HackTheBox Reversing Challenge: Bypass

Difficulty: Easy

Yusuf Bashir
4 min readNov 22, 2023

Introduction

Description: The Client is in full control. Bypass the authentication and read the key to get the Flag.

This challenge is simple: the program performs two authentication checks, and each one is bypassed by flipping a Boolean variable in the debugger, after which the program prints the flag.

We start off by downloading bypass.exe and running the strings command on it to see if we can gain any useful starting information from it.

Strings output

The strings show that the program targets the .NET Framework (version 4.5.2). This is useful because a .NET assembly decompiles back to near-source C#, so we can reverse it with dnSpy, a decompiler, debugger and editor for .NET assemblies.
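As an added example (not part of the original write-up), the following Python script performs the same triage without dnSpy: it confirms that the file is a managed assembly by checking the CLR runtime header slot in the PE data directories, reads the CLR version from the CLI metadata root, pulls the TargetFramework string that strings(1) printed, and dumps the #US heap, where C# string literals are stored as UTF-16 and which plain strings misses unless it is run with -e l. The sample image built by build_sample_pe() is constructed for testing and is not bypass.exe; the two literals in it are placeholders standing in for the secret-key prompt and the key itself.

```python
import re
import struct

CLR_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header slot


def clr_directory(pe: bytes):
    """Return (rva, size) of the CLR runtime header, or None for a native (non-.NET) PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    nrva_off, dirs_off = {0x10B: (92, 96), 0x20B: (108, 112)}[magic]  # PE32 / PE32+; KeyError otherwise
    if struct.unpack_from("<I", pe, opt + nrva_off)[0] <= CLR_DIRECTORY:
        return None
    rva, size = struct.unpack_from("<II", pe, opt + dirs_off + 8 * CLR_DIRECTORY)
    return (rva, size) if rva and size else None


def is_dotnet(pe: bytes) -> bool:
    return clr_directory(pe) is not None


def target_framework(pe: bytes):
    """TargetFrameworkAttribute value (e.g. 'v4.5.2'); this is the ASCII string strings(1) shows."""
    m = re.search(rb"\.NETFramework,Version=(v[\d.]+)", pe)
    return m.group(1).decode() if m else None


def _read_compressed_uint(buf: bytes, pos: int):
    """ECMA-335 compressed unsigned int: returns (value, bytes consumed)."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:
        return b0, 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], 2
    return ((b0 & 0x1F) << 24) | (buf[pos + 1] << 16) | (buf[pos + 2] << 8) | buf[pos + 3], 4


def metadata_root(pe: bytes):
    """Locate the CLI metadata root ('BSJB'); return (runtime version, {stream name: bytes})."""
    root = pe.find(b"BSJB")
    if root < 0:
        return None, {}
    ver_len = struct.unpack_from("<I", pe, root + 12)[0]
    version = pe[root + 16:root + 16 + ver_len].split(b"\0", 1)[0].decode("ascii", "replace")
    pos = root + 16 + ver_len + 2  # skip Flags
    n_streams = struct.unpack_from("<H", pe, pos)[0]
    pos += 2
    streams = {}
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", pe, pos)
        pos += 8
        end = pe.index(b"\0", pos)
        streams[pe[pos:end].decode("ascii")] = pe[root + off:root + off + size]
        pos += (end - pos + 1 + 3) & ~3  # name is null-terminated and padded to 4 bytes
    return version, streams


def user_strings(pe: bytes):
    """C# string literals from the #US heap (UTF-16LE), which plain strings(1) does not print."""
    heap = metadata_root(pe)[1].get("#US", b"")
    out, pos = [], 1  # index 0 is the empty blob
    while pos < len(heap):
        length, n = _read_compressed_uint(heap, pos)
        pos += n
        if length > 1:  # last byte of each blob is a flag, not character data
            out.append(heap[pos:pos + length - 1].decode("utf-16-le", "replace"))
        pos += length
    return out


def build_sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 for offline testing; it is NOT bypass.exe and cannot execute."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew
    buf += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY, 0x2008, 0x48)
    buf += opt
    if managed:
        us = bytearray(b"\0")  # placeholder literals standing in for the prompt and the key
        for s in ("enter a secret key", "placeholder-secret"):
            enc = s.encode("utf-16-le") + b"\0"
            us += bytes([len(enc)]) + enc
        version = b"v4.0.30319\0\0"
        hdr_len = 16 + len(version) + 4 + 8 + 4  # fixed fields + one stream header ('#US\0')
        root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
        root += struct.pack("<HH", 0, 1) + struct.pack("<II", hdr_len, len(us)) + b"#US\0"
        buf += root + us + b"\0.NETFramework,Version=v4.5.2\0"
    return bytes(buf)
```

To run it against a real file, pass the file bytes in: user_strings(open("bypass.exe", "rb").read()). The #US heap only holds literals loaded with ldstr, so a key that is a plain string literal (as in this challenge) shows up, while a key assembled at runtime by concatenation or decryption would not; that is the point at which a decompiler and debugger become necessary.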

Opening bypass.exe in dnSpy reveals multiple classes defined in the binary. The first class (class 0) is the one we will be working with, as it defines the three main functions that control the logic of the program.

First Authentication Bypass

Let’s take a look at the first function (I’ll refer to it as func1).

Function 1

Essentially, func1 assigns a Boolean variable flag, whose value is the return value of the second function of this class (which we will examine shortly). Func1 then assigns the flag2 variable, whose value is set equal to flag. Func1 then checks whether flag2 is true and, if so, runs the third function defined in this class (I will call it func3); in any other case, the program writes a message to the console and simply calls func1 again.

Now, let’s take a look at func2.

Function 2

This function writes out "enter a username" and "enter a password", takes user input for both, and saves the input to variables. It then returns false regardless of what was entered.

If you looked at func1 and func2 closely, you should have noticed that func2 always returns false, as it literally returns false on its last line. That false value is then saved to flag in func1, which is then assigned as the value of flag2. This means that func3 (global::0.2()) is never run, because flag2 is never true, and we are actually just stuck in an endless loop of func1.

The solution is to set a breakpoint at the flag2 Boolean check (line 11) and change the value of flag2 to true in the debugger before continuing the program.

This allows the condition to be true and for func3 to execute, bypassing the first authentication and moving on to the second authentication, which asks to input a secret key.

Second Authentication Bypass

Let’s analyze func3.

Func3 first assigns the secret key string to a variable with an empty name (displayed as <<EMPTY_NAME>>). It then prompts for a secret key, saving the user input into a variable b. Following that, it saves the result of a string comparison between b and the actual secret key variable, <<EMPTY_NAME>>, into the flag variable. Finally, it checks whether flag is true and, if so, outputs the challenge flag; in any other case, it runs func3 again.

Bypassing this one is the same as the first. We set a breakpoint on the flag check (line 39) and change its value to true before letting the function continue. One more thing we can do is set a breakpoint at the end of func3 (line 48) so that the program does not close immediately after outputting the flag, which would stop us from actually reading it.

Secret key bypass

You might notice that the actual secret key is visible in cleartext in the decompiled code, so typing it at the prompt also works without touching any breakpoint. This is the point of the challenge description: both checks run in the client and the secret is embedded in the binary, so a user who controls the client can read the secret or flip the result of the comparison at will.

Flag output

As you can see, we successfully bypassed the secret key check and obtained the flag! I have censored it because it is an active challenge and I do not want to go against HTB's rules.

Thanks for Reading!

If this post was beneficial to you, consider dropping a follow and liking the post! Make sure to leave any comments or questions down below!

CTF Team Info:

If you would like to join my CTF team, then please visit my About Page, and you can find more information there!

Written by Yusuf Bashir

Tryhard security researcher, Cybersecurity major, CTF player, and aspiring pentester.
