Hello all and welcome to the first posting here at Technolution.
While this blog is supposed to be about computers, networking, security, and all that fun stuff, I feel like a good place to start posting would be with a wargame dissection. For those unfamiliar with wargames, they are basically computers set up for practicing real-world computer security in a controlled and legal environment. This provides hands on experience with the type of situations in which security researchers and hackers have found and exploited computer security vulnerabilities. There are many types of wargames, from web interface based games to linux command-line based games, and anything in between.
Today we will start off with the first level of a linux command-line based game called IO, from the good folks over at SmashTheStack.org.
Reading the IO page, it states that one should use an ssh client to connect to port 2224 of io.smashthestack.org using the login “level1” and the password “level1”. For linux users the command is provided (and hopefully you don’t need it), ssh -p2224 level1@io.smashthestack.org. Windows users I suggest downloading and using PuTTy for your SSH work.
Quick directory listing (ls) gives a bunch of README files. Reading through the README in our language, we learn the programs to exploit to reach the next level are in /levels So, we change directories to /levels (cd /levels) and get a listing (ls). There are lots of files, named level01 – level29, mostly executables and some source files. Most importantly however, we found the file level01. Running ls -la level01 we can see two things.
level1@io:/levels$ ls -la level01
-r-sr-x— 1 level2 level1 7500 Nov 16 2007 level01
One is that the file is owned by user level2 and is set to run as that user, even when someone else runs it (SUID, the “s” in the permissions listing -r-sr-x—). Second is that the group for the file is our current group, level1. This means that we can execute the file since the file permissions grant group reading and executing (the 5,6,7 column in the permissions string, r-x). Excellent! Now we just need to exploit the file!
First we want to see what the file does, so try to run it.
level1@io:/levels$ ./level01
Usage: ./level01 <password>
level1@io:/levels$ ./level01 somepassword
Fail.
Ok. We believe the program takes one argument, a password. It also probably checks the input-password being equal to something (how else would it know if we input the correct thing?) So the first thing we want to do is see if the program stores any constant strings. Luckily in linux, there is a tool to do this and we don’t have to binarily dissect the file ourselves. The tool provided is called, dun dun dun, strings. It’s use is straight forward, strings <filename>. So lets see what happens when we run our level01 program through strings, looking for hard-coded, constant strings.
level1@io:/levels$ strings level01
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
printf
execl
puts
strncmp
_IO_stdin_used
__libc_start_main
GLIBC_2.0
PTRh
0Y_]
[^_]
[^_]
omgpassword
Usage: %s <password>
Win.
/bin/sh
Fail.
We see what we’d expect, a few hard-coded strings for libraries and for function names from libs. But further down, towards the end, we see the strings “omgpassword” “Usage: %s <password>” “Win.” “/bin/sh” and “Fail.” We’ve already seen the program use the Usage string and the Fail. string. Obviously we probably want to see the program use the Win string and execute the /bin/sh string. Now, it’s probably obvious we want to try all the strings as possible passwords, through the real password is jumping out at us (I think?). So let’s try it, omgpassword:
level1@io:/levels$ ./level01 omgpassword
Win.
sh-4.1$ id
uid=1001(level1) gid=1001(level1) euid=1002(level2) groups=1002(level2),1001(level1),1029(nosu)
sh-4.1$
Bam. Shell as level02.
Moral of the story? Hard-coded strings are readable if the file is readable. Doesn’t matter if you have to use strings <filename> or dissect the binary data of the file, reading each sequence of bytes as chars, or anything else. Plain text is plain text. Constant, hard-coded strings are stored in plain text. Thus, it’s not secure. It may be a deterrent, but it’s not secure.
Well that does it for Level 1 of IO, and the first post here at Technolution. Remember to always ask why and how something works, and if no one wants to talk about it, there’s probably a problem with it! Also, if anyone is making new wargames, or has something fresh to approach, please leave a comment!