Strace, Ltrace, Retrace Terminal Challenge

Elf Introduction

Help Tinsel Upatree in the Kitchen

Hiya hiya, I'm Tinsel Upatree!
Say, do you know what's going on next door?
I'm a bit worried about the whole FrostFest event.
It feels a bit... ill-conceived, somehow. Nasty even.
Well, regardless – and more to the point, what do you know about tracing processes in Linux?
We rebuilt this here Cranberry Pi that runs the cotton candy machine, but we seem to be missing a file.
Do you think you can use strace or ltrace to help us rebuild the missing config?
We'd like to help some of our favorite children enjoy the sweet spun goodness again!
And, if you help me with this, I’ll give you some hints about using Wireshark filters to look for unusual options that might help you achieve Objectives here at the North Pole.

Hints and Other Resources

Other Resources

How to use strace and ltrace commands in Linux
https://www.thegeekdiary.com/how-to-use-strace-and-ltrace-commands-in-linux/

Open the Terminal

Open the Strace, Ltrace, Retrace terminal in the Kitchen

Screenshot

Solution

We start by looking at the files available and find a single executable file named 'make_the_candy'. Running this file gives us a message that it cannot open the configuration file.

Screenshot

Both the strace and ltrace commands can be used to debug the execution of a program: strace traces system calls, while ltrace traces calls into shared libraries. Each has its own particular uses, but for this objective we can use ltrace exclusively.

First, run the program while tracing its execution:

ltrace -f ./make_the_candy

Screenshot

The output tells us that the program is trying to open the file registration.json. So, let's create a file with that name containing some random content and run the command again.

echo Nutmeg > registration.json
ltrace -f ./make_the_candy

Screenshot

Now we see that the program has opened and read 'registration.json', and is next using the strstr function to match the contents against the string 'Registration'. So, we will make that the content of the file and try again.

echo Registration > registration.json
ltrace -f ./make_the_candy

Screenshot

Now we see that it is using the strchr function to find the ':' character following 'Registration'. Repeating this process we determine that the string the program is looking for in the registration file is 'Registration:True'.

Screenshot
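
The check sequence the traces reveal can be reproduced in a small C program. This is an added example, not the source of make_the_candy or code from the original writeup: it makes the libc calls in the order seen above (fopen, a read, strstr, strchr), so each comparison string is exposed as a library-call argument. The function names, the use of fgets, the buffer size, the messages and the third comparison (the writeup only says the process was repeated) are assumptions.

```c
/* Constructed stand-in for the config check; NOT the challenge binary's source.
 * The order open -> read -> strstr -> strchr follows the ltrace output described
 * above. The final strstr for "True" is an assumption. */
#include <stdio.h>
#include <string.h>

/* Returns 0 when the line passes, otherwise the step (1-3) that rejected it. */
int check_registration(const char *line)
{
    const char *key = strstr(line, "Registration"); /* step 1: keyword present? */
    if (key == NULL)
        return 1;
    const char *sep = strchr(key, ':');             /* step 2: ':' after keyword? */
    if (sep == NULL)
        return 2;
    if (strstr(sep, "True") == NULL)                /* step 3 (assumed): value */
        return 3;
    return 0;
}

/* Reads the first line of the config; returns -1 if it cannot be opened or read. */
int check_file(const char *path)
{
    char line[128];                                 /* assumed buffer size */
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    char *got = fgets(line, sizeof line, fp);
    fclose(fp);
    return got ? check_registration(line) : -1;
}

int main(void)
{
    int rc = check_file("registration.json");
    if (rc == -1)
        puts("Unable to open configuration file."); /* constructed message */
    else if (rc != 0)
        printf("Config rejected at step %d\n", rc);
    else
        puts("Config accepted");
    return rc != 0;
}
```

Each early return corresponds to one round of the edit-and-retrace loop above: the trace stops at the first failing call, and its arguments show what the file must contain next.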

Completion

Talk to Tinsel after getting the candy machine working to receive hints for Objective 11) Customer Complaint Analysis

I'm sure I can put those skills I just learned from you to good use.
Are you familiar with RFC3514?
Wireshark uses a different name for the Evil Bit: ip.flags.rb.
HTTP responses are often gzip compressed. Fortunately, Wireshark decompresses them for us automatically.
You can search for strings in Wireshark fields using display filters with the contains keyword.