Bypass

Write-up author: jon-brandy

DESCRIPTION:

The Client is in full control. Bypass the authentication and read the key to get the Flag.

HINT:

  • NONE

STEPS:

  1. First, unzip the .zip file given.

RESULT

image

  1. Got an exe file.
  2. Let's run it on Windows.

RESULT

image

  1. Let's decompile it with Ghidra.

RESULT

image

  1. Surprisingly, we got no clue.
  2. Then I ran strings on the file to see if there were any hints.

RESULT

image

  1. Now we know that the codebase was written in .NET.
  2. To decompile .NET binaries we need to use dnSpy.

RESULT

image

  1. Now check this function.

image

image

  1. Based on it, we know that the boolean values of flag and flag2 are the same.

image

  1. Now set breakpoints at flag2 and flag.

image

image

  1. Run the program.

RESULT

image

  1. Hmm... when I checked the 1() function:

image

  1. The bool always returns false.
  2. Anyway, let's change the bool value of flag2 to true, then click the Continue button.

image

image

RESULT ON THE CMD

image

  1. Now enter any string.

RESULT

image

  1. Notice we got this value for the secret key.

image

  1. Copy that.

SECRET KEY

ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks

  1. Now run the program again in dnSpy and use the same steps.
  2. When prompted for the secret key, paste the string we got.

RESULT

image

  1. Nice, but don't click the Continue button; press F10 in dnSpy to step over execution.

RESULT

image

  1. Got the flag!

FLAG

HTB{SuP3rC00lFL4g}
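
The steps above only learned that the binary was .NET after Ghidra showed nothing useful and strings gave a hint. The same fact can be read straight from the PE headers: a managed assembly has a non-empty CLR runtime header entry (data directory 14). The script below is an added example, not part of the original write-up; `build_sample_pe` and the header values it writes are constructed for the demo.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def is_dotnet_pe(data: bytes) -> bool:
    """Return True if the PE image carries a non-empty CLR runtime header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20                              # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dirs_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dirs_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)  # NumberOfRvaAndSizes
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, dirs_off + 8 * CLR_DIRECTORY_INDEX)
    return rva != 0 and size != 0

def build_sample_pe(managed: bool, pe32_plus: bool = False) -> bytes:
    """Constructed minimal PE headers for the demo (headers only, not a runnable EXE)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt_fixed = 112 if pe32_plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C, 0, 0, 0, 0,
                       opt_fixed + 16 * 8, 0x0102)
    opt = bytearray(opt_fixed)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", opt, opt_fixed - 4, 16)          # 16 data directories
    dirs = bytearray(16 * 8)
    if managed:  # constructed RVA/size for the CLR header entry
        struct.pack_into("<II", dirs, 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + bytes(dirs)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "managed (.NET)" if is_dotnet_pe(fh.read()) else "native")
```

Run it with the path of the extracted exe as an argument; a "managed (.NET)" result means a .NET decompiler such as dnSpy is the right tool rather than a native disassembler.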