fedai@ubuntu:~/hackthebox/Behind the Scenes/rev_behindthescenes$ file behindthescenes
behindthescenes: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e60ae4c886619b869178148afd12d0a5428bfe18, for GNU/Linux 3.2.0, not stripped
It’s an ELF file, so we can try and run it:
fedai@ubuntu:~/hackthebox/Behind the Scenes/rev_behindthescenes$ ./behindthescenes
./challenge <password>
fedai@ubuntu:~/hackthebox/Behind the Scenes/rev_behindthescenes$ ./behindthescenes meow
fedai@ubuntu:~/hackthebox/Behind the Scenes/rev_behindthescenes$
It’s expecting an argument, but nothing interesting happens. Let’s run strings to see if there is anything interesting:
From the strings output, it should print the flag through the variable / format specifier “%s”. There are also various other printf functions that send formatted output to stdout.
Let’s try ltrace, which intercepts and records the dynamic library calls made by the executed process and the signals received by that process.
Nothing interesting happens. Let’s take a look at strace now, which lets you observe a given process in detail, printing its system calls as they occur.
Time for Ghidra! I want to have a look at the decompiled code to understand what it’s doing.
I firstly look at main.
Line 16 of the decompiled code is just an infinite loop:
invalidInstructionException();
Looking at this function takes us to this assembly code:
It just says UD2. No idea what this is, but looking it up explains that it’s an error / invalid opcode: “This instruction is provided for software testing to explicitly generate an invalid opcode.”
The submitted issue explains that Ghidra “doesn’t go further than this instruction”, unlike objdump or gdb (other tools). This is true, as we can see loads of undecompiled assembly code after it. Simply select this, right click, and decompile.
We can then see various strncmp calls; strncmp compares at most the first n characters of two strings.
There are multiple strncmp operations, each one spells out a different section of the flag.
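To show why the code past the UD2 is still live rather than dead, here is an added example (my own illustration, not the challenge binary’s code): a SIGILL handler that steps RIP over the 2-byte ud2 so execution continues into the strncmp segment checks, which is the trick that makes Ghidra’s “truncating control flow” misleading. The handler mechanism, the helper names and the 6-character sample password are assumptions for the demo, not taken from the write-up; it assumes x86-64 Linux.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* SIGILL handler (assumed mechanism, not from the write-up): ud2 encodes as
 * 0F 0B (2 bytes), so advancing RIP by 2 resumes at the next instruction.
 * The CPU faults with RIP pointing at the ud2 itself. */
static void skip_ud2(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)info;
    ucontext_t *uc = (ucontext_t *)ctx;
    uc->uc_mcontext.gregs[REG_RIP] += 2;
}

/* Hypothetical helper: register the handler before any ud2 executes. */
static void install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = skip_ud2;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGILL, &sa, NULL);
}

/* Segment check in the style the write-up describes: each strncmp covers a
 * slice of the input.  "abc"/"xyz" is a constructed sample, not the flag.
 * A decompiler that stops at the first ud2 never shows these comparisons. */
static int check_segments(const char *pw) {
    __asm__ volatile("ud2");                 /* decompiler truncates here */
    if (strlen(pw) != 6) return 0;
    __asm__ volatile("ud2");
    if (strncmp(pw, "abc", 3) != 0) return 0;
    __asm__ volatile("ud2");
    if (strncmp(pw + 3, "xyz", 3) != 0) return 0;
    return 1;
}

int main(int argc, char **argv) {
    if (argc != 2) { printf("./challenge <password>\n"); return 1; }
    install_handler();
    printf("%s\n", check_segments(argv[1]) ? "correct" : "wrong");
    return 0;
}
```

Running it under ltrace shows the sigaction call and the strncmp calls only once the input survives the earlier checks, which is why a wrong guess looks as if “nothing interesting happens”.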