Strace and the utumno0 CTF
I'm trying to figure out the "utumno0" Capture The Flag (it can be found
here[1]).
No success so far, but while trying to solve this exercise I decided to read
the strace(1) manpage thoroughly, to understand whether it could be a valuable
tool.
I find strace(1) to be a really valuable tool for reverse engineering and
computer forensics! I collected a few flags that I find interesting in my
"Today I Learned"[2] list, and I'll report them here too.
[1]
https://overthewire.org/wargames/
[2]
gopher://dacav.org/0/textfiles/til.txt
...
Useful strace(1) options
The -e flag can be used for a variety of things:
- To filter the system calls. It supports classes of syscalls, e.g.
`strace -e %file x` is equivalent to
`strace -e trace=open,stat,chmod,unlink,... x`.
There are hidden gems among the available classes: %process, %network,
%signal, %ipc, %desc and %memory, for instance, each select the whole
family of syscalls the name suggests.
- To dump the data of the read/write operations: `-e read=set` and
`-e write=set` print a full hexadecimal and ASCII dump of everything read
from / written to the file descriptors in the set.
- To decode information about the file descriptors, e.g. the path of the
file behind each fd (`-e decode-fds=path`; -y and -yy are shorthands for
path and for all decorations respectively, while -Y decodes PIDs into
command names).
- To inject syscall behaviours: `-e inject=set:error=errno` makes the calls
in the set fail without executing them, `:retval=value` returns a fake
success value instead, and `:signal=sig` delivers a signal, so the traced
program can be fed failures or fake results without patching it.
The -c flag replaces the trace with a summary table per syscall (number of
calls, errors and time spent); -C prints both the trace and the summary.
The -z/-Z flags print only successful and only failed syscalls respectively.
The -r/-T flags print the relative time between consecutive syscalls and the
time spent inside each syscall respectively.
Possibly useful for a rough performance assessment.
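As an added example (not code from the original post, and not a capture from
the utumno0 binary), here is a small shell script that runs strace with the
options listed above and then post-processes the resulting log: it reproduces
the effect of -Z (failed calls only), of -e trace=%file (paths touched) and of
-T (slowest calls) on a saved trace, which is handy when the trace was taken
once and has to be re-read several times. The sample trace, the helper names
(run_trace, write_sample, failed_syscalls, files_touched, slowest) and the
pids/paths in it are all constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): drive strace with the
# options discussed above and post-process the resulting log. The sample
# trace embedded below is constructed by hand, not captured from utumno0.

# -f follows forked children, -y decorates each fd with its path, -T appends
# the time spent inside every call, -e trace=%file,%desc keeps only file- and
# descriptor-related syscalls, -o sends the trace to a file so the traced
# program's own stdout/stderr stay readable. Returns 2 when strace is absent.
run_trace() {
  out="$1"; shift
  command -v strace >/dev/null 2>&1 || return 2
  strace -f -y -T -e trace=%file,%desc -o "$out" "$@"
}

# Constructed sample in `strace -f -y -T` format: pid prefix from -f,
# fd<path> decorations from -y, <seconds> per call from -T.
write_sample() {
  cat > "$1" <<'EOF'
4242 execve("/usr/bin/cat", ["cat", "/home/ctf/flag.txt"], 0x7ffe3a1f2b40 /* 17 vars */) = 0 <0.000412>
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3</etc/ld.so.cache> <0.000019>
4242 read(3</etc/ld.so.cache>, "\177ELF\2\1\1"..., 832) = 832 <0.000007>
4242 close(3</etc/ld.so.cache>) = 0 <0.000005>
4242 openat(AT_FDCWD, "/home/ctf/.config", O_RDONLY) = -1 ENOENT (No such file or directory) <0.000009>
4242 stat("/home/ctf/.hidden", 0x7ffe3a1f1a10) = -1 ENOENT (No such file or directory) <0.000006>
4242 openat(AT_FDCWD, "/home/ctf/.hidden", O_RDONLY) = -1 ENOENT (No such file or directory) <0.000008>
4242 openat(AT_FDCWD, "/home/ctf/flag.txt", O_RDONLY) = -1 EACCES (Permission denied) <0.000011>
4242 write(2</dev/pts/1>, "cat: /home/ctf/flag.txt: Permission denied\n", 43) = 43 <0.000231>
4242 exit_group(1) = ?
4242 +++ exited with 1 +++
EOF
}

# Post-hoc equivalent of `strace -Z`: only calls that returned -1, grouped as
# "count syscall errno", most frequent first. Calls that -f splits into
# unfinished/resumed pairs are not reassembled here.
failed_syscalls() {
  awk '
    / = -1 [A-Z]+ / {
      line = $0; sub(/^[0-9]+ +/, "", line)     # drop the pid prefix from -f
      name = line; sub(/\(.*/, "", name)        # syscall name ends at "("
      match(line, / = -1 [A-Z]+/)
      err = substr(line, RSTART + 6, RLENGTH - 6)
      count[name " " err]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | LC_ALL=C sort -rn
}

# Post-hoc equivalent of `strace -e trace=%file`: syscalls that take a path,
# reduced to their first path argument, de-duplicated.
files_touched() {
  awk '
    {
      line = $0; sub(/^[0-9]+ +/, "", line)
      name = line; sub(/\(.*/, "", name)
      if (name !~ /^(open|openat|creat|stat|lstat|access|execve|readlink|unlink|chmod|rename|mkdir)$/) next
      if (match(line, /"[^"]*"/)) print substr(line, RSTART + 1, RLENGTH - 2)
    }
  ' "$1" | LC_ALL=C sort -u
}

# The N calls that spent longest inside the kernel, read from the -T suffix.
slowest() {
  awk '
    match($0, /<[0-9]+\.[0-9]+>$/) {
      t = substr($0, RSTART + 1, RLENGTH - 2)
      line = $0; sub(/^[0-9]+ +/, "", line); sub(/\(.*/, "", line)
      print t, line
    }
  ' "$1" | LC_ALL=C sort -rn | head -n "${2:-3}"
}

TRACE="$(mktemp)"
write_sample "$TRACE"
echo "== failed syscalls (like -Z) =="; failed_syscalls "$TRACE"
echo "== paths touched (like -e trace=%file) =="; files_touched "$TRACE"
echo "== slowest calls (from -T) =="; slowest "$TRACE" 3

# Same analysis on a live trace, only when strace is installed and ptrace
# is permitted in this environment.
if run_trace "$TRACE.real" true 2>/dev/null; then
  echo "== paths touched by 'true' =="; files_touched "$TRACE.real"
fi
```

To use it on the level's binary, call `run_trace /tmp/level.log ./program
args` and then point failed_syscalls, files_touched and slowest at
/tmp/level.log; the path list is usually the fastest way to spot which
configuration files, libraries or devices a stripped binary looks for, and
the failed-call list shows where it gives up.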