Now that we have finished the first level, let's go for the second one.

Once connected to the second level, you see this:

```
ssh level2@leviathan.intruded.net -p 10101
*************************************************
*  Welcome to Intruded.net Wargame Server       *
*                                               *
*  You are playing "Leviathan"                  *
*  Most levels can be found in /wargame         *
*  Login: level1:leviathan                      *
*  Support: irc.intruded.net #wargames          *
*                                               *
*  ! Server is restarted every 12 hours         *
*  ! Server is cleaned every reboot             *
*  ! /tmp direcotry is writable                 *
*************************************************
level2@leviathan.intruded.net's password:
Permission denied, please try again.
level2@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686
level2@leviathan:~$
```
Let's see the available files and directories:

```
level2@leviathan:~$ ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd
level2@leviathan:~$
```
Let's explore a bit further:

```
level2@leviathan:/home$ ls -a
.  ..  level1  level2  level3  level4  level5  level6  level7  level8
level2@leviathan:/home$ cd level3/
-bash: cd: level3/: Permission denied
level2@leviathan:/home$
```
And a bit further:

```
level2@leviathan:/$ ls -a
.    boot   etc     initrd.img  media  proc  srv  usr  wargame
..   cdrom  home    lib         mnt    root  sys  var
bin  dev    initrd  lost+found  opt    sbin  tmp  vmlinuz
level2@leviathan:/$
```
Finally, a wargame folder:

```
level2@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx
level2@leviathan:/wargame$
```
Let's run the small program:

```
level2@leviathan:/wargame$ ./check
password: test
Wrong password, Good Bye ...
level2@leviathan:/wargame$
```
Let's use GDB to see how the program compares the string:

```
level2@leviathan:/wargame$ gdb ./check
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
```
Let's disassemble the main function:

```
(gdb) disassemble main
Dump of assembler code for function main:
0x08048464 : lea    0x4(%esp),%ecx
0x08048468 : and    $0xfffffff0,%esp
0x0804846b : pushl  0xfffffffc(%ecx)
0x0804846e : push   %ebp
0x0804846f : mov    %esp,%ebp
0x08048471 : push   %ecx
0x08048472 : sub    $0x34,%esp
0x08048475 : mov    0x8048668,%eax
0x0804847a : mov    %eax,0xfffffff3(%ebp)
0x0804847d : mov    0x804866c,%eax
0x08048482 : mov    %eax,0xffffffec(%ebp)
0x08048485 : movzwl 0x8048670,%eax
0x0804848c : mov    %ax,0xfffffff0(%ebp)
0x08048490 : movzbl 0x8048672,%eax
0x08048497 : mov    %al,0xfffffff2(%ebp)
0x0804849a : mov    0x8048673,%eax
0x0804849f : mov    %eax,0xffffffe8(%ebp)
0x080484a2 : mov    0x8048677,%eax
0x080484a7 : mov    %eax,0xffffffe3(%ebp)
0x080484aa : movzbl 0x804867b,%eax
0x080484b1 : mov    %al,0xffffffe7(%ebp)
0x080484b4 : movl   $0x8048638,(%esp)
0x080484bb : call   0x8048398
0x080484c0 : call   0x8048338
0x080484c5 : mov    %al,0xfffffff7(%ebp)
0x080484c8 : call   0x8048338
0x080484cd : mov    %al,0xfffffff8(%ebp)
0x080484d0 : call   0x8048338
0x080484d5 : mov    %al,0xfffffff9(%ebp)
0x080484d8 : movb   $0x0,0xfffffffa(%ebp)
0x080484dc : lea    0xfffffff3(%ebp),%eax
0x080484df : mov    %eax,0x4(%esp)
0x080484e3 : lea    0xfffffff7(%ebp),%eax
0x080484e6 : mov    %eax,(%esp)
0x080484e9 : call   0x8048348
0x080484ee : test   %eax,%eax
0x080484f0 : jne    0x804850c
0x080484f2 : movl   $0x3ea,(%esp)
0x080484f9 : call   0x8048358
0x080484fe : movl   $0x8048643,(%esp)
0x08048505 : call   0x8048368
0x0804850a : jmp    0x8048518
0x0804850c : movl   $0x804864b,(%esp)
0x08048513 : call   0x8048378
0x08048518 : add    $0x34,%esp
0x0804851b : pop    %ecx
0x0804851c : pop    %ebp
0x0804851d : lea    0xfffffffc(%ecx),%esp
0x08048520 : ret
0x08048521 : nop
0x08048522 : nop
0x08048523 : nop
0x08048524 : nop
0x08048525 : nop
0x08048526 : nop
0x08048527 : nop
0x08048528 : nop
0x08048529 : nop
0x0804852a : nop
0x0804852b : nop
0x0804852c : nop
0x0804852d : nop
0x0804852e : nop
0x0804852f : nop
End of assembler dump.
```
As we can see:

```
0x080484e9 : call   0x8048348
0x080484ee : test   %eax,%eax
0x080484f0 : jne    0x804850c
```

This is the interesting part: a call whose return value decides the branch. Let's set a breakpoint on the called function (0x8048348, which turns out to be the strcmp PLT stub) and inspect the stack with x/x:
```
(gdb) b * 0x8048348
Breakpoint 1 at 0x8048348
(gdb) r
Starting program: /wargame/check
password: test

Breakpoint 1, 0x08048348 in strcmp@plt ()
(gdb) x/x $esp
0xbffff9fc:     0x080484ee
```
Let's print what that first stack word points to:

```
(gdb) x/s 0x080484ee
0x80484ee : "\205?u\032?\004$?\003"
```
That is only the return address (the instruction right after the `call`), so dumping it as a string is meaningless. The arguments to strcmp sit just above it on the stack, and the first one looks like our input:

```
(gdb) x/2x $esp
0xbffff9fc:     0x080484ee      0xbffffa2f
(gdb) x/s 0xbffffa2f
0xbffffa2f:      "tes"
```
Only the first three characters of "test" were read, so we might (not always) conclude that the password is only 3 characters long. Let's continue the exploration with the second argument:

```
(gdb) x/3x $esp
0xbffff9fc:     0x080484ee      0xbffffa2f      0xbffffa2b
(gdb) x/s 0xbffffa2b
0xbffffa2b:      "sex"
(gdb)
```
Got it... Let's see what happens:

```
level2@leviathan:/wargame$ ./check
password: sex
sh-3.1$
```
Another solution would have been to use the ltrace command, which prints every library call together with its arguments and return value:

```
level2@leviathan:/wargame$ ltrace ./check
__libc_start_main(0x8048464, 1, 0xbffffad4, 0x8048580, 0x8048530
printf("password: ")                                     = 10
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4password: test
)                                                        = 116
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4) = 101
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4) = 115
strcmp("tes", "sex")                                     = 1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                                        = 29
+++ exited (status 29) +++
level2@leviathan:/wargame$
```
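To make the disassembly and the ltrace output concrete, here is a reconstruction of what `check` does. This is an added example written for this page, not the challenge's real source (which is not available): it is inferred from the `mov` sequence that assembles "sex" at `ebp-0xd`, the three `getchar()` calls stored at `ebp-0x9..ebp-0x7` followed by a NUL at `ebp-0x6`, and the `strcmp(ebp-0x9, ebp-0xd)` whose result drives the `jne`. The function names are assumptions, and the success path (the real binary makes two further library calls and ends up in a shell, as the `sh-3.1$` prompt shows) is replaced by a return value so the check can be called from a test.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction (an assumption inferred from the disassembly and the
 * ltrace output on this page, not the challenge's real source) of
 * /wargame/check. */

#define PASSWORD_LEN 3   /* main calls getchar() exactly three times */

/* The expected password. In the binary this string is built on the stack
 * at ebp-0xd from bytes in .rodata (the mov from 0x8048668), so it sits
 * in plaintext in the file and is handed in plaintext to strcmp. */
static const char expected[PASSWORD_LEN + 1] = "sex";

/* Copy what the user typed the way the binary does: the first three bytes
 * and a terminating NUL (the movb $0x0 at ebp-0x6). Anything after the
 * third byte is never read, which is why "test" shows up as "tes". */
void read_candidate(const char *typed, char out[PASSWORD_LEN + 1])
{
    size_t i;
    for (i = 0; i < PASSWORD_LEN && typed[i] != '\0'; i++)
        out[i] = typed[i];
    out[i] = '\0';
}

/* Returns 1 when the truncated input matches, 0 otherwise. This mirrors
 * strcmp(ebp-0x9, ebp-0xd) followed by test %eax,%eax / jne. */
int check_typed(const char *typed)
{
    char candidate[PASSWORD_LEN + 1];
    read_candidate(typed, candidate);
    return strcmp(candidate, expected) == 0;
}

int main(void)
{
    char typed[PASSWORD_LEN + 1];
    size_t i = 0;
    int c;

    printf("password: ");
    /* Three getchar() calls, exactly as ltrace shows. */
    while (i < PASSWORD_LEN && (c = getchar()) != EOF)
        typed[i++] = (char)c;
    typed[i] = '\0';

    if (check_typed(typed)) {
        /* The real binary calls two more library functions here (the
         * calls at 0x080484f9 and 0x08048505) and drops into a shell;
         * this reconstruction only reports success. */
        puts("OK");
        return 0;
    }
    /* puts() returns 29 here, which is the exit status ltrace reported. */
    puts("Wrong password, Good Bye ...");
    return 29;
}
```

Both `x/s` on strcmp's second argument and `ltrace` expose the secret for the same reason: the program hands a plaintext string to a dynamically linked libc function, so anything that can stop at the PLT stub (a debugger) or hook the call (ltrace) sees it, and `strings` on the file would find it in `.rodata` as well. The defensive lesson for a setuid helper like this one is not to embed a plaintext credential at all; where a program must verify a secret, it should read the whole input rather than a fixed three bytes (note that `check_typed("sexy")` also succeeds, since only the first three characters are ever compared) and compare a salted hash of that input against a stored hash in constant time.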
Let's go to the next level 😉

```
sh-3.1$ cat /home/level3/.passwd
oc7vaCOg
sh-3.1$
```