IRCWare
IRCWare is a medium difficulty reverse engineering challenge on Hack The Box, available at LINK. It is a Linux x86-64 ELF binary; file(1) reports it as:
ircware: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped
When we run the binary, it prints a message to stdout:
EXCEPTION! ABORT
Let us start by examining the main function, which is conveniently located under the ‘start’ symbol.
Looking at the RAX values, the syscall at #1 is 0x3e, which corresponds to sys_getrandom, and at #3 we first have 0x1 (sys_write), which prints the error message we saw, followed by 0x0 (sys_exit). Let’s examine #2 more closely to see why exactly we are failing. The conditional depends on the return value of the function at 0x40028f:
It makes two syscalls and then returns: #1 is 0x29 (sys_socket) and #2 is 0x2a (sys_connect). From that we can deduce that there is some networking at play. To speed up the reversing, let’s run the binary under strace.
We can see that it is trying to connect to 127.0.0.1 on port 8000. Let’s set up a local server to handle the connection with the command:
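The writeup's own command does not survive on this page. As an added example that is not the author's, here is a minimal Python listener that plays the server side on 127.0.0.1:8000 and logs every line the binary sends, so the analyst can see what the sample expects before deciding how to reply; the host and port come from the strace output above, and the optional canned reply is an assumption.

```python
import socket
import sys

# Endpoint the sample connects to, taken from the strace output in the writeup.
HOST, PORT = "127.0.0.1", 8000


def start_listener(host=HOST, port=PORT):
    """Bind a TCP listening socket for the sample to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def capture_session(srv, timeout=10.0, reply=None):
    """Accept one client and record every line it sends until it closes
    or goes quiet for `timeout` seconds. Returns the lines (CRLF/LF stripped).
    If `reply` (bytes, assumed) is given, it is sent back after each line so a
    client that waits for a server response does not stall."""
    srv.settimeout(timeout)
    conn, addr = srv.accept()
    lines, buf = [], b""
    with conn:
        conn.settimeout(timeout)
        print(f"[+] connection from {addr[0]}:{addr[1]}", file=sys.stderr)
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                break  # client went idle: nothing more to learn from this session
            if not data:
                break  # client closed the connection
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                line = line.rstrip(b"\r")
                lines.append(line)
                print(f"[<] {line!r}", file=sys.stderr)
                if reply is not None:
                    conn.sendall(reply)
    if buf:  # trailing partial line that never got its newline
        lines.append(buf)
    return lines


if __name__ == "__main__":
    with start_listener() as s:
        capture_session(s)
```

Run it in one terminal, then start the sample in another; each line the binary sends is logged to stderr as it arrives.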