Compiled
- Website: TryHackMe
- Level: Easy
- OS: N/D
- Link: Compiled
Download the task file and get started. The binary can also be found in the AttackBox inside the /root/Rooms/Compiled/ directory.
Note: The binary will not execute if using the AttackBox. However, you can still solve the challenge.
Question
What is the password?
Walkthrough
We download the file provided by the challenge. The file is called Compiled-1688545393558.Compiled.
We try to extract it and inside we find an exe file called Tetrix.exe. I try to run it but only get errors. I try running strings to look for something interesting:
We can see there is a password, and if it is correct we are told "Correct!", otherwise "Try again!". Let's try to decompile it using this [tool](https://dogbolt.org/) online. Here is the full decompiled code:
Code
```c
int64_t (* const)() _init()
{
    if (!__gmon_start__)
        return __gmon_start__;
    return __gmon_start__();
}

int64_t sub_401020()
{
    int64_t var_8 = data_403ff0;
    /* jump -> data_403ff8 */
}

int32_t printf(char const* format, ...)
{
    /* tailcall */
    return printf(format);
}

int64_t sub_401036()
{
    int64_t var_8 = 0;
    /* tailcall */
    return sub_401020();
}

int32_t strcmp(char const* arg1, char const* arg2)
{
    /* tailcall */
    return strcmp(arg1, arg2);
}

int64_t sub_401046()
{
    int64_t var_8 = 1;
    /* tailcall */
    return sub_401020();
}

int32_t __isoc99_scanf(char const* format, ...)
{
    /* tailcall */
    return __isoc99_scanf(format);
}

int64_t sub_401056()
{
    int64_t var_8 = 2;
    /* tailcall */
    return sub_401020();
}

uint64_t fwrite(void const* buf, uint64_t size, uint64_t count, FILE* fp)
{
    /* tailcall */
    return fwrite(buf, size, count, fp);
}

int64_t sub_401066()
{
    int64_t var_8 = 3;
    /* tailcall */
    return sub_401020();
}

void __cxa_finalize(void* d)
{
    /* tailcall */
    return __cxa_finalize(d);
}

void _start(int64_t arg1, int64_t arg2, void (* arg3)()) __noreturn
{
    int64_t stack_end_1;
    int64_t stack_end = stack_end_1;
    void ubp_av;
    __libc_start_main(main, __return_addr, &ubp_av, nullptr, nullptr, arg3, &stack_end);
    /* no return */
}

uint64_t* const* deregister_tm_clones()
{
    return &__TMC_END__;
}

int64_t (* const)() register_tm_clones()
{
    return nullptr;
}

void __do_global_dtors_aux()
{
    if (completed.0)
        return;
    if (__cxa_finalize)
        __cxa_finalize(__dso_handle);
    deregister_tm_clones();
    completed.0 = 1;
}

int64_t (* const)() frame_dummy()
{
    /* tailcall */
    return register_tm_clones();
}

int32_t main(int32_t argc, char** argv, char** envp)
{
    int64_t var_48;
    __builtin_strcpy(&var_48, "StringsIsForNoobs");
    fwrite("Password: ", 1, 0xa, __TMC_END__);
    char var_28[0x20];
    __isoc99_scanf("DoYouEven%sCTF", &var_28);
    int32_t rax_1 = strcmp(&var_28, "__dso_handle");
    int32_t rax_2;
    if (rax_1 >= 0)
        rax_2 = strcmp(&var_28, "__dso_handle");
    if (rax_1 >= 0 && rax_2 <= 0)
        printf("Try again!");
    else if (strcmp(&var_28, "_init"))
        printf("Try again!");
    else
        printf("Correct!");
    return 0;
}

int64_t _fini() __pure
{
    return;
}
```
Let's analyze the code step by step:

- "Password: " is printed and we are asked to enter a string with the format "DoYouEven%sCTF". So the string we need to enter must be of the form "DoYouEven[something]CTF".
- The entered string is compared against __dso_handle. If it is greater than or equal to __dso_handle and less than or equal to __dso_handle, "Try again!" is printed.
- The entered string is compared against _init. If it differs from _init, "Try again!" is printed.
- If the entered string equals _init, "Correct!" is printed.
The key detail about scanf is that when using the format "DoYouEven%sCTF", the string we enter must be of the form "DoYouEven[something]CTF". Note that %s in scanf first skips any leading whitespace and then reads a string until a space, tab or newline. So, if we enter "DoYouEven _init", the literal "DoYouEven" is matched and discarded, the space is skipped, and the string read by scanf will be "_init". This way, the entered string will equal _init and we will get "Correct!".
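The scanf behaviour described above, as an added example (not code from the room's binary or from the original walkthrough): it reuses the format string and the two comparison strings shown in the decompiled main(), while the function names, the added field width and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The two strings the decompiler labels "__dso_handle" and "_init" in main(). */
#define DECOY  "__dso_handle"
#define SECRET "_init"

/* Parse one line with the same format string as main(). Returns 1 and fills
 * out[32] if the %s conversion stored something, 0 otherwise. The width 31 is
 * an addition that bounds the write; the decompiled call uses a bare %s into
 * a 0x20-byte buffer. */
int parse_input(const char *line, char out[32])
{
    out[0] = '\0';
    return sscanf(line, "DoYouEven%31sCTF", out) == 1;
}

/* Mirror of the comparison chain in main(): 1 = "Correct!", 0 = "Try again!". */
int check(const char *line)
{
    char buf[32];
    if (!parse_input(line, buf))
        return 0;                 /* literal prefix did not match */
    if (strcmp(buf, DECOY) == 0)
        return 0;                 /* first branch: equal to the decoy */
    return strcmp(buf, SECRET) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "DoYouEven_init", "DoYouEven _init", "DoYouEven_initCTF",
        "_init", "DoYouEven__dso_handle",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char buf[32];
        int ok = parse_input(samples[i], buf);
        printf("%-24s -> stored \"%s\" -> %s\n", samples[i],
               ok ? buf : "", check(samples[i]) ? "Correct!" : "Try again!");
    }
    return 0;
}
```

Because %s keeps reading until whitespace, a trailing "CTF" typed by the user ends up inside the stored string instead of being matched by the format's literal suffix.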
Answer
THM{DoYouEven _init}