Our EXPLOIT THIS CTF is tailored to hackers and enthusiasts alike who share a passion for all things embedded, IoT or hardware related.
The Elves Magic is a 50 point CTF challenge brought to you by Exploit Security. This and other CTF challenges can be found at https://exploitthis.ctfd.io.
This blog post steps through this simple challenge using a systematic methodology, which helps build technical capability that can be applied to real-world technical challenges.
Task: The participant is tasked with examining a given file, with the caption, "Flag is found when unlocking the elf's magic".
As with most cyber security problems, it is wise to start with your intuition, and here that means paying close attention to the wording of the challenge in order to build a plan of attack. In this instance the participant should notice that the caption mentions the "elf's" magic, from which we can infer that the file we are most likely dealing with is an ELF file.
A great all-round utility, frequently used within CTF challenges, is the *nix file utility. file is a command line tool that can be used to ascertain a file's type, e.g. PE (Windows Portable Executable) or ELF (Linux Executable and Linkable Format).
Using the file utility, we find that the challenge file does not bear any resemblance to a known format and is instead reported as a generic "data" file type.
The file utility uses three sets of tests, performed in this order: filesystem tests, magic tests, and language tests. The first test that succeeds causes the file type to be printed.
File Type
The type printed will usually contain one of the words:
text (the file contains only printing characters and a few common control characters and is probably safe to read on an ASCII terminal)
executable (the file contains the result of compiling a program in a form understandable to some UNIX kernel or another), or
data, meaning anything else (data is usually "binary" or non-printable).
Test Type
The filesystem tests are based on examining the return from a stat(2) system call.
The magic tests are used to check for files with data in particular fixed formats. These files have a "magic number" stored in a particular place near the beginning of the file that tells the UNIX operating system that the file is a binary executable.
The language tests examine whether the file seems to be a text file. ASCII, ISO-8859-x, non-ISO 8-bit extended-ASCII character sets (such as those used on Macintosh and IBM PC systems), UTF-8-encoded Unicode, UTF-16-encoded Unicode, and EBCDIC character sets can be distinguished by the different ranges and sequences of bytes that constitute printable text in each set. If a file passes any of these tests, its character set is reported. ASCII, ISO-8859-x, UTF-8, and extended-ASCII files are identified as "text" because they will be mostly readable on nearly any terminal.
Any file that cannot be identified as having been written in any of the character sets listed above is simply said to be “data”.
Taking a closer look at the file, this time using the strings utility, we notice a few interesting entries in the output. One entry worth a mention is libc.so.6. The presence of the libc.so.6 and GCC strings strongly suggests that the executable was compiled with the GNU C Compiler, linking against the standard C library.
This small piece of information, alongside the ELF theme of the challenge, leads us to believe that this file is most likely an ELF executable. So why is it that we are not able to execute it at the command line?
To help answer this question we turn to another *nix utility, readelf, which displays various pieces of information about ELF files, including the Class, Data, Version, Machine architecture and Magic Number. It is the latter, the Magic Number, that determines the file type itself, as described above.
Let's look at the output as shown by readelf when we run it against our challenge file.
As can be seen, readelf does not classify this challenge file as a valid ELF, because the "magic bytes" at the beginning of the file header are incorrect.
Let's look at what these magic bytes are supposed to look like!
As can be seen, a correct header should begin like the above, i.e. 0x7f 0x45 0x4c 0x46 followed by the class byte 0x02.
If we examine our challenge file using the hexdump utility, we notice that it does not resemble this in the slightest!
Let's turn to another utility, hexeditor, to rectify this for us, taking into consideration the CLASS (32- or 64-bit), endianness (little or big) and version. hexeditor allows us to edit the binary's hex bytes through a reasonably intuitive editor interface.
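The same inspection and repair can be scripted. The following is an added example, not code from the Exploit Security write-up: it decodes the e_ident block that readelf reports on, and rewrites only the four magic bytes while keeping the class, data encoding and version the file already carries. The broken header used as input is constructed for the example.

```python
# Added example: inspect and repair the ELF identification bytes (e_ident)
# of a file whose magic has been damaged, as in the Elves Magic challenge.
import struct
import sys

ELF_MAGIC = b"\x7fELF"                   # 0x7f 0x45 0x4c 0x46
EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6  # byte offsets within e_ident
CLASSES = {1: "ELF32", 2: "ELF64"}
ENCODINGS = {1: "2's complement, little endian",
             2: "2's complement, big endian"}


def inspect_ident(data: bytes) -> dict:
    """Decode the first 16 bytes (e_ident) much as readelf -h reports them."""
    if len(data) < 16:
        raise ValueError("file too short to hold an ELF identification block")
    ident = data[:16]
    return {
        "magic_ok": ident[:4] == ELF_MAGIC,
        "class": CLASSES.get(ident[EI_CLASS], "invalid class %d" % ident[EI_CLASS]),
        "data": ENCODINGS.get(ident[EI_DATA], "invalid data encoding %d" % ident[EI_DATA]),
        "version": ident[EI_VERSION],
    }


def repair_magic(data: bytes) -> bytes:
    """Return a copy with the correct magic; class, data and version are left as found."""
    info = inspect_ident(data)
    if (info["class"].startswith("invalid") or info["data"].startswith("invalid")
            or info["version"] != 1):
        # Only the magic is repaired here; other bad e_ident fields need a closer look.
        raise ValueError("e_ident fields other than the magic look wrong: %r" % info)
    return ELF_MAGIC + data[4:]


# Constructed sample: a 64-byte ELF64 little-endian header (e_type=EXEC,
# e_machine=62 x86-64, e_version=1) whose first four bytes were zeroed.
BROKEN_HEADER = (b"\x00\x00\x00\x00" + b"\x02\x01\x01" + b"\x00" * 9
                 + struct.pack("<HHI", 2, 62, 1) + b"\x00" * 40)

if __name__ == "__main__":
    # Usage: python repair_elf.py <broken_file> <fixed_file>
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else BROKEN_HEADER
    print("before:", inspect_ident(blob))
    fixed = repair_magic(blob)
    print("after: ", inspect_ident(fixed))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
```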
Now when the file utility is run against the challenge file we receive the following output, which indicates that we may have resolved our issue.
We can now successfully execute the challenge file to reveal the flag!
The Security Team at Exploit Security hopes that this simple walk-through has illuminated some concepts that will be useful to you!