Dear readers,
Today’s post is on a Windows-based Reverse Engineering (RE) challenge in HackTheBox called Bypass. It was created on 14th March 2020. This challenge tests on reverse engineering .NET programs with dnSpy so read on if you are interested. Let’s get started!
Files provided
There is only one 32-bit file provided which is Bypass.exe.
Software/Tools required
- dnSpy
- Windows Operating System
Analysis
When I first open up the program in IDA Pro, I noticed that it is a .NET program that requires a different decompiler (see Fig 4a). The decompiler I used is dnSpy which includes a debugger in the decompiler, making it very useful.
While trying to run the file in dnSpy, I noticed that it is a 32-bit which requires us to run the x86 version of dnSpy.exe. Therefore, make sure you open the correct version before continuing the write-up.
Setting the breakpoint at the start of the program as well as the line of code after it, we can see that the program actually stops there before prompting us to input the username. This indicates that Class 0 is indeed the entry class.
If we look at the code in line 9, we will notice that it calls for 1() which is from the same class. Looking at the code in 1(), it is quite obvious that the 2 Console.write() and Console.read() will prompt for username and password and taking in our input.
public static bool 1()
{
Console.Write(5.1);
string text = Console.ReadLine();
Console.Write(5.2);
string text2 = Console.ReadLine();
return false;
}
If we look at 1() carefully, we will notice that the result will always return FALSE. Therefore, there is no correct username and password.
We can just input a random username and password then depend on the breakpoint at line 10 to change the value returned.
Enter a username: a Enter a password: a
Once the breakpoint hits line 10, the control will be given back to dnSpy. We can then change the value of flag1 since the breakpoint hits before the line of code execute (see Fig 4c). Thus, changing flag1 to True at line 10’s breakpoint will cause flag2 to be assigned to TRUE from flag1 once we continue the execution of the debugger.
Once we continue the execution, we will notice that we are prompted to input the secret key.
Please Enter the secret Key:
If we look at 2() in class 0 which was called in line 13, we will notice that another prompt occurs where the result will be checked against <<EMPTY_NAME>> whose value comes from class 5‘s static variable 3.
public static void 2()
{
string <<EMPTY_NAME>> = 5.3;
Console.Write(5.4);
string b = Console.ReadLine();
bool flag = <<EMPTY_NAME>> == b;
if (flag)
{
Console.Write(5.5 + global::0.2 + 5.6);
}
else
{
Console.WriteLine(5.7);
global::0.2();
}
}
Looking at class 5‘s variable 3, it gets more and more complex where it retrieves the value from a binary reader. Luckily we have dnSpy where we can use our debugger to get the value from. Alternatively, we can just set the breakpoint at line 13 which is right at the IF statement which compares the value of the variable flag. Once the breakpoint hits, we can modify its value to true.
In line 41, the flag will be printed. As the program will close immediately after the flag is printed since the Bypass program is spawned by dnSpy’s debugger, we will need to do Step-over execution instead of pressing the “Continue” button. To Step-over execution, press F10 on your keyboard. Keep pressing and observe the console, the flag will eventually be printed on the console.
Flag obtained
Enter a username: a
Enter a password: a
Please Enter the secret Key: a
Nice here is the Flag:HTB{SuP3rC00lFL4g}
Flag: HTB{SuP3rC00lFL4g}
I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂
Lamecarrot 