going to be p, so we can actually just go ahead and take this out now: this is a p. Probably what would have been a better idea to do here would be to go through and work out what are the easiest ones first; that's actually what I did, but it did make it a little bit difficult, in that you kind of forgot which ones you'd already dealt with and which ones you hadn't looked at. So if you kind of go through them one by one, you can at least make sure you don't miss any values. But now that we have that p value, let's go and convert that: let's do To Decimal, we can just disable this part at the moment, and have a look at what p is: p is 112. So we'll go and add that there as well, and we know then that pass one XORed with 30 is going to be three, so let's go ahead and XOR: p XORed with the decimal value 30 is going to give us an n. So we can go back here and say that this is equal to n, and you might kind of guess here what the answer is going to be: 0, p, a space, and then n; it looks like it's going to be "open", right? I did kind of just work that out myself before calculating this, but now that we have this part here we can say that if we multiply n, which is, let me do the To Decimal again, 110, let's go ahead and do 5610 divided by 110 and we'll get 51. So the answer to that should be 51; let's convert from decimal 51 and we'll get 3, so that looks right. We've now got "0p3n". Are there any others then that needed to be solved? It doesn't look like it, so now we can move on to the next part.

Here we can see it's loading the sixth character from the password and the eighth character, converting them to decimals; it's going to subtract the eighth from the sixth and the answer should be minus forty-six. So six minus eight equals minus 46, so we can reverse this and say that for six, it is equal to minus 46, which is the answer to the equation, plus pass eight, and then we can do the same thing for pass eight, swap that round to pass six. But again we need to go and work out some more answers before we can solve those. In the next function here we have the sixth character of the password and the seventh character from the password being converted into decimals, and then they're going to be XORed together and compared to this value of 64. So again we can go back here, and hang on, what were the numbers there? Six and seven. So we've got another rule to put in here for six, and we can say that it's equal to pass seven XOR with 64. I'm not too sure why that suddenly gave me some nice syntax highlighting, but I like it. Then we can do the same for, oh, not for that one, for seven; so we'll do the same for seven, swap this round to six, and again we still need to find out what one of these actually equals before we can go any further. The next part is grabbing the tenth character from the password and the fifth as well, converting them to decimals, adding them together, and then it gets a result of 166. So that's 10 and 5 added together equals 166; we don't have either of them again, so we can say it's equal to 166 minus pass five, and then we can say the same thing here, minus pass ten. But again, we need to work out another character first. We have here the n, which is, okay, so it's loading the character n, and it's loading the ninth element of the password, which we don't have at the moment. It's going to subtract the ninth element from n, and then it's going to load a one and then do a comparison. So, to clarify that, n minus the ninth character equals one. So let's go and have a look here: we can convert To Decimal from n, that's going to give us 110; let's try and change that to 109, do From Decimal, and we'll get m. So we know that the ninth character is equal to m. Do we have anything else we can work out now? It doesn't look like it, so we still need to find something else, but now we've got an additional character. Let's go and have a look at the next part.

Now, this is a part that took me a long time to solve, and basically the problem is with here, if you get one character wrong, it's going to mess up all the other characters that you get. So we can see here it's loading the 10th character of the password; what I didn't realise here, I thought it was loading the third element of the password, but it's actually just converting three to a string, so this is just running str, so it's running something like str(3), which is going to convert it to "3". So essentially that's just telling us that the tenth element of the password is a three. Now that we know the answer to that, we can go and work out what five is, so we know that this three is equal to 166 minus pass five. If we reverse this equation and say what's 166 minus three in decimal, we'll get the answer to five. So three, if we convert it to a decimal, is 51, so we need to subtract 166 minus 51 and that gives us 115. Let's go and convert 115 to a character and we get s, so we're going to put in s into number five. Now this is starting to come together, because we know that seven is also equal to five, so we can just go ahead and put in an s here as well. You might have an idea what this is going to equal, but let's solve the rest of this anyway. For example, we can see here that six is equal to seven XORed with 64, so we now have this s here; let's convert this, I know, I'm going to disable all of that. We've got an s in here, so we're just going to XOR it with, what do we have, XOR here, yep, XOR it with 64, and that's going to give us a three. So we can go ahead here and say this is a three, and again it's pretty obvious what this is going to equal, but let's have a look anyway. We've got this: this is equal to minus 46 plus pass six, and pass six is a three, which in decimal is 51. So if we do minus 46 plus 51 we'll get, well, we get five, but actually that's not correct; so it's 46 plus pass six, which would give us 97. If we convert 97 to a decimal, no, to a character, then we'll get a. So let's go and put in our final character, and now we've worked out the flag is open sesame. That's the challenge. I hope you've enjoyed this video; if you have any questions or comments, or you know how I can fix all my broken Python installs and virtual environments in Parrot OS, let me know in the comments.
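The per-character rules the video reads out of the pydisasm output, as an added example that is not part of the video or of the challenge's own code: a small Python solver that records each rule the way the narrator wrote them down and propagates them until every position is known. The check() function is my reconstruction (an assumption, transcribed from the rules described above) of the logic in auth.pyc, and the 12-character length and the constants 48, 143, 30, 5610, 64, 166 and the characters '!', 'p', 'n' and str(3) are the ones named in the video.

```python
"""Constraint solver for the 12-character password check described above."""
from typing import Dict, Optional

N = 12
PRINTABLE = [chr(c) for c in range(32, 127)]  # candidate characters for each position


def check(p: str) -> bool:
    """Assumed reconstruction of the bytecode's checks, in the order the video reads them."""
    return (
        len(p) == N
        and ord(p[0]) == 48
        and p[11] == "!"
        and ord(p[7]) == ord(p[5])
        and 143 - ord(p[0]) == ord(p[4])
        and ord(p[1]) ^ ord(p[3]) == 30
        and ord(p[2]) * ord(p[3]) == 5610
        and p[1] == "p"
        and ord(p[6]) - ord(p[8]) == -46
        and ord(p[6]) ^ ord(p[7]) == 64
        and ord(p[10]) + ord(p[5]) == 166
        and ord("n") - ord(p[9]) == 1
        and p[10] == str(3)
    )


# Each rule: (positions it involves, predicate over a partial assignment).
# A predicate is only evaluated once every position it names has a value,
# which is exactly the narrator's "we need another character first" condition.
RULES = [
    ((0,), lambda v: ord(v[0]) == 48),
    ((11,), lambda v: v[11] == "!"),
    ((5, 7), lambda v: ord(v[7]) == ord(v[5])),
    ((0, 4), lambda v: 143 - ord(v[0]) == ord(v[4])),
    ((1, 3), lambda v: ord(v[1]) ^ ord(v[3]) == 30),
    ((2, 3), lambda v: ord(v[2]) * ord(v[3]) == 5610),
    ((1,), lambda v: v[1] == "p"),
    ((6, 8), lambda v: ord(v[6]) - ord(v[8]) == -46),
    ((6, 7), lambda v: ord(v[6]) ^ ord(v[7]) == 64),
    ((5, 10), lambda v: ord(v[10]) + ord(v[5]) == 166),
    ((9,), lambda v: ord("n") - ord(v[9]) == 1),
    ((10,), lambda v: v[10] == str(3)),
]


def solve(known: Optional[Dict[int, str]] = None) -> str:
    """Repeatedly pick a rule with exactly one unknown position and brute-force
    that position over printable ASCII; stop when all N positions are fixed.
    `known` optionally seeds positions you have already worked out by hand."""
    v: Dict[int, str] = dict(known or {})
    progress = True
    while progress and len(v) < N:
        progress = False
        for positions, pred in RULES:
            unknown = [i for i in positions if i not in v]
            if len(unknown) != 1:
                continue  # nothing known yet, or already fully resolved
            i = unknown[0]
            candidates = [c for c in PRINTABLE if pred({**v, i: c})]
            if len(candidates) == 1:  # only accept an unambiguous answer
                v[i] = candidates[0]
                progress = True
    if len(v) != N:
        missing = sorted(set(range(N)) - set(v))
        raise ValueError(f"could not determine positions {missing}")
    return "".join(v[i] for i in range(N))


if __name__ == "__main__":
    password = solve()
    print(password, "passes check:", check(password))
```

Seeding solve() with a wrong value, for example {0: "1"}, still yields a full string, but check() rejects it; that is the cascade the narrator hits when misreading the str(3) step as a password index.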
Info
Channel: CryptoCat
Views: 1,294
Keywords: hissss, pyinstaller, pydisasm, uncompyle6, MEIPASS2, pydecipher, hack the box, hackthebox, htb, hacking, wargames, challenges, capture the flag, ctf, reversing, reverse engineering, assembly, reveng, crypto, stego, misc, forensics, web, osint, pwn, exploit, infosec, security, cyber-security, commando, kali, parrot, ida, ghidra, pwntools, malware, tutorial, learn, hacker, cyberchef, debugging, pwndbg, pen-testing, disassembly, python, re, reverse, ltrace, cybersecurity, writeup, walkthrough, programming, hackathon, flag, HTB, pyinstxtractor, asm
Id: Fl65VMGQ9oU
Length: 32min 4sec (1924 seconds)
Published: Thu Sep 16 2021