This problem is taken from PICO CTF 2021.
The solution is discussed below. Proceed with caution.
The problem provides two files to be downloaded: ltdis.sh (a BASH script) and static.
Let's discuss the ltdis.sh file to get a better understanding of the challenge.
#!/bin/bash
echo "Attempting disassembly of $1 ..."
#This usage of "objdump" disassembles all (-D) of the first file given by
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...)
objdump -Dj .text $1 > $1.ltdis.x86_64.txt
#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject
if [ -s "$1.ltdis.x86_64.txt" ]
then
    echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"
    echo "Ripping strings from binary with file offsets..."
    strings -a -t x $1 > $1.ltdis.strings.txt
    echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"
else
    echo "Disassembly failed!"
    echo "Usage: ltdis.sh <program-file>"
    echo "Bye!"
fi
After reading the contents of the file and confirming that there is nothing "fishy" in it, let's try to run it. We need to make it executable first and then run it.
chmod +x ltdis.sh
./ltdis.sh
The following output is produced. It seems our attempt failed: based on the message in the output, a <program-file> argument needs to be provided.
This is confirmed if we look more closely at the file. Mainly, the bash script will attempt to disassemble an executable file given by $1 using the Linux command objdump:
objdump -Dj .text $1 > $1.ltdis.x86_64.txt
Given this information, we know we need to provide an executable file to this bash script. If we run the following:
file static
we can confirm that the static file is an executable. So let's make another attempt, but this time providing the static file as an argument:
./ltdis.sh static
Now let's open the produced static.ltdis.strings.txt file.
Voila. We found the flag among the lines.
So the flag is: picoCTF{d15a5m_t34s3r_98d35619}.
But let's dig a little deeper to extend our knowledge.
It seems the following line in our ltdis.sh file is responsible for extracting the flag:
strings -a -t x $1 > $1.ltdis.strings.txt
So what is the strings command?
According to How to Geek, it is a Linux command that pulls the text out of a binary or data file, such as a program file. It extracts strings from a file (or even from memory). This is very useful in our case, because if we view the content of the static file in a text editor we see mostly human-unreadable characters.
Why do we see these characters and not the ones we extracted using the ./ltdis.sh static command?
Well, it seems that text programs have difficulty handling non-printable characters. This is where the strings command comes in handy.
We would have also found the flag if we ran:
strings static
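To make the behaviour of strings concrete, here is an added example that is not part of the original write-up or of the picoCTF challenge files. It builds a small constructed file that mixes non-printable bytes with runs of ASCII text (the flag inside it is a placeholder, not the real one), then reproduces the core idea of strings with tr and grep: every non-printable byte becomes a line break, and only runs of at least four printable characters survive, which is the default minimum length of strings. The file path and the function names are assumptions for this example. In ltdis.sh the -a flag makes strings scan the whole file rather than only the loadable sections, and -t x prefixes each string with its file offset in hexadecimal, which this simplified version does not print.

```shell
# Added example, not from the original write-up or the picoCTF challenge.
# Builds a constructed binary-like file and extracts its printable runs the
# way strings(1) does, then pulls out the picoCTF{...} pattern.

# Write the constructed sample file to the path given as $1.
# Octal escapes keep this portable to any POSIX printf.
make_sample() {
  printf '\177ELF\001\002\000\000ab\000' > "$1"
  printf 'picoCTF{placeholder_not_the_real_flag}' >> "$1"
  printf '\000\001\002\003hi\000\000end\000' >> "$1"
}

# Poor man's strings: turn every non-printable byte into a newline and keep
# only lines of at least 4 printable characters (the strings default).
# LC_ALL=C makes tr work byte by byte instead of trying to decode UTF-8.
extract_strings() {
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Filter the extracted strings down to anything shaped like a picoCTF flag.
find_flag() {
  extract_strings "$1" | grep -o 'picoCTF{[^}]*}'
}

# Stand-alone usage: build the sample in a temp dir and show what we recover.
tmp=$(mktemp -d)
make_sample "$tmp/static-sample"
echo "Printable runs in $tmp/static-sample:"
extract_strings "$tmp/static-sample"
echo "Flag candidate: $(find_flag "$tmp/static-sample")"
rm -r "$tmp"
```

Running it prints a single printable run, the placeholder flag, because the short fragments "ELF", "ab", "hi" and "end" are below the four-character minimum and get dropped just as strings would drop them. This is also why the real strings output for static is a long list rather than the whole file: everything between printable runs is thrown away.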
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)