This was an exploit challenge that serves as a nice introduction to the concept of Stack Smashing Protector leaking.

$ file checker 
checker: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=93df47896b068ea44ddcd0b97780375cd589987e, not stripped

Category: Forensics Points: 50 Solves: Description:

 

Is kill can fix? Sign the autopsy file?

 

In this challenge we get a file named "kill.pcapng". However, running wireshark on will not open it:

This reversing challenge is a good example of how you can solve a problem a few different ways. I initially solved this challenge symbolically (which i believe is the easiest way, actually). However, the challenge can also be solved dynamically which is what the authors intended. I will go over both solutions here.

 

$ file neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029 
neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=f382dd94583c7310bc8b3dd538e9e604f5a6ee38, stripped

$ file tyro_heap_29d1e9341f35f395475bf16aa988e29b 
tyro_heap_29d1e9341f35f395475bf16aa988e29b: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=b9cc5866c5aacc7a4c92657f5c2b14a95eae68cb, not stripped

 

Looks like a nice 32-bit executable, symbols still intact. Given the name, this has something to do with exploiting a heap bug. Best thing to do is just play with the binary.