Diffstat (limited to 'source/_posts/2014-09-28-smashthestack-level01.md')
-rw-r--r-- | source/_posts/2014-09-28-smashthestack-level01.md | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/source/_posts/2014-09-28-smashthestack-level01.md b/source/_posts/2014-09-28-smashthestack-level01.md new file mode 100644 index 0000000..8a05a7e --- /dev/null +++ b/source/_posts/2014-09-28-smashthestack-level01.md 
@@ -0,0 +1,108 @@ +--- +title: SmashTheStack - IO Level01 +tags: security +date: 2014-09-28 +--- + +Recently I have been attempting to improve my programming knowledge by trying to grasp a deeper understanding of the memory allocations and getting deeper into the ways the computer handles it's processes. +I figured a great way to do this would be to look more into exploitation, and so I picked up the book "The Art of Exploitation" which was an excellent read and I recomend it to any programmer looking to take the red +pill and see all the mess and loopholes that can be created when ignorantly hacking together programs in high level languages. + +While reading this book and getting closer to the "hacker" community I found more about +wargames, which is how I wound up at SmashTheStack.org and writing these tutorials as I've conquered them one at a time.I would like to point out that this is definitely not the first tract of wargames I have done, but it is the first I will try to document and explain as I go through, both for myself and anyone who happens upon this. + +--- + +The obvious first step would be to investigate the file and find out what needs to be done: + +```sh +level1@io:/levels$ ./level01 +Enter the 3 digit passcode to enter: 123 +level1@io:/level$ ./level01 +Enter the 3 digit passcode to enter: hello +``` + +The program does not offer any hints, but we can assume that if we enter the right code it will either print the password to level2 or drop us into a shell with permissions to read the password to the next level. +I also tried to break the program by enter bad data to see if it would return anything funky, though it didn't help. + +--- + +The next step I tried was to run a simple "strings" command on the file, though since we are looking for a number this was unlikely to help. 
+ +```sh +level1@io:/levels$ strings -a level01 +,0< w +Enter the 3 digit passcode to enter: Congrats you found it, now read the password for level2 from /home/level2/.pass +/bin/sh +.symtab +.strtab +.shstrtab +.text +.lib +.data +level01.asm +fscanf +skipwhite +doit +exitscanf +YouWin +exit +puts +main +prompt1 +prompt2 +shell +_start +__bss_start +_edata +_end +``` + +- - - +Now, we must plunge deeper into the mysterious world of machine code by looking at the assembly instructions located inside of the executable. + +```sh +level1@io:/levels$ objdump -d level01 + +level01: file format elf32-i386 + + +Disassembly of section .text: + +08048080 <_start>: + 8048080: 68 28 91 04 08 push $0x8049128 + 8048085: e8 85 00 00 00 call 804810f <puts> + 804808a: e8 10 00 00 00 call 804809f <fscanf> + 804808f: 3d 0f 01 00 00 cmp $0x10f,%eax + 8048094: 0f 84 42 00 00 00 je 80480dc <YouWin> + 804809a: e8 64 00 00 00 call 8048103 <exit> +``` + +From this objdump we see that there is a comparison at 0x804808f, which most likely is comparing the user input to the correct password. + +- - - + +I then started debugging the file with gdb to locate the password, that should be stored at 0x10f. +```sh +level1@io:/levels$ gdb -q ./level01 +Reading symbols from /levels/level01...(no debugging symbols found)...done. +(gdb) break main +Breakpoint 1 at 0x8048080 +(gdb) print 0x10f +$1 = [3 DIGITS] +``` + +- - - + +After investigating and printing the value at that location we see a three digit number! This is then plugged in and a shell is opened and we are able to read the .pass file. + +```sh +level1@io:/levels$ ./level01 +Enter the 3 digit passcode to enter: [3 DIGITS] +Congrats you found it, now read the password for level2 from /home/level2/.pass +sh-4.2$ cat /home/level2/.pass +[LEVELPASS] +``` + +I hope people find this walkthrough helpful. I will continue through these levels and try to post write ups as I get further. 
I hope my noobie attempts at these levels will help people of a more +amateur experience level understand what to do and how to navigate these commands. Happy smashing! |
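Review bot: the write-up treats 0x10f as a memory location ("the password, that should be stored at 0x10f", "printing the value at that location"), but in the objdump line `804808f: 3d 0f 01 00 00 cmp $0x10f,%eax` the `$` prefix marks 0x10f as an immediate operand in AT&T syntax, so `print 0x10f` in gdb only converts that constant to decimal and reads nothing from memory; suggest rewording those two sentences to say the passcode is the constant 0x10f that `fscanf`'s return value in `%eax` is compared against. Minor text fixes in the same hunk: "it's processes" should be "its processes", "recomend" should be "recommend", a space is missing after "one at a time.", "by enter bad data" should be "by entering bad data", and the second prompt in the first shell block reads `/level$` where the others read `/levels$`.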