Tags: reverse, free, easy

Techniques: binary patching, IL opcode modification, conditional branch inversion

Bypass — HackTheBox

Description

"The Client is in full control. Bypass the authentication and read the key to get the Flag."

The task provides a Windows executable file (Bypass.exe) — a .NET assembly requiring authentication bypass.

Analysis

File Identification

$ file Bypass.exe
Bypass.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

The file is a .NET assembly: the managed code is stored as CIL bytecode with full metadata, so it can be disassembled (and patched) at the opcode level rather than as native x86.

Disassembly

Used monodis (the Mono IL disassembler) to dump the IL code:

monodis --output=bypass.il Bypass.exe

Authentication Structure

The binary contains two checks:

1. Login Check (Method '0'::'1')

  • Prompts for username and password
  • Always returns false regardless of input
  • Key IL code:

IL_0043: ldc.i4.0 // push 0 (false)
IL_0044: ret // return

2. Secret Key Check (Method '0'::'2')

  • Prompts for a secret key
  • Compares input with stored key via string::op_Equality
  • Uses brfalse.s to jump to "Wrong Key" if comparison fails
  • On success, outputs the flag via string::Concat

Solution

Binary Patching

Used Python to patch two locations. The offsets are raw file offsets into this build of Bypass.exe (not the IL_xxxx offsets monodis prints), so the script checks that the expected original opcode is present before overwriting it:

#!/usr/bin/env python3
"""
Bypass.exe patcher
Patches the two authentication checks in the .NET binary.
Offsets are raw file offsets into this build of Bypass.exe.
"""

with open('Bypass.exe', 'rb') as f:
    data = bytearray(f.read())

# Patch 1: Bypass Login Check
# Location: offset 0x2bf
# Change: ldc.i4.0 (0x16) -> ldc.i4.1 (0x17)
# Effect: the login method now always returns true
assert data[0x2bf] == 0x16, "unexpected opcode at 0x2bf; different build?"
data[0x2bf] = 0x17

# Patch 2: Bypass Key Check
# Location: offset 0x2f5
# Change: brfalse.s (0x2c) -> brtrue.s (0x2d)
# Effect: inverted conditional; the flag path is taken when the key is WRONG
assert data[0x2f5] == 0x2c, "unexpected opcode at 0x2f5; different build?"
data[0x2f5] = 0x2d

with open('Bypass_patched.exe', 'wb') as f:
    f.write(data)

print("Patched successfully!")
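The script above hard-codes two offsets for one build. The following is an added example (not the challenge author's script and not code from HackTheBox) that generalises the same technique: it locates candidate "ldc.i4.0; ret" and "call <MemberRef>; brfalse.s" sequences by byte pattern, and only patches a byte after confirming it is the opcode expected. The opcode values come from ECMA-335; the SAMPLE byte string and the token value 0x0A000011 in it are constructed for the demo and are not bytes from Bypass.exe.

```python
#!/usr/bin/env python3
"""Generic IL patching helpers: find candidate opcodes by pattern, then
patch only after verifying the original byte.  Added example; the sample
bytes and offsets are constructed, not taken from Bypass.exe."""

# CIL conditional branches and their logical inverses (integer semantics,
# ECMA-335 opcode values).  Short and long forms are kept separate so the
# operand size never changes when a branch is flipped.
BRANCH_INVERSE = {
    0x2C: 0x2D, 0x2D: 0x2C,   # brfalse.s <-> brtrue.s
    0x39: 0x3A, 0x3A: 0x39,   # brfalse   <-> brtrue
    0x2E: 0x33, 0x33: 0x2E,   # beq.s     <-> bne.un.s
    0x2F: 0x32, 0x32: 0x2F,   # bge.s     <-> blt.s
    0x30: 0x31, 0x31: 0x30,   # bgt.s     <-> ble.s
    0x3B: 0x40, 0x40: 0x3B,   # beq       <-> bne.un
    0x3C: 0x3F, 0x3F: 0x3C,   # bge       <-> blt
    0x3D: 0x3E, 0x3E: 0x3D,   # bgt       <-> ble
}
LDC_I4_0, LDC_I4_1, RET, CALL = 0x16, 0x17, 0x2A, 0x28


def find_pattern(data, pattern):
    """Return every offset where `pattern` matches; None is a wildcard byte."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + k] == p for k, p in enumerate(pattern))]


def find_bool_false_returns(data):
    """Candidates for 'ldc.i4.0; ret', i.e. a method returning false."""
    return find_pattern(data, [LDC_I4_0, RET])


def find_branch_after_memberref_call(data):
    """Candidates for 'call <MemberRef token>; brfalse.s'.  Tokens are stored
    little-endian and a MemberRef token (table 0x0A, e.g. string::op_Equality
    imported from mscorlib) therefore ends with the byte 0x0A."""
    return find_pattern(data, [CALL, None, None, None, 0x0A, 0x2C])


def patch_byte(data, offset, expected, new):
    """Patch in place, but only if the original byte is the one expected."""
    actual = data[offset]
    if actual != expected:
        raise ValueError(f"offset {offset:#x}: found {actual:#04x}, expected {expected:#04x}")
    data[offset] = new
    return data


def invert_branch(data, offset):
    """Replace the conditional branch at `offset` with its logical inverse."""
    op = data[offset]
    if op not in BRANCH_INVERSE:
        raise ValueError(f"offset {offset:#x}: {op:#04x} is not a conditional branch")
    return patch_byte(data, offset, op, BRANCH_INVERSE[op])


def force_true_return(data, offset):
    """Turn 'ldc.i4.0; ret' at `offset` into 'ldc.i4.1; ret'."""
    if data[offset + 1] != RET:
        raise ValueError(f"offset {offset:#x}: ldc.i4.0 is not followed by ret")
    return patch_byte(data, offset, LDC_I4_0, LDC_I4_1)


# Constructed stand-in for two method bodies (NOT bytes from Bypass.exe):
#   nop; nop; ldc.i4.0; ret               -> a login check returning false
#   call 0A000011; brfalse.s +5; nop; nop -> a key check branching on equality
SAMPLE = bytes.fromhex("0000162A" "28110000" "0A2C0500" "00")


def demo():
    """Apply both patches to SAMPLE and return the patched bytes."""
    data = bytearray(SAMPLE)
    force_true_return(data, find_bool_false_returns(data)[0])
    call_off = find_branch_after_memberref_call(data)[0]
    invert_branch(data, call_off + 5)   # the branch opcode right after the 5-byte call
    return bytes(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # usage: patcher.py some.exe  -> print candidate offsets
        blob = open(sys.argv[1], "rb").read()
        print("ldc.i4.0; ret at", [hex(o) for o in find_bool_false_returns(blob)])
        print("call MemberRef; brfalse.s at", [hex(o) for o in find_branch_after_memberref_call(blob)])
    else:
        print(demo().hex())
```

Pattern hits are only candidates: "16 2A" can occur in data or in an unrelated method, so each hit should be cross-checked against the monodis listing before it is patched. The verify-before-write step in patch_byte is what keeps a stale offset from silently corrupting an unrelated byte in a different build.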

IL Opcodes Reference

...
