Tags: bash 

Rating:

# Static ain't always noise
## Category - General Skills
## Author - SYREAL

### Description:
Can you look at the data in this binary: static? This BASH script might help!

### Solution:
The challenge gives us a link to download a shell script (ltdis.sh) and a binary executable file (static). Looking at the code in the shell script:
```
#!/bin/bash

echo "Attempting disassembly of $1 ..."

#This usage of "objdump" disassembles all (-D) of the first file given by
#invoker, but only prints out the ".text" section (-j .text) (only section
#that matters in almost any compiled program...

objdump -Dj .text $1 > $1.ltdis.x86_64.txt

#Check that $1.ltdis.x86_64.txt is non-empty
#Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

echo "Ripping strings from binary with file offsets..."
strings -a -t x $1 > $1.ltdis.strings.txt
echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"

else
echo "Disassembly failed!"
echo "Usage: ltdis.sh <program-file>"
echo "Bye!"
fi
```
we see that it performs dissassembly of a binary by running the "objdump -d" and "strings" commands on that binary. Running this with our given binary we get the following output:
```
zerodaytea@DESKTOP-QLQGDSV:/mnt/c/Coding/CTFs/PicoCTF2021/GeneralSkills$ ./ltdis.sh static
Attempting disassembly of static ...
Disassembly successful! Available at: static.ltdis.x86_64.txt
Ripping strings from binary with file offsets...
Any strings found in static have been written to static.ltdis.strings.txt with file offset
```
Assuming that the flag may have been a static string in the binary we look at the static.ltdis.strings.txt and get the flag
```
zerodaytea@DESKTOP-QLQGDSV:/mnt/c/Coding/CTFs/PicoCTF2021/GeneralSkills$ cat static.ltdis.x86_64.txt
238 /lib64/ld-linux-x86-64.so.2
361 libc.so.6
36b puts
370 __cxa_finalize
37f __libc_start_main
391 GLIBC_2.2.5
39d _ITM_deregisterTMCloneTable
3b9 __gmon_start__
3c8 _ITM_registerTMCloneTable
660 AWAVI
667 AUATL
6ba []A\A]A^A_
6e8 Oh hai! Wait what? A flag? Yes, it's around here somewhere!
7c7 ;*3$"
1020 picoCTF{d15a5m_t34s3r_f6c48608}
1040 GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
1671 crtstuff.c
167c deregister_tm_clones
1691 __do_global_dtors_aux
16a7 completed.7698
16b6 __do_global_dtors_aux_fini_array_entry
16dd frame_dummy
16e9 __frame_dummy_init_array_entry
1708 static.c
1711 __FRAME_END__
171f __init_array_end
1730 _DYNAMIC
1739 __init_array_start
174c __GNU_EH_FRAME_HDR
175f _GLOBAL_OFFSET_TABLE_
1775 __libc_csu_fini
1785 _ITM_deregisterTMCloneTable
17a1 puts@@GLIBC_2.2.5
17b3 _edata
17ba __libc_start_main@@GLIBC_2.2.5
17d9 __data_start
17e6 __gmon_start__
17f5 __dso_handle
1802 _IO_stdin_used
1811 __libc_csu_init
1821 __bss_start
182d main
1832 __TMC_END__
183e _ITM_registerTMCloneTable
1858 flag
185d __cxa_finalize@@GLIBC_2.2.5
187a .symtab
1882 .strtab
188a .shstrtab
1894 .interp
189c .note.ABI-tag
18aa .note.gnu.build-id
18bd .gnu.hash
18c7 .dynsym
18cf .dynstr
18d7 .gnu.version
18e4 .gnu.version_r
18f3 .rela.dyn
18fd .rela.plt
1907 .init
190d .plt.got
1916 .text
191c .fini
1922 .rodata
192a .eh_frame_hdr
1938 .eh_frame
1942 .init_array
194e .fini_array
195a .dynamic
1963 .data
1969 .bss
196e .comment
```
Alternatively the challenge could have also been solved by simply running the strings command on the binary file with:
```
strings static
```

### Flag:
```
picoCTF{d15a5m_t34s3r_f6c48608}
```

Original writeup (https://github.com/ZeroDayTea/PicoCTF-2021-Killer-Queen-Writeups/blob/main/GeneralSkills/StaticAintAlwaysNoise.md).