{"id":22,"date":"2012-07-19T12:22:20","date_gmt":"2012-07-19T19:22:20","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=22"},"modified":"2012-08-02T00:13:49","modified_gmt":"2012-08-02T07:13:49","slug":"blackbox-level1","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=22","title":{"rendered":"BlackBox Level1 – Welcome to the GDB"},"content":{"rendered":"

Welcome. \u00a0This blog will be about the BlackBox<\/a> wargame on the SmashTheStack Network<\/a>. Today we will be starting off the wargame with Level1. \u00a0Since BlackBox is a more advanced wargame, basic ssh and linux experience will be assumed. \u00a0Also, the actual password for the next level will be replaced on this page with a string Y’s. \u00a0If you want to do the level, do it.<\/p>\n

According to the BlackBox webpage, level1 can be accessed via username\/password level1\/level1 on blackbox.smashthestack.org port 2225. \u00a0Upon logging in a quick directory listing shows a SUID program for user level2 group level1, named login2. \u00a0This must be the program we’re going to exploit. \u00a0A quick run of the program gives the following<\/p>\n

level1@blackbox:~$ .\/login2
\nUsername: level1
\nPassword: level1
\nInvalid username or password
\nlevel1@blackbox:~$ .\/login2
\nUsername: level2
\nPassword: level2
\nInvalid username or password<\/p><\/blockquote>\n

Now we know the program probably isn’t linked directly to \/etc\/passwd or \/etc\/shadow since level1\/level1 wasn’t valid. \u00a0Additionally the simple attempt of level2\/level2 didn’t work, so more digging is needed. \u00a0First to notice, no source code is available. \u00a0Thus, we’ll have to resort to other attempts to reverse engineer the program. \u00a0First we’ll start with determining the file type of the program with the file command:<\/p>\n

level1@blackbox:~$ file login2
\nlogin2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU\/Linux 2.4.1, statically linked, for GNU\/Linux 2.4.1, not stripped<\/p><\/blockquote>\n

Now we know we have an executable. \u00a0Quick attack for static strings would be to run strings on the program and testing each result as a username\/password. \u00a0This will result in n^2 attempts where n is the number of strings returned from the strings command. \u00a0Unfortunately, running strings and taking the number of lines (strings login2 | wc -l), we see that there are 2279 lines and with the n^2 algorithm that would be aprox 2*10^7652, or a number far to large to check. \u00a0IF we could test 1 million (1*10^6) login\/pass combo’s per second, it would still take [(2*10^7652)\/(1*10^6) ] seconds to test all of those combos (which is still 2.3*10^7641 DAYS, I don’t know if we have a term for how large that number is). \u00a0So, we need a better approach.<\/p>\n

The approach we will take has to do with reverse engineering. \u00a0We will try to figure out specifically which string the program tests as the username and password. \u00a0To do this we will use the command line debugging tool gdb. \u00a0To load the program use the command “gdb <program to debug>”. \u00a0In our case, from the home directory, “gdb login2”. \u00a0From here the first two commands we need to know are the “run” command, which starts the loaded program, and the “disass” command which disassembles and shows the assembly code of a function or memory address. \u00a0Type “run” to test that the program runs correctly in gdb, then disassemble the main function to attempt to understand the program with the “disass main” command. \u00a0(For a gdb cheat sheet head on over to darkdust.net<\/a>\u00a0or google.) \u00a0Since main is a little long, I will assume you can follow along on your own screen.<\/p>\n

One easy way to get an idea of what is happening in the assembly is to look at the call instructions. \u00a0These are where functions were called in the original program. \u00a0Our asm code has the following calls:<\/p>\n

0x08048292 <main+24>: call 0x8072ec0 <_ZNSsC1Ev>
\n0x0804829d <main+35>: call 0x8072ec0 <_ZNSsC1Ev>
\n0x080482b1 <main+55>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
\n0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
\n0x080482d8 <main+94>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
\n0x080482eb <main+113>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
\n0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
\n0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
\n0x08048343 <main+201>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
\n0x08048353 <main+217>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
\n0x0804835f <main+229>: call 0x80b5ab0 <system>
\n0x08048375 <main+251>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
\n0x08048385 <main+267>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
\n0x08048390 <main+278>: call 0x8074e40 <_ZNSsD1Ev>
\n0x080483a3 <main+297>: call 0x8074e40 <_ZNSsD1Ev>
\n0x080483b3 <main+313>: call 0x8074e40 <_ZNSsD1Ev>
\n0x080483ce <main+340>: call 0x8074e40 <_ZNSsD1Ev>
\n0x080483dc <main+354>: call 0x80a5180 <_Unwind_Resume><\/p><\/blockquote>\n

At this point we can google the mangled function names, such as\u00a0<_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>, and figure out which function it was in c, in this case it’s the printf function. \u00a0Additionally, <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E> is get line from user and\u00a0<_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_> is string compare!<\/p>\n

Great! \u00a0Now, knowing what we do we can assume the first set of print\/getline get’s the username and the second set of print\/getline get’s the password. \u00a0We also then see two string compares, one at main+132 and one at main+157. \u00a0First we’ll look at the username, then we’ll do the password.<\/p>\n

0x080482a2 <main+40>: movl $0x80ffe48,0x4(%esp)
\n0x080482aa <main+48>: movl $0x8130f60,(%esp)
\n0x080482b1 <main+55>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc><\/p><\/blockquote>\n

So what is happening here? \u00a0Well, when a function is called, it’s parameters are often put on the stack. \u00a0So in the first case of the printf function, two parameters are moved in, both are memory addresses, the first of a string and the second of an int. \u00a0We see the use of printf(string, stringlen);. \u00a0If we want to examine memory in gdb we use the “x” command. \u00a0The usage we will use is “x\/1s 0x080ffe48”. \u00a0This means examine one string at memory 0x080ffe48 (the memory address passed as a string to printf). \u00a0We get the following:<\/p>\n

(gdb) x\/1s 0x080ffe48
\n0x80ffe48 <_IO_stdin_used+4>: “Username: “<\/p><\/blockquote>\n

Just what we expected! \u00a0The first string printed by the program was “Username: “, and that is what we have found through reverse engineering the assembly. \u00a0Now for the input.<\/p>\n

0x080482b6 <main+60>: lea 0xfffffff4(%ebp),%eax
\n0x080482b9 <main+63>: mov %eax,0x4(%esp)
\n0x080482bd <main+67>: movl $0x8130ec0,(%esp)
\n0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E><\/p><\/blockquote>\n

Now what is happening here is only slightly more involved due to the lea command. \u00a0But what is happening is lea is loading the address of a variable declared in the program (such as char inputUserName[128];) and putting it on the stack as the first parameter. \u00a0The second movl command is just supplying another memory address, in this case a number, the length of the array. \u00a0This is fine and dandy, but let’s move on to the string compare for username:<\/p>\n

0x080482f0 <main+118>: movl $0x80ffe5e,0x4(%esp)
\n0x080482f8 <main+126>: lea 0xfffffff4(%ebp),%eax
\n0x080482fb <main+129>: mov %eax,(%esp)
\n0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_><\/p><\/blockquote>\n

We know string comparing needs two strings strcmp(s1, s2) and returns a value. \u00a0We see the setup here,\u00a0movl $0x80ffe5e,0x4(%esp) loads in one of the strings. \u00a0So let’s examine that memory value, looking for 1 string<\/p>\n

(gdb) x\/1s 0x080ffe5e
\n0x80ffe5e <_IO_stdin_used+26>: “level2”<\/p><\/blockquote>\n

Well what do you know, a string. \u00a0Looks like this is the user name. \u00a0Can double check by examining the other value loaded in but you can see the way it is referenced (lea from ebp) that it’s a variable from within the C program, the same one getline used for getting user input. \u00a0Alright! \u00a0We have the username, now onto the password! \u00a0It’s all the same for the password:<\/p>\n

0x08048309 <main+143>: movl $0x80ffe65,0x4(%esp)
\n0x08048311 <main+151>: lea 0xfffffff0(%ebp),%eax
\n0x08048314 <main+154>: mov %eax,(%esp)
\n0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_><\/p>\n

…<\/p>\n

(gdb) x\/1s 0x080ffe65
\n0x80ffe65 <_IO_stdin_used+33>: “YYYYYYYY”<\/p><\/blockquote>\n

And there we have it. \u00a0Run the program (from the shell, not gdb, otherwise your privileges won’t be escalated) and use the username\/password we found above.<\/p>\n

level1@blackbox:~$ .\/login2
\nUsername: level2
\nPassword: YYYYYYYY
\nWelcome, level 2!
\nsh-3.1$ whoami
\nlevel2<\/p><\/blockquote>\n

So that long assembly primer was BlackBox Level1 from SmashTheStack.org. \u00a0Assembly is extremely important to know if you want to truly understand how computers are working, and understand security. \u00a0For security, strcmp is not a secure function. \u00a0You cannot use string compare without providing two strings and when your strings are in plain text, not only can your program see them, but so can the person controlling your program, and users are always in control of their system. \u00a0Remember, nothing to do with computers is magic, it’s all very well defined.\u00a0\u00a0Every bit on a computer means nothing without context, but in the correct context all is understood.<\/p>\n","protected":false},"excerpt":{"rendered":"

Welcome. \u00a0This blog will be about the BlackBox wargame on the SmashTheStack Network. Today we will be starting off the wargame with Level1. \u00a0Since BlackBox is a more advanced wargame, basic ssh and linux experience will be assumed. \u00a0Also, the … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,6,4],"tags":[48,12,10,9,11,47],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/22"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22"}],"version-history":[{"count":6,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":171,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions\/171"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}