Month: December 2014
SMASH THE STACK LEVEL 5
still smashing 😀
|
1 2 3 4 |
level5@io:/levels$ ./level05 level5@io:/levels$ ./level05 a a level5@io:/levels$ |
echo one 😀 let’s see the source code
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
level5@io:/levels$ cat level05.c #include #include int main(int argc, char **argv) { char buf[128]; if(argc < 2) return 1; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; } |
SMASH THE STACK LEVEL4
level 4 😀
|
1 2 3 4 5 6 7 |
level4@io:~$ cd /levels/ level4@io:/levels$ ./level04 Welcome level5 level4@io:/levels$ ./level04 d Welcome level5 level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024") Welcome level5 |
so i will read the code
|
1 2 3 4 5 6 7 8 |
int main() { char username[1024]; FILE* f = popen("whoami","r"); fgets(username, sizeof(username), f); printf("Welcome %s", username); return 0; } |
popen to execute whoami
underc0de 3 WalkThrough
loaded the virtual machine and run netdiscover to get the machine IP
|
1 2 3 4 5 6 7 8 9 10 11 |
oot@n1x:~# netdiscover Currently scanning: 192.168.39.0/16 | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor ----------------------------------------------------------------------------- 192.168.1.1 e8:94:f6:5d:c6:3b 01 060 Unknown vendor 192.168.1.2 00:18:fe:6d:61:27 01 060 Hewlett Packard 192.168.1.100 6c:40:08:98:68:d4 01 060 Unknown vendor 192.168.1.112 00:0c:29:fb:62:53 01 060 VMware, Inc. |
x.112 is  the target so let’s see what ports available
|
1 2 3 4 5 6 7 8 9 10 11 12 |
root@n1x:~# nmap -sSV -p1-9999 192.168.1.112 Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-01 02:49 EST Nmap scan report for 192.168.1.112 Host is up (0.00019s latency). Not shown: 9996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.22 ((Debian)) MAC Address: 00:0C:29:FB:62:53 (VMware) Service Info: Host: Underdist; OS: Linux; CPE: cpe:/o:linux:linux_kernel |
apache is on 😀 so let’s brute-force the directory in the server
SMASH THE STACK LEVEL3
pretty good level I learned a few new stuff so lets hit the game
|
1 2 3 4 |
level3@io:/levels$ ./level03 level3@io:/levels$ ./level03 9 level3@io:/levels$ ./level03 $(python -c "print 'a' * 10000 ") Segmentation fault |
fighting with the app till it crashes and hell yeah we start from fault 😀 so we need to see what’s going on
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
level3@io:/levels$ gdb ./level03 (gdb) disassemble main Dump of assembler code for function main: 0x080484c8 <+0>: push %ebp 0x080484c9 <+1>: mov %esp,%ebp 0x080484cb <+3>: sub $0x78,%esp 0x080484ce <+6>: and $0xfffffff0,%esp 0x080484d1 <+9>: mov $0x0,%eax 0x080484d6 <+14>: sub %eax,%esp 0x080484d8 <+16>: movl $0x80484a4,-0xc(%ebp) 0x080484df <+23>: cmpl $0x2,0x8(%ebp) 0x080484e3 <+27>: jne 0x80484fc <main+52> 0x080484e5 <+29>: mov 0xc(%ebp),%eax 0x080484e8 <+32>: add $0x4,%eax 0x080484eb <+35>: mov (%eax),%eax 0x080484ed <+37>: mov %eax,(%esp) 0x080484f0 <+40>: call 0x804839c <strlen@plt> 0x080484f5 <+45>: cmp $0x3,%eax 0x080484f8 <+48>: jbe 0x80484fc <main+52> 0x080484fa <+50>: jmp 0x8048505 <main+61> 0x080484fc <+52>: movl $0x0,-0x5c(%ebp) 0x08048503 <+59>: jmp 0x8048579 <main+177> 0x08048505 <+61>: mov 0xc(%ebp),%eax 0x08048508 <+64>: add $0x4,%eax 0x0804850b <+67>: mov (%eax),%eax 0x0804850d <+69>: mov %eax,(%esp) 0x08048510 <+72>: call 0x804839c <strlen@plt> 0x08048515 <+77>: mov %eax,0x8(%esp) 0x08048519 <+81>: mov 0xc(%ebp),%eax 0x0804851c <+84>: add $0x4,%eax 0x0804851f <+87>: mov (%eax),%eax 0x08048521 <+89>: mov %eax,0x4(%esp) 0x08048525 <+93>: lea -0x58(%ebp),%eax 0x08048528 <+96>: mov %eax,(%esp) 0x0804852b <+99>: call 0x804838c <memcpy@plt> 0x08048530 <+104>: mov 0xc(%ebp),%eax 0x08048533 <+107>: add $0x4,%eax => 0x08048536 <+110>: mov (%eax),%eax 0x08048538 <+112>: mov %eax,(%esp) 0x0804853b <+115>: call 0x804839c <strlen@plt> 0x08048540 <+120>: sub $0x4,%eax 0x08048543 <+123>: mov %eax,0x8(%esp) ---Type <return> to continue, or q <return> to quit--- 0x08048547 <+127>: movl $0x0,0x4(%esp) 0x0804854f <+135>: lea -0x58(%ebp),%eax 0x08048552 <+138>: mov %eax,(%esp) 0x08048555 <+141>: call 0x804835c <memset@plt> 0x0804855a <+146>: mov -0xc(%ebp),%eax 0x0804855d <+149>: mov %eax,0x4(%esp) 0x08048561 <+153>: movl $0x80486c0,(%esp) 0x08048568 <+160>: call 0x80483ac <printf@plt> 0x0804856d <+165>: mov -0xc(%ebp),%eax 0x08048570 <+168>: call *%eax 0x08048572 <+170>: movl $0x0,-0x5c(%ebp) 0x08048579 <+177>: mov -0x5c(%ebp),%eax 0x0804857c <+180>: leave 0x0804857d <+181>: ret End of assembler dump. |
SMASH THE STACK LEVEL2
time to play
|
1 2 |
level2@io:/levels$ ./level02 source code is available in level02.c |
let’s read what it says
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
level2@io:/levels$ cat level02.c //a little fun brought to you by bla #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <setjmp.h> void catcher(int a) { setresuid(geteuid(),geteuid(),geteuid()); printf("WIN!\n"); system("/bin/sh"); exit(0); } int main(int argc, char **argv) { puts("source code is available in level02.c\n"); if (argc != 3 || !atoi(argv[2])) return 1; signal(SIGFPE, catcher); return abs(atoi(argv[1])) / atoi(argv[2]); } level2@io:/levels$ |
first function catcher  and it trigger the suid  and drop the bash nice  this is what we want
SMASH THE STACK Level1
after login to the ssh server levels located on /levels so let’s play  level1
|
1 2 |
level2@io:/levels$ ls -alh level01 -r-sr-x--- 1 level2 level1 1.2K Jan 13 2014 level01 |
as u notice it had suid permeation  -r-sr-x— for level2  so it will lead us to a user (level2 )
|
1 2 |
level1@io:/levels$ ./level01 Enter the 3 digit passcode to enter: 838 |
I entered any test number and it leads me with no respond 😀 crazy huh! so I decided to look