For this challenge there is no source code to inspect.
Level 0 is pretty easy.
The vulnerable executable /behemoth/behemoth0 asks for a password.
If we search with the strings command we find some interesting candidates, but none of them works:
behemoth0@behemoth:~$ strings /behemoth/behemoth0
...
unixisbetterthanwindows
followthewhiterabbit
pacmanishighoncrack
...
behemoth0@behemoth:~$ /behemoth/behemoth0
Password: unixisbetterthanwindows
Access denied..
behemoth0@behemoth:~$ /behemoth/behemoth0
Password: followthewhiterabbit
Access denied..
behemoth0@behemoth:~$ /behemoth/behemoth0
Password: followthewhiterabbit
Access denied..
So let's try with ltrace:
behemoth0@behemoth:~$ ltrace /behemoth/behemoth0
__libc_start_main(0x80485b1, 1, 0xffffd784, 0x8048680 <unfinished ...>
printf("Password: ") = 10
__isoc99_scanf(0x804874c, 0xffffd68b, 0xf7fc5000, 13Password: AAA
) = 1
strlen("OK^GSYBEX^Y") = 11
strcmp("AAA", "eatmyshorts") = -1
puts("Access denied.."Access denied..
) = 16
+++ exited (status 0) +++
The strcmp call in the trace shows that the vulnerable program compares the input with the string eatmyshorts.
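Added example (not part of the original write-up): the strlen argument in the trace above has the same length as the strcmp constant, and this Python sketch checks whether a single-byte XOR relates the two, which would explain why strings did not show the password in the binary. The trace lines are copied from the ltrace output above with the interleaved program output removed; the function names are this example's own.

```python
import re

# ltrace lines taken from the trace on this page (interleaved program output removed).
TRACE = '''\
printf("Password: ") = 10
strlen("OK^GSYBEX^Y") = 11
strcmp("AAA", "eatmyshorts") = -1
'''

CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)$')   # name(args) = retval
STR = re.compile(r'"((?:[^"\\]|\\.)*)"')              # quoted string arguments

def parse_calls(trace):
    """Return [(function, [string args], return value)] for each ltrace line."""
    calls = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            calls.append((m.group(1), STR.findall(m.group(2)), int(m.group(3))))
    return calls

def single_byte_xor_key(a, b):
    """Return k if a[i] ^ k == b[i] for every byte, else None."""
    if len(a) != len(b) or not a:
        return None
    keys = {x ^ y for x, y in zip(a, b)}
    return keys.pop() if len(keys) == 1 else None

def find_decoded_constants(trace, user_input):
    """Match each strcmp operand that is not the user's input against strings
    seen in other calls, and report the single-byte XOR key relating them."""
    calls = parse_calls(trace)
    seen = [s for fn, args, _ in calls if fn != "strcmp" for s in args]
    findings = []
    for fn, args, _ in calls:
        if fn != "strcmp":
            continue
        for const in (a for a in args if a != user_input):
            for raw in seen:
                key = single_byte_xor_key(raw.encode(), const.encode())
                if key:  # skips None (no relation) and 0 (identical strings)
                    findings.append((raw, const, key))
    return findings

if __name__ == "__main__":
    for raw, const, key in find_decoded_constants(TRACE, "AAA"):
        print(f"{raw!r} ^ {key:#04x} -> {const!r}")
```

The match shows that the comparison string only exists in memory after a trivial decode step, so hiding it from static string search does nothing against library-call tracing.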
Now use it and get a privileged (level 1) shell:
behemoth0@behemoth:~$ /behemoth/behemoth0
Password: eatmyshorts
Access granted..
$ id
uid=13001(behemoth1) gid=13000(behemoth0) groups=13000(behemoth0)
$ cat /etc/behemoth_pass/behemoth1
a********v
$