pwn learning (2): test_your_nc

1. Use checksec to detect the file's protection mechanisms:

As you can see from the picture above, this is a 64-bit program with NX protection turned on (the stack is not executable).

The fields in the checksec output mean:

· RELRO: Full RELRO (relocation tables read-only)
  Relocation Read Only: the relocation-related tables (the .got and .plt sections) are made read-only after loading.
· Stack: No canary found (a stack overflow is not detected)
· NX: NX enabled (non-executable memory)
  Non-Executable Memory: data pages such as the stack cannot be executed as code.
· PIE: PIE enabled (position-independent executable, so ASLR randomizes the load address)
  Address Space Layout Randomization: the program's memory layout is placed at random addresses, which hinders attacks that rely on known fixed addresses.
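To make the checksec fields concrete, here is an added example (my own code, not from the original post and not the checksec tool itself) that reads an ELF64 header and its program headers with Python's struct module and derives the PIE, NX and RELRO verdicts the way checksec.sh does: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO plus BIND_NOW in the dynamic section. Canary detection needs the symbol table (the __stack_chk_fail import) and is left out. build_elf() is a constructed, header-only ELF image used only to exercise the parser offline; the constants come from the ELF specification.

```python
import struct

# ELF64 constants from the ELF specification (not from the original post)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def checksec(data: bytes) -> dict:
    """Report PIE / NX / RELRO for an ELF64 image from its headers alone.

    PIE:   e_type == ET_DYN (the image is loaded at a randomized base).
    NX:    PT_GNU_STACK present without PF_X; a missing PT_GNU_STACK is
           treated as NX disabled, matching checksec.sh.
    RELRO: PT_GNU_RELRO present -> Partial; plus BIND_NOW -> Full.
    Canary detection needs the symbol table and is omitted here.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx = False
    has_relro_segment = False
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _msz, _al = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro_segment = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section until DT_NULL, looking for BIND_NOW.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True

    if has_relro_segment and bind_now:
        relro = "Full RELRO"
    elif has_relro_segment:
        relro = "Partial RELRO"
    else:
        relro = "No RELRO"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed, header-only ELF64 image for exercising checksec() offline.

    It contains no code, only an ELF header, program headers and a tiny
    dynamic section; it is not meant to be loadable by the kernel.
    """
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro in ("Partial RELRO", "Full RELRO"):
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if relro == "Full RELRO" else []
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(tag, val) for tag, val in dyn)

    # PT_DYNAMIC is the last program header; the dynamic entries follow the table.
    phnum = len(phdrs) + 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off,
                  len(dyn_bytes), len(dyn_bytes), 8))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    # The combination the post's checksec screenshot reports: Full RELRO, NX, PIE.
    print(checksec(build_elf(pie=True, nx=True, relro="Full RELRO")))
```

Run the same function on a real binary with `checksec(open("./test_your_nc", "rb").read())` and the three verdicts should agree with the checksec screenshot; the practical point is that all three protections are plain header bits that the loader honours, which is why stripping them requires relinking rather than patching code.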
 

2. Static analysis: open the file with IDA

Press Shift+F12 to open the Strings window and find /bin/sh.

Double-click /bin/sh, then press Ctrl+X (cross-references) and find that /bin/sh is referenced from the main function.

Press F5 to decompile: the main function is nothing more than a call to system() with /bin/sh passed directly, so, as the challenge prompt says, just connect with nc.

3. Go back to Linux and solve the challenge directly with nc

Usage of nc: nc -help
nc is short for netcat. Its main purpose is to establish and listen for arbitrary TCP and UDP connections, and it supports both IPv4 and IPv6, so it can be used for network debugging, port scanning and so on.

Usage format: nc <ip address> <port>

After connecting to the target machine, ls shows the flag file and cat prints the flag.
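What nc actually does here is open one TCP stream and relay typed lines to the remote shell. The added example below (my own code, not from the original post) shows that exchange with Python's socket module so it can be run offline: serve_once() starts a constructed stand-in for the challenge on a local ephemeral port, fake_shell() is a constructed mock that only knows a file named flag with a placeholder value, and nc_exchange() is the client side, sending each command as a line and reading one reply line back, exactly as typing into nc would.

```python
import socket
import threading

# Constructed stand-in for the challenge binary's shell: it knows a single
# file. The flag value is a placeholder, not the real one from the post.
FAKE_FILES = {"flag": "flag{constructed-placeholder}"}


def fake_shell(line: str) -> str:
    """Answer one command line the way the remote shell would for ls and cat."""
    parts = line.strip().split()
    if parts == ["ls"]:
        return " ".join(sorted(FAKE_FILES))
    if len(parts) == 2 and parts[0] == "cat":
        return FAKE_FILES.get(parts[1], f"cat: {parts[1]}: No such file or directory")
    return f"sh: {parts[0] if parts else ''}: not found"


def serve_once(handler, host: str = "127.0.0.1") -> int:
    """Start a one-connection TCP service on an ephemeral port; return the port.

    Each newline-terminated request line is passed to handler() and the reply
    is sent back with a trailing newline. The thread ends when the client
    closes the connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            for raw in rd:  # one iteration per received line
                conn.sendall(handler(raw.decode()).encode() + b"\n")

    threading.Thread(target=run, daemon=True).start()
    return port


def nc_exchange(host: str, port: int, commands, timeout: float = 5.0) -> list:
    """What `nc host port` followed by typing commands amounts to: a single TCP
    connection, each command written as a line, one reply line read per command."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rd:
        for cmd in commands:
            s.sendall(cmd.encode() + b"\n")
            replies.append(rd.readline().rstrip(b"\n").decode())
    return replies


if __name__ == "__main__":
    port = serve_once(fake_shell)
    cmds = ["ls", "cat flag"]
    for cmd, out in zip(cmds, nc_exchange("127.0.0.1", port, cmds)):
        print(f"$ {cmd}\n{out}")
```

The one-reply-per-command assumption is what makes the client simple; a real shell may answer with several lines or none, which is why interactive nc just relays both directions until the connection closes rather than counting lines.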

 

Result: flag{1254c31d-7233-4897-a931-1da7ad2a073d}

Origin blog.csdn.net/m0_66039322/article/details/132921174