CTF - Static Ain't Always Noise (picoCTF)


This problem is taken from picoCTF 2021.

The solution is discussed below. Proceed with caution.

The problem provides two files to be downloaded:

  • ltdis.sh (from BASH script link)

  • static

Let's discuss the ltdis.sh file to get a better understanding of the challenge.

#!/bin/bash

echo "Attempting disassembly of $1 ..."

#This usage of "objdump" disassembles all (-D) of the first file given by 
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...

objdump -Dj .text $1 > $1.ltdis.x86_64.txt

#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
    echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

    echo "Ripping strings from binary with file offsets..."
    strings -a -t x $1 > $1.ltdis.strings.txt
    echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"

else
    echo "Disassembly failed!"
    echo "Usage: ltdis.sh <program-file>"
    echo "Bye!"
fi

Having read the contents of the file and confirmed that there is nothing "fishy" in it, let's try to run it. We need to change the permissions first and then execute the file.

chmod +x ltdis.sh
./ltdis.sh

The following output is produced.

It seems our attempt failed. Based on the usage message in the output, a <program-file> argument needs to be provided.

This is confirmed if we look closely at the script. Mainly, the bash script attempts to disassemble an executable file, given as $1, using the Linux command objdump.

objdump -Dj .text $1 > $1.ltdis.x86_64.txt

Given this information, we know we need an executable file to pass to this bash script.

If we run the following:

file static

We can confirm that the static file is an executable file.

So let's make another attempt, this time providing the static file as an argument.

./ltdis.sh static

So let's open the produced static.ltdis.strings.txt.

Voila. We found the flag among the lines.

So the flag is: picoCTF{d15a5m_t34s3r_98d35619}.

But let's dig deeper to deepen our knowledge.

It seems the following line in our ltdis.sh file is responsible for extracting the flag:

strings -a -t x $1 > $1.ltdis.strings.txt

So what is the strings command?

According to How to Geek, it is a Linux command that pulls text out of a binary or data file, such as a program file. It extracts strings from a file (or even memory). This is very useful in our case, because if we view the contents of the static file in a text editor we see mostly human-unreadable characters.

Why do we just see these characters and not the ones that we extracted using the ./ltdis.sh static command?

Well, it seems that text editors have difficulty handling non-printable characters, and a compiled program consists mostly of bytes that are not text.

This is where the strings command comes in handy.

We would have also found the flag if we ran:

strings static
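
To see what strings -a -t x is doing under the hood, here is a small Python sketch of the same idea. It is an example added to this write-up, not part of the challenge files; the sample bytes and the flag inside them are constructed, and treating tab plus ASCII 0x20-0x7e as "printable" is an assumption that approximates the tool's default behaviour.

```python
import re
import sys

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")  # flag format seen in this write-up

def extract_strings(data: bytes, min_len: int = 4):
    """Return [(offset, text)] for every run of >= min_len printable bytes.

    Assumption: "printable" means tab or ASCII 0x20-0x7e, scanning the
    whole file the way `strings -a` does.
    """
    run = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(data)]

def format_hex(entries):
    """Render each entry with a hexadecimal file offset, as `-t x` does."""
    return ["%7x %s" % (off, text) for off, text in entries]

def find_flags(entries):
    """Keep only the strings that contain something shaped like a flag."""
    hits = []
    for off, text in entries:
        m = FLAG_RE.search(text)
        if m:
            hits.append((off + m.start(), m.group()))
    return hits

# Constructed sample standing in for a compiled binary: header-like bytes,
# machine-code-like bytes, and two NUL-terminated strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # "ELF" is only 3 chars: skipped
    + b"\x55\x48\x89\xe5\xc3\x00\x01\x02"      # "UH" is only 2 chars: skipped
    + b"hello from main\x00"
    + b"\xff\xfe\x00ab\x00"                    # "ab" is too short as well
    + b"picoCTF{constructed_example}\x00"      # constructed, not the real flag
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    entries = extract_strings(data)
    print("\n".join(format_hex(entries)))
    for off, flag in find_flags(entries):
        print("flag candidate at offset 0x%x: %s" % (off, flag))
```

The short runs ("ELF", "UH", "ab") are dropped because they are under four characters, which is why the output of strings is so much cleaner than what a text editor shows.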

Until next time. Keep learning.

Stay stoked and code. :)

