HackTheBox Headache Challenge Walkthrough

In this walkthrough, we’re going to solve the HackTheBox Headache reverse engineering challenge. Before we begin, make sure you have the following handy:

  • Disassembler
  • Decompiler
  • Debugger

I will be using Hopper for both disassembling and decompiling the binary, and GDB as the debugger. Let’s load the binary in Hopper and see what we have at our disposal.

EntryPoint disassembly in Hopper

As you can see, our EntryPoint is at address 0x1190 and there is a call instruction at 0x11b4. (The binary is position independent, so 0x1190 is an offset from the load base, not a fixed address.) But what’s at “qword_4fd8+8”?

Woops, nothing here?

Nothing is there in the file because the call goes through a pointer-sized slot (the GOT) that the dynamic loader fills in only once the binary is mapped, so static disassembly cannot show the target. Let’s set initial breakpoints and fire up GDB.

Memory space updates with appropriate address at runtime

Now it’s up to you to trace all the way through libc and finally end up at “0x0000555555555f30”. If you want to skip this, “si 111” (single-step 111 instructions) lands you directly back in the user code section. Both the step count and that address are specific to my setup: the count depends on the libc build, and the 0x5555… base is what GDB uses for a PIE when it disables address-space randomization, so verify both against your own run.

If you keep stepping in the debugger, you will eventually land at something like this:

Landing into one critical function

Now to get the C Pseudocode of this function, I will be using Hopper (you can use Ghidra/BinaryNinja/IDA)

Ptrace Syscall

0x1 ^ 0x64 = 101 decimal. On x86-64 Linux, syscall 101 is ptrace, and the classic anti-debugging trick is ptrace(PTRACE_TRACEME): the kernel refuses it with -1 when a tracer (our debugger) is already attached, so the return value tells the program whether it is being debugged. Computing the syscall number with an XOR and issuing the syscall directly also means there is no ptrace() library call to spot or hook. The result of this syscall lands in the RAX register and is then saved on the stack for later use. Now we see some interesting things here:

  • A long 32-character string, which looks interesting.
  • The program branches on the result of the syscall, which also looks interesting (I won’t be explaining all the execution paths of this challenge).

This condition check can lead to several pathways:

  • A dummy flag routine
  • Another routine which can generate several different flags
  • A legit secret routine?

To satisfy the condition check, we patch the value the syscall returned (RAX right after the syscall, or the stack slot it is saved to) so that the program believes no debugger is attached.
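To make the check concrete, here is a small C reconstruction of the pattern the decompiler shows. This is an added illustration written for this walkthrough, not the challenge’s source: the function names are mine, and the only things taken from the binary are the obfuscated syscall number (0x1 ^ 0x64) and the branch on the result.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Added illustration of the anti-debug pattern seen in the decompiled
 * routine, not the challenge's own code.  The syscall number is hidden as
 * 0x1 ^ 0x64 (== 101, SYS_ptrace on x86-64 Linux) and issued through
 * syscall(2) directly, so there is no ptrace() call to hook with LD_PRELOAD. */

/* The obfuscated syscall number, computed the way the binary does it. */
long decoded_syscall_number(void)
{
    return 0x1 ^ 0x64;   /* 101 == SYS_ptrace on x86-64 */
}

/* One-shot PTRACE_TRACEME (request 0).  Returns 0 when nobody traces this
 * process and -1 (errno EPERM) when a debugger such as GDB already does.
 * The real program saves this value on the stack and branches on it later. */
long obfuscated_ptrace_check(void)
{
    return syscall(decoded_syscall_number(), 0L, 0L, 0L, 0L);
}

/* The decision the binary makes on the saved result. */
int debugger_detected(long ptrace_result)
{
    return ptrace_result == -1;
}

int main(void)
{
    long r = obfuscated_ptrace_check();   /* -1 when run under GDB */
    printf("ptrace returned %ld: %s\n", r,
           debugger_detected(r) ? "debugger detected, decoy path"
                                : "no debugger, real path");
    /* Bypass from the debugger: break right after the syscall instruction
     * and `set $rax = 0` (or overwrite the saved copy on the stack), which
     * flips the branch the same way the walkthrough's memory patch does. */
    return 0;
}
```

Run it plainly and it reports 0; run it under GDB and the same call returns -1, which is exactly the difference the binary keys on. Note that PTRACE_TRACEME can only succeed once per process, so a second call in the same run also returns -1; that is worth remembering if a binary performs the check more than once.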

Monkey patching memory to bypass ptrace check

Stepping through this route in the debugger may take you to several places, but I can assure you that we are on the right path, which leads to the roadblock below.

Monkey patching another conditional jump to always jump

As you can see, we cross the conditional jump by monkey patching the memory with “EB 0C 48 8D”. Only the first byte really needs to change: EB is the opcode of an unconditional short jump, 0C is the original 8-bit displacement (so the target stays the same), and 48 8D are the first two bytes of the lea instruction that follows. From here on it takes a few rounds of trial and error to figure out the exact steps needed to eventually land in the “Secret Routine”.
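The byte patch above is a general technique, so here is a small Python helper, added for this walkthrough and not part of the original post or the challenge, that turns a conditional jump into an unconditional one (or into a fall-through) and prints the equivalent GDB “set” commands. It goes slightly beyond the page: it also handles the 6-byte near form (0F 8x disp32), which is replaced by 90 E9 disp32 so the displacement can be kept. The sample bytes and the address in the usage code are constructed placeholders, not values dumped from the headache binary.

```python
# Added example (not the page's or the challenge's code): rewrite an x86
# conditional jump so it is always (or never) taken, and emit the GDB
# commands that apply the same patch to a running process.
# The sample bytes and addresses below are constructed, not from the binary.

SHORT_JCC = range(0x70, 0x80)   # 7x disp8: jo/jno/jb/jae/je/jne/... /jg
LONG_JCC = range(0x80, 0x90)    # 0F 8x disp32


def _jcc_length(code: bytes, off: int) -> int:
    """Return 2 for a short Jcc, 6 for a near Jcc, else raise."""
    if code[off] in SHORT_JCC:
        return 2
    if code[off] == 0x0F and off + 1 < len(code) and code[off + 1] in LONG_JCC:
        return 6
    raise ValueError(f"no conditional jump at offset {off:#x} (byte {code[off]:#04x})")


def force_jump(code: bytes, off: int) -> bytes:
    """Always take the branch.
    Short form: 7x disp8 -> EB disp8 (only the opcode changes, disp8 is kept).
    Near form:  0F 8x disp32 -> 90 E9 disp32 (same length, same instruction
    end, so disp32 stays valid)."""
    buf = bytearray(code)
    if _jcc_length(code, off) == 2:
        buf[off] = 0xEB
    else:
        buf[off] = 0x90
        buf[off + 1] = 0xE9
    return bytes(buf)


def force_fallthrough(code: bytes, off: int) -> bytes:
    """Never take the branch: overwrite the whole jump with NOPs."""
    n = _jcc_length(code, off)
    return code[:off] + b"\x90" * n + code[off + n:]


def gdb_set_commands(addr: int, before: bytes, after: bytes) -> list[str]:
    """GDB commands that apply the patch in memory, one
    `set {unsigned char}` per byte that actually changes."""
    return [
        f"set {{unsigned char}}{addr + i:#x} = {b:#04x}"
        for i, (a, b) in enumerate(zip(before, after))
        if a != b
    ]


if __name__ == "__main__":
    # Constructed sample: jz +0x0c followed by the start of a lea (48 8D ...).
    sample = bytes.fromhex("740c488d3d11000000")
    patched = force_jump(sample, 0)
    print(patched.hex())                      # eb0c488d3d11000000
    # Placeholder address; use the jump's address from your own session.
    for cmd in gdb_set_commands(0x555555555f30, sample, patched):
        print(cmd)                            # set {unsigned char}0x555555555f30 = 0xeb
```

Patching the opcode byte rather than writing fresh bytes is deliberate: it cannot change instruction lengths, so nothing after the jump shifts and the disassembly stays consistent. The helper refuses to touch an offset that does not hold a Jcc, which catches the common mistake of patching one byte too early or too late.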

The Secret Routine

The Secret Routine?

This routine decodes, at run time, the code that actually produces the correct flag.

If we examine this routine carefully, it rewrites existing code bytes in memory, and the rewritten code is what will give us our flag. Have a look at how this happens:

Previous code
New Code

This loop runs for 1749 iterations. The routine also uses our interesting 32-character string “a15abe90c112d09369d9f9da9a8c046e”; how it does so is up to you to analyze. The program then expects user input, which must be a valid key in order to “Login” to the application. We can see that the input must have a specific length before the comparison is performed.

Comparison check on Input

After verifying the length of the user input, which must be exactly 20 characters, the program goes on to check whether the input matches its hardcoded key.

Since we have identified all the necessary checks and know what needs to be done, we will try to somewhat automate GDB to grab the flag for us. You can see it in action below.

DISCLAIMER: I have changed the actual flag in the recording, and finding the correct flag is up to you. There is more than one dummy flag inside the headache binary, so make sure you find the correct one.

I’m providing the GDB boilerplate below, which can be used to reverse this binary; make sure to edit the addresses according to your own memory layout.
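For reference, the following GDB command file is my own added example of how such automation can be put together; it is not the author’s boilerplate. The three addresses are placeholders that you must replace with the ones from your own disassembly (the instruction after the ptrace syscall, the conditional jump that gets the EB patch, and the key comparison). The dump of rdi and rsi at the final breakpoint assumes the comparison is a libc call that receives its two buffers in those registers; adjust it if the binary compares inline.

```gdb
# headache.gdb  (added example, not the walkthrough author's script)
# Usage: gdb -q -x headache.gdb
set disable-randomization on      # keep the 0x5555... PIE base used above
set pagination off
file ./headache

# ---- placeholders: take these from your own disassembly ----
set $after_syscall = 0x555555555000   # first instruction after the ptrace `syscall`
set $jcc_addr      = 0x555555555000   # the conditional short jump patched to EB xx
set $cmp_addr      = 0x555555555000   # the 20-byte key comparison

# Stop at the very first instruction so the PIE is mapped, then patch the
# conditional jump in place: 7x disp8 -> EB disp8 (only the opcode changes).
starti
set {unsigned char}$jcc_addr = 0xeb
x/2i $jcc_addr

# Make the anti-debug check believe nobody is tracing us: the syscall's
# result is in RAX, so force it to 0 before the program saves it.
break *$after_syscall
commands
  silent
  printf "ptrace returned %ld, forcing 0\n", $rax
  set $rax = 0
  continue
end

# Stop at the key comparison and show both buffers being compared.
break *$cmp_addr
commands
  printf "comparison reached; rdi and rsi:\n"
  x/20xb $rdi
  x/20xb $rsi
end

continue
```

Because the script patches the jump right after “starti”, it does not depend on GDB re-inserting a breakpoint over a byte you are changing, and because it works on a mapped process the addresses are the runtime ones (0x5555… with randomization off), not the file offsets Hopper shows. The program prompts for the 20-character key once execution reaches the comparison, so have an input of that length ready.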

Useful Resources

THANK YOU
