Here’s a writeup of another side quest that required some light reversing of an ELF binary.

Side Quest: Linux Process Investigation

Linux Process Investigation Objective

We’re given an ELF binary that seems to be missing a registration file. No other errors are shown, so we’ll need to start tracing the process using a couple of tools: strace and ltrace.

With strace, we can view the system calls. Special flags can filter the output but, to keep it basic, I ran it without any parameters.

strace command

In the output, we can see the openat syscall for a registration.json file.

strace output - openat

Just for kicks, I created an empty file named registration.json to see if it worked or if any useful errors could be found. But no such luck!

Try #1

Syscalls can only get you so far, so we’ll need to pull out ltrace for more information. With ltrace, we can view library calls. From this initial run, we can see the strstr function comparing the file contents with the expected value (in this case, the keyword Registration).

ltrace output - #1

Now it’s just a process of running ltrace to see what values it expects and adding those values to the registration.json file.

ltrace output - #2

ltrace output - #3

ltrace output - #4

Unfortunately, I wasn’t able to get a screenshot of a successful run because, once you are able to run make_the_candy, ASCII art starts to flow across the screen. However, to recap, the answer is to create the file registration.json with the contents:

Registration:True
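To make the pattern behind those traces concrete, here is an added example that is not code from the challenge: a constructed C stand-in (not the make_the_candy binary) that opens registration.json and checks its contents with successive strstr calls. Only the file name and the Registration keyword come from the traces described above; the `:` and `True` keywords are assumed from the final answer, and the function names and messages are hypothetical.

```c
/* Constructed stand-in for the kind of check traced in this writeup.
 * It is NOT the challenge binary: the later keywords are assumptions. */
#include <stdio.h>
#include <string.h>

/* Keywords searched for in order. Each strstr() is a library call, so its
 * arguments (including the expected keyword) are what ltrace reports. */
static const char *const NEEDLES[] = { "Registration", ":", "True" };
#define N_NEEDLES (sizeof NEEDLES / sizeof NEEDLES[0])

/* Returns how many keywords matched in sequence; N_NEEDLES means success. */
size_t check_registration(const char *contents)
{
    const char *pos = contents;
    size_t matched = 0;
    while (matched < N_NEEDLES) {
        const char *hit = strstr(pos, NEEDLES[matched]);
        if (hit == NULL)
            break;              /* first failing keyword ends the check */
        pos = hit + strlen(NEEDLES[matched]);
        matched++;
    }
    return matched;
}

/* Reads the file (the open is the step a syscall trace exposes) and
 * returns the number of matched keywords, or -1 if it cannot be opened. */
int check_file(const char *path)
{
    char buf[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;              /* missing file: nothing to compare yet */
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return (int)check_registration(buf);
}

int main(void)
{
    int stage = check_file("registration.json");
    if (stage < 0) { puts("registration file missing"); return 1; }
    if ((size_t)stage < N_NEEDLES) { puts("registration invalid"); return 1; }
    puts("registered");
    return 0;
}
```

An empty registration.json gets past the open but fails on the first keyword, which is why the empty-file attempt gave no useful error and the library-call trace was needed to see what was expected.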

To see my other writeups for this CTF, check out the tag #kringlecon-2021.
