0

I'm new to RE. I'm trying to solve a HackTheBox challenge called RAuth, with angr. I understand how to analyze and solve this challenge differently, without angr, but I really want to understand what is wrong with my angr script, or maybe what is the reason why angr is not feasible for this (and similar) case?

The application is easy, after it starts it's requesting the password from stdin, and exits if the password is incorrect:

>:~/challenges/rauth$ ./rauth
Welcome to secure login portal!
Enter the password to access the system:
wqeqwwqewqewqeqwewqeqweqweqweqweqwewqeqwe
You entered a wrong password!

When I run my script it works for around 15 minutes and dies with one of two errors:

"Killed"
"IndexError: tuple index out of range"

My angr script:

#!/usr/bin/env python
#coding: utf-8
import angr
import claripy
import time
import sys

def is_successful(st):
    output = st.posix.dumps(sys.stdout.fileno())
    if b'Successfully Authenticated' in output:
        return True
    return False

def should_abort(state):
    output = state.posix.dumps(sys.stdout.fileno())
    return b'You entered a wrong password!' in output

def main(round):
    print("Checking "+str(round))
    p = angr.Project('rauth',auto_load_libs=False)

    flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(round)]
    flag = claripy.Concat(*flag_chars + [claripy.BVV(b'\n')])

    st = p.factory.full_init_state(
        args=['./rauth'],
        add_options=angr.options.unicorn,
        stdin=angr.SimPackets(name='stdin', content=[(flag, 32)])
        #stdin=flag,
    )
    st.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
    st.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)

    for k in flag_chars:
        st.solver.add(k >= ord(" "))
        st.solver.add(k <= ord("~"))

    sm = p.factory.simulation_manager(st)

    #sm.explore(find=is_successful,avoid=should_abort)
    sm.explore(find=lambda s: b"Successfully" in s.posix.dumps(1),avoid=lambda s: b"wrong" in s.posix.dumps(1))

    if len(sm.found) > 0:
        for solution_state in ex.found:
            print("[>>] {!r}".format(solution_state.solver.eval(flag,cast_to=bytes)))
    else:
        print("[>>] no solution found :(")

if __name__ == "__main__":   
    print(main(32))

Am I using angr for the case when it's not applicable? What am I missing?

A also tried to play with options, like removing unicorn, enabling auto_load_libs, using or disabling lambdas etc. No success.

niksa
  • 1
  • 2

0 Answers0