Litao3rd · 2015/03/24 11:51
level 0
This level is a simple introduction to the game, and of course, the account password in clear text. If you open the web page, you can see it.
level 0 -> 1
SSH login to the target machine using the account and password obtained in the previous level.
Under the home directory, we can find a.backup folder. When we go into the folder, we find an HTML file that looks like a browser favorites file. My guess is that the password appears in the file in clear text, and a search using the keyword leviathan immediately returns the password. The password for Leviathan1 is rioGegei8m. This is supposed to familiarize you with the command.
level 1 -> 2
SSH to the next level using the password obtained at the previous level. In this closed home directory, we see a set-uid program named check, execute the program, see the result of the program execution.
The program asks us to enter a password. Okay. I don’t know what to type, so I guess the program will compare our input to some password and then execute it. Just type in any one of these and see what happens.
Open up the GDB artifact and see what’s inside it.
As you can see from the graph, the program calls getChar () three times, guessing that password should be three characters. The STRCMP () function takes one argument to the starting storage address of the character we entered, and the other is 0x18(%esp). The program initially stores the value 0x786573 here, and then passes the two addresses as arguments to STRCMP (), so it is assumed that 0x18(%esp) is the password we need. This value is exactly the hexadecimal format of sex, so the password is sex. Enter the program to get the password for the next level.
level 2 -> 3
In the home directory of this level, there is still a set-uid program, execute the program to get the following result, still use the artifact GDB.
Use GDB to open the program, this program main function disassembly out of the result is a bit long, but seems to see no sub-function call, only one main function.
The program first checks the parameters, prints an error message if no command-line arguments are entered, and exits. Then use access() to check for file permissions. If no permissions are available, print an error message and exit. The /bin/cat fileinput command is then executed using the system() function.
- According to the
access()The manual,access() checks whether the calling process can access the file pathname. If **pathname** is a symbolic link, it is dereferenced.
This means that we cannot use symbolic links to pass this permission check.
From GDB’s disassembly code, we can see that the program constructs the string /bin/cat argv[1] from the input command line arguments and feeds it into the system() function. So I guess to construct the string /bin/cat < /etc/leviathan_pass/leviathan2. This way, you can pass the permission check and get the password.
- Construct a file named
<file - Construct a symbolic link,
file->/etc/leviathan_pass/leviathan2
In this case, the system checks the permission of the
level 3 -> 4
Again, it’s a set-UID program, and the old process goes, opens the program, and sees what little weirdo it is.
Let GDB go.
There is a do_stuff() call in the main() function, and the logic of the whole program should be in this function.
One of the STRCMP () arguments comes from the return of fgets(), and the other argument is stored in -0x117(%ebp). The parameter stored at -0x117(%ebp) is the password to be matched.
Enter the password into the program to get a shell, which in turn gets the password for the next level.
level 4 -> 5
Okay, so this level file is in the.trash folder, so it’s still a familiar process.
From the program output, the password should be converted to binary output, or after encryption to binary output, this is still a GDB artifact to help.
From this loop, we can see that the program outputs each character of the password, starting from the highest bit (symbol bit), one character 0 or one character at a time, so it can be seen that the bin program converts each character of the ciphertext into binary format output. During single-step debugging, the program returns an error when calling fopen(“/etc/leviathan_pass/leviathan5”, “r”), causing debugging to fail. It seems that the direct view of memory to obtain the password method is not possible, can only write a script, processing the output of the program.
#! python #! /usr/bin/env python #coding=utf-8 if __name__ == "__main__": try: fp = open("log.txt", "r") except: print "file open error" for i in range(12): byte = fp.read(9).strip() value = (int(byte, 2)) & 0xFF #print value char = chr(value) print char,Copy the code
pythonThe code is not a little ugly, it is not used much!
The correct password is when you strip the blanks out.
level 5 -> 6
Familiar processes, familiar smells.
It seems that/TMP /file.log is hardcoded into the program, so let’s see what the program does.
It is indeed hard coded into the program, trying to create a symbolic link file pointing to the password file in the path, found unexpectedly successful.
Ok, this level is a bit of a joke…
level 6 -> 7
Haha, this level seems to have a different flavor, although it is still a familiar process.
Here, the set-uid program needs to enter a 4 Digit code, so I’m not going to bother disassembling it with GDB. Let’s just blow it up.
#! python #! /usr/bin/env python #coding=utf-8 import os for pincode in range(10000): cmd = "~/leviathan6 %04d" %(pincode) # for debug #print "test %s" %(cmd) ret = os.popen(cmd).read() if ret.find("Wrong") == -1: print "maybe success in %s" %(cmd)Copy the codeThe program stopped at 7123, and I guess it went into the shell. Tried it, and sure enough it was.
level 7
SSH login to Level 7
Well, I wrote this purely to blend in an invite code. Otherwise I would have followed that rule!
end
Bingo! This is the end of the Wargame, the title is really quite simple, completely for beginners to learn, know how to play Wargames.
For more information about Wargames, see here!