2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What is a reverse-engineering introduction to Linux CTF? This article works through that question in detail with a concrete analysis and solution, in the hope of giving readers who want to tackle such problems a simpler, practical way in.
1.ELF format
Let's take a look at the ELF header first, and if you want to know more about it, you can check out ELF's man page document.
A more detailed explanation of two ELF fields:
e_shoff: the file offset of the section header table, in bytes. If the file has no section header table, this member is zero.
sh_offset: the distance, in bytes, of a section from the beginning of the file.
2. Executable header (Executable Header)
The first part of an ELF file is the executable header (Executable Header), which contains information about the ELF file's type. ELF files are common across platforms and come in 32-bit and 64-bit versions; their headers hold the same fields, except that some members differ in size. The two header structures are called "Elf32_Ehdr" and "Elf64_Ehdr". Take the 32-bit version as an example:
Using readelf to analyze the ELF file format
We can calculate the size of the entire binary file as follows:
Size = e_shoff + (e_shnum * e_shentsize)
size = Start of section headers + (Number of section headers * Size of section headers)
size = 137000 + (29 * 64) = 138856
Verification of the calculation result:
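As an added example (not part of the original article), the following Python parses the executable header of an ELF image with the struct module and applies the size formula above. The header it parses is constructed inline with the e_shoff, e_shnum and e_shentsize values shown in the readelf output (137000, 29, 64); the other header values are made-up but plausible for an x86-64 executable.

```python
import struct

# Elf32_Ehdr / Elf64_Ehdr field layouts; the byte-order prefix is added at parse time.
_EHDR_FMT = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}  # EI_CLASS 1 = 32-bit, 2 = 64-bit
_EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
                "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
                "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")

def parse_ehdr(data: bytes) -> dict:
    """Decode the executable header at the start of an ELF image into a dict."""
    if data[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA from e_ident
    if ei_class not in _EHDR_FMT or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    fmt = ("<" if ei_data == 1 else ">") + _EHDR_FMT[ei_class]
    size = struct.calcsize(fmt)                   # 52 for ELF32, 64 for ELF64
    if len(data) < size:
        raise ValueError("truncated ELF header")
    return dict(zip(_EHDR_FIELDS, struct.unpack(fmt, data[:size])))

def expected_size(ehdr: dict):
    """The article's formula: e_shoff + e_shnum * e_shentsize; None if there is no section header table."""
    if ehdr["e_shoff"] == 0:
        return None
    return ehdr["e_shoff"] + ehdr["e_shnum"] * ehdr["e_shentsize"]

def size_status(data: bytes) -> str:
    """Compare the computed size with the real length: consistent, stripped table, or data appended/truncated."""
    exp = expected_size(parse_ehdr(data[:64]))
    if exp is None:
        return "no section header table (possibly stripped)"
    if exp == len(data):
        return "consistent"
    return "trailing data" if len(data) > exp else "shorter than header claims"

def build_sample_header(shoff=137000, shnum=29, shentsize=64) -> bytes:
    """Constructed 64-byte ELF64 LSB x86-64 header (sample data, not the challenge binary)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class 64, little-endian, v1
    return struct.pack("<" + _EHDR_FMT[2], e_ident, 2, 0x3E, 1, 0x401000, 64,
                       shoff, 0, 64, 56, 9, shentsize, shnum, 28)

if __name__ == "__main__":
    print(expected_size(parse_ehdr(build_sample_header())))  # 138856
```

A mismatch between the computed size and the real file size is a quick way to notice a stripped section header table or data appended after the last section header.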
3. Program header (Program Headers)
The program header describes the segments in the file, which tell the system how to create a process image.
4. Section table header (Section Headers)
The section header table (Section Headers) contains information describing each section of the file, such as its size and offset, but this information is not needed for the execution flow of the binary.
Sections vs. segments: segments describe the ELF file from the run-time point of view, while sections describe it from the linking point of view. That is, in the link phase we can ignore the program header table when handling the file, and at run time we can ignore the section header table when handling the program (which is why many hardening techniques simply remove the section header table). We can also see from the figure that segments and sections nest: a segment contains several sections.
5. Sections (Section)
5.1 .bss Section
Save uninitialized data, such as uninitialized global variables.
5.2 .data Section
Save initialized data.
5.3 .rodata Section
Save the read-only data in the program.
5.4 .text Section
This section contains the actual code and logical flow of the program. Use readelf to view the section structure of an ELF file:
6. Complete a simple CTF challenge
Now that you know something about ELF files, let's find a CTF challenge to try.
Download address of binary file: https://ufile.io/blvpm
Domestic download: www.lanzous.com/i34qg6f
1. Run the program and pass some random characters to it. The result is as follows:
2. Then use strings to look at the strings in the program and see if we can find useful information:
We can see that "%c" is the format string used to print the flag, and the number is 15.
3. We can check the offset of the ".rodata" section to better view these characters.
4. Check the symbol table (Symbols). The nm command lists the symbols of an object or library file:
Description: -D or --dynamic displays dynamic symbols. This option makes sense only for dynamic objects (such as certain types of shared libraries). We can find the printf, puts, sprintf and strlen functions; these functions are not defined in the binary itself (they are imported from a library).
5. Tracking system calls (System Calls). We can use tools such as strace to trace the system calls a program makes:
To understand more, we can use ltrace, which traces the library calls the program makes by function name (the -C option demangles C++ names). We can see that a string-length check is performed.
In this binary the symbols are not stripped, so we can see the function names, which makes the program easier to understand. If you can read assembly, you can tell exactly what happens. If you cannot, let's do some live debugging and try to understand it better.
7. Live debugging (Real-time debugging)
Here we use GDB-Peda for live debugging. We first list the functions in the binary file; we can see functions such as main and comp_key.
Debugging method: first set a breakpoint on the main function with break main and run to it, then use n to step over source lines and ni to execute one instruction at a time.
Let's look at the program's logic. It first compares the number of arguments: the count is stored in the ecx register and moved to esi, which is then compared with 0x2.
The pseudocode looks like this:
The code looks like this:
If you look at this code, you can see a loop iterating over each character of the string we enter.
How many characters does it loop over? Seven; in other words, our password is 7 characters long.
The code looks like this:
As you can see, if the sum of the 7 characters equals 801, you get the flag. You can use any characters, as long as their sum is 801. When the check passes, the comp_key function is called and prints the flag. For example: 114 * 6 + 117 = 801. The ASCII character with value 114 is 'r', and 117 is 'u'.
Then we pass those characters as input and run the program to get the FLAG:
That concludes this introduction to reverse engineering for Linux CTF. I hope the content above has been of some help; if you still have questions, you can follow the industry information channel to learn more.