Today’s sample was one of the RE challenges during CSAW 2019. CSAW is a beginner-friendly CTF, but I found this challenge was not so simple.
| binary | beleaf |
|---|---|
| sha256 | bb28a152966bed0a369f30149a912982ea33b408794bfbd82e73c87ff4e184ff |
Running `file` reveals that this is a 64-bit position-independent ELF executable, and that it is stripped. This means debugging information has been removed, along with symbols and other information that would help us reverse this sample :(
```
file beleaf
beleaf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped
```
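The properties described above can also be read directly from the ELF headers. The following is an added example, not part of the original write-up: it parses the ELF64 header and section header table and reports whether the image is `ET_DYN` and whether `.symtab` and `.dynsym` section types are present. The names `triage` and `build_sample` are chosen here, and the two sample images are constructed inline rather than taken from beleaf.

```python
import struct, sys

ET_DYN, SHT_SYMTAB, SHT_DYNSYM = 3, 2, 11
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, little-endian

def triage(data):
    """Return (is_et_dyn, has_symtab, has_dynsym) for an ELF64 LSB image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("only ELF64 little-endian is handled")
    hdr = EHDR.unpack_from(data)
    e_type, e_shoff, e_shentsize, e_shnum = hdr[1], hdr[6], hdr[11], hdr[12]
    types = set()
    if e_shoff:  # a file may carry no section header table at all
        if e_shentsize != SHDR.size or e_shoff + e_shnum * e_shentsize > len(data):
            raise ValueError("section header table malformed or truncated")
        for i in range(e_shnum):
            types.add(SHDR.unpack_from(data, e_shoff + i * e_shentsize)[1])
    # ET_DYN covers PIE executables and shared objects alike.
    return e_type == ET_DYN, SHT_SYMTAB in types, SHT_DYNSYM in types

def build_sample(section_types, e_type=ET_DYN):
    """Constructed image: an ELF64 header followed only by section headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, 0, EHDR.size, 0,
                     EHDR.size, 0, 0, SHDR.size, len(section_types), 0)
    return ehdr + b"".join(SHDR.pack(0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                           for t in section_types)

# Constructed samples: NULL, PROGBITS, DYNSYM, (SYMTAB,) STRTAB
STRIPPED = build_sample([0, 1, 11, 3])
UNSTRIPPED = build_sample([0, 1, 11, 2, 3])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STRIPPED
    et_dyn, symtab, dynsym = triage(data)
    print("ET_DYN (position-independent):", et_dyn)
    print("stripped (.symtab absent):", not symtab)
    print("dynamic symbols still present (.dynsym):", dynsym)
```

Stripping removes `.symtab`, but a dynamically linked binary keeps `.dynsym` because the loader needs it, so imported library function names remain available during analysis.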
As we can see from readelf, the symbol table has been removed: