summaryrefslogtreecommitdiff
path: root/source/_posts/2014-09-28-smashthestack-level01.md
diff options
context:
space:
mode:
Diffstat (limited to 'source/_posts/2014-09-28-smashthestack-level01.md')
-rw-r--r--source/_posts/2014-09-28-smashthestack-level01.md108
1 files changed, 108 insertions, 0 deletions
diff --git a/source/_posts/2014-09-28-smashthestack-level01.md b/source/_posts/2014-09-28-smashthestack-level01.md
new file mode 100644
index 0000000..8a05a7e
--- /dev/null
+++ b/source/_posts/2014-09-28-smashthestack-level01.md
@@ -0,0 +1,108 @@
+---
+title: SmashTheStack - IO Level01
+tags: security
+date: 2014-09-28
+---
+
+Recently I have been attempting to improve my programming knowledge by trying to grasp a deeper understanding of the memory allocations and getting deeper into the ways the computer handles it's processes.
+I figured a great way to do this would be to look more into exploitation, and so I picked up the book "The Art of Exploitation" which was an excellent read and I recomend it to any programmer looking to take the red
+pill and see all the mess and loopholes that can be created when ignorantly hacking together programs in high level languages.
+
+While reading this book and getting closer to the "hacker" community I found more about
+wargames, which is how I wound up at SmashTheStack.org and writing these tutorials as I've conquered them one at a time.I would like to point out that this is definitely not the first tract of wargames I have done, but it is the first I will try to document and explain as I go through, both for myself and anyone who happens upon this.
+
+---
+
+The obvious first step would be to investigate the file and find out what needs to be done:
+
+```sh
+level1@io:/levels$ ./level01
+Enter the 3 digit passcode to enter: 123
+level1@io:/level$ ./level01
+Enter the 3 digit passcode to enter: hello
+```
+
+The program does not offer any hints, but we can assume that if we enter the right code it will either print the password to level2 or drop us into a shell with permissions to read the password to the next level.
+I also tried to break the program by enter bad data to see if it would return anything funky, though it didn't help.
+
+---
+
+The next step I tried was to run a simple "strings" command on the file, though since we are looking for a number this was unlikely to help.
+
+```sh
+level1@io:/levels$ strings -a level01
+,0< w
+Enter the 3 digit passcode to enter: Congrats you found it, now read the password for level2 from /home/level2/.pass
+/bin/sh
+.symtab
+.strtab
+.shstrtab
+.text
+.lib
+.data
+level01.asm
+fscanf
+skipwhite
+doit
+exitscanf
+YouWin
+exit
+puts
+main
+prompt1
+prompt2
+shell
+_start
+__bss_start
+_edata
+_end
+```
+
+- - -
+Now, we must plunge deeper into the mysterious world of machine code by looking at the assembly instructions located inside of the executable.
+
+```sh
+level1@io:/levels$ objdump -d level01
+
+level01: file format elf32-i386
+
+
+Disassembly of section .text:
+
+08048080 <_start>:
+ 8048080: 68 28 91 04 08 push $0x8049128
+ 8048085: e8 85 00 00 00 call 804810f <puts>
+ 804808a: e8 10 00 00 00 call 804809f <fscanf>
+ 804808f: 3d 0f 01 00 00 cmp $0x10f,%eax
+ 8048094: 0f 84 42 00 00 00 je 80480dc <YouWin>
+ 804809a: e8 64 00 00 00 call 8048103 <exit>
+```
+
+From this objdump we see that there is a comparison at 0x804808f, which most likely is comparing the user input to the correct password.
+
+- - -
+
+I then started debugging the file with gdb to locate the password, that should be stored at 0x10f.
+```sh
+level1@io:/levels$ gdb -q ./level01
+Reading symbols from /levels/level01...(no debugging symbols found)...done.
+(gdb) break main
+Breakpoint 1 at 0x8048080
+(gdb) print 0x10f
+$1 = [3 DIGITS]
+```
+
+- - -
+
+After investigating and printing the value at that location we see a three digit number! This is then plugged in and a shell is opened and we are able to read the .pass file.
+
+```sh
+level1@io:/levels$ ./level01
+Enter the 3 digit passcode to enter: [3 DIGITS]
+Congrats you found it, now read the password for level2 from /home/level2/.pass
+sh-4.2$ cat /home/level2/.pass
+[LEVELPASS]
+```
+
+I hope people find this walkthrough helpful. I will continue through these levels and try to post write ups as I get further. I hope my noobie attempts at these levels will help people of a more
+amateur experience level understand what to do and how to navigate these commands. Happy smashing!
generated by cgit v1.1 at 2024-05-17 08:18:50 +0000