###### tags: `HackTheBox` `round 2`
# CyberSanta Sleigh
```
The Elves have messed up with Santa's sleigh! Without it, he will not be able to deliver any gifts!! Help him repair it and save the holidays!
```
## File description
```
ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1ad11f3bacb267e6e5667523bca200ab68a1683c, not stripped
```
## readelf output
```
┌──(kali㉿kali)-[~]
└─$ readelf -a sleigh
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 **???????????**
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Position-Independent Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x830
Start of program headers: 64 (bytes into file)
Start of section headers: 15280 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000000254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.bu[...] NOTE 0000000000000274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000000298 00000298
0000000000000028 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000000002c0 000002c0
00000000000001b0 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 0000000000000470 00000470
00000000000000bf 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 0000000000000530 00000530
0000000000000024 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000000000558 00000558
0000000000000020 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 0000000000000578 00000578
00000000000000f0 0000000000000018 A 5 0 8
[10] .rela.plt RELA 0000000000000668 00000668
00000000000000f0 0000000000000018 AI 5 22 8
[11] .init PROGBITS 0000000000000758 00000758
0000000000000017 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 0000000000000770 00000770
00000000000000b0 0000000000000010 AX 0 0 16
[13] .plt.got PROGBITS 0000000000000820 00000820
0000000000000008 0000000000000008 AX 0 0 8
[14] .text PROGBITS 0000000000000830 00000830
0000000000000442 0000000000000000 AX 0 0 16
[15] .fini PROGBITS 0000000000000c74 00000c74
0000000000000009 0000000000000000 AX 0 0 4
[16] .rodata PROGBITS 0000000000000c80 00000c80
0000000000001523 0000000000000000 A 0 0 8
[17] .eh_frame_hdr PROGBITS 00000000000021a4 000021a4
000000000000006c 0000000000000000 A 0 0 4
[18] .eh_frame PROGBITS 0000000000002210 00002210
00000000000001c8 0000000000000000 A 0 0 8
[19] .init_array INIT_ARRAY 0000000000202d70 00002d70
0000000000000008 0000000000000008 WA 0 0 8
[20] .fini_array FINI_ARRAY 0000000000202d78 00002d78
0000000000000008 0000000000000008 WA 0 0 8
[21] .dynamic DYNAMIC 0000000000202d80 00002d80
00000000000001f0 0000000000000010 WA 6 0 8
[22] .got PROGBITS 0000000000202f70 00002f70
0000000000000090 0000000000000008 WA 0 0 8
[23] .data PROGBITS 0000000000203000 00003000
0000000000000010 0000000000000000 WA 0 0 8
[24] .bss NOBITS 0000000000203010 00003010
0000000000000020 0000000000000000 WA 0 0 16
[25] .comment PROGBITS 0000000000000000 00003010
0000000000000029 0000000000000001 MS 0 0 1
[26] .symtab SYMTAB 0000000000000000 00003040
0000000000000780 0000000000000018 27 43 8
[27] .strtab STRTAB 0000000000000000 000037c0
00000000000002ee 0000000000000000 0 0 1
[28] .shstrtab STRTAB 0000000000000000 00003aae
00000000000000fe 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), l (large), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000023d8 0x00000000000023d8 R E 0x200000
LOAD 0x0000000000002d70 0x0000000000202d70 0x0000000000202d70
0x00000000000002a0 0x00000000000002c0 RW 0x200000
DYNAMIC 0x0000000000002d80 0x0000000000202d80 0x0000000000202d80
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x00000000000021a4 0x00000000000021a4 0x00000000000021a4
0x000000000000006c 0x000000000000006c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002d70 0x0000000000202d70 0x0000000000202d70
0x0000000000000290 0x0000000000000290 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
Dynamic section at offset 0x2d80 contains 27 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x758
0x000000000000000d (FINI) 0xc74
0x0000000000000019 (INIT_ARRAY) 0x202d70
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x202d78
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x298
0x0000000000000005 (STRTAB) 0x470
0x0000000000000006 (SYMTAB) 0x2c0
0x000000000000000a (STRSZ) 191 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x202f70
0x0000000000000002 (PLTRELSZ) 240 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x668
0x0000000000000007 (RELA) 0x578
0x0000000000000008 (RELASZ) 240 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0x558
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x530
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x578 contains 10 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000202d70 000000000008 R_X86_64_RELATIVE 930
000000202d78 000000000008 R_X86_64_RELATIVE 8f0
000000203008 000000000008 R_X86_64_RELATIVE 203008
000000202fd8 000100000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_deregisterTM[...] + 0
000000202fe0 000500000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000202fe8 000800000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000202ff0 000d00000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_registerTMCl[...] + 0
000000202ff8 000e00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize@GLIBC_2.2.5 + 0
000000203010 001000000005 R_X86_64_COPY 0000000000203010 stdout@GLIBC_2.2.5 + 0
000000203020 001100000005 R_X86_64_COPY 0000000000203020 stdin@GLIBC_2.2.5 + 0
Relocation section '.rela.plt' at offset 0x668 contains 10 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000202f88 000200000007 R_X86_64_JUMP_SLO 0000000000000000 puts@GLIBC_2.2.5 + 0
000000202f90 000300000007 R_X86_64_JUMP_SLO 0000000000000000 alarm@GLIBC_2.2.5 + 0
000000202f98 000400000007 R_X86_64_JUMP_SLO 0000000000000000 read@GLIBC_2.2.5 + 0
000000202fa0 000600000007 R_X86_64_JUMP_SLO 0000000000000000 srand@GLIBC_2.2.5 + 0
000000202fa8 000700000007 R_X86_64_JUMP_SLO 0000000000000000 fprintf@GLIBC_2.2.5 + 0
000000202fb0 000900000007 R_X86_64_JUMP_SLO 0000000000000000 time@GLIBC_2.2.5 + 0
000000202fb8 000a00000007 R_X86_64_JUMP_SLO 0000000000000000 setvbuf@GLIBC_2.2.5 + 0
000000202fc0 000b00000007 R_X86_64_JUMP_SLO 0000000000000000 atoi@GLIBC_2.2.5 + 0
000000202fc8 000c00000007 R_X86_64_JUMP_SLO 0000000000000000 exit@GLIBC_2.2.5 + 0
000000202fd0 000f00000007 R_X86_64_JUMP_SLO 0000000000000000 rand@GLIBC_2.2.5 + 0
No processor specific unwind information to decode
Symbol table '.dynsym' contains 18 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND alarm@GLIBC_2.2.5 (2)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND read@GLIBC_2.2.5 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND srand@GLIBC_2.2.5 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
8: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND time@GLIBC_2.2.5 (2)
10: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
11: 0000000000000000 0 FUNC GLOBAL DEFAULT UND atoi@GLIBC_2.2.5 (2)
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.2.5 (2)
13: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMC[...]
14: 0000000000000000 0 FUNC WEAK DEFAULT UND [...]@GLIBC_2.2.5 (2)
15: 0000000000000000 0 FUNC GLOBAL DEFAULT UND rand@GLIBC_2.2.5 (2)
16: 0000000000203010 8 OBJECT GLOBAL DEFAULT 24 [...]@GLIBC_2.2.5 (2)
17: 0000000000203020 8 OBJECT GLOBAL DEFAULT 24 stdin@GLIBC_2.2.5 (2)
Symbol table '.symtab' contains 80 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000238 0 SECTION LOCAL DEFAULT 1 .interp
2: 0000000000000254 0 SECTION LOCAL DEFAULT 2 .note.ABI-tag
3: 0000000000000274 0 SECTION LOCAL DEFAULT 3 .note.gnu.build-id
4: 0000000000000298 0 SECTION LOCAL DEFAULT 4 .gnu.hash
5: 00000000000002c0 0 SECTION LOCAL DEFAULT 5 .dynsym
6: 0000000000000470 0 SECTION LOCAL DEFAULT 6 .dynstr
7: 0000000000000530 0 SECTION LOCAL DEFAULT 7 .gnu.version
8: 0000000000000558 0 SECTION LOCAL DEFAULT 8 .gnu.version_r
9: 0000000000000578 0 SECTION LOCAL DEFAULT 9 .rela.dyn
10: 0000000000000668 0 SECTION LOCAL DEFAULT 10 .rela.plt
11: 0000000000000758 0 SECTION LOCAL DEFAULT 11 .init
12: 0000000000000770 0 SECTION LOCAL DEFAULT 12 .plt
13: 0000000000000820 0 SECTION LOCAL DEFAULT 13 .plt.got
14: 0000000000000830 0 SECTION LOCAL DEFAULT 14 .text
15: 0000000000000c74 0 SECTION LOCAL DEFAULT 15 .fini
16: 0000000000000c80 0 SECTION LOCAL DEFAULT 16 .rodata
17: 00000000000021a4 0 SECTION LOCAL DEFAULT 17 .eh_frame_hdr
18: 0000000000002210 0 SECTION LOCAL DEFAULT 18 .eh_frame
19: 0000000000202d70 0 SECTION LOCAL DEFAULT 19 .init_array
20: 0000000000202d78 0 SECTION LOCAL DEFAULT 20 .fini_array
21: 0000000000202d80 0 SECTION LOCAL DEFAULT 21 .dynamic
22: 0000000000202f70 0 SECTION LOCAL DEFAULT 22 .got
23: 0000000000203000 0 SECTION LOCAL DEFAULT 23 .data
24: 0000000000203010 0 SECTION LOCAL DEFAULT 24 .bss
25: 0000000000000000 0 SECTION LOCAL DEFAULT 25 .comment
26: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
27: 0000000000000860 0 FUNC LOCAL DEFAULT 14 deregister_tm_clones
28: 00000000000008a0 0 FUNC LOCAL DEFAULT 14 register_tm_clones
29: 00000000000008f0 0 FUNC LOCAL DEFAULT 14 __do_global_dtors_aux
30: 0000000000203028 1 OBJECT LOCAL DEFAULT 24 completed.7698
31: 0000000000202d78 0 OBJECT LOCAL DEFAULT 20 __do_global_dtor[...]
32: 0000000000000930 0 FUNC LOCAL DEFAULT 14 frame_dummy
33: 0000000000202d70 0 OBJECT LOCAL DEFAULT 19 __frame_dummy_in[...]
34: 0000000000000000 0 FILE LOCAL DEFAULT ABS sleigh.c
35: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
36: 00000000000023d4 0 OBJECT LOCAL DEFAULT 18 __FRAME_END__
37: 0000000000000000 0 FILE LOCAL DEFAULT ABS
38: 0000000000202d78 0 NOTYPE LOCAL DEFAULT 19 __init_array_end
39: 0000000000202d80 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC
40: 0000000000202d70 0 NOTYPE LOCAL DEFAULT 19 __init_array_start
41: 00000000000021a4 0 NOTYPE LOCAL DEFAULT 17 __GNU_EH_FRAME_HDR
42: 0000000000202f70 0 OBJECT LOCAL DEFAULT 22 _GLOBAL_OFFSET_TABLE_
43: 0000000000000c70 2 FUNC GLOBAL DEFAULT 14 __libc_csu_fini
44: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
45: 0000000000203010 8 OBJECT GLOBAL DEFAULT 24 stdout@@GLIBC_2.2.5
46: 0000000000203000 0 NOTYPE WEAK DEFAULT 23 data_start
47: 000000000000093a 51 FUNC GLOBAL DEFAULT 14 convert
48: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.2.5
49: 0000000000203020 8 OBJECT GLOBAL DEFAULT 24 stdin@@GLIBC_2.2.5
50: 0000000000203010 0 NOTYPE GLOBAL DEFAULT 23 _edata
51: 0000000000000c74 0 FUNC GLOBAL DEFAULT 15 _fini
52: 0000000000000000 0 FUNC GLOBAL DEFAULT UND alarm@@GLIBC_2.2.5
53: 0000000000000a7b 81 FUNC GLOBAL DEFAULT 14 sleigh
54: 000000000000096d 193 FUNC GLOBAL DEFAULT 14 banner
55: 0000000000000000 0 FUNC GLOBAL DEFAULT UND read@@GLIBC_2.2.5
56: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_mai[...]
57: 0000000000000000 0 FUNC GLOBAL DEFAULT UND srand@@GLIBC_2.2.5
58: 0000000000203000 0 NOTYPE GLOBAL DEFAULT 23 __data_start
59: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fprintf@@GLIBC_2.2.5
60: 0000000000000b9a 48 FUNC GLOBAL DEFAULT 14 goodbye
61: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
62: 0000000000203008 0 OBJECT GLOBAL HIDDEN 23 __dso_handle
63: 0000000000000c80 4 OBJECT GLOBAL DEFAULT 16 _IO_stdin_used
64: 0000000000000000 0 FUNC GLOBAL DEFAULT UND time@@GLIBC_2.2.5
65: 0000000000000acc 206 FUNC GLOBAL DEFAULT 14 repair
66: 0000000000000c00 101 FUNC GLOBAL DEFAULT 14 __libc_csu_init
67: 0000000000203030 0 NOTYPE GLOBAL DEFAULT 24 _end
68: 0000000000000830 43 FUNC GLOBAL DEFAULT 14 _start
69: 0000000000203010 0 NOTYPE GLOBAL DEFAULT 24 __bss_start
70: 0000000000000bca 43 FUNC GLOBAL DEFAULT 14 main
71: 0000000000000000 0 FUNC GLOBAL DEFAULT UND setvbuf@@GLIBC_2.2.5
72: 0000000000000000 0 FUNC GLOBAL DEFAULT UND atoi@@GLIBC_2.2.5
73: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@@GLIBC_2.2.5
74: 0000000000203010 0 OBJECT GLOBAL HIDDEN 23 __TMC_END__
75: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMC[...]
76: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@@[...]
77: 0000000000000758 0 FUNC GLOBAL DEFAULT 11 _init
78: 0000000000000000 0 FUNC GLOBAL DEFAULT UND rand@@GLIBC_2.2.5
79: 0000000000000a2e 77 FUNC GLOBAL DEFAULT 14 setup
Histogram for `.gnu.hash' bucket list length (total of 2 buckets):
Length Number % of total Coverage
0 0 ( 0.0%)
1 2 (100.0%) 100.0%
Version symbols section '.gnu.version' contains 18 entries:
Addr: 0x0000000000000530 Offset: 0x000530 Link: 5 (.dynsym)
000: 0 (*local*) 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
004: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
008: 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
00c: 2 (GLIBC_2.2.5) 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
010: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
Version needs section '.gnu.version_r' contains 1 entry:
Addr: 0x0000000000000558 Offset: 0x000558 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 1
0x0010: Name: GLIBC_2.2.5 Flags: none Version: 2
Displaying notes found in: .note.ABI-tag
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 3.2.0
Displaying notes found in: .note.gnu.build-id
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 1ad11f3bacb267e6e5667523bca200ab68a1683c
```
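As an added check, not part of the original notes, the script below derives the binary's hardening properties from the readelf output above: `Type: DYN` together with the `PIE` flag in `FLAGS_1` means the load address is randomised, `GNU_STACK` with `RWE` means an executable stack (NX off), and a `GNU_RELRO` segment combined with `BIND_NOW` means full RELRO, so the GOT is read-only once the loader is done. The sample input is a handful of lines copied from the output above with the column whitespace collapsed.

```python
# Sample input: lines copied from the readelf -a output in these notes, with
# the column whitespace collapsed (constructed sample, not a live readelf run).
READELF_SAMPLE = """\
Type: DYN (Position-Independent Executable file)
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002d70 0x0000000000202d70 0x0000000000202d70
0x0000000000000290 0x0000000000000290 R 0x1
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
"""


def mitigations(readelf_text: str) -> dict:
    """Derive PIE / NX / RELRO status from readelf -a output text.

    readelf prints each program header on two lines; the flag set (R, W, E)
    sits between the MemSiz and Align fields of the continuation line.
    """
    lines = [ln.strip() for ln in readelf_text.splitlines()]
    et_dyn = flags1_pie = bind_now = has_relro = False
    # No GNU_STACK header at all: the x86-64 kernel defaults to an executable
    # stack, so treat that case as RWE.
    stack_flags = "RWE"
    for i, ln in enumerate(lines):
        if ln.startswith("Type:") and "DYN" in ln:
            et_dyn = True
        elif ln.startswith("GNU_STACK") and i + 1 < len(lines):
            parts = lines[i + 1].split()
            stack_flags = " ".join(parts[2:-1])  # e.g. "RWE" or "RW"
        elif ln.startswith("GNU_RELRO"):
            has_relro = True
        elif "(FLAGS)" in ln and "BIND_NOW" in ln:
            bind_now = True
        elif "(FLAGS_1)" in ln and "PIE" in ln.split():
            flags1_pie = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {
        "pie": et_dyn and flags1_pie,
        "nx": "E" not in stack_flags,  # RWE on GNU_STACK = executable stack
        "relro": relro,
    }


if __name__ == "__main__":
    for name, value in mitigations(READELF_SAMPLE).items():
        print(f"{name}: {value}")
```

For this binary the result is PIE on, NX off and full RELRO; the executable stack is the property worth flagging in any hardening review.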
## ELF files article
https://habr.com/ru/post/480642/
## program output
```
┌──(kali㉿kali)-[~]
└─$ ./sleigh
🎵 ❄ Dashing through the snow.. ❄ 🎵
1. Repair ⚒
2. Abandon 🏃
> 1
[!] There is something written underneath the sleigh: [0x7ffd855fba90]
[*] This might help the repair team to fix it. What shall they do?
```
## Program debug

## action
```
echo "1" | ./sleigh
# selects option 1, "Repair"
```