still smashing 😀
|
1 2 3 4 |
level5@io:/levels$ ./level05 level5@io:/levels$ ./level05 a a level5@io:/levels$ |
echo one 😀 let’s see the source code
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
level5@io:/levels$ cat level05.c #include #include int main(int argc, char **argv) { char buf[128]; if(argc < 2) return 1; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; } |
level 4 😀
|
1 2 3 4 5 6 7 |
level4@io:~$ cd /levels/ level4@io:/levels$ ./level04 Welcome level5 level4@io:/levels$ ./level04 d Welcome level5 level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024") Welcome level5 |
so i will read the code
|
1 2 3 4 5 6 7 8 |
int main() { char username[1024]; FILE* f = popen("whoami","r"); fgets(username, sizeof(username), f); printf("Welcome %s", username); return 0; } |
popen to execute whoami
loaded the virtual machine and run netdiscover to get the machine IP
|
1 2 3 4 5 6 7 8 9 10 11 |
oot@n1x:~# netdiscover Currently scanning: 192.168.39.0/16 | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor ----------------------------------------------------------------------------- 192.168.1.1 e8:94:f6:5d:c6:3b 01 060 Unknown vendor 192.168.1.2 00:18:fe:6d:61:27 01 060 Hewlett Packard 192.168.1.100 6c:40:08:98:68:d4 01 060 Unknown vendor 192.168.1.112 00:0c:29:fb:62:53 01 060 VMware, Inc. |
x.112 is  the target so let’s see what ports available
|
1 2 3 4 5 6 7 8 9 10 11 12 |
root@n1x:~# nmap -sSV -p1-9999 192.168.1.112 Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-01 02:49 EST Nmap scan report for 192.168.1.112 Host is up (0.00019s latency). Not shown: 9996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.22 ((Debian)) MAC Address: 00:0C:29:FB:62:53 (VMware) Service Info: Host: Underdist; OS: Linux; CPE: cpe:/o:linux:linux_kernel |
apache is on 😀 so let’s brute-force the directory in the server
pretty good level I learned a few new stuff so lets hit the game
|
1 2 3 4 |
level3@io:/levels$ ./level03 level3@io:/levels$ ./level03 9 level3@io:/levels$ ./level03 $(python -c "print 'a' * 10000 ") Segmentation fault |
fighting with the app till it crashes and hell yeah we start from fault 😀 so we need to see what’s going on
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
level3@io:/levels$ gdb ./level03 (gdb) disassemble main Dump of assembler code for function main: 0x080484c8 <+0>: push %ebp 0x080484c9 <+1>: mov %esp,%ebp 0x080484cb <+3>: sub $0x78,%esp 0x080484ce <+6>: and $0xfffffff0,%esp 0x080484d1 <+9>: mov $0x0,%eax 0x080484d6 <+14>: sub %eax,%esp 0x080484d8 <+16>: movl $0x80484a4,-0xc(%ebp) 0x080484df <+23>: cmpl $0x2,0x8(%ebp) 0x080484e3 <+27>: jne 0x80484fc <main+52> 0x080484e5 <+29>: mov 0xc(%ebp),%eax 0x080484e8 <+32>: add $0x4,%eax 0x080484eb <+35>: mov (%eax),%eax 0x080484ed <+37>: mov %eax,(%esp) 0x080484f0 <+40>: call 0x804839c <strlen@plt> 0x080484f5 <+45>: cmp $0x3,%eax 0x080484f8 <+48>: jbe 0x80484fc <main+52> 0x080484fa <+50>: jmp 0x8048505 <main+61> 0x080484fc <+52>: movl $0x0,-0x5c(%ebp) 0x08048503 <+59>: jmp 0x8048579 <main+177> 0x08048505 <+61>: mov 0xc(%ebp),%eax 0x08048508 <+64>: add $0x4,%eax 0x0804850b <+67>: mov (%eax),%eax 0x0804850d <+69>: mov %eax,(%esp) 0x08048510 <+72>: call 0x804839c <strlen@plt> 0x08048515 <+77>: mov %eax,0x8(%esp) 0x08048519 <+81>: mov 0xc(%ebp),%eax 0x0804851c <+84>: add $0x4,%eax 0x0804851f <+87>: mov (%eax),%eax 0x08048521 <+89>: mov %eax,0x4(%esp) 0x08048525 <+93>: lea -0x58(%ebp),%eax 0x08048528 <+96>: mov %eax,(%esp) 0x0804852b <+99>: call 0x804838c <memcpy@plt> 0x08048530 <+104>: mov 0xc(%ebp),%eax 0x08048533 <+107>: add $0x4,%eax => 0x08048536 <+110>: mov (%eax),%eax 0x08048538 <+112>: mov %eax,(%esp) 0x0804853b <+115>: call 0x804839c <strlen@plt> 0x08048540 <+120>: sub $0x4,%eax 0x08048543 <+123>: mov %eax,0x8(%esp) ---Type <return> to continue, or q <return> to quit--- 0x08048547 <+127>: movl $0x0,0x4(%esp) 0x0804854f <+135>: lea -0x58(%ebp),%eax 0x08048552 <+138>: mov %eax,(%esp) 0x08048555 <+141>: call 0x804835c <memset@plt> 0x0804855a <+146>: mov -0xc(%ebp),%eax 0x0804855d <+149>: mov %eax,0x4(%esp) 0x08048561 <+153>: movl $0x80486c0,(%esp) 0x08048568 <+160>: call 0x80483ac <printf@plt> 0x0804856d <+165>: mov -0xc(%ebp),%eax 0x08048570 <+168>: call *%eax 0x08048572 <+170>: movl $0x0,-0x5c(%ebp) 0x08048579 <+177>: mov -0x5c(%ebp),%eax 0x0804857c <+180>: leave 0x0804857d <+181>: ret End of assembler dump. |
time to play
|
1 2 |
level2@io:/levels$ ./level02 source code is available in level02.c |
let’s read what it says
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
level2@io:/levels$ cat level02.c //a little fun brought to you by bla #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <setjmp.h> void catcher(int a) { setresuid(geteuid(),geteuid(),geteuid()); printf("WIN!\n"); system("/bin/sh"); exit(0); } int main(int argc, char **argv) { puts("source code is available in level02.c\n"); if (argc != 3 || !atoi(argv[2])) return 1; signal(SIGFPE, catcher); return abs(atoi(argv[1])) / atoi(argv[2]); } level2@io:/levels$ |
first function catcher  and it trigger the suid  and drop the bash nice  this is what we want
after login to the ssh server levels located on /levels so let’s play  level1
|
1 2 |
level2@io:/levels$ ls -alh level01 -r-sr-x--- 1 level2 level1 1.2K Jan 13 2014 level01 |
as u notice it had suid permeation  -r-sr-x— for level2  so it will lead us to a user (level2 )
|
1 2 |
level1@io:/levels$ ./level01 Enter the 3 digit passcode to enter: 838 |
I entered any test number and it leads me with no respond 😀 crazy huh! so I decided to look […]