2023 Cyber Apocalypse: Hunting License

Challenge Information

| Attribute | Details |
|-----------|---------|
| Event | 2023 Cyber Apocalypse |
| Category | Reverse |
| Challenge | Hunting License |

Summary

This challenge presents a three-stage password validation system in a binary. Each stage requires a different password, with increasing complexity: direct comparison, string reversal, and XOR decryption.


Analysis

The binary implements the exam() function with three password checks:

Stage 1: Direct Comparison

local_10 = readline("Okay, first, a warmup - what's the first password? ");
iVar1 = strcmp(local_10, "PasswordNumeroUno");
if (iVar1 != 0) exit(-1);

Password: PasswordNumeroUno

Stage 2: String Reversal

reverse(&local_1c, t, 0xb); // Reverse t array of length 0xb (11 bytes)
local_10 = readline("Getting harder - what's the second password? ");
iVar1 = strcmp(local_10, (char *)&local_1c);
if (iVar1 != 0) exit(-1);

The t array contains: 0wTdr0wss4P (from binary analysis)

Reversed: P4ssw0rdTw0

Stage 3: XOR Decryption

xor(&local_38, t2, 0x11, 0x13); // XOR t2 with key 0x13 for 0x11 bytes
local_10 = readline("Your final test - give me the third password: ");
iVar1 = strcmp(local_10, (char *)&local_38);
if (iVar1 != 0) exit(-1);

The t2 array must be XORed with key 0x13 to get the password.


Solution

Extract data from binary:

strings hunting_license | grep -E "(Password|0wTdr0wss4P)"
objdump -d -j .rodata hunting_license

Implement password extraction:

def reverse_string(s, length):
    """Reverse the first `length` characters of s"""
    return s[:length][::-1]

# Password 1: Direct
password1 = "PasswordNumeroUno"

# Password 2: Reversed string
t = "0wTdr0wss4P"
password2 = reverse_string(t, 0xb)
# Result: "P4ssw0rdTw0"

# Password 3: XOR decryption
t2 = bytearray([...])  # Placeholder: replace [...] with the 0x11 bytes of t2 extracted from the binary
key = 0x13
password3 = bytearray(len(t2))
for i in range(len(t2)):
    password3[i] = t2[i] ^ key
password3 = password3.decode('utf-8')

Usage: Connect to the binary and provide the three passwords in sequence to obtain the flag.
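The scan below is an added example, not code from the original write-up or from the challenge: it mirrors the binary's reverse() and xor() helpers and recovers a single-byte-XOR string from a raw data blob without knowing its offset. SECRET and BLOB are constructed sample data, and the scan assumes the 0x11 length includes the terminating NUL.

```python
import string

# Printable ASCII without control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def reverse(src: bytes, n: int) -> bytes:
    """Mirror of reverse(dst, src, n): the first n bytes, reversed."""
    return src[:n][::-1]


def xor(src: bytes, n: int, key: int) -> bytes:
    """Mirror of xor(dst, src, n, key): single-byte XOR over n bytes."""
    return bytes(b ^ key for b in src[:n])


def find_xor_strings(blob: bytes, n: int, key: int) -> list[tuple[int, str]]:
    """Slide an n-byte window over blob and keep every window that decodes
    to printable text followed by a NUL (assumption: n counts the NUL)."""
    hits = []
    for off in range(len(blob) - n + 1):
        plain = xor(blob[off:off + n], n, key)
        body, last = plain[:-1], plain[-1]
        if last == 0 and all(c in PRINTABLE for c in body):
            hits.append((off, body.decode("ascii")))
    return hits


# Constructed sample data, NOT the bytes of t2 from the challenge binary.
SECRET = b"Constructed-Pw-3\x00"  # 0x11 bytes including the NUL
BLOB = (
    b"\x00" * 8
    + b"PasswordNumeroUno\x00"      # stage 1 literal, as on the page
    + b"0wTdr0wss4P\x00"            # stage 2 array t, as on the page
    + xor(SECRET, 0x11, 0x13)       # stage 3 style buffer (constructed)
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("stage 2:", reverse(b"0wTdr0wss4P", 0xB).decode())
    for offset, text in find_xor_strings(BLOB, 0x11, 0x13):
        print(f"stage 3 candidate at offset {offset:#x}: {text}")
```

Requiring the decoded terminator keeps false positives low, because ordinary ASCII text also decodes to mostly printable bytes under key 0x13.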


Key Takeaways

  • String reversal is weak obfuscation that’s easily reversed
  • XOR with a fixed key is trivially broken
  • Multi-stage password systems are only as strong as the weakest stage
  • Binary analysis reveals hardcoded strings and keys
  • Understanding the protection mechanism is critical for exploitation
  • Always look for hardcoded data in binaries (strings, arrays)