Binary Reverse Engineering

🎯 Objective: Extract database connection strings and credentials from compiled applications using reverse engineering techniques.

Overview

Applications often contain hardcoded connection strings with database credentials. Two main approaches: ELF binary analysis using GDB and .NET DLL examination using dnSpy for credential extraction.

HTB Academy Lab Solution

Lab: Database Credentials Discovery

Question: "What credentials were found for the local database instance while debugging the octopus_checker binary?"

SSH Access: htb-student:HTB_@cademy_stdnt! → 10.129.205.20

Method 1: ELF Binary Analysis (GDB)

# Connect to target
ssh htb-student@10.129.205.20

# Navigate to binary location
find / -name "octopus_checker" 2>/dev/null

# Run initial examination
./octopus_checker
# Expected: SQL connection attempt with driver error

# Debug with GDB
gdb ./octopus_checker

# Set disassembly style
set disassembly-flavor intel

# Disassemble main function
disas main

# Set breakpoint at SQLDriverConnect call
b *0x5555555551b0

# Run program
run

# Examine RDX register for connection string
# Expected: "DRIVER={ODBC Driver 17 for SQL Server};SERVER=localhost,1401;UID=username;PWD=password;"

Answer: SA:N0tS3cr3t!

Reverse Engineering Techniques

1. ELF Binary Analysis

# GDB debugging process
gdb ./binary_name

# Common GDB commands for credential hunting
set disassembly-flavor intel     # Set assembly style
disas main                       # Disassemble main function
b *address                       # Set breakpoint
run                             # Execute program
info registers                  # View register contents
x/s $rdx                        # Examine string at RDX

2. .NET Assembly Analysis

# Using dnSpy (.NET decompiler)
# 1. Load DLL in dnSpy
# 2. Navigate to Controllers/Classes
# 3. Look for connection strings in:
#    - Configuration sections
#    - Database context classes
#    - Connection string variables

# Alternative: strings command
strings MultimasterAPI.dll | grep -i "server\|password\|connection"

3. Connection String Patterns

# Common database connection string formats
"Server=server;Database=db;User Id=user;Password=pass;"
"DRIVER={SQL Server};SERVER=host;UID=user;PWD=pass;"
"Data Source=server;Initial Catalog=db;User ID=user;Password=pass;"

Technical Details

ELF Binary Analysis

GDB breakpoints at database function calls
Register examination for connection strings
Memory dumps for credential discovery
Assembly code analysis for hardcoded values

.NET DLL Examination

dnSpy decompiler for source code access
Configuration sections examination
Connection string constants identification
Database context analysis

Common Locations

# ELF binaries
/usr/local/bin/
/opt/applications/
/home/user/apps/

# .NET assemblies
C:\Program Files\App\
C:\inetpub\wwwroot\bin\
Application directories

Impact & Exploitation

Credential Discovery:

🔑 Database credentials for lateral movement
🎯 Service accounts for privilege escalation
📊 Connection strings revealing infrastructure
🔐 API keys and secrets in compiled code

Attack Escalation:

Database access using extracted credentials
Password spraying with discovered passwords
Service enumeration using connection details
Lateral movement through database networks

Common Findings:

SQL Server credentials (sa, admin accounts)
Database names and server information
Network topology from connection strings
Development/production environment details

Detection & Defense

Prevention:

Configuration files instead of hardcoded strings
Environment variables for sensitive data
Encrypted connection strings
Secret management systems (Azure Key Vault, etc.)

Monitoring:

Binary analysis attempts detection
Unauthorized GDB usage monitoring
File access logging for sensitive executables

💡 Pro Tip: Always check compiled applications for hardcoded credentials - developers often leave database connection strings with production credentials in binaries, especially in legacy enterprise applications.

PreviousPRTG Attacks NextOther Notable Applications

Last updated 5 months ago

hashtagOverview

hashtagHTB Academy Lab Solution

hashtagLab: Database Credentials Discovery

hashtagMethod 1: ELF Binary Analysis (GDB)

hashtagReverse Engineering Techniques

hashtag1. ELF Binary Analysis

hashtag2. .NET Assembly Analysis

hashtag3. Connection String Patterns

hashtagTechnical Details

hashtagELF Binary Analysis

hashtag.NET DLL Examination

hashtagCommon Locations

hashtagImpact & Exploitation

hashtagDetection & Defense