SmashTheStack - IO Level01
Recently I have been attempting to improve my programming knowledge by trying to grasp a deeper understanding of the memory allocations and getting deeper into the ways the computer handles it’s processes. I figured a great way to do this would be to look more into exploitation, and so I picked up the book “The Art of Exploitation” which was an excellent read and I recomend it to any programmer looking to take the red pill and see all the mess and loopholes that can be created when ignorantly hacking together programs in high level languages.
While reading this book and getting closer to the “hacker” community I found more about wargames, which is how I wound up at SmashTheStack.org and writing these tutorials as I’ve conquered them one at a time.I would like to point out that this is definitely not the first tract of wargames I have done, but it is the first I will try to document and explain as I go through, both for myself and anyone who happens upon this.
The obvious first step would be to investigate the file and find out what needs to be done:
level1@io:/levels$ ./level01 Enter the 3 digit passcode to enter: 123 level1@io:/level$ ./level01 Enter the 3 digit passcode to enter: hello
The program does not offer any hints, but we can assume that if we enter the right code it will either print the password to level2 or drop us into a shell with permissions to read the password to the next level. I also tried to break the program by enter bad data to see if it would return anything funky, though it didn’t help.
The next step I tried was to run a simple “strings” command on the file, though since we are looking for a number this was unlikely to help.
level1@io:/levels$ strings -a level01 ,0< w Enter the 3 digit passcode to enter: Congrats you found it, now read the password for level2 from /home/level2/.pass /bin/sh .symtab .strtab .shstrtab .text .lib .data level01.asm fscanf skipwhite doit exitscanf YouWin exit puts main prompt1 prompt2 shell _start __bss_start _edata _end
Now, we must plunge deeper into the mysterious world of machine code by looking at the assembly instructions located inside of the executable.
level1@io:/levels$ objdump -d level01 level01: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 68 28 91 04 08 push $0x8049128 8048085: e8 85 00 00 00 call 804810f <puts> 804808a: e8 10 00 00 00 call 804809f <fscanf> 804808f: 3d 0f 01 00 00 cmp $0x10f,%eax 8048094: 0f 84 42 00 00 00 je 80480dc <YouWin> 804809a: e8 64 00 00 00 call 8048103 <exit>
From this objdump we see that there is a comparison at 0x804808f, which most likely is comparing the user input to the correct password.
I then started debugging the file with gdb to locate the password, that should be stored at 0x10f.
level1@io:/levels$ gdb -q ./level01 Reading symbols from /levels/level01...(no debugging symbols found)...done. (gdb) break main Breakpoint 1 at 0x8048080 (gdb) print 0x10f $1 = [3 DIGITS]
After investigating and printing the value at that location we see a three digit number! This is then plugged in and a shell is opened and we are able to read the .pass file.
level1@io:/levels$ ./level01 Enter the 3 digit passcode to enter: [3 DIGITS] Congrats you found it, now read the password for level2 from /home/level2/.pass sh-4.2$ cat /home/level2/.pass [LEVELPASS]
I hope people find this walkthrough helpful. I will continue through these levels and try to post write ups as I get further. I hope my noobie attempts at these levels will help people of a more amateur experience level understand what to do and how to navigate these commands. Happy smashing!