This is a basic Ping Script : It first pings the 192.168.1.1 then pings the 192.168.2.1 after that it pings the 8.8.8.8 and finally pings the www.google.com address Why does it pings 1.1 and 2.1 ? Because my friend wanted to use it in different areas, ( he his not familiar with the shell ) […]
Tagged bash, ping, script, shellToday I was playing with some forensic challenges and I got surprised by one of them. We had to analyse an image. My first guess was to use some steganography tools, but after an hour, I decided to move on and to research how to hide data on Mac OS X (because the challenge specified that […]
Tagged attributes, challenge, extended, forensic, python, xattrLevel four :
|
1 2 3 4 |
level4@leviathan:/wargame$ ./level4 Enter the password> lol bzzzzzzzzap. WRONG level4@leviathan:/wargame$ |
It looks like the second challenge, but, let’s have a closer look to the inside :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
(gdb) disassemble main Dump of assembler code for function main: 0x08048523 : lea 0x4(%esp),%ecx 0x08048527 : and $0xfffffff0,%esp 0x0804852a : pushl 0xfffffffc(%ecx) 0x0804852d : push %ebp 0x0804852e : mov %esp,%ebp 0x08048530 : push %ecx 0x08048531 : sub $0x44,%esp 0x08048534 : mov 0x8048757,%eax 0x08048539 : mov %eax,0xfffffff1(%ebp) 0x0804853c : movzwl 0x804875b,%eax 0x08048543 : mov %ax,0xfffffff5(%ebp) 0x08048547 : movzbl 0x804875d,%eax 0x0804854e : mov %al,0xfffffff7(%ebp) 0x08048551 : mov 0x804875e,%eax 0x08048556 : mov %eax,0xffffffe7(%ebp) 0x08048559 : mov 0x8048762,%eax 0x0804855e : mov %eax,0xffffffeb(%ebp) 0x08048561 : movzwl 0x8048766,%eax 0x08048568 : mov %ax,0xffffffef(%ebp) 0x0804856c : mov 0x8048768,%eax 0x08048571 : mov %eax,0xffffffe0(%ebp) 0x08048574 : movzwl 0x804876c,%eax 0x0804857b : mov %ax,0xffffffe4(%ebp) 0x0804857f : movzbl 0x804876e,%eax 0x08048586 : mov %al,0xffffffe6(%ebp) 0x08048589 : mov 0x804876f,%eax 0x0804858e : mov %eax,0xffffffd9(%ebp) 0x08048591 : movzwl 0x8048773,%eax 0x08048598 : mov %ax,0xffffffdd(%ebp) 0x0804859c : movzbl 0x8048775,%eax 0x080485a3 : mov %al,0xffffffdf(%ebp) 0x080485a6 : mov 0x8048776,%eax 0x080485ab : mov %eax,0xffffffcf(%ebp) 0x080485ae : mov 0x804877a,%eax 0x080485b3 : mov %eax,0xffffffd3(%ebp) 0x080485b6 : movzwl 0x804877e,%eax 0x080485bd : mov %ax,0xffffffd7(%ebp) 0x080485c1 : lea 0xffffffd9(%ebp),%eax 0x080485c4 : mov %eax,0x4(%esp) 0x080485c8 : lea 0xffffffe0(%ebp),%eax 0x080485cb : mov %eax,(%esp) 0x080485ce : call 0x804835c 0x080485d3 : test %eax,%eax 0x080485d5 : jne 0x80485de 0x080485d7 : movl $0x1,0xfffffff8(%ebp) 0x080485de : movl $0x8048742,(%esp) 0x080485e5 : call 0x80483bc 0x080485ea : call 0x8048484 0x080485ef : add $0x44,%esp 0x080485f2 : pop %ecx 0x080485f3 : pop %ebp 0x080485f4 : lea 0xfffffffc(%ecx),%esp 0x080485f7 : ret ---Type to continue, or q to quit---q Quit |
After isolation of the important instructions :
|
1 2 3 |
0x080485ce : call 0x804835c 0x080485d3 : test %eax,%eax 0x080485d5 : jne 0x80485de |
I used brake points :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
reakpoint 1 at 0x804835c (gdb) r Starting program: /wargame/level4 Breakpoint 1, 0x0804835c in strcmp@plt () (gdb) s Single stepping until exit from function strcmp@plt, which has no line number information. 0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6 (gdb) s Single stepping until exit from function strcmp, which has no line number information. 0x080485d3 in main () (gdb) s Single stepping until exit from function main, which has no line number information. Enter the password> test |
Let’s have a closer look to $esp
|
1 2 3 4 |
(gdb) x/2x $esp 0xbffff8bc: 0x080484e6 0xbffff8dd (gdb) x/s 0xbffff8dd 0xbffff8dd: "test\n" |
This was the password I typed in, let’s see further
|
1 2 3 4 5 |
(gdb) x/3x $esp 0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd (gdb) x/s 0xbffff9dd 0xbffff9dd: "snlprintf\n" (gdb) |
Seems […]
Tagged hack, intruded, leviathan, SecurityLet’s connect to the server :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
ssh level3@leviathan.intruded.net -p 10101 ************************************************* * Welcome to Intruded.net Wargame Server * * * * * You are playing "Leviathan" * * * Most levels can be found in /wargame * * * Login: level1:leviathan * * * Support: irc.intruded.net #wargames * * * * * * ! Server is restarted every 12 hours * * ! Server is cleaned every reboot * * ! /tmp direcotry is writable * * * * * ************************************************* level3@leviathan.intruded.net's password: Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686 level3@leviathan:~$ |
Let’s directly go to the Wargame folder
|
1 2 3 |
level3@leviathan:~$ cd /wargame/ level3@leviathan:/wargame$ ls check level4 printfile prog sphinx |
Multiple small program, let’s try them all :
|
1 2 3 4 5 6 7 8 9 10 11 |
level3@leviathan:/wargame$ ls check level4 printfile prog sphinx level3@leviathan:/wargame$ ./level4 -bash: ./level4: Permission denied level3@leviathan:/wargame$ ./printfile -bash: ./printfile: Permission denied level3@leviathan:/wargame$ ./sphinx -bash: ./sphinx: Permission denied level3@leviathan:/wargame$ ./prog Cannot find /tmp/file.log level3@leviathan:/wargame$ |
It looks like we have to use ./prog we have to read /home/level4/.passwd … and ./prog is reading the file /tmp/file.log and printing the content … so let’s link both
|
1 2 3 4 |
level3@leviathan:/wargame$ ln -s /home/level4/.passwd /tmp/file.log level3@leviathan:/wargame$ ./prog R0gBtSP5 level3@leviathan:/wargame$ |
[…]
Tagged hacking, intruded, leviathan, Security, wargameNow that we succeeded the first level, let’s go for the second one. Once connected to the second level you see this :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
ssh level2@leviathan.intruded.net -p 10101 ************************************************* * Welcome to Intruded.net Wargame Server * * * * * You are playing "Leviathan" * * * Most levels can be found in /wargame * * * Login: level1:leviathan * * * Support: irc.intruded.net #wargames * * * * * * ! Server is restarted every 12 hours * * ! Server is cleaned every reboot * * ! /tmp direcotry is writable * * * * * ************************************************* level2@leviathan.intruded.net's password: Permission denied, please try again. level2@leviathan.intruded.net's password: Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686 level2@leviathan:~$ |
let’s see the available files and directories :
|
1 2 3 |
level2@leviathan:~$ ls -a . .. .bash_history .bash_logout .bash_profile .bashrc .passwd level2@leviathan:~$ |
Let’s explore a bit further :
|
1 2 3 4 5 |
level2@leviathan:/home$ ls -a . .. level1 level2 level3 level4 level5 level6 level7 level8 level2@leviathan:/home$ cd level3/ -bash: cd: level3/: Permission denied level2@leviathan:/home$ |
and a bit further
|
1 2 3 4 5 |
level2@leviathan:/$ ls -a . boot etc initrd.img media proc srv usr wargame .. cdrom home lib mnt root sys var bin dev initrd lost+found opt sbin tmp vmlinuz level2@leviathan:/$ |
Finally, a wargame folder
|
1 2 3 |
level2@leviathan:/wargame$ ls check level4 printfile prog sphinx level2@leviathan:/wargame$ |
Let’s run the small program […]
Tagged gdb, intruded, leviathan, ltrace, Security, wargameToday I tried the Intruded Leviathan wargame. This resolves the first challenge : open a terminal type “ssh level1@leviathan.intruded.net -p 10101” type the password leviathan Connect to the remote web server :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
************************************************* * Welcome to Intruded.net Wargame Server * * * * * You are playing "Leviathan" * * * Most levels can be found in /wargame * * * Login: level1:leviathan * * * Support: irc.intruded.net #wargames * * * * * * ! Server is restarted every 12 hours * * ! Server is cleaned every reboot * * ! /tmp direcotry is writable * * * * * ************************************************* level1@leviathan.intruded.net's password: Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686 |
First thing to do, evaluate the situation with the following command :
|
1 2 |
level1@leviathan:~$ ls -a . .. .backup .bash_history .bash_logout .bash_profile .bashrc .passwd |
As we can see there is a .backup […]
Tagged hack, intruded, leviathan, SecurityYesterday we where still working on some attacks on our bench test and we tried some exploits on IP phones that we found on the internet. Most of them where making DOS or DDOS on the phones, this means that the phones were basically freezing. Then we made some modification to a C UDP flooder […]
Tagged 3825, 3845, 7940, c, cisco, ddos, ephone, flood, hack, Security, udp.c, voipThis code was just a challenge, I wanted to create a simple image file with BMP headers. The following code simply generate pink pixel . There is actually a pixel on this post somewhere there —>
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
#include int main(void){ FILE *f; int filesize = 54 + 3*1*1; unsigned char bmpfileheader[14] = {'B','M', 0,0,0,0, 0,0,0,0, 54,0,0,0}; unsigned char bmpinfoheader[40] = {40,0,0,0, 0,0,0,0, 0,0,0,0, 1,0, 24,0}; unsigned char bmpcontent[6] = {0,0,255}; unsigned char bmppad[3] = {0,0,0}; /* Construct header with filesize part */ bmpfileheader[ 2] = (unsigned char)(filesize ); bmpfileheader[ 3] = (unsigned char)(filesize>> 8); bmpfileheader[ 4] = (unsigned char)(filesize>>16); bmpfileheader[ 5] = (unsigned char)(filesize>>24); /* Construct header with width and height part */ bmpinfoheader[ 4] = (unsigned char)( 1 ); bmpinfoheader[ 8] = (unsigned char)( 1 ); f = fopen("test.bmp","wb"); fwrite(bmpfileheader,1,14,f); fwrite(bmpinfoheader,1,40,f); fwrite(bmpcontent,3,6,f); fclose(f); return 1; } |
The code is pretty simple, however has not been commented, for more information have a look to the […]
Tagged bmp, c, image, pixel, programming, red, uselessTo know who’s connected on your computer use the following commands : Commands : who : show the connected users : Linux/Mac last : show last connexion (passed ) : Linux / Mac lastb : show last connexion (failed) : Linux These files may also contain clues :
|
1 2 3 4 5 |
/etc/passwd : local users /etc/group : local groups /etc/log/wtmp : binary file with all connexion log ( Only Linux ) /var/log/utmp : binray file with all user actually connected ( Only Linux) /var/log/btmp : Binary file with all failed connexion ( Only Linux ) |
