Skip to content

CTF, 123…. crackmes CTF

Published by tomkraz on 20 February 2022

Beginnings…

Continuing on in my “Getting Started with CTF” let’s take our BlackArch Linux system that we built and do a few simple CTF challenges I found on crackmes.one. I will follow a simple process I have come up with over the years to keep track of them. To be honest I didn’t come up with all these ideas but merged a few I came across. Including John Hammond and from one my recommended books “The Art of Network Penetration Test” by Royce Davis.

Folder layout

So let’s get started. I like to keep a folder structure that I can use time and time again. It’s quite simple but works for me. I create a CTF folder in my /home/tkraz directory and under that I build up folders for each CTF site I follow. For example on our newly build BlackArch system I created the structure as in the image below.

CTF Folder layout.

Now this is a moving target. For example there some scripts that I use time and time again that want to keep easy access to. We will get to that.I use the CTF site names as the folder names for each game that I play and if the game has multiple Levels then I create subfolders under those.

My first crackmes.one CTF.

Let’s use the search function over at crackmes.one to find some easy ones to start with.

And we have some results,

crackmes.one

“My First Crackme” looks like a good starting point. Let’s take a look at this beauty.

Ahh! It’s actually the authors first Crackme, and not mine. I should play closer attention. So what are we looking at here. In “Capture the Flag” events we have different types of challenges. This type of challenge is referred to “Reverse Engineering”. We are given a binary that we must download and somehow crack it. There is not much information here so let’s download it and see what’s going on.

Warning, I must mention here that one of the reasons we don’t use Windows here is because of these types of downloads. You could be downloading a Virus or Malware onto your system and this could cause you a lot of problems if it’s your main PC. So we use the BlackArch Virtual Machine we created earlier (or your own Kali install). If we break that system then we don’t really mind and no harm is done.

Right click the download button and copy the link to the file. We have a few steps to follow here so I hope you can follow along. 

#Change into your CTF directory
cd CTF/crackmes.one/

#Make your new directory.
mkdir my_first_crackme

#Use wget to down load the file, 
wget https://crackmes.one/static/crackme/60d766c033c5d410b8843039.zip

#Change the name of the file to something a bit manageable
mv 60d766c033c5d410b8843039.zip my_first_crackme.zip

#Unzip it, 
unzip my_first_crackme.zip 
bash: unzip: command not found

#Ahh, no unzip command on out Blackarch build, we have to install it. 
sudo pacman -S unzip

#Try the unzip again, this time it will ask for a password. 
#"crackmes.one" is the password for them all. 
unzip my_first_crackme.zip 

#what did it create
ls
myfirstcrackme  my_first_crackme.zip

#Lets give it a run, 
./myfirstcrackme
-bash: ./myfirstcrackme: cannot execute binary file: Exec format error

#What the hell, whats wrong with the file whats the type?
file ./myfirstcrackme
./myfirstcrackme: Mach-O 64-bit x86_64 executable, flags:

Didn’t go so well.

Right, so that was a mess. I hope the download part with “wget” and “unzip” were clear. After that, things went a bit wrong here. I could have just deleted this and tried to find a binary that would work, but I thought the lesson here might be valuable for new learners. When I tried to run the binary I got a error around the format. Each Operating system, Windows, Linux and Mac OS have their own types of binaries that run native and not on other systems.

There is a very useful command on Linux called “file” that queries any types of file and determines the type of file it is. When I ran it against the binary that I downloaded it determined it was of type “Mach O” which is a MacOS native file. It wont run on Linux. Even though it was marked as Linux/Unix in the Platform section on crackmes.one, it was clearly not. We could dig a bit deeper and open that file with a decompiler like Ghidra. But that’s way beyond this scope.

So I did a bit more searching on crackme.one and found more than I would like of type “Mac-O” under the unix and Linux categories. Now I am not so confident about crackmes.one, but I will persevere.

Another CTF from crackmes.one

After some small persistence I found that if you keep an eye on the quality tag you can get better results. So I found another one, 

#Make the dir 
mkdir mrempy

#Change into the directory
cd mrempy/

#Download the file with wget
wget https://crackmes.one/static/crackme/61c8deff33c5d413767ca0ea.zip

#Change the name to something more usable. 
mv 61c8deff33c5d413767ca0ea.zip  mrempy.zip

#unzip the file, it will ask for a password. 
#"crackmes.one" is the password for them all. 
unzip mrempy.zip

#Check unzip worked. 
ls
mrempy.zip  trycrackme

#Check the file type. 
file trycrackme
trycrackme: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), 

#Run the file. 
./trycrackme

  _____          ___             _   __  __
 |_   _| _ _  _ / __|_ _ __ _ __| |_|  \/  |___
   | || '_| || | (__| '_/ _` / _| / / |\/| / -_)
   |_||_|  \_, |\___|_| \__,_\__|_\_\_|  |_\___|
           |__/

Put the key: adf
[-] Incorrect key!

Much better, now we have something crack. Its a password challenge and we don’t have the password.

There are a couple of command to try here. As its an beginner level one it should not be hard to find the password. The first command I run would “strings” and see if the password would pop up. For this challenge nothing appeared that might be a password. Try it your self. Second command you can try is “ltrace”.

Ltrace is not install on our linux system so we have to install it. 

pacman -S ltrace

Then run the binary with ltrace, 

ltrace ./trycrackme

Ltrace tends to spit out a lot of information. When you get used to it after some practice you can actually just show the system function that spits out the password. In this case it’s the strncmp function call. 

ltrace -e "strncmp" ./trycrackme

And we have our key. 

trycrackme->strncmp("test", "34407373373234353336", 20)                                 = 65

Conclusion

So after a false start I finally go to do a CTF on crackmes.one. Keep at them and keep trying to learn. These level 1 crackmes are pretty simple affair and you should try your hand at them to see if you can get comfortable with the environment and the few simple commands required.

Support

I really enjoy making this content and if you would like to support the cost of keeping this site up and running, please make a purchase through one of my affiliate links.

Published inCTFGetting Started With CTF Challenges

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *