Posts tagged leviathan

Intruded Nº4

0
618 jours
by in Linux, OS, Security

For the 4th one, we remeber that there was a program called
« level4″ in the /wargame folder, let’s go to it.

first run :

level4@leviathan:/wargame$ ./level4
Enter the password> lol
bzzzzzzzzap. WRONG
level4@leviathan:/wargame$

interesting .. it looks like the 2 challenge, let’s disassemble the main part : 

(gdb) disassemble main
Dump of assembler code for function main:
0x08048523 :	lea    0x4(%esp),%ecx
0x08048527 :	and    $0xfffffff0,%esp
0x0804852a :	pushl  0xfffffffc(%ecx)
0x0804852d :	push   %ebp
0x0804852e :	mov    %esp,%ebp
0x08048530 :	push   %ecx
0x08048531 :	sub    $0x44,%esp
0x08048534 :	mov    0x8048757,%eax
0x08048539 :	mov    %eax,0xfffffff1(%ebp)
0x0804853c :	movzwl 0x804875b,%eax
0x08048543 :	mov    %ax,0xfffffff5(%ebp)
0x08048547 :	movzbl 0x804875d,%eax
0x0804854e :	mov    %al,0xfffffff7(%ebp)
0x08048551 :	mov    0x804875e,%eax
0x08048556 :	mov    %eax,0xffffffe7(%ebp)
0x08048559 :	mov    0x8048762,%eax
0x0804855e :	mov    %eax,0xffffffeb(%ebp)
0x08048561 :	movzwl 0x8048766,%eax
0x08048568 :	mov    %ax,0xffffffef(%ebp)
0x0804856c :	mov    0x8048768,%eax
0x08048571 :	mov    %eax,0xffffffe0(%ebp)
0x08048574 :	movzwl 0x804876c,%eax
0x0804857b :	mov    %ax,0xffffffe4(%ebp)
0x0804857f :	movzbl 0x804876e,%eax
0x08048586 :	mov    %al,0xffffffe6(%ebp)
0x08048589 :	mov    0x804876f,%eax
0x0804858e :	mov    %eax,0xffffffd9(%ebp)
0x08048591 :	movzwl 0x8048773,%eax
0x08048598 :	mov    %ax,0xffffffdd(%ebp)
0x0804859c :	movzbl 0x8048775,%eax
0x080485a3 :	mov    %al,0xffffffdf(%ebp)
0x080485a6 :	mov    0x8048776,%eax
0x080485ab :	mov    %eax,0xffffffcf(%ebp)
0x080485ae :	mov    0x804877a,%eax
0x080485b3 :	mov    %eax,0xffffffd3(%ebp)
0x080485b6 :	movzwl 0x804877e,%eax
0x080485bd :	mov    %ax,0xffffffd7(%ebp)
0x080485c1 :	lea    0xffffffd9(%ebp),%eax
0x080485c4 :	mov    %eax,0x4(%esp)
0x080485c8 :	lea    0xffffffe0(%ebp),%eax
0x080485cb :	mov    %eax,(%esp)
0x080485ce :	call   0x804835c 
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de 
0x080485d7 :	movl   $0x1,0xfffffff8(%ebp)
0x080485de :	movl   $0x8048742,(%esp)
0x080485e5 :	call   0x80483bc

0x080485ea :	call   0x8048484 
0x080485ef :	add    $0x44,%esp
0x080485f2 :	pop    %ecx
0x080485f3 :	pop    %ebp
0x080485f4 :	lea    0xfffffffc(%ecx),%esp
0x080485f7 :	ret
---Type  to continue, or q  to quit---q
Quit

Again, we can take the interesting part :

0x080485ce :	call   0x804835c 
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de

let’s make a break point on it, and run it until it ask the password : 

reakpoint 1 at 0x804835c
(gdb) r
Starting program: /wargame/level4 

Breakpoint 1, 0x0804835c in strcmp@plt ()
(gdb) s
Single stepping until exit from function strcmp@plt,
which has no line number information.
0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) s
Single stepping until exit from function strcmp,
which has no line number information.
0x080485d3 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Enter the password> test

/!\ there is an interesting thing, I had to push 3 times « s » to arrive to my break point
( I should analyse this, anyway let’s continue ) /!\

let’s see what’s happening when we analyse $esp 

(gdb) x/2x $esp
0xbffff8bc:	0x080484e6	0xbffff8dd
(gdb) x/s 0xbffff8dd
0xbffff8dd:	 "test\n"

Ok, we got our password back, so, let’s go a bit further

(gdb) x/3x $esp
0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd
(gdb) x/s 0xbffff9dd
0xbffff9dd: « snlprintf\n »
(gdb)

ok .. here there is a little trick "snlprintf" is the password we are searching for,
they just put a " C " name as string. the clue is "\n" at the end of snlprintf ;)

let's try the password :

level4@leviathan:/wargame$ ./level4
Enter the password> snlprintf
[You've got shell]!
sh-3.1$

yeah let's go to the next lvl ;)

Intruded Nº3

0
619 jours
by in Linux, OS, Security

Hi,

ready for the challenge number 3 ?

let’s connect to it 


ssh level3@leviathan.intruded.net -p 10101
*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level3@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686

level3@leviathan:~$

Let’s directly go to the Wargame folder 

level3@leviathan:~$ cd /wargame/
level3@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx

let’s try one by one the programs, to see what’s our.

level3@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx
level3@leviathan:/wargame$ ./level4
-bash: ./level4: Permission denied
level3@leviathan:/wargame$ ./printfile
-bash: ./printfile: Permission denied
level3@leviathan:/wargame$ ./sphinx
-bash: ./sphinx: Permission denied
level3@leviathan:/wargame$ ./prog
Cannot find /tmp/file.log
level3@leviathan:/wargame$

It looks like we have to use ./prog

we have to read /home/level4/.passwd …
and ./prog is reading the file /tmp/file.log and printing the content … so let’s link both 

level3@leviathan:/wargame$ ln -s /home/level4/.passwd /tmp/file.log
level3@leviathan:/wargame$ ./prog
R0gBtSP5
level3@leviathan:/wargame$

Yeah … got it !!

ok, next challenges tomorrow :)

Intruded nº2

0
619 jours
by in Linux, OS, Security

Now that we succeeded the first level, let’s go for the second one.

Once connected to the second level you get this :

ssh level2@leviathan.intruded.net -p 10101
*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level2@leviathan.intruded.net's password:
Permission denied, please try again.
level2@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686
level2@leviathan:~$

let’s see what files are available :

level2@leviathan:~$ ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd
level2@leviathan:~$

Hmm nothing interesting let’s get one folder above,

level2@leviathan:/home$ ls -a
.  ..  level1  level2  level3  level4  level5  level6  level7  level8
level2@leviathan:/home$ cd level3/
-bash: cd: level3/: Permission denied
level2@leviathan:/home$

Hmm we cannot go to the level3 … let’s get to one folder above again

level2@leviathan:/$ ls -a
.    boot   etc     initrd.img  media  proc  srv  usr      wargame
..   cdrom  home    lib         mnt    root  sys  var
bin  dev    initrd  lost+found  opt    sbin  tmp  vmlinuz
level2@leviathan:/$

Haaa , there is a wargame folder, let’s try this one

level2@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx
level2@leviathan:/wargame$

ok, let’s try the first program :

level2@leviathan:/wargame$ ./check
password: test
Wrong password, Good Bye ...
level2@leviathan:/wargame$

Hmmm it looks like it’s a strcmp in C … if you remember I wrote an article about that,
how to get a password with GDB ( here )

let’s try it here :

 level2@leviathan:/wargame$ gdb  ./check
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

Let’s disassemble the main function :

(gdb) disassemble main
Dump of assembler code for function main:
0x08048464 :	lea    0x4(%esp),%ecx
0x08048468 :	and    $0xfffffff0,%esp
0x0804846b :	pushl  0xfffffffc(%ecx)
0x0804846e :	push   %ebp
0x0804846f :	mov    %esp,%ebp
0x08048471 :	push   %ecx
0x08048472 :	sub    $0x34,%esp
0x08048475 :	mov    0x8048668,%eax
0x0804847a :	mov    %eax,0xfffffff3(%ebp)
0x0804847d :	mov    0x804866c,%eax
0x08048482 :	mov    %eax,0xffffffec(%ebp)
0x08048485 :	movzwl 0x8048670,%eax
0x0804848c :	mov    %ax,0xfffffff0(%ebp)
0x08048490 :	movzbl 0x8048672,%eax
0x08048497 :	mov    %al,0xfffffff2(%ebp)
0x0804849a :	mov    0x8048673,%eax
0x0804849f :	mov    %eax,0xffffffe8(%ebp)
0x080484a2 :	mov    0x8048677,%eax
0x080484a7 :	mov    %eax,0xffffffe3(%ebp)
0x080484aa :	movzbl 0x804867b,%eax
0x080484b1 :	mov    %al,0xffffffe7(%ebp)
0x080484b4 :	movl   $0x8048638,(%esp)
0x080484bb :	call   0x8048398

0x080484c0 :	call   0x8048338
0x080484c5 :	mov    %al,0xfffffff7(%ebp)
0x080484c8 :	call   0x8048338
0x080484cd :	mov    %al,0xfffffff8(%ebp)
0x080484d0 :	call   0x8048338
0x080484d5 :	mov    %al,0xfffffff9(%ebp)
0x080484d8 :	movb   $0x0,0xfffffffa(%ebp)
0x080484dc :	lea    0xfffffff3(%ebp),%eax
0x080484df :	mov    %eax,0x4(%esp)
0x080484e3 :	lea    0xfffffff7(%ebp),%eax
0x080484e6 :	mov    %eax,(%esp)
0x080484e9 :	call   0x8048348
0x080484ee :	test   %eax,%eax
0x080484f0 :	jne    0x804850c
0x080484f2 :	movl   $0x3ea,(%esp)
0x080484f9 :	call   0x8048358
0x080484fe :	movl   $0x8048643,(%esp)
0x08048505 :	call   0x8048368
0x0804850a :	jmp    0x8048518
0x0804850c :	movl   $0x804864b,(%esp)
0x08048513 :	call   0x8048378

0x08048518 :	add    $0x34,%esp
0x0804851b :	pop    %ecx
0x0804851c :	pop    %ebp
0x0804851d :	lea    0xfffffffc(%ecx),%esp
0x08048520 :	ret
0x08048521 :	nop
0x08048522 :	nop
0x08048523 :	nop
0x08048524 :	nop
0x08048525 :	nop
0x08048526 :	nop
0x08048527 :	nop
0x08048528 :	nop
0x08048529 :	nop
0x0804852a :	nop
0x0804852b :	nop
0x0804852c :	nop
0x0804852d :	nop
0x0804852e :	nop
0x0804852f :	nop
End of assembler dump.

as we can see :

0x080484e9 :	call   0x8048348
0x080484ee :	test   %eax,%eax
0x080484f0 :	jne    0x804850c

this is the interesting part, let’s make a break point on the call and analyse it with x/x

(gdb) b * 0x8048348
Breakpoint 1 at 0x8048348
(gdb) r
Starting program: /wargame/check
password: test

Breakpoint 1, 0x08048348 in strcmp@plt ()
(gdb) x/x $esp
0xbffff9fc:	0x080484ee

as we can see it’s giving us, what is on this moment in the stack, let’s go further,
we are gonna print the stack with x/s and see what happens.

(gdb) x/s 0x080484ee
0x80484ee :	 "\205?u\032?\004$?\003"

it looks not normal let’s try a bit more

(gdb) x/2x $esp
0xbffff9fc:	0x080484ee	0xbffffa2f
(gdb) x/s 0xbffffa2f
0xbffffa2f:	 "tes"

Haaa this is OUR « tes » we can already conclude that the password is only 3 chars, let’s get more inside it
again

(gdb) x/3x $esp
0xbffff9fc:	0x080484ee	0xbffffa2f	0xbffffa2b
(gdb) x/s 0xbffffa2b
0xbffffa2b:	 "sex"
(gdb)

Got it …

let’s run again, tadaaa new shell

level2@leviathan:/wargame$ ./check
password: sex
sh-3.1$

anyway another solution could have been to use the ltrace command:

level2@leviathan:/wargame$ ltrace ./check
__libc_start_main(0x8048464, 1, 0xbffffad4, 0x8048580, 0x8048530
printf("password: ")                                                                                                         = 10
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4password: test
)                                                            = 116
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4)                                                            = 101
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4)                                                            = 115
strcmp("tes", "sex")                                                                                                         = 1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                                                                         = 29
+++ exited (status 29) +++
level2@leviathan:/wargame$

let’s go to the next level ;) 

sh-3.1$ cat /home/level3/.passwd
oc7vaCOg
sh-3.1$

Intruded nº1

0
619 jours
by in Linux, OS, Security

Today I tried the Intruded Leviathan wargame ( the first levels ),

I will explain how to resolve them easily.

Let’s try the first one.

  1. open a terminal
  2. type « ssh level1@leviathan.intruded.net -p 10101″
  3. type the password  leviathan

and then you should get something like this :

*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level1@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686

Now that we are connected, we should try the first command to see

ls -a = to list the folders even the hidden one

level1@leviathan:~$ ls -a
.  ..  .backup  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd

Hmmm there is a « backup » folder hidden, let’s enter in it, and list it.

level1@leviathan:~$ cd ./.backup
level1@leviathan:~/.backup$ ls -a
bookmarks.html

Ok, bookmarks let’s see if there are some « passwords »

level1@leviathan:~/.backup$ cat ./bookmarks.html |grep pass
<DT><A HREF="http://nahtaivel.intruded.net/passwordus.html" TEMP: "AFeSdWEf"ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to level2</A>
level1@leviathan:~/.backup$

Easy … we got it

let’s meet at the next level :)

Get Adobe Flash playerPlugin by wpburn.com wordpress themes
Go to Top