
[SmashTheStack – IO] Level 1


It’s a wargame, so I won’t explain the concept again here.

To play this game you need an SSH client such as PuTTY, SSH Secure Shell Client, SecureCRT or OpenSSH; search the web if you need to get one or learn how to use it.

I personally use PuTTY and SSH Secure Shell Client to connect.

Ok let’s start.

Game: SmashTheStack – IO

Homepage: http://io.smashthestack.org:84/

Level: 1 (the very first)

The connection information:

Login: ssh -p2224 level1@io.smashthestack.org
Password: level1

Ok, this is the screen when you log in:

 ____ ____
||i |||o || Welcome at IO and smashthestack!
||__|||__||
|/__\|/__\| If you have problems connecting please contact us on IRC. (irc.smashthestack.org +6697)

 ______   _____
/\__  _\ /\  __`\       Levels are in /levels
\/_/\ \/ \ \ \/\ \      Passes are in ~/.pass
   \ \ \  \ \ \ \ \     Readmes in /home/level1
    \_\ \__\ \ \_\ \
    /\_____\\ \_____\   Server admin: bla (bla@smashthestack.org)
    \/_____/ \/_____/

        1. No DoS, local or otherwise
        2. Do not try to connect to remote systems from this box
        3. Quotas, watch resources usage, max 2 connections per IP

                                (29 levels)

- you can add feedback/leave email in the append only non-readable
  files leastlikedlevel.list and email.list in /home

- Feel free to look around and admire the Higgs field.

+ cleaned /tmp
  made a backup, if you really want something back, ask on irc
  backup will be destroyed in a couple of days
level1@io:~$

Let’s find some useful information for the first level.

level1@io:~$ ls
README     README.de  README.id  README.pl  README.se  tags
README.ar  README.es  README.it  README.ro  README.sk
README.cn  README.fr  README.no  README.ru  README.sr
level1@io:~$ pwd
/home/level1
level1@io:~$

Let’s cat the README file and look for anything useful.

How to get started
------------------

Right now I will talk you through the first level. Currently you are "level1" user.
This means you can access only files that are owned by level1, or are accessible
by everybody.

  level1@io:~# cd /levels
  level1@io:/levels# ls -las level01
  8 -r-sr-x--- 1 level2 level1 7500 Nov 16  2007 level01

When you run it will ask you for a password. Which you must somehow find. And
when you supply it you will get a new shell which has level2 rights. Using this
shell you can read the file

  level1@io:/levels$ ./level01 [something you have to figure out goes here]
  Win.
  level1@io:/levels$ id
  uid=1001(level1) gid=1001(level1) euid=1002(level2) groups=1001(level1),1029(nosu)

as you can see, by the output of the "id" command you now have euid (effective user id)
of level2. You can now read files that belong to level2. The point is to use this right
to read the password file for the next level.

  level1@io:/levels$ cat /home/level2/.pass
  [BINGO YOU DID IT]

Now you have the level2 password. You can now login as level2. Disconnect the current
connection. Login as level2 and use the password you just found. When you do this
You'll notice that you are level2. At this point you may want to tell the world of
your achievement. And you can do so by adding your tag, comment, or pretty much
anything you want to the tags file. For example by using the following command
  level2@io:~$ echo "<p>superleetzor was here and pwnd level1</p>" >> tags

Game specifics
--------------

- levels are in the directory /levels
- passwords are stored in the home directory for the level, in a file called .pass.
  for example /home/level2/.pass contains the password for the user "level2"
- Chat:
        There is a chatroom at our irc network irc.smashthestack.org, ssl port 6697
        You can also use the webclient to connect http://www.smashthestack.org/cgiirc/
- forum:
        at our website http://forum.smashthestack.org/ though using the chat room will
        probably help you out quicker and better.

- aslr is off and most levels have an executable stack

Since there is a lot of information in there, I have only quoted the parts we need to play.

Now let’s have a look at the levels directory itself.

level1@io:~$ cd /levels
level1@io:/levels$ ls
beta           level06           level10.c         level16        level22
level01        level06.c         level10_alt       level16.c      level23
level02        level06_alt       level10_alt.c     level16.pass   level23.c
level02.c      level06_alt.c     level10_alt.pass  level17        level24
level02_alt    level06_alt.pass  level11           level17.c      level25
level02_alt.c  level07           level11.c         level17_alt    level25.c
level03        level07.c         level12           level17_alt.c  level26
level03.c      level07_alt       level12.c         level18        level26.l
level04        level07_alt.c     level12.pass      level18.c      level26.y
level04.c      level08           level13           level18_cross  level27
level04_alt    level08.cpp       level13.c         level19        level27.c
level04_alt.c  level08_alt       level14           level19.c      level27.pass
level05        level08_alt.cpp   level14.c         level20        level28
level05.c      level09           level15           level20.asm    level28.c
level05_alt    level09.c         level15.c         level20.pass   level29
level05_alt.c  level10           level15.pass      level21        level29.c

Note that there is no level01.c in the listing, so for this level we have to work from the binary alone. Try running level01:

level1@io:/levels$ ./level01
Usage: ./level01 <password>

Send a sample password, like “123”:

level1@io:/levels$ ./level01 123
Fail.

The goal is to make it print the string “Win.”, so let’s load the binary into gdb (I assume you are already familiar with it).

level1@io:/levels$ gdb level01
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /levels/level01...done.
(gdb) r 123
Starting program: /levels/level01 123
Fail.

Program exited normally.
(gdb)

For the analysis: the program has a main() function, and since it asks for a password it must compare the input against the correct one somewhere, or transform the input into some expected form first. That is the first thing to look for.
Disassemble main() to see what happens inside.

(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>:    lea    0x4(%esp),%ecx
0x080483f8 <main+4>:    and    $0xfffffff0,%esp
0x080483fb <main+7>:    pushl  -0x4(%ecx)
0x080483fe <main+10>:   push   %ebp
0x080483ff <main+11>:   mov    %esp,%ebp
0x08048401 <main+13>:   push   %edi
0x08048402 <main+14>:   push   %ecx
0x08048403 <main+15>:   sub    $0x30,%esp
0x08048406 <main+18>:   mov    %ecx,-0x20(%ebp)
0x08048409 <main+21>:   movl   $0x80485c8,-0xc(%ebp)
0x08048410 <main+28>:   mov    -0x20(%ebp),%eax
0x08048413 <main+31>:   cmpl   $0x2,(%eax)
0x08048416 <main+34>:   je     0x8048439 <main+69>
0x08048418 <main+36>:   mov    -0x20(%ebp),%edx
0x0804841b <main+39>:   mov    0x4(%edx),%eax
0x0804841e <main+42>:   mov    (%eax),%eax
0x08048420 <main+44>:   mov    %eax,0x4(%esp)
0x08048424 <main+48>:   movl   $0x80485d4,(%esp)
0x0804842b <main+55>:   call   0x804832c <printf@plt>
0x08048430 <main+60>:   movl   $0x1,-0x1c(%ebp)
0x08048437 <main+67>:   jmp    0x80484b2 <main+190>
0x08048439 <main+69>:   mov    -0xc(%ebp),%eax
0x0804843c <main+72>:   mov    $0xffffffff,%ecx
0x08048441 <main+77>:   mov    %eax,-0x24(%ebp)
0x08048444 <main+80>:   mov    $0x0,%al
0x08048446 <main+82>:   cld
0x08048447 <main+83>:   mov    -0x24(%ebp),%edi
0x0804844a <main+86>:   repnz scas %es:(%edi),%al
0x0804844c <main+88>:   mov    %ecx,%eax
0x0804844e <main+90>:   not    %eax
0x08048450 <main+92>:   lea    -0x1(%eax),%edx
0x08048453 <main+95>:   mov    -0x20(%ebp),%ecx
0x08048456 <main+98>:   mov    0x4(%ecx),%eax
0x08048459 <main+101>:  add    $0x4,%eax
0x0804845c <main+104>:  mov    (%eax),%ecx
0x0804845e <main+106>:  mov    %edx,0x8(%esp)
0x08048462 <main+110>:  mov    -0xc(%ebp),%eax
0x08048465 <main+113>:  mov    %eax,0x4(%esp)
0x08048469 <main+117>:  mov    %ecx,(%esp)
0x0804846c <main+120>:  call   0x804830c <strncmp@plt>
0x08048471 <main+125>:  test   %eax,%eax
0x08048473 <main+127>:  jne    0x804849f <main+171>
0x08048475 <main+129>:  movl   $0x80485ea,(%esp)
0x0804847c <main+136>:  call   0x80482fc <puts@plt>
0x08048481 <main+141>:  movl   $0x0,0x8(%esp)
0x08048489 <main+149>:  movl   $0x80485ef,0x4(%esp)
0x08048491 <main+157>:  movl   $0x80485f2,(%esp)

Looking through the listing, there is a call to the comparison function strncmp() at <main+120>, which is our clue. Its three arguments are stored to the stack just before the call: ECX (loaded with argv[1] at <main+104>) goes to (%esp), EAX (loaded with the constant at 0x80485c8 at <main+110>) goes to 0x4(%esp), and EDX (a length computed by the repnz scas loop at <main+86>, which is an inlined strlen()) goes to 0x8(%esp). So at <main+117> either EAX or ECX should hold our input and the other the correct password. Check it by setting a breakpoint there:

(gdb) b *main+117
Breakpoint 3 at 0x8048469
(gdb) r 123
Starting program: /levels/level01 123

Breakpoint 3, 0x08048469 in main ()
(gdb)

Let’s lookup the register for EAX, ECX

(gdb) info reg
eax            0x80485c8        134514120
ecx            0xbfffdea2       -1073750366
edx            0xb      11
ebx            0xd7eff4 14151668
esp            0xbfffdca0       0xbfffdca0
ebp            0xbfffdcd8       0xbfffdcd8
esi            0x0      0
edi            0x80485d4        134514132
eip            0x8048469        0x8048469 <main+117>
eflags         0x200282 [ SF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/s $eax
0x80485c8:       "omgpassword"
(gdb) x/s $ecx
0xbfffdea2:      "123"
(gdb)

Wow, amazing! So the program compares the supplied argument with the correct password, “omgpassword”, which sits in the binary as a plain string literal (EDX holds 0xb, its length, exactly as the repnz scas loop computed it). Two things worth noting: because the password is a literal, running strings on the binary would have revealed it too; and because strncmp() is given the length of the stored password rather than of our input, any argument that merely begins with omgpassword would pass as well.
Let’s try it …

level1@io:/levels$ ./level01 omgpassword
Win.
sh-4.1$

Oh yeah..

sh-4.1$ id
uid=1001(level1) gid=1001(level1) euid=1002(level2) groups=1002(level2),1001(level1),1029(nosu)
sh-4.1$ ls /home
anonymousfeedback     level1   level15  level20  level26  level4  melissa
beach                 level10  level16  level21  level27  level5  nnp
beta                  level11  level17  level22  level28  level6
bla                   level12  level18  level23  level29  level7
email.list            level13  level19  level24  level3   level8
leastlikedlevel.list  level14  level2   level25  level30  level9
sh-4.1$ cat /home/level2/.pass
WE5aVWRwY***
sh-4.1$
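Before moving on, here is a C reconstruction of what the level01 disassembly above does. This is an added example written for this walkthrough, not the original level01.c (none is shipped in /levels for this level): the structure is inferred from the listing, namely the argc check with its usage message, the literal at 0x80485c8, the inlined strlen() via repnz scas, and strncmp(argv[1], literal, strlen(literal)). The setuid shell spawn at the end is an assumption; the page only shows that a level2 shell appears after “Win.”. A stricter comparison is included alongside so the prefix weakness of the original is visible.

```c
/* Reconstruction of level01's logic for this walkthrough (not the original
 * source).  Inferred from the disassembly: usage check on argc, a password
 * literal, an inline strlen, and strncmp() bounded by that length. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The literal found with "x/s $eax" at 0x80485c8 in the original binary. */
static const char PASSWORD[] = "omgpassword";

/* Mirrors the comparison in main(): returns 1 when the candidate "wins".
 * The third argument is strlen(PASSWORD), not strlen(candidate), so
 * strncmp() stops after 11 bytes and any candidate that merely STARTS with
 * the password is accepted. */
int level01_check(const char *candidate)
{
    return strncmp(candidate, PASSWORD, strlen(PASSWORD)) == 0;
}

/* For contrast: require the lengths to match as well, so "omgpasswordXYZ"
 * is rejected.  (Still a plaintext literal in .rodata, so strings(1) would
 * still find it; this only fixes the prefix issue.) */
int strict_check(const char *candidate)
{
    size_t n = strlen(PASSWORD);
    return strlen(candidate) == n && memcmp(candidate, PASSWORD, n) == 0;
}

int main(int argc, char **argv)
{
    /* cmpl $0x2,(%eax) / printf("Usage: %s <password>\n", argv[0]) */
    if (argc != 2) {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    if (!level01_check(argv[1])) {
        puts("Fail.");
        return 1;
    }
    puts("Win.");
    /* Assumed: the real setuid binary hands out the level2 shell here. */
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}
```

Compile with `gcc -m32 -o level01_rebuilt level01_rebuilt.c` (32-bit, like the original) and compare `./level01_rebuilt omgpassword` with `./level01_rebuilt omgpasswordXYZ`: both print “Win.”, which is the caveat from the strncmp() length argument in practice.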

Finally we have the password for level 2. Now try logging in as level2.
Hope you enjoy the game, dude!

Cheers,
Pete Houston
