2026-01-29
~2 minutes
Note: I am not an English speaker. Expect bad grammar. Also, I am a noob at reverse engineering. This is my first challenge.
The program simp-password asks for a password. If the user enters an incorrect password, they get an error message. The goal is to discover the correct password.
The first step is to find out what type of file we are dealing with:
> file simp-password
simp-password: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0ce043e55a600ecf0dc30ee1949e298d314402fe, for GNU/Linux 3.2.0, not stripped
We can see it is an ELF (Executable and Linkable Format), LSB (Linux Standard Base) and pie (Position Independent Executable) binary. Basically, it is a standard Linux binary that is loaded at a different base address every time it runs, so that memory addresses are harder to predict.
It is dynamically linked, so library functions are resolved from shared libraries at load time and do not reside inside the binary.
The binary is not stripped, so it still contains its symbol table, which gives us useful information about the functions it uses, for example the glibc functions it imports:
> objdump -t simp-password | grep GLIBC
0000000000000000 F *UND* 0000000000000000 __libc_start_main@GLIBC_2.34
0000000000000000 F *UND* 0000000000000000 puts@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 __stack_chk_fail@GLIBC_2.4
0000000000000000 F *UND* 0000000000000000 printf@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 strcmp@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 __isoc99_scanf@GLIBC_2.7
0000000000000000 w F *UND* 0000000000000000 __cxa_finalize@GLIBC_2.2.5
We can confirm that the program performs input/output operations (scanf, printf, puts) and compares strings (strcmp).
The next step is to look for strings in the binary. If the binary asks for a password, it has to compare the input with something, and there is a possibility that the password is hardcoded. Running strings on the binary gives:
PTE1
u+UH
Enter password:
%41s
iloveicecream
I love ice cream too!
Wrong try again.
9*3$"
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
We can see the message for an incorrect input, what looks like the message for the correct input, and an interesting string right next to it. Time to test it:
> ./simp-password
Enter password: iloveicecream
I love ice cream too!
Who does not love some ice cream?
In this case, inspecting the binary with file and readelf or objdump was not necessary, because the password was hardcoded in the binary. But if we wanted to bypass the authentication, or if the password were checked using other methods, then we would need to know more about the program's behaviour.
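As an added example (not code from the original post), the following Python script reproduces the two checks used above: it decodes the ELF header fields behind file's "64-bit LSB pie" output, sweeps printable runs the way strings does, and then flags a literal sitting right after a password prompt, which is the sweep a reviewer would run to catch a hardcoded credential before a binary ships. The sample bytes are constructed from the strings output above and are not the real challenge binary.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # `file` reports an ET_DYN executable as "pie executable"


def elf_summary(data: bytes) -> dict:
    """Decode the e_ident/e_type/e_machine fields behind the first words of `file`."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])  # right after e_ident
    return {
        "class": {1: "32-bit", 2: "64-bit"}.get(ei_class, "unknown"),
        "data": {1: "LSB", 2: "MSB"}.get(ei_data, "unknown"),
        "machine": {0x03: "i386", 0x3E: "x86-64"}.get(e_machine, "unknown"),
        "pie": e_type == ET_DYN,
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: maximal runs of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def password_candidates(strs: list) -> list:
    """Flag the first string after a 'password' prompt that looks like a literal
    secret: no spaces (so not a message) and no '%' (so not a scanf/printf format)."""
    hits = []
    for i, s in enumerate(strs):
        if "password" not in s.lower():
            continue
        for nxt in strs[i + 1:i + 4]:  # only look at the next three strings
            if " " not in nxt and "%" not in nxt:
                hits.append(nxt)
                break
    return hits


# Constructed sample: a minimal ELF header followed by rodata-like bytes taken
# from the strings output above. It is not the real binary.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, version 1
    + struct.pack("<HH", ET_DYN, 0x3E)               # e_type=ET_DYN, e_machine=x86-64
    + b"\x00" * 44                                   # remaining header fields, unused here
    + b"PTE1\x00u+UH\x00Enter password: \x00%41s\x00iloveicecream\x00"
    + b"I love ice cream too!\x00Wrong try again.\x00"
)
```

Running `password_candidates(extract_strings(SAMPLE))` on the constructed sample returns `["iloveicecream"]`, the same literal the manual strings sweep turned up.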