About the challenge
- Author: ezloom
- Language: c/c++
- Platform: unix/linux
- Arch: x86-64
The program simp-password asks for a password. If the user enters an incorrect password, an error message is shown. The goal is to discover the correct password.
Static analysis
Information about the binary
The first step is to discover the type of the file:
> file simp-password
simp-password: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0ce043e55a600ecf0dc30ee1949e298d314402fe, for GNU/Linux 3.2.0, not stripped
We can see it is an ELF (Executable and Linking Format), LSB (Linux Standard Base) and pie (Position Independent Executable) binary. In short, it is a standard Linux binary that is loaded at a random base address each time it runs, so its addresses cannot be predicted in advance.
It is dynamically linked, so library functions are resolved from external shared libraries at load time rather than residing inside the binary.
The binary is not stripped, so it still contains its symbol table, which gives us useful information about the functions it uses, for example the glibc functions:
> objdump -t simp-password | grep GLIBC
0000000000000000 F *UND* 0000000000000000 __libc_start_main@GLIBC_2.34
0000000000000000 F *UND* 0000000000000000 puts@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 __stack_chk_fail@GLIBC_2.4
0000000000000000 F *UND* 0000000000000000 printf@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 strcmp@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 __isoc99_scanf@GLIBC_2.7
0000000000000000 w F *UND* 0000000000000000 __cxa_finalize@GLIBC_2.2.5
We can confirm that the program performs input/output operations (puts, printf and scanf are imported), and the strcmp import hints at a string comparison.
Finding interesting stuff with strings
The next step is to look for strings in the binary. If the binary asks for a password, the input has to be compared with something, and there is a possibility that the password is hardcoded:
PTE1
u+UH
Enter password: 
%41s
iloveicecream
I love ice cream too!
Wrong try again.
9*3$"
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
We can see the message for an incorrect input, and what looks like the message for the correct input, right next to an interesting string. Time to test it:
> ./simp-password
Enter password: iloveicecream
I love ice cream too!
Who does not love some ice cream?
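As an added example (not part of the original write-up), here is a small Python script that reproduces the two static checks above without external tools: it decodes the ELF header fields that file reports and extracts printable strings the way strings does, then flags the first non-format string that follows a password prompt as a hardcoded-credential candidate. It runs against a constructed ELF-like byte string embedded in the script; the hardcoded_password_candidates heuristic is my own and is an assumption about how such credentials tend to sit in the string table, not a standard tool.

```python
import re
import struct

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0xB7: "aarch64"}

def elf_header_info(data: bytes) -> dict:
    """Decode the ELF header fields that `file` summarises (class, endianness, type, machine)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian (LSB)
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown"),
        "data": {1: "LSB", 2: "MSB"}.get(data[5], "unknown"),
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine:#x})"),
        # ET_DYN covers both PIE executables and shared objects; `file` tells them
        # apart via the PT_INTERP segment, which this header-only check skips.
        "pie_or_shared": e_type == 3,
    }

def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def hardcoded_password_candidates(strs: list[str], window: int = 3) -> list[str]:
    """Heuristic: the first non-format string within `window` entries after a password prompt."""
    cands = []
    for i, s in enumerate(strs):
        if "password" in s.lower():
            for follow in strs[i + 1:i + 1 + window]:
                if "%" not in follow:               # skip scanf/printf format strings
                    cands.append(follow)
                    break
    return cands

# Constructed stand-in for the binary: a minimal ELF64 header (64-bit, LSB, ET_DYN, x86-64)
# followed by NUL-separated strings of the kind the write-up found.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # e_ident
    + struct.pack("<HHI", 3, 0x3E, 1)                  # e_type, e_machine, e_version
    + b"\x00" * 40                                     # rest of the header, zeroed
    + b"Enter password: \x00%41s\x00iloveicecream\x00I love ice cream too!\x00Wrong try again.\x00"
)

if __name__ == "__main__":
    print(elf_header_info(SAMPLE))
    print(hardcoded_password_candidates(printable_strings(SAMPLE)))
```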
Conclusion
In this case, learning about the binary with file and readelf or objdump was not necessary, because the password was hardcoded in the binary. But if we wanted to bypass the authentication, or if the password were checked using other methods, then we would need to know more about the software's behaviour.