Tag: Golang

0x05 - CSAW 2019 beleaf

Today’s sample was one of the RE challenges during CSAW 2019. CSAW is a beginner-friendly CTF, but I found this challenge was not so simple.

binary beleaf
sha256 bb28a152966bed0a369f30149a912982ea33b408794bfbd82e73c87ff4e184ff

Running file reveals that this is a 64-bit position-independent ELF executable, and that it is stripped. This means debugging information has been removed, as well as symbols and other stuff that would help us reverse this sample :(

file beleaf
beleaf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped

As we can see from readelf, the symbol table has been removed:

0x03 - rev by helithumper

binary rev
sha256 2b704c51b17fe6ed1461f4068eb7d8824a7a66d37eae56dc9adcf0d2cbd0cce2

This is a very straightforward one by helithumper, called rev. It’s another 64-bit, non-stripped ELF:

❯ file rev
rev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e4dbcb1281821db359d566c68fea7380aeb27378, for GNU/Linux 3.2.0, not stripped
❯ nm rev
0000000000004010 B __bss_start
                 U calloc@@GLIBC_2.2.5
0000000000004010 b completed.7963
                 w __cxa_finalize@@GLIBC_2.2.5
0000000000004000 D __data_start
0000000000004000 W data_start
00000000000010c0 t deregister_tm_clones
0000000000001130 t __do_global_dtors_aux
0000000000003da0 d __do_global_dtors_aux_fini_array_entry
0000000000004008 D __dso_handle
0000000000003da8 d _DYNAMIC
0000000000004010 D _edata
0000000000004018 B _end
0000000000001334 T _fini
0000000000001170 t frame_dummy
0000000000003d98 d __frame_dummy_init_array_entry
00000000000021ec r __FRAME_END__
0000000000003f98 d _GLOBAL_OFFSET_TABLE_
                 w __gmon_start__
0000000000002080 r __GNU_EH_FRAME_HDR
0000000000001000 t _init
0000000000003da0 d __init_array_end
0000000000003d98 d __init_array_start
0000000000002000 R _IO_stdin_used
                 U __isoc99_scanf@@GLIBC_2.7
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
0000000000001330 T __libc_csu_fini
00000000000012d0 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
0000000000001175 T main
                 U puts@@GLIBC_2.2.5
00000000000010f0 t register_tm_clones
                 U __stack_chk_fail@@GLIBC_2.4
0000000000001090 T _start
                 U strlen@@GLIBC_2.2.5
0000000000004010 D __TMC_END__
00000000000011ea T validate

Since this binary isn’t stripped, we of course have some symbols available to us. There is a function called validate which sounds interesting, and we also have main: