Bypass
Bypass is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Bypass attack path
Objective
Challenge walkthrough focused on Reversing evidence, validation, and reusable operator lessons.
Walkthrough flow
- Extract the ZIP and identify the file as a PE32 .NET...
- Inspect strings/metadata for framework calls....
- Disassemble CIL rather than chasing obfuscated...
- Observe the login method reads username/credential...
- Observe the static initializer loads managed resource...
Source coverage
High source coverage
Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Reversing/Bypass/writeup.md
- htb-challenge/Reversing/Bypass/notes.md
- htb-challenge/Reversing/Bypass/memory-summary.md
- htb-challenge/Reversing/Bypass/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Reversing__Bypass__notes.md.c536457490.md
Technical Walkthrough
Writeup
Challenge
- Name: Bypass
- Category: Reversing
- Difficulty: Easy
- Mode: file
Summary
The provided binary is an obfuscated .NET console application. The visible login flow is intentionally misleading: the username/password check reads input and returns false, making the normal success branch unreachable. Static IL analysis showed that the strings used by the program are stored in an encrypted managed resource. Decrypting that resource exposed the secret key prompt and the flag pieces.
Artifact Inventory
- files/a12c736c-e653-4b63-a6fb-ddfb6ef531a7.zip: original challenge archive.
- analysis/extracted/Bypass.exe: PE32 .NET console assembly.
- analysis/il-disassembly.txt: decoded CIL listing with the auth branch, resource loader, and decrypt helper.
- analysis/resource-decrypt-decoded-summary.txt: redacted resource decryption summary.
- analysis/resource-strings-redacted.txt: redacted decrypted string table.
Analysis
analysis/extracted-file-types.txt identifies Bypass.exe as a .NET assembly. The initial strings output showed RijndaelManaged, GetManifestResourceStream, BinaryReader, and ReadString, which pointed to encrypted embedded data.
The IL listing in analysis/il-disassembly.txt shows three important facts:
- The login/authentication method reads a username and password but stores 0 and returns it, so login cannot succeed normally.
- The static initializer reads manifest resource 0, decrypts it, and reads strings from a BinaryReader.
- The success path compares the entered secret key with one decrypted string, then prints three decrypted string values together to form the flag.
The decrypt helper constructs RijndaelManaged, sets a 128-bit block size and CBC mode, then reads bytes from the resource stream into the generated key-length and IV-length buffers. This means the resource layout is:
32-byte key || 16-byte IV || <secret redacted> ciphertext
Decrypting the ciphertext produced a UTF-16LE BinaryReader string table. The raw decrypted table and reconstructed flag are kept under loot/; the redacted analysis summary is in analysis/resource-strings-redacted.txt.
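The resource layout and string-table format described above (and restated in the Memory Summary steps further down), worked through as an added Python example. This is not the challenge's solve/solve.py: it splits a blob into key, IV and ciphertext, decrypts with AES-256-CBC (through the cryptography package, falling back to the openssl CLI the writeup mentions), strips the padding (assumed to be RijndaelManaged's default, PKCS#7), and walks the BinaryReader string table, where each record is a 7-bit-encoded byte length followed by UTF-16LE bytes. The key, IV and strings in the demo are constructed here, and the flag-piece indices (1, 2, 3) are an assumption; on the real binary they come from the IL success path.

```python
"""Unpack an encrypted .NET string-table resource and read it back.

Layout (from the writeup): 32-byte AES key || 16-byte IV || AES-CBC ciphertext.
The plaintext is a sequence of BinaryReader.ReadString() records: a 7-bit-encoded
byte length followed by that many UTF-16LE bytes (reader built with Encoding.Unicode).
Sample key, IV and strings below are constructed for the demo, not taken from Bypass.exe.
"""
import subprocess

KEY_LEN, IV_LEN, BLOCK = 32, 16, 16  # RijndaelManaged here: 256-bit key, 128-bit block/IV


def split_resource(blob):
    """Return (key, iv, ciphertext) and reject blobs that cannot be well-formed."""
    if len(blob) < KEY_LEN + IV_LEN + BLOCK:
        raise ValueError("resource too short to hold key, IV and one cipher block")
    key, iv, ct = blob[:KEY_LEN], blob[KEY_LEN:KEY_LEN + IV_LEN], blob[KEY_LEN + IV_LEN:]
    if len(ct) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    return key, iv, ct


def aes_cbc(key, iv, data, decrypt=True):
    """Raw AES-256-CBC, no padding handling; uses `cryptography` if installed, else the openssl CLI."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        ctx = Cipher(algorithms.AES(key), modes.CBC(iv))
        ctx = ctx.decryptor() if decrypt else ctx.encryptor()
        return ctx.update(data) + ctx.finalize()
    except ImportError:
        cmd = ["openssl", "enc", "-aes-256-cbc", "-nopad", "-K", key.hex(), "-iv", iv.hex()]
        if decrypt:
            cmd.append("-d")
        return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def pkcs7_unpad(data):
    """Strip PKCS#7 padding; an invalid pad usually means the wrong key/IV or corrupt data."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def read_7bit_int(buf, pos):
    """Decode BinaryReader's 7-bit-encoded Int32 at buf[pos]; returns (value, new_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated 7-bit length prefix")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:  # .NET rejects prefixes longer than five bytes
            raise ValueError("7-bit length prefix too long")


def write_7bit_int(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def parse_string_table(data, encoding="utf-16-le"):
    """Read consecutive ReadString() records until the table is exhausted."""
    strings, pos = [], 0
    while pos < len(data):
        length, pos = read_7bit_int(data, pos)
        if pos + length > len(data):
            raise ValueError("string record runs past the end of the table")
        strings.append(data[pos:pos + length].decode(encoding))
        pos += length
    return strings


def build_string_table(strings, encoding="utf-16-le"):
    """Inverse of parse_string_table; used only to construct sample data."""
    encoded = [s.encode(encoding) for s in strings]
    return b"".join(write_7bit_int(len(e)) + e for e in encoded)


def decrypt_resource(blob):
    key, iv, ct = split_resource(blob)
    return parse_string_table(pkcs7_unpad(aes_cbc(key, iv, ct)))


def reconstruct_flag(strings, indices):
    """Join the table entries the success path prints (prefix, body, suffix)."""
    return "".join(strings[i] for i in indices)


if __name__ == "__main__":
    key, iv = bytes(range(32)), bytes(range(100, 116))  # constructed, not the challenge's
    table = ["Enter the secret key:", "HTB{", "sample_flag_body", "}"]
    blob = key + iv + aes_cbc(key, iv, pkcs7_pad(build_string_table(table)), decrypt=False)
    strings = decrypt_resource(blob)
    for idx, s in enumerate(strings):
        print(f"[{idx}] {s!r}")
    print("flag:", reconstruct_flag(strings, (1, 2, 3)))  # indices are an assumption
```

Because the key and IV travel inside the resource, the only real work is recognising the layout; the padding check in pkcs7_unpad is what tells you the key/IV offsets were right before you try to read strings out of garbage.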
Solve
Run:
cd <local workspace>
python3 solve/solve.py
The solver parses the PE section table and CLR header, extracts the .NET manifest resource, decrypts it with OpenSSL <secret redacted>, parses the decrypted BinaryReader strings, and reconstructs the flag from the same string indices used by the IL success path. It writes the candidate to loot/flag-candidate.txt without printing it by default.
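The first stage the solver performs (PE section table to CLR header to manifest resource), as an added Python example that is not solve/solve.py: it follows e_lfanew to the PE header, reads data directory 14 (the CLR runtime header), maps RVAs to file offsets through the section table, then reads the Resources RVA/Size from the CLI header and pulls the resource at a given offset within that blob (0 for manifest resource 0, the one the static initializer loads). A minimal PE32 image with one section is constructed inside the block so the parser can run offline; on the real sample you would pass the bytes of Bypass.exe instead.

```python
"""Locate and extract a .NET manifest resource from a PE image.

Chain followed: MZ header -> e_lfanew -> PE/COFF header -> optional header ->
data directory 14 (CLR runtime header) -> IMAGE_COR20_HEADER.Resources ->
4-byte length prefix + resource bytes. build_sample_image() constructs a
minimal PE32 with one section so the parser can be exercised offline.
"""
import struct

CLR_DIRECTORY_INDEX = 14
COR20_HEADER_SIZE = 72


def parse_pe(img):
    """Return (sections, clr_rva, clr_size); each section is (va, vsize, raw_ptr, raw_size)."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", img, coff + 2)[0]
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic == 0x10B:    # PE32: data directories begin at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+: at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", img, dirs - 4)[0]  # NumberOfRvaAndSizes
    if ndirs <= CLR_DIRECTORY_INDEX:
        raise ValueError("optional header has no CLR runtime directory entry")
    clr_rva, clr_size = struct.unpack_from("<II", img, dirs + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0:
        raise ValueError("CLR directory is empty: not a managed assembly")
    sections = []
    for i in range(nsect):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, opt + opt_size + i * 40)
        sections.append((va, vsize, raw_ptr, raw_size))
    return sections, clr_rva, clr_size


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def extract_manifest_resource(img, resource_offset=0):
    """Return the bytes of the resource stored at `resource_offset` inside the Resources blob."""
    sections, clr_rva, clr_size = parse_pe(img)
    clr = rva_to_offset(sections, clr_rva)
    cb = struct.unpack_from("<I", img, clr)[0]
    if cb < COR20_HEADER_SIZE or clr_size < COR20_HEADER_SIZE:
        raise ValueError("CLR header too small")
    res_rva, res_size = struct.unpack_from("<II", img, clr + 24)  # Resources directory
    if res_rva == 0 or res_size == 0:
        raise ValueError("assembly carries no manifest resources")
    res = rva_to_offset(sections, res_rva)
    if resource_offset + 4 > res_size:
        raise ValueError("resource offset lies outside the Resources blob")
    length = struct.unpack_from("<I", img, res + resource_offset)[0]
    if resource_offset + 4 + length > res_size:
        raise ValueError("resource length runs past the Resources blob")
    start = res + resource_offset + 4
    return img[start:start + length]


def build_sample_image(payload):
    """Constructed minimal PE32 image: one section holding a CLI header and a single resource."""
    cli_rva, raw_ptr = 0x2000, 0x200
    res_dir = struct.pack("<I", len(payload)) + payload
    cor20 = struct.pack("<IHHIIIIII", COR20_HEADER_SIZE, 2, 5, 0, 0, 1, 0,
                        cli_rva + COR20_HEADER_SIZE, len(res_dir)) + b"\0" * 40
    body = cor20 + res_dir
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[CLR_DIRECTORY_INDEX] = (cli_rva, COR20_HEADER_SIZE)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), cli_rva, len(body), raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    sample = build_sample_image(b"constructed-resource-bytes")
    print(extract_manifest_resource(sample, 0))
```

The bounds checks against clr_size and res_size matter more than they look: an obfuscator that rewrites headers, or a truncated download, will otherwise hand you a silently wrong slice rather than an error.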
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
For easy .NET reversing challenges, checking CIL and managed resources can be faster than trying to execute or patch the binary. Obfuscated names do not hide control flow, resource loading, or framework crypto calls.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Bypass
- Category: Reversing
- Difficulty: Easy
- Mode: file
- Remote instance: none
- Start time: 2026-06-10T13:16:07Z
- Operator: harness
- State file: challenge-state.json
Harness Status
- Current phase: see challenge-state.json
- Next allowed actions: see next-action.json
- Raw flags and sensitive material stay in loot/ only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c736c-e653-4b63-a6fb-ddfb6ef531a7.zip | 4983 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 1 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-10T13:16:07Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-10T13:16:07Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-10T13:16:07Z | hypothesis recorded | hypothesis-board.md | Bypass client-side authentication by statically reversing the provided binary and extracting the key/flag-generation logic. | Medium | Extract the archive, identify binary/runtime, inspect strings/imports/IL or disassembly, and recover the key or patch/bypass condition locally. |
| 2026-06-10T13:16:07Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit |
| 2026-06-10T13:16:45Z | archive extraction | analysis/extracted-file-types.txt | ZIP contains Bypass.exe, a PE32 .NET console assembly targeting .NET Framework 4.5.2. | High | Inspect .NET metadata and resources |
| 2026-06-10T13:19:40Z | IL/resource analysis | analysis/il-disassembly.txt | Auth function always returns false; success path concatenates decrypted static strings. Manifest resource 0 contains encrypted string data. | High | Decrypt resource string table |
| 2026-06-10T13:22:40Z | resource decrypt | analysis/resource-decrypt-decoded-summary.txt, analysis/resource-strings-redacted.txt | Resource format is 32-byte AES key, 16-byte IV, and ciphertext; decrypted BinaryReader strings include key prompt and flag pieces. | High | Construct and capture flag |
| 2026-06-10T13:22:51Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-10T13:23:45Z | reproducible solve | solve/solve.py, analysis/solve-run.txt | Solver parses PE/CLI manifest resource, decrypts AES-CBC data, reconstructs the flag, and writes it to loot/ without printing by default. | High | Complete harness |
| 2026-06-10T13:25:45Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- Bypass.exe is a small obfuscated .NET console assembly.
- The main login branch calls an auth method that reads username/password but returns false unconditionally, so the client-side check is deliberately bypassable by static analysis.
- Method row 11 loads manifest resource 0, decrypts it, and populates static strings used by prompts, key validation, and flag construction.
- The decrypt helper uses RijndaelManaged with 128-bit block size and CBC mode. The encrypted resource starts with the key and IV, then the ciphertext.
- The success path prints a prefix, flag body, and suffix from the decrypted string table. The raw reconstructed flag is stored only in loot/flag.txt.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Bypass was an Easy Reversing challenge containing a small obfuscated .NET Framework console executable.
The useful path was:
- Extract the ZIP and identify the file as a PE32 .NET assembly.
- Inspect strings/metadata for framework calls. RijndaelManaged, GetManifestResourceStream, BinaryReader, and ReadString indicated encrypted embedded strings.
- Disassemble CIL rather than chasing obfuscated type/method names.
- Observe the login method reads username/password but returns false unconditionally, making normal auth impossible.
- Observe the static initializer loads managed resource 0, decrypts it, and reads a string table.
- Decrypt the resource as 32-byte AES key || 16-byte IV || <secret redacted> ciphertext.
- Parse the decrypted data as BinaryReader UTF-16LE strings.
- Reconstruct the flag from the same prefix/body/suffix string indices used by the success path.
Reusable lesson: in obfuscated .NET challenge binaries, resource-loader and crypto calls often expose the intended bypass faster than patching. Even with numeric method names, IL tokens reveal the real control flow and string construction.
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Bypass client-side authentication by statically reversing the provided binary and extracting the key/flag-generation logic. | Challenge is Reversing/Easy and scenario says 'The Client is in full control. Bypass the authentication and read the key to get the Flag.' | Extract the archive, identify binary/runtime, inspect strings/imports/IL or disassembly, and recover the key or patch/bypass condition locally. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
Technical analogy
How to remember this solve
Think of it like taking apart a small appliance on a workbench. You do not need every screw at once; you trace the control path and rebuild just enough logic to make it reveal the answer.
For Bypass, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.