Find The Easy Pass has been Pwned!

Today we are continuing the Hack The Box Beginner Track with the Reversing Challenge Find The Easy Pass. Full disclaimer, I have little to almost no reverse engineering experience. I have looked at this challenge before and completed it but I didn’t understand what was going on. I did some assembly back in college but that was over a decade a go now and I’ve forgotten all of it.

So with that out the way, let’s get reversing.

First you need to head over to Hack The Box and download the files for this challenge.

Reversing find the easy pass download
find the easy pass download

That should download the file to your downloads directory or wherever you have it set. You need to extract the contents of the zip archive but it is password protected. The password is listed on the challenge and it is ‘hackthebox’. If you’re on Windows you should be able to double click the executable and run it right away. However, if you’re on Linux then you need to run it with emulation software like wine.

Reversing Find The Easy Pass running the exe
running the exe

Now that the application is running it’s a good to make note of the strings you see displayed in the application. This can help track down locations in the program when it’s time to decompile it. The next thing to check is what happens when we submit data to the application.

Find The Easy Pass wrong password
wrong password

Well we have failed, we have submitted the wrong password and the application is mocking us. So where do we go from here? Well we need a program that rips other programs to bits so we can see their insides. Take a look at my article on Ghidra if you haven’t already got it set up and installed. Let’s get reversing. With the .exe loaded in Ghidra it’s time to search for those strings we made note of earlier. The top menu has a search option. Click it, then click search for strings.

Reversing search for strings
search for strings

A new window should pop up with some options to refine the search. I kept the options as default and clicked search.

Reversing Ghidra search refine
refine search

Once that is done, another window will pop up showing all the strings that Ghidra found in the code. There is a filter option at the bottom which you can use to refine the search even further. As we know from testing the application, the string ‘password’ was seen on the application. Let’s look for it.

Ghidra search filter
search filter

Ok, we’re making slow but steady progress and that’s what we need to do in order to beat the rabbit right, or was it the hare? I hope all reversing doesn’t take this long. Next we need to double click on the row containing “Wrong Password” and that will take us to the location of that code section in the application.

wrong password code location
00545200 reference wrong password code location

The section of code has been highlighted in blue. You can see that are currently looking at memory reference 00545200. If we right click the highlighted section and click on references, then show references to address, a new window will pop up showing the memory address.

Reversing finding wrong password address reference
finding wrong password address reference
wrong password address reference
wrong password address reference

You can see that the location is 00454144. If we double click that address again then it will take us back to the main window and the location of the next memory reference.

reversing find the easy pass memory refrence
00454144 memory reference

Lost? yeah don’t worry it has taken me several attempts to get this far with reversing and I’m not ashamed to admit that I’ve read a number of walkthroughs. Now if you look at the top bar, there is a “hierarchical order” icon (only thing I could think to call it) next to the green play button. Click it to launch the function graph window. You should end up with a window looking like something below.

function graph window
function graph window

Now if you zoom in to the final 4 boxes you can see there is a bit of logic going on. The program has two different sections of code depending on the results. Essentially, this is an IF statement. If one condition is met then run the code in the first box (00454138), if not then run the code in the second box (00454144).

Reversing if statement
IF statement

If we look in the box directly above the two, you can see the function (FUN_00404628) that determines which box is going to run next. If we click on the function number it should take us to where the function is being called. Make a note of the memory reference 00454131.

Function CALL
Function Call

Then if you double click the function, it should take you to the IF statement in the main window where we can see what it’s doing. As you can see below, the application is taking the values from param_1 and param_2 and stores them in EAX and EDX. Then further down you should see that the values of param_1 and param_2 are are written to the stack using PUSH and compared using CMP. We can assume that since this is checking whether that the password is correct that one of these parameters contains the correct password.

reversing comparing parameters
comparing parameters

So next we need to debug the program and check out what’s inside these parameters. To do this I am going to use ollydbg. If you need to install ollydbg you can do so from the CLI using ‘sudo apt-get install ollydbg’. Once the program is installed you can launch it by running ‘ollydbg’. Once ollydbg is running, click file, open and select EasyPass.exe.

reversing using olydbg

With the program loaded in we need to find our memory reference. There is probably a way to search for memory references but I just scrolled through until I found it. Right click the reference and select breakpoint and click toggle.

toggle breakpoint
toggle breakpoint

Now if you click the play button to run the program, it will launch and ask you for the password. However, this time instead of checking whether the password is correct, it will halt, and you will be able to see the value that it is comparing it against. The image below shows our input of “test” and another value “fortran!”.

run program with breakpoint

Now if we run the program again using wine, we can input the password to check to see whether it is correct, and it is. Congratulations you have completed the easiest reversing challenge there is. There are probably much easier ways to do this without using Ghidra but I wanted to check it out.

correct password
correct password
Find the easy pass has been pwned!
Find the easy pass has been pwned!

Check out some of my other posts including ArchetypeOopsie, VaccineShieldPathfinderIncluded and Markup.