Friday, March 17, 2023

HTB - Behind The Scenes

Initial Investigation

Upon running the application it asks us for ./challenge <password> 

Let's run strings and see what we find:

The interesting parts are we can see it is expected the password to be in the format HTB{something} 


We can throw the binary into Ghidra and see what else we find. Within the main it looks to stop. 

There is a UD2 instruction and then disassembly stops.  
After some research I found this within the Ghidra github . User pjsoberoi's comment is the solution:
"IMHO that is the correct behavior. You can manually disassemble the bytes after but that shouldn't change the decompilation. You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction. This should basically make the decompiler ignore the ud2 instruction. That seems like what you want." 
With this information I disassembled the rest.
We then run through and replace all the UD2 instructions with a NOP and slowly the code is built out until we eventually get our password and flag!



THM - Windows Forensics 1

Scenario One of the Desktops in the research lab at Organization X is  suspected to have been accessed by someone unauthorized. Although the...