Tyler St. Onge

SmashTheStack - IO Level01

Recently I have been attempting to improve my programming knowledge by trying to grasp a deeper understanding of the memory allocations and getting deeper into the ways the computer handles it’s processes. I figured a great way to do this would be to look more into exploitation, and so I picked up the book “The Art of Exploitation” which was an excellent read and I recomend it to any programmer looking to take the red pill and see all the mess and loopholes that can be created when ignorantly hacking together programs in high level languages.

While reading this book and getting closer to the “hacker” community I found more about wargames, which is how I wound up at SmashTheStack.org and writing these tutorials as I’ve conquered them one at a time.I would like to point out that this is definitely not the first tract of wargames I have done, but it is the first I will try to document and explain as I go through, both for myself and anyone who happens upon this.


The obvious first step would be to investigate the file and find out what needs to be done:

level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: 123
level1@io:/level$ ./level01
Enter the 3 digit passcode to enter: hello

The program does not offer any hints, but we can assume that if we enter the right code it will either print the password to level2 or drop us into a shell with permissions to read the password to the next level. I also tried to break the program by enter bad data to see if it would return anything funky, though it didn’t help.


The next step I tried was to run a simple “strings” command on the file, though since we are looking for a number this was unlikely to help.

level1@io:/levels$ strings -a level01
,0<     w
Enter the 3 digit passcode to enter: Congrats you found it, now read the password for level2 from /home/level2/.pass
/bin/sh
.symtab
.strtab
.shstrtab
.text
.lib
.data
level01.asm
fscanf
skipwhite
doit
exitscanf
YouWin
exit
puts
main
prompt1
prompt2
shell
_start
__bss_start
_edata
_end

Now, we must plunge deeper into the mysterious world of machine code by looking at the assembly instructions located inside of the executable.

level1@io:/levels$ objdump -d level01

level01:     file format elf32-i386


Disassembly of section .text:

08048080 <_start>:
 8048080:       68 28 91 04 08          push   $0x8049128
 8048085:       e8 85 00 00 00          call   804810f <puts>
 804808a:       e8 10 00 00 00          call   804809f <fscanf>
 804808f:       3d 0f 01 00 00          cmp    $0x10f,%eax
 8048094:       0f 84 42 00 00 00       je     80480dc <YouWin>
 804809a:       e8 64 00 00 00          call   8048103 <exit>

From this objdump we see that there is a comparison at 0x804808f, which most likely is comparing the user input to the correct password.


I then started debugging the file with gdb to locate the password, that should be stored at 0x10f.

level1@io:/levels$ gdb -q ./level01
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x8048080
(gdb) print 0x10f
$1 = [3 DIGITS]

After investigating and printing the value at that location we see a three digit number! This is then plugged in and a shell is opened and we are able to read the .pass file.

level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: [3 DIGITS]
Congrats you found it, now read the password for level2 from /home/level2/.pass
sh-4.2$ cat /home/level2/.pass
[LEVELPASS]

I hope people find this walkthrough helpful. I will continue through these levels and try to post write ups as I get further. I hope my noobie attempts at these levels will help people of a more amateur experience level understand what to do and how to navigate these commands. Happy smashing!

<< Older