Security Archives - Page 3 of 3

By Ahmad
Posted on December 3, 2014
Posted in Security, tech

SMASH THE STACK LEVEL 5

still smashing 😀

level5@io:/levels$ ./level05
level5@io:/levels$ ./level05 a
a
level5@io:/levels$

level5@io:/levels$ ./level05

level5@io:/levels$ ./level05 a

level5@io:/levels$

echo one 😀 let’s see the source code

level5@io:/levels$ cat level05.c
#include 
#include

int main(int argc, char **argv) {

char buf[128];

if(argc < 2) return 1;

strcpy(buf, argv[1]);

printf("%s\n", buf);

return 0;
}

level5@io:/levels$ cat level05.c

#include

int main(int argc, char **argv) {

char buf[128];

if(argc < 2) return 1;

strcpy(buf, argv[1]);

printf("%s\n", buf);

return 0;

}

By Ahmad
Posted on December 3, 2014
Posted in Linux, Security, tech

SMASH THE STACK LEVEL4

level 4 😀

level4@io:~$ cd /levels/
level4@io:/levels$ ./level04
Welcome level5
level4@io:/levels$ ./level04 d
Welcome level5
level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024")
Welcome level5

level4@io:~$ cd /levels/

level4@io:/levels$ ./level04

Welcome level5

level4@io:/levels$ ./level04 d

Welcome level5

level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024")

Welcome level5

so i will read the code

int main() {
        char username[1024];
        FILE* f = popen("whoami","r");
        fgets(username, sizeof(username), f);
        printf("Welcome %s", username);

        return 0;
}

int main() {

char username[1024];

FILE* f = popen("whoami","r");

fgets(username, sizeof(username), f);

printf("Welcome %s", username);

return 0;

}

popen to execute whoami

By Ahmad
Posted on December 3, 2014
Posted in Python, Security, tech, Uncategorized, Web

underc0de 3 WalkThrough

loaded the virtual machine and run netdiscover to get the machine IP

oot@n1x:~# netdiscover
 Currently scanning: 192.168.39.0/16   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.1.1     e8:94:f6:5d:c6:3b    01    060   Unknown vendor
 192.168.1.2     00:18:fe:6d:61:27    01    060   Hewlett Packard
 192.168.1.100   6c:40:08:98:68:d4    01    060   Unknown vendor
 192.168.1.112   00:0c:29:fb:62:53    01    060   VMware, Inc.

oot@n1x:~# netdiscover

Currently scanning: 192.168.39.0/16 | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240

_____________________________________________________________________________

IP At MAC Address Count Len MAC Vendor

-----------------------------------------------------------------------------

192.168.1.1 e8:94:f6:5d:c6:3b 01 060 Unknown vendor

192.168.1.2 00:18:fe:6d:61:27 01 060 Hewlett Packard

192.168.1.100 6c:40:08:98:68:d4 01 060 Unknown vendor

192.168.1.112 00:0c:29:fb:62:53 01 060 VMware, Inc.

x.112 is the target so let’s see what ports available

root@n1x:~# nmap -sSV -p1-9999 192.168.1.112

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-01 02:49 EST
Nmap scan report for 192.168.1.112
Host is up (0.00019s latency).
Not shown: 9996 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp open  smtp    Postfix smtpd
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
MAC Address: 00:0C:29:FB:62:53 (VMware)
Service Info: Host:  Underdist; OS: Linux; CPE: cpe:/o:linux:linux_kernel

root@n1x:~# nmap -sSV -p1-9999 192.168.1.112

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-01 02:49 EST

Nmap scan report for 192.168.1.112

Host is up (0.00019s latency).

Not shown: 9996 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)

25/tcp open smtp Postfix smtpd

80/tcp open http Apache httpd 2.2.22 ((Debian))

MAC Address: 00:0C:29:FB:62:53 (VMware)

Service Info: Host: Underdist; OS: Linux; CPE: cpe:/o:linux:linux_kernel

apache is on 😀 so let’s brute-force the directory in the server

By Ahmad
Posted on December 1, 2014
Posted in Security, tech

SMASH THE STACK LEVEL3

pretty good level I learned a few new stuff so lets hit the game

level3@io:/levels$ ./level03
level3@io:/levels$ ./level03 9
level3@io:/levels$ ./level03 $(python -c "print 'a' * 10000 ")
Segmentation fault

level3@io:/levels$ ./level03

level3@io:/levels$ ./level03 9

level3@io:/levels$ ./level03 $(python -c "print 'a' * 10000 ")

Segmentation fault

fighting with the app till it crashes and hell yeah we start from fault 😀 so we need to see what’s going on

level3@io:/levels$ gdb ./level03
(gdb) disassemble main
Dump of assembler code for function main:
   0x080484c8 <+0>:	push   %ebp
   0x080484c9 <+1>:	mov    %esp,%ebp
   0x080484cb <+3>:	sub    $0x78,%esp
   0x080484ce <+6>:	and    $0xfffffff0,%esp
   0x080484d1 <+9>:	mov    $0x0,%eax
   0x080484d6 <+14>:	sub    %eax,%esp
   0x080484d8 <+16>:	movl   $0x80484a4,-0xc(%ebp)
   0x080484df <+23>:	cmpl   $0x2,0x8(%ebp)
   0x080484e3 <+27>:	jne    0x80484fc <main+52>
   0x080484e5 <+29>:	mov    0xc(%ebp),%eax
   0x080484e8 <+32>:	add    $0x4,%eax
   0x080484eb <+35>:	mov    (%eax),%eax
   0x080484ed <+37>:	mov    %eax,(%esp)
   0x080484f0 <+40>:	call   0x804839c <strlen@plt>
   0x080484f5 <+45>:	cmp    $0x3,%eax
   0x080484f8 <+48>:	jbe    0x80484fc <main+52>
   0x080484fa <+50>:	jmp    0x8048505 <main+61>
   0x080484fc <+52>:	movl   $0x0,-0x5c(%ebp)
   0x08048503 <+59>:	jmp    0x8048579 <main+177>
   0x08048505 <+61>:	mov    0xc(%ebp),%eax
   0x08048508 <+64>:	add    $0x4,%eax
   0x0804850b <+67>:	mov    (%eax),%eax
   0x0804850d <+69>:	mov    %eax,(%esp)
   0x08048510 <+72>:	call   0x804839c <strlen@plt>
   0x08048515 <+77>:	mov    %eax,0x8(%esp)
   0x08048519 <+81>:	mov    0xc(%ebp),%eax
   0x0804851c <+84>:	add    $0x4,%eax
   0x0804851f <+87>:	mov    (%eax),%eax
   0x08048521 <+89>:	mov    %eax,0x4(%esp)
   0x08048525 <+93>:	lea    -0x58(%ebp),%eax
   0x08048528 <+96>:	mov    %eax,(%esp)
   0x0804852b <+99>:	call   0x804838c <memcpy@plt>
   0x08048530 <+104>:	mov    0xc(%ebp),%eax
   0x08048533 <+107>:	add    $0x4,%eax
=> 0x08048536 <+110>:	mov    (%eax),%eax
   0x08048538 <+112>:	mov    %eax,(%esp)
   0x0804853b <+115>:	call   0x804839c <strlen@plt>
   0x08048540 <+120>:	sub    $0x4,%eax
   0x08048543 <+123>:	mov    %eax,0x8(%esp)
---Type <return> to continue, or q <return> to quit---
   0x08048547 <+127>:	movl   $0x0,0x4(%esp)
   0x0804854f <+135>:	lea    -0x58(%ebp),%eax
   0x08048552 <+138>:	mov    %eax,(%esp)
   0x08048555 <+141>:	call   0x804835c <memset@plt>
   0x0804855a <+146>:	mov    -0xc(%ebp),%eax
   0x0804855d <+149>:	mov    %eax,0x4(%esp)
   0x08048561 <+153>:	movl   $0x80486c0,(%esp)
   0x08048568 <+160>:	call   0x80483ac <printf@plt>
   0x0804856d <+165>:	mov    -0xc(%ebp),%eax
   0x08048570 <+168>:	call   *%eax
   0x08048572 <+170>:	movl   $0x0,-0x5c(%ebp)
   0x08048579 <+177>:	mov    -0x5c(%ebp),%eax
   0x0804857c <+180>:	leave
   0x0804857d <+181>:	ret
End of assembler dump.

level3@io:/levels$ gdb ./level03

(gdb) disassemble main

Dump of assembler code for function main:

0x080484c8 <+0>: push %ebp

0x080484c9 <+1>: mov %esp,%ebp

0x080484cb <+3>: sub $0x78,%esp

0x080484ce <+6>: and $0xfffffff0,%esp

0x080484d1 <+9>: mov $0x0,%eax

0x080484d6 <+14>: sub %eax,%esp

0x080484d8 <+16>: movl $0x80484a4,-0xc(%ebp)

0x080484df <+23>: cmpl $0x2,0x8(%ebp)

0x080484e3 <+27>: jne 0x80484fc <main+52>

0x080484e5 <+29>: mov 0xc(%ebp),%eax

0x080484e8 <+32>: add $0x4,%eax

0x080484eb <+35>: mov (%eax),%eax

0x080484ed <+37>: mov %eax,(%esp)

0x080484f0 <+40>: call 0x804839c <strlen@plt>

0x080484f5 <+45>: cmp $0x3,%eax

0x080484f8 <+48>: jbe 0x80484fc <main+52>

0x080484fa <+50>: jmp 0x8048505 <main+61>

0x080484fc <+52>: movl $0x0,-0x5c(%ebp)

0x08048503 <+59>: jmp 0x8048579 <main+177>

0x08048505 <+61>: mov 0xc(%ebp),%eax

0x08048508 <+64>: add $0x4,%eax

0x0804850b <+67>: mov (%eax),%eax

0x0804850d <+69>: mov %eax,(%esp)

0x08048510 <+72>: call 0x804839c <strlen@plt>

0x08048515 <+77>: mov %eax,0x8(%esp)

0x08048519 <+81>: mov 0xc(%ebp),%eax

0x0804851c <+84>: add $0x4,%eax

0x0804851f <+87>: mov (%eax),%eax

0x08048521 <+89>: mov %eax,0x4(%esp)

0x08048525 <+93>: lea -0x58(%ebp),%eax

0x08048528 <+96>: mov %eax,(%esp)

0x0804852b <+99>: call 0x804838c <memcpy@plt>

0x08048530 <+104>: mov 0xc(%ebp),%eax

0x08048533 <+107>: add $0x4,%eax

=> 0x08048536 <+110>: mov (%eax),%eax

0x08048538 <+112>: mov %eax,(%esp)

0x0804853b <+115>: call 0x804839c <strlen@plt>

0x08048540 <+120>: sub $0x4,%eax

0x08048543 <+123>: mov %eax,0x8(%esp)

---Type <return> to continue, or q <return> to quit---

0x08048547 <+127>: movl $0x0,0x4(%esp)

0x0804854f <+135>: lea -0x58(%ebp),%eax

0x08048552 <+138>: mov %eax,(%esp)

0x08048555 <+141>: call 0x804835c <memset@plt>

0x0804855a <+146>: mov -0xc(%ebp),%eax

0x0804855d <+149>: mov %eax,0x4(%esp)

0x08048561 <+153>: movl $0x80486c0,(%esp)

0x08048568 <+160>: call 0x80483ac <printf@plt>

0x0804856d <+165>: mov -0xc(%ebp),%eax

0x08048570 <+168>: call *%eax

0x08048572 <+170>: movl $0x0,-0x5c(%ebp)

0x08048579 <+177>: mov -0x5c(%ebp),%eax

0x0804857c <+180>: leave

0x0804857d <+181>: ret

End of assembler dump.

By Ahmad
Posted on December 1, 2014
Posted in Security, tech

SMASH THE STACK LEVEL2

time to play

level2@io:/levels$ ./level02
source code is available in level02.c

1 2	level2@io:/levels$ ./level02 source code is available in level02.c

let’s read what it says

level2@io:/levels$ cat level02.c
//a little fun brought to you by bla

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <setjmp.h>

void catcher(int a)
{
        setresuid(geteuid(),geteuid(),geteuid());
	printf("WIN!\n");
        system("/bin/sh");
        exit(0);
}

int main(int argc, char **argv)
{
	puts("source code is available in level02.c\n");

        if (argc != 3 || !atoi(argv[2]))
                return 1;
        signal(SIGFPE, catcher);
        return abs(atoi(argv[1])) / atoi(argv[2]);
}

level2@io:/levels$

level2@io:/levels$ cat level02.c

//a little fun brought to you by bla

#include <stdio.h>

#include <stdlib.h>

#include <signal.h>

#include <setjmp.h>

void catcher(int a)

{

setresuid(geteuid(),geteuid(),geteuid());

printf("WIN!\n");

system("/bin/sh");

exit(0);

}

int main(int argc, char **argv)

{

puts("source code is available in level02.c\n");

if (argc != 3 || !atoi(argv[2]))

return 1;

signal(SIGFPE, catcher);

return abs(atoi(argv[1])) / atoi(argv[2]);

}

level2@io:/levels$

first function catcher and it trigger the suid and drop the bash nice this is what we want

By Ahmad
Posted on December 1, 2014
Posted in Security, tech

SMASH THE STACK Level1

after login to the ssh server levels located on /levels so let’s play level1

level2@io:/levels$ ls -alh level01
-r-sr-x--- 1 level2 level1 1.2K Jan 13  2014 level01

1 2	level2@io:/levels$ ls -alh level01 -r-sr-x--- 1 level2 level1 1.2K Jan 13 2014 level01

as u notice it had suid permeation -r-sr-x— for level2 so it will lead us to a user (level2 )

level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: 838

1 2	level1@io:/levels$ ./level01 Enter the 3 digit passcode to enter: 838

I entered any test number and it leads me with no respond 😀 crazy huh! so I decided to look

By Ahmad
Posted on November 24, 2014
Posted in Linux, Security

GPG = Gnu Privacy Guard To secure file from unauthorised access with the password in Linux/Unix is very simple method 🙂 lets assume we have a secure file with some financials stuff called orders.xls and we want to email it to our partners and we want to get sure just he is the only one

Ahmad Mahfouz

Category: Security

SMASH THE STACK LEVEL 5

SMASH THE STACK LEVEL4

underc0de 3 WalkThrough

SMASH THE STACK LEVEL3

SMASH THE STACK LEVEL2

SMASH THE STACK Level1

Files Encrypt with GPG