impossible password


I am new to reversing but have worked through a couple of them at this point. Very cool stuff and I have learned a lot. However, I am now facing impossible password which is a very different format. I have figured out step 1. Step 2 is what I am working on and I am not sure of the approach. Any suggestions? I have a vague idea of what is going on as it runs, but not how to solve. I am thinking maybe something like angr but is there a more straightforward way?




  • u should try to trace what's going on
  • If I get what you mean by step 2... solving step 2 could be a good exercise, but may not be necessary to get the flag.

  • @jwstone said:
    If I get what you mean by step 2... solving step 2 could be a good exercise, but may not be necessary to get the flag.

    How could you get the flag without doing the second part? That does not make sense

  • @3XPL017 said:

    @jwstone said:
    If I get what you mean by step 2... solving step 2 could be a good exercise, but may not be necessary to get the flag.

    How could you get the flag without doing the second part? That does not make sense

    I observe there are 3 parts.

  • I confirm that the second part isn't needed.


  • Is this supposed to crash binja (demo version)?

  • It doesn't crash my binja

  • I only see 2 parts to this challenge in IDA.

  • Spoiler Removed

  • @DrWahbi said:
    hey , i'm sorry but i tried every thing , from Hex editor to ollydbg to trace the jumps but the debugger can't read bin , but there's no message to trace , i found something like SuperSekretKey but i didn't understand what next , please any hints !

    Try to chmod +x the .bin file...btw running GDB on it works, its just there is no symbol table :) Also, if anyone has a small hint to share, it would be really appreciated

  • Well @n3m0 , if it's "Impossible Password" it means is quite real impossible :)
    Always follow the hints (titles, descriptions.. ) here in HTB, they say it all.
    Anyway, you only need to know some basics of GDB to overcome this impossible password.... nothing impossible though

    Good luck,

  • @padovah4ck is absolutely correct. If you don't like GDB, use radare2 :) I actually solved this from the disassembly without breakpoints or actual debugging, but that was not the easy road.


  • I've been using radare2 for these and it's been awesome!

  • I solved the challenge and learnt a lot about reverse engineering and how to follow the opcodes execution. I would like to give a suggestion (for those who are new ) Use the combination of EDB-debugger and Radare2 - Graph mode and you can understand the entire assembly.

    Hack The Box


  • edited October 2018

    So I am on stage 2 **; There are 20-ish HEX characters, but it won't accept them as a password. Guys, I need a clue

    Ukrainian.. whatever
  • I don't understand the stages people are talking about. I only understand that it should be debugged, but is possible to solve from disassembly alone. I am trying radare2 and gdb, When I try to debug, it seems strange because no matter where I try to put breakpoints, it never prints any output to the screen. would appreciate a hint.

  • OK nvm my first post. I get it now. I got to the second part but due to above hints will try to jump.

  • OK wow that was strange. I got the flag, though I'm not completely sure how what I did worked.

  • So I played a bit around on stage ** and i found out that abc", "def" will be read as abc",
    So I wondered if there is a way to inject something like 1==1 into strcmp. Can someone PM me and give me a hint whether I'm thinking in the right direction

  • Bringing this back from the dead. I'm completely new in this field of reversals. I've dove straight in and believe Im on "step 2". To solve the rest of this, would my time be better spent learning how to read/write assembly or should I be looking for tools that can decompile elf/convert assembly to C.

    In the few hours i've spent using rabin2 and learning some more common assembly operands like cmp and lea, I feel like im progressing in the puzzle - but is this really the most efficient method in 2019?

    Hack The Box
    ---------- ytho -----------

  • @ytho I just solved it using the NSA tool Ghidra (; it works similar to tools like IDA, Hopper or Radare.

    Step 1 should be very obvious if you know the basic libc functions, step 2 requires you to figure out what that unknown function does (grab an ASCII table) and step3 is what happens after you pass the check.

    As mentioned above, maybe you can skip step 2 since that would be rather hard?

    By doing step 3 in python or similar?

    I don't feel like much assembly knowledge is needed here. Maybe just a Ghidra hint:
    Start at "entry" in the function browser on the left after opening and analyzing the file (tutorials are available), the first argument in __libc_start_main is your "main" function

    Hack The Box

    GitHub repository with writeups:

  • Awesome tool recommendation. Was bashing my head against the wall trying to find something that did this. Working on step 3 recreation now :)

    Hack The Box
    ---------- ytho -----------

  • Thanks to this one, I learnt how to debug in radare2 and also change a condition to get the flag.

    PM me Discord me if you need help

    Discord : secHaq#7121

  • edited December 2019

    Stage 1 was super easy, passed in about 30 seconds. Step 2 was a bit harder but only because I lack any experience in reversing (started a day ago). I have experience in programming in different languages so I understand how programs run.

    Step 2 was a bit hard only because I had to get used to the app. I knew what I wanted to do (modify the code) but didn't know how to. So I just played around with the app, finally managed to change something. Saved the modified bin and rerun it to get the flag.

    @S7uXN37 No need for ASCII tables if you can decompile.

    ps. I hope this info is useful yet not a spoiler.

    Please + Respect me if I helped you out.

    Hack The Box

  • edited December 2019

    Excellent challenge once I took the name literally and started paying attention.
    Also just went back and did it via patching, pretty easy once you spot it!


    • GCIH | GCIA
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • Already knew the tricks used in this challenge, but a good application anyway to gain practice with radare2 =D
    If someone needs help just let me know

  • stoked, learned a lot with this one.
    thanks @decoder for the challenge
    thanks @MarioOlofo for the convo
    and thanks to you at home for reading this. ;)

    My 'hint' is, don't make it hard on yourself and READ the code.

  • ok ... will start this challenge ... am new to these things. I will use Cutter and see how it goes. Will post back!

  • I'm on step 2, but it looks like the string it compares it to is always random? am I looking at the right thing? i'm new to binary RE

  • edited March 2020

    I'm stuck at the ** part. Been trying to study and debug the decompiled code generated from ghidra for hours and I'm not making any progress. Can anybody give me a hint?

    edit: Got it, had to use a combination of ghidra + radare (ghidra wasn't 100% necessary but the decompiled code helps). Learned some really cool things on this one.

Sign In to comment.