Tear or Dear

Name: Tear or Dear
Hint: Find the username and password and put them in the flag in the format: HTB{username:password} Warning: It can produce false positives.
Base Points: Easy - Retired [0]
Rated Difficulty:
alamot
Creator: Thiseas

 Happy joy! A Windows executable file for this challenge.....


Can you hear the sarcasm coming through?

 

Let's do this one strictly in Windows using DNSpy.  Always good to have a broad knowledge of the different tools.  On cursory glance, it looks like the "button1_Click" function compares this.o and this.check1 one to ensure the credentials are correct and it is a strict check.  That means this.o and this.check1 are going to be in memory for the check.

 Let's set a breakpoint at that if function and check the memory.  Now, some of you might have noticed that I stupidly tried to debug this in DNSpy x64 not x86.  I fixed that now XD  I set the breakpoint, run the program, and enter a for the userename and b for the password.  Now when we add a watch to this.o and this.check1 we notice that this.check1 cannot be "watched," but that this.o's value is "roiw!@#"  Why can't we watch this.check1?  Because it is function logic and not really a variable.  Let's follow the check1 logic path.

Following the program logic through this.check1(s) to this.check, we see that the variable is acually this.aa.  Grabbing the value of this variable, we start building the flag.

To verify, we try user roiw!@# password piph.  That failed.  Let's switch the order.  SUCCESS! We are greeted with the Correct! message. The flag is username:password like Snake:

 

HTB{piph:roiw!@#}