Tags: bruteforce 

## 102 ELF Crumble ##

(warmup)

**Files provided**

- `broken`
- `fragment_1.dat`
- `fragment_2.dat`
- `fragment_3.dat`
- `fragment_4.dat`
- `fragment_5.dat`
- `fragment_6.dat`
- `fragment_7.dat`
- `fragment_8.dat`

**Description**

We were given an executable, `broken`, which has a big hole in the middle, filled with X's. The size of the hole is the same as all the fragment sizes added up, so it was quite clear we were meant to assemble the fragments into the binary in the correct order.

**Solution**

Inspecting the fragments (checking alignment and where instructions begin and end) would certainly help. But, since the CTF started at 1am for me and I wanted to sleep before starting for real, the lazy (but computer-time-intensive) solution is to assemble the binary in every possible order, then run them all. Script:

```bash
#!/bin/bash

# `broken` parts before and after the hole
# (the hole occupies bytes 1453 through 2259; its size equals the fragments' total size)
dd bs=1 count=1453 if=broken of=broken_pre
dd bs=1 skip=2260 if=broken of=broken_post
echo "prefix and postfix created ..."

# permutation function, from https://stackoverflow.com/a/3846321
# prints every ordering of the characters of $1, one per line
function perm() {
    local fragments="$1"
    local order="$2"
    local i
    [[ "$fragments" == "" ]] && echo "$order" && return
    for (( i=0; i<${#fragments}; i++ )); do
        perm "${fragments:0:i}${fragments:i+1}" "$order${fragments:i:1}"
    done
}

# assemble all 8! = 40320 permutations into binaries
mkdir -p perm
fragments="12345678"
perm "$fragments" | while read -r order; do
    ((count++))
    echo "$count: $order"
    (
        cat broken_pre
        for (( i=0; i<${#order}; i++ )); do
            cat "fragment_${order:i:1}.dat"
        done
        cat broken_post
    ) > "perm/$order"
    chmod +x "perm/$order"
done
echo "binaries generated ..."

# run all binaries in parallel; stdout goes to out/, stderr stays on the terminal
mkdir -p out
for f in perm/*; do
    ( ("$f" 2>&1 >"out/$(basename "$f").txt") &)
done
echo "binaries executed ..."

# collect the non-empty outputs (`-type f`: GNU find rejects `-type file`)
printf "flag: "
find out -type f -not -empty -exec cat {} \;
```

After some time, it prints `welcOOOme`.
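As an added example (not part of the original writeup), the same splice-and-permute step in Python: it locates the hole by scanning the file for the long run of `X` bytes instead of hard-coding the offsets 1453 and 2260, checks that the fragments fit the hole exactly before generating anything, and produces one candidate image per permutation without executing any of them. The function names and the tiny sample "binary" are my own constructions; with the real files you would read `broken` and `fragment_N.dat` from disk and pass them to the same functions.

```python
"""Reassemble a binary whose middle was replaced by filler bytes, trying every
ordering of the supplied fragments.

Added example, not the writeup's or challenge's own code. All sample data
below is constructed so the script runs offline.
"""
import re
import tempfile
from itertools import permutations
from pathlib import Path


def find_hole(data: bytes, filler: bytes = b"X", min_len: int = 16) -> tuple:
    """Return (start, end) of the longest run of `filler` bytes in `data`.

    `min_len` stops a short, legitimate run of the filler byte inside the
    binary from being mistaken for the hole.
    """
    pattern = re.escape(filler) + b"{%d,}" % min_len
    runs = [m.span() for m in re.finditer(pattern, data)]
    if not runs:
        raise ValueError("no filler run of at least %d bytes found" % min_len)
    return max(runs, key=lambda span: span[1] - span[0])


def check_fragments(hole: tuple, fragments: dict) -> int:
    """Verify the fragments' total size equals the hole size; return that size."""
    start, end = hole
    total = sum(len(f) for f in fragments.values())
    if total != end - start:
        raise ValueError("fragments total %d bytes, hole is %d" % (total, end - start))
    return total


def splice(data: bytes, hole: tuple, fragments: dict, order) -> bytes:
    """Replace the hole with the fragments concatenated in `order`."""
    start, end = hole
    return data[:start] + b"".join(fragments[k] for k in order) + data[end:]


def candidate_images(data: bytes, fragments: dict):
    """Yield (name, image) for every permutation of the fragments.

    `name` is the fragment keys in the order used (e.g. "213"), matching the
    file names the shell script writes into perm/.
    """
    hole = find_hole(data)
    check_fragments(hole, fragments)
    for order in permutations(sorted(fragments)):
        yield "".join(order), splice(data, hole, fragments, order)


def write_candidates(data: bytes, fragments: dict, out_dir) -> int:
    """Write every candidate as an executable file under out_dir; return the count."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    count = 0
    for name, image in candidate_images(data, fragments):
        path = out / name
        path.write_bytes(image)
        path.chmod(0o755)
        count += 1
    return count


# Constructed sample: a fake "binary" with a 24-byte hole and three 8-byte
# fragments whose correct order is 2, 1, 3 (known only because we built it).
PRE = b"\x7fELF-pre-"
POST = b"-post\x00"
FRAGMENTS = {"1": b"bbbbbbbb", "2": b"aaaaaaaa", "3": b"cccccccc"}
ORIGINAL = PRE + FRAGMENTS["2"] + FRAGMENTS["1"] + FRAGMENTS["3"] + POST
BROKEN = PRE + b"X" * 24 + POST


if __name__ == "__main__":
    # For the real challenge: BROKEN = Path("broken").read_bytes() and
    # FRAGMENTS = {str(i): Path("fragment_%d.dat" % i).read_bytes() for i in range(1, 9)}
    tmp = tempfile.mkdtemp(prefix="perm_")
    n = write_candidates(BROKEN, FRAGMENTS, tmp)
    print("hole at", find_hole(BROKEN), "->", n, "candidates written to", tmp)
```

The shell loop above launches all 40320 candidates at once and relies on them running to completion; when running the images this function writes, a bounded worker pool with a per-process timeout, inside a container or VM with no network, keeps a hung or misbehaving permutation from taking the host down with it.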

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-05-12-DEF-CON-CTF-Qualifier/README.md#102-elf-crumble).