This was an exploit challenge that serves as a nice introduction to the concept of Stack Smashing Protector leaking.

$ file checker 
checker: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=93df47896b068ea44ddcd0b97780375cd589987e, not stripped

Category: Forensics
Points: 50
Solves:
Description: Is kill can fix? Sign the autopsy file?

In this challenge we get a file named "kill.pcapng". However, Wireshark will not open it:

This reversing challenge is a good example of how you can solve a problem a few different ways. I initially solved this challenge symbolically (which I believe is the easiest way, actually). However, the challenge can also be solved dynamically, which is what the authors intended. I will go over both solutions here.

$ file neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029 
neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=f382dd94583c7310bc8b3dd538e9e604f5a6ee38, stripped

Many users of Android devices will eventually root their device for one reason or another. The term root in this case means to gain root privileges on your device. Android, like most other phone operating systems, prefers you to not have root control over your device. Presumably this is for your own protection, but the question of why they don't want you having root is for a different discussion. I had the opportunity to study an application that was refusing to run on my device and only displaying a vague error message informing me that my device was not supported. What follows is a brief summary of what I discovered about root checks, and how I bypassed them for the purposes of interoperability.

$ file tyro_heap_29d1e9341f35f395475bf16aa988e29b 
tyro_heap_29d1e9341f35f395475bf16aa988e29b: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=b9cc5866c5aacc7a4c92657f5c2b14a95eae68cb, not stripped

Looks like a nice 32-bit executable, symbols still intact. Given the name, this has something to do with exploiting a heap bug. Best thing to do is just play with the binary.