Windows Of Opportunity
HTB 2023

Solution
Given a file named windows.
windows: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=121c16ba1218dc3686b3cdac4705bc7496fb0fe7, for GNU/Linux 3.2.0, not stripped
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
The program asks the user to input a password (the flag). If the password is incorrect, it will show this.

Checking the code using Ghidra, I can see that line 18 compares the variable local_d with the array arr.
local_d is the sum of the user-input value at the current index and the value at the index after it.
local_d = local_38[i+1] + local_38[i];

Double-click arr[] to see the array.
arr XREF[3]: Entry Point(*), main:0010119b(*), main:001011a2(*)
00104060 9c undefined1 9Ch [0]
00104061 96 undefined1 96h [1]
00104062 bd undefined1 BDh [2]
00104063 af undefined1 AFh [3]
00104064 93 undefined1 93h [4]
00104065 c3 undefined1 C3h [5]
00104066 94 undefined1 94h [6]
00104067 60 undefined1 60h [7]
00104068 a2 undefined1 A2h [8]
00104069 d1 undefined1 D1h [9]
0010406a c2 undefined1 C2h [10]
0010406b cf undefined1 CFh [11]
0010406c 9c undefined1 9Ch [12]
0010406d a3 undefined1 A3h [13]
0010406e a6 undefined1 A6h [14]
0010406f 68 undefined1 68h [15]
00104070 94 undefined1 94h [16]
00104071 c1 undefined1 C1h [17]
00104072 d7 undefined1 D7h [18]
00104073 ac undefined1 ACh [19]
00104074 96 undefined1 96h [20]
00104075 93 undefined1 93h [21]
00104076 93 undefined1 93h [22]
00104077 d6 undefined1 D6h [23]
00104078 a8 undefined1 A8h [24]
00104079 9f undefined1 9Fh [25]
0010407a d2 undefined1 D2h [26]
0010407b 94 undefined1 94h [27]
0010407c a7 undefined1 A7h [28]
0010407d d6 undefined1 D6h [29]
0010407e 8f undefined1 8Fh [30]
0010407f a0 undefined1 A0h [31]
00104080 a3 undefined1 A3h [32]
00104081 a1 undefined1 A1h [33]
00104082 a3 undefined1 A3h [34]
00104083 56 undefined1 56h [35]
00104084 9e undefined1 9Eh [36]
Each element of the array is the expected value of local_d, which I explained earlier. So, we need to calculate the ASCII value of each character of the user input.
The flag format starts with HTB{, so it is easy to start calculating the rest of the values from there. You can use an ASCII table as guidance, plus some simple math. All values below are in hex.
9C = H (48) + T (54)
96 = T (54) + B (42)
BD = B (42) + { (7B)
AF = { (7B) + 4 (34)
...
the rest of the calculations
...
9E = ! (21) + } (7D)
We get a flag from it. Check it against the program to make sure it is legit.
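The remaining calculations can be scripted. The Python below is an added example, not part of the original write-up: it unrolls input[i+1] = arr[i] - input[i] from a chosen first byte and shows that the 37 sums alone leave several printable candidates, which the known HTB{ prefix narrows to one. The function names, and the assumption that local_d is a single byte (sums taken modulo 256), belong to this example.

```python
# Added example. ARR holds the 37 bytes of arr from the Ghidra listing
# (0x00104060-0x00104084); each one is input[i] + input[i+1].
ARR = bytes.fromhex(
    "9c96bdaf93c39460a2d1c2cf9ca3a66894c1d7"
    "ac969393d6a89fd294a7d68fa0a3a1a3569e"
)


def check(candidate, arr=ARR):
    """Model of the comparison in main: input[i] + input[i+1] == arr[i].
    Assumption: local_d is one byte, so the sum is reduced modulo 256."""
    if len(candidate) != len(arr) + 1:
        return False
    return all((candidate[i] + candidate[i + 1]) & 0xFF == arr[i]
               for i in range(len(arr)))


def recover(first, arr=ARR):
    """Unroll the chain from a known first byte:
    input[i+1] = arr[i] - input[i] (mod 256)."""
    out = bytearray([first])
    for pair_sum in arr:
        out.append((pair_sum - out[-1]) & 0xFF)
    return bytes(out)


def solve(arr=ARR, prefix=b""):
    """Try every printable first byte. 37 equations over 38 unknowns leave
    one free byte, so more than one printable string satisfies the sums;
    the known flag prefix selects the intended one."""
    hits = []
    for first in range(0x20, 0x7F):
        cand = recover(first, arr)
        printable = all(0x20 <= b < 0x7F for b in cand)
        if printable and check(cand, arr) and cand.startswith(prefix):
            hits.append(cand)
    return hits


if __name__ == "__main__":
    print("printable candidates:", len(solve()))
    for cand in solve(prefix=b"HTB{"):
        print(cand.decode())
```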

Flag
HTB{4_d00r_cl0s35_bu7_4_w1nd0w_0p3n5!}