https://play.picoctf.org/practice/challenge/163

Description:

Can you look at the data in this binary: static? This BASH script might help!

Solution:

So I had seen the term ‘bash’ around quite a bit but didn’t actually know what it was or what it meant. A search for ‘bash script’ gave me: 

“A Bash script is a text file containing a series of commands. Any command that can be executed in the terminal can be put into a Bash script. Any series of commands to be executed in the terminal can be written in a text file, in that order, as a Bash script.”

Not complicated. But how to set it in motion? That’s not difficult either:

bash filename.sh

I used wget to get the script downloaded and that gave me a file: ltdis.sh

#!/bin/bash

echo "Attempting disassembly of $1 ..."

#This usage of "objdump" disassembles all (-D) of the first file given by 
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...)
#"$1" is quoted so that file names containing spaces still work

objdump -Dj .text "$1" > "$1.ltdis.x86_64.txt"

#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
		echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

		echo "Ripping strings from binary with file offsets..."
		#-a scans the whole file, -t x prefixes each string with its hex offset
		strings -a -t x "$1" > "$1.ltdis.strings.txt"
		echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"

else
		echo "Disassembly failed!"
		echo "Usage: ltdis.sh <program-file>"
		echo "Bye!"
fi


This turns out to be an if statement and tells you what you are looking out for with a successful outcome. “Disassembly successful!” At this stage I don’t understand the detail contained in this script but I knew enough to run it and hopefully find a flag. But how to insert the ‘static’ file into the script?

Using wget to download the ‘static’ file, the obvious thing to then try was just putting the filename after the bash script command in the webshell:

bash ltdis.sh static

And yes that worked:

Attempting disassembly of static ...
Disassembly successful! Available at: static.ltdis.x86_64.txt
Ripping strings from binary with file offsets...
Any strings found in static have been written to static.ltdis.strings.txt with file offset

and gave me two more files: static.ltdis.x86_64.txt and static.ltdis.strings.txt, the second of which contained the flag.
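
What the "strings -a -t x" step of ltdis.sh does under the hood, as an added example that is not part of the original write-up or of the challenge's script: it scans the raw bytes for runs of printable characters and records where each run starts in the file. The sample bytes are constructed, not the real ‘static’ binary, and the picoCTF{...} flag pattern and all function names are assumptions made for the example.

```python
import re

# Constructed sample standing in for a compiled binary: an ELF-style header,
# padding, and embedded ASCII strings. This is NOT the challenge file.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x01\x02\x03abc\x00"                      # run of 3: too short to report
    + b"picoCTF{constructed_example_flag}\x00"    # constructed placeholder flag
)

# Assumed flag format for the example.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def ascii_strings(data, min_len=4):
    """Yield (offset, text) for every run of at least min_len printable
    ASCII bytes (space through '~', plus tab), the default rule of `strings`."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def strings_listing(data, min_len=4):
    """Format lines like `strings -a -t x`: hex file offset, then the string."""
    return ["%7x %s" % (off, s) for off, s in ascii_strings(data, min_len)]


def find_flags(data):
    """Return (hex_offset, flag) pairs; the offset points at the flag itself,
    even when it sits in the middle of a longer printable run."""
    hits = []
    for off, s in ascii_strings(data):
        for m in FLAG_RE.finditer(s):
            hits.append((hex(off + m.start()), m.group()))
    return hits


if __name__ == "__main__":
    print("\n".join(strings_listing(SAMPLE)))
    for offset, flag in find_flags(SAMPLE):
        # Read the bytes back at the reported offset to confirm it is correct.
        start = int(offset, 16)
        assert SAMPLE[start:start + len(flag)] == flag.encode("ascii")
        print("flag at", offset, "->", flag)
```

On the real output file, the same filter is a single search of static.ltdis.strings.txt for the flag prefix.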