Description
A stripped binary named ret hides a password in plain sight. Retrieve it via static inspection.
Setup
Triage the binary first: file ret tells you the architecture, checksec lists mitigations.
If it looks executable, scan strings with a length filter and grep for pico.
If strings comes up empty, switch to ltrace or gdb (the flag may be built at runtime).
wget https://artifacts.picoctf.net/c/270/retfile ret && checksec --file=retstrings -n 8 ret | grep picoSolution
Walk me through it- Step 1Triage with file and checksecfile confirms it is an ELF you can inspect, and checksec tells you which mitigations are present. Both run in a fraction of a second and decide your next move.bash
file retbashchecksec --file=retLearn more
Leading with
fileandchecksecis the habit that prevents wasted effort.file retreports architecture, bitness, dynamic vs static, and stripped vs not. If file says "data" instead of ELF, the challenge is probably a packaged blob (zip, tar, custom container) and you are about to waste 10 minutes on the wrong tool.checksec --file=retlists ASLR, stack canaries, NX, PIE, RELRO; even when the challenge is just static recovery, knowing the mitigations is useful for the follow-on challenges. - Step 2Filter strings with -n 8 and grepstrings -n 8 drops short noise like 4-byte symbol fragments. Most flags are at least 12 characters, so an 8-character cutoff keeps real candidates without hiding anything useful.bash
strings ret | wc -lbashstrings -n 8 ret | wc -lbashstrings -n 8 ret | grep picoLearn more
Static analysis examines a binary without executing it. The cheapest static tool is
strings, which extracts printable runs from a binary file. C string literals live in.rodataverbatim, so any hard-coded password, URL, error message, or flag shows up directly instringsoutput.A stripped binary has had its symbol table and debug info removed (via
stripor-s). Stripping hides function names and variable names, but it does not affect string literals stored in the data section. That is whystringsstill works: the flag is a string constant the linker placed in.rodataregardless of whether the binary is stripped.The
-nflag sets the minimum string length (default 4). The before/after counts make the noise reduction concrete: at the default the output is filled with 4-byte fragments from compiler-generated tables; at-n 8only meaningful runs survive, and the flag jumps straight to your eye.-e lhandles 16-bit little-endian (Windows binaries);-e bhandles big-endian. - Step 3Decision tree if strings is emptyWhen strings | grep pico returns nothing, the flag is built at runtime. Use ltrace to catch the comparison, or gdb to break before the strcmp.bash
ltrace -e strcmp ./retbashltrace ./retLearn more
When
stringsshows nothing useful, the binary is constructing the flag dynamically: XOR-decoding it from another buffer, building it character-by-character on the stack, or comparing against a hash. Real flags still have to exist in memory at the moment of comparison.ltrace intercepts library calls and prints arguments.
ltrace -e strcmp ./retfilters down tostrcmpcalls; on a typical "guess the password" binary you will seestrcmp("your_input", "real_flag")printed plainly. That is the entire reversal effort, eliminated by knowing which library function the binary uses to compare.When ltrace cannot see the comparison (statically linked binary, custom comparison loop, or stripped symbols), drop into gdb: break on the call to
strcmpor the inline comparison address, run the program with a placeholder input, and read the second argument register on x86_64 (x/s $rsi). Ghidra is the heaviest tool but gives you a decompiled C view of the flag-building logic when the others fall short.
Flag
picoCTF{3lf_r...f62bc8}
No reversing tools beyond strings are required for this warm-up.