
Tuesday, January 31, 2017

[Hacker School] FTZ Level11 ( Ver. Eng )







Level11


Use the password "what!@#$?" to access the level11 account and check the hint.


The hint contains only source code, which I take to be the source of attackme. The program has both an FSB (format string bug) and a BOF (buffer overflow) vulnerability; I solve it using the BOF. To try RTL (Return To Libc), I first check whether ASLR is applied to libc.


Checking with the ldd command shows that ASLR is not applied to this program's libc. Next, I use gdb to figure out the stack layout.



After that, I find the address of the system function and the address where the string "/bin/sh" is located. Because I do not yet have level12 permission, I create a separate file and find the address of the system function there.



Then I create the following code to find the address where "/bin/sh" is located:


Now I have all the materials needed for RTL. The attack method is as follows.



The completed payload is as follows: `perl -e 'print "A"x268,"\xc0\xf2\x03\x42","AAAA","\xa4\x73\x12\x42"'`. When I type the payload, a level12 shell is executed and I get the level12 password.



[Hacker School] FTZ Level10. ( Ver. Eng )




Level10


Use the level10 password "interesting to hack" to access the level10 account and check the hint.


Since the hint gives no information about the target file, I used the find command to search for a file with level11 privileges.



However, no such file is found. There is also a directory called program in level10's home directory, but it cannot be inspected because it is owned by root.



I checked the rc.local file, because it may contain a setting that registers the program to start automatically when the system boots.



I can see that a program named level10 is registered there. I tried the ps command to see whether it is a running process.



Since there is no running process named level10, the program is a simple process, not a daemon. A daemon is a process that keeps running; a simple process runs once and exits. The shared memory mentioned in the hint is used in the following way:



Writing the code under the conditions given in the question, I get the following.
 

When I compile and run the file, I obtain the level11 password as follows.
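The point the level10 exercise turns on is the permission mode given to shmget(): it decides which other local users can attach to the segment. The following is an added example, not the FTZ level10 source or the write-up's own code; the segment key (IPC_PRIVATE), the message and the modes compared are constructed for the demonstration.

```c
/* Added example (not the FTZ level10 source): a System V shared memory
 * segment created with an explicit mode, written through one mapping and
 * read back through a second, read-only mapping. */
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define SEG_SIZE 1024

/* 1 if these permission bits let any local user attach and read the segment
 * (the weak setting); 0 for an owner-only mode such as 0600. */
int shm_mode_world_readable(int mode) { return (mode & 0004) != 0; }

/* Creates a private segment with `mode`, stores msg in it, reads it back via
 * a read-only mapping, confirms the mode the kernel recorded, and removes the
 * segment. Returns 0 on success, -1 on any failure; `out` receives the copy. */
int shm_round_trip(int mode, const char *msg, char *out, size_t outlen)
{
    struct shmid_ds ds;
    char *w, *r;
    int rc = -1;
    int id = shmget(IPC_PRIVATE, SEG_SIZE, IPC_CREAT | mode);
    if (id < 0) { perror("shmget"); return -1; }

    w = shmat(id, NULL, 0);                    /* writable mapping */
    if (w == (char *)-1) { perror("shmat"); goto out; }
    snprintf(w, SEG_SIZE, "%s", msg);

    r = shmat(id, NULL, SHM_RDONLY);           /* second, read-only mapping */
    if (r == (char *)-1) { perror("shmat"); shmdt(w); goto out; }
    snprintf(out, outlen, "%s", r);
    shmdt(r);
    shmdt(w);

    /* The low nine bits of shm_perm.mode are what `ipcs -m` shows as perms. */
    if (shmctl(id, IPC_STAT, &ds) == 0 && (ds.shm_perm.mode & 0777) == mode)
        rc = 0;
out:
    shmctl(id, IPC_RMID, NULL);                /* never leave the segment behind */
    return rc;
}

int main(void)
{
    char got[64];
    printf("0666 world-readable: %d, 0600 world-readable: %d\n",
           shm_mode_world_readable(0666), shm_mode_world_readable(0600));
    if (shm_round_trip(0600, "constructed secret", got, sizeof got) == 0)
        printf("read back: %s\n", got);
    return 0;
}
```

On a live system, `ipcs -m` lists every segment with its owner and permission bits, which is the quick way to spot a segment created with 0666 as in the exercise.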



[Hacker School] FTZ Level9 ( Ver. Eng )






Level9

Use the level9 password "apple" to access the level9 account and check the hint.



In this bof program, when the string 'go' is in the first 2 bytes of the buf2 array, a shell is executed with level10 permissions. To solve the problem, I created a program in the /tmp directory identical to the source of bof and figured out the stack structure.



The total size of the stack frame is 40 bytes. Next, I added the following code to see the distance between buf and buf2.


buf and buf2 are 0x10 (16 bytes) apart. Based on this, the stack can be represented as:


Building a payload from this stack structure: if I first fill 16 bytes with filler characters and then put the string 'go' in the next 2 bytes, a level10 shell should be executed.


When I type the payload, I can see the password of the level10 account.
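Both this level and level11 rest on the same defect: the input is copied using its own length rather than the destination's. The following is an added example, not the FTZ bof source: it models the 40-byte frame described above as a flat byte array (buf at offset 0, buf2 16 bytes above it; offsets are taken from the write-up, the filler line is constructed) and puts the unbounded read beside the bounded read that fixes it.

```c
/* Added example (not the FTZ bof source): flat byte model of the level9
 * frame, with the unbounded copy beside a destination-bounded one. */
#include <string.h>

enum { FRAME = 40, BUF_OFF = 0, BUF_SIZE = 10, BUF2_OFF = 16 };

/* Constructed input: 16 filler bytes reach buf2, then "go" lands in it. */
#define LEVEL9_LINE "AAAAAAAAAAAAAAAA" "go"

/* Unbounded copy: the line's own length drives the copy, never BUF_SIZE, so
 * bytes 16..17 of the line are written into buf2. Returns 1 if buf2 now
 * begins with "go", 0 otherwise, -1 if the line exceeds the model frame
 * (real code has no such stop: it would overwrite the saved return address,
 * which is what the 268-byte level11 payload relies on). */
int unsafe_read(const char *line, unsigned char frame[FRAME])
{
    size_t n = strlen(line);
    if (n >= FRAME) return -1;
    memset(frame, 0, FRAME);
    memcpy(frame + BUF_OFF, line, n);   /* no comparison against BUF_SIZE */
    return memcmp(frame + BUF2_OFF, "go", 2) == 0;
}

/* Bounded copy, the fix: truncate to the destination size, which is what
 * fgets(buf, sizeof buf, stdin) does, so nothing beyond buf is ever written
 * and buf2 can only ever be set by the program itself. */
int bounded_read(const char *line, unsigned char frame[FRAME])
{
    size_t n = strlen(line);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memset(frame, 0, FRAME);
    memcpy(frame + BUF_OFF, line, n);
    return memcmp(frame + BUF2_OFF, "go", 2) == 0;
}
```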

[Hacker School] FTZ Level8 ( Ver. Eng )



Level8


Use the level8 password "break the world" to access the level8 account and check the hint.


I use the find command to locate the file. The hint says the file's size is 2700, but not which unit, so I try several unit options such as blocks and bytes.

Searching with -size 2700c, I find a file called found.txt in /etc/rc.d. From its contents, I can see that it is a shadow entry for level9.

I used the John the Ripper tool to crack the file.

As a result, I can confirm that the level9 password is apple.




[Hacker School] FTZ Level7 ( Ver. Eng )



Level7


I access the level7 account and check the hint. Its contents are as follows.



If you run /bin/level7, the output looks like this:



On my system the file /bin/wrong.txt did not exist in /bin, so I looked up its contents on the internet.


The output is reported to be the following.
One of the hints is "Can you change the binary number to decimal number?"
So I treat - as 1 and _ as 0. Then --_--_- --____- ---_-__ --__-_- equals 1101101 1100001 1110100 1100101, and converting to decimal gives the four numbers 109, 97, 116, 101.
Looking up each number in the ASCII table gives the word "mate".

After running the program and typing mate, I get the level8 password.
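The decoding described above, as an added example rather than anything from the write-up: a small decoder that reads groups of - and _ (dash = 1, underscore = 0), separated by spaces, and turns each group into one ASCII character. The input string in the test is the sequence given in the post.

```c
/* Added example: decode space-separated groups of '-' (1) and '_' (0)
 * into ASCII. Returns the number of characters written to `out`, or -1
 * on an unexpected character, a group longer than 8 bits, or a full buffer. */
#include <stddef.h>

int decode_dash_binary(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    unsigned value = 0;   /* bits of the current group, MSB first */
    int bits = 0;         /* how many bits the current group holds */

    for (;; s++) {
        char c = *s;
        if (c == '-' || c == '_') {
            value = (value << 1) | (c == '-');
            if (++bits > 8) return -1;          /* not a byte any more */
        } else if (c == ' ' || c == '\0') {
            if (bits) {                         /* close the group */
                if (n + 1 >= outlen) return -1; /* leave room for the NUL */
                out[n++] = (char)value;
                value = 0;
                bits = 0;
            }
            if (c == '\0') break;
        } else {
            return -1;                          /* anything else is not part of the code */
        }
    }
    out[n] = '\0';
    return (int)n;
}
```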


[Hacker School] FTZ Level6. ( Ver. Eng )



Level6


When I log in to the level6 account, the hint is shown immediately. When I enter a command, the program terminates; when I enter another character, the BBS connection menu becomes available.




When I try to connect, the connection is terminated because no response is received. If I press Ctrl+C in the hint window, before entering the telnet connection service, to stop the flow of the program, a level6 shell is executed.




When I open the password file, I can see the level7 password "come together".




[Hacker School] FTZ Level5 ( Ver. Eng )







Level5.

Use the level5 password "what is your name?" to access the level5 account and check the hint.


After running the level5 program, I go to the /tmp directory and look for level5.tmp, but the file does not exist. The algorithm of the program, as I understand it, is as follows.

It seems that the examiner's intention is a race condition.
I used a symbolic link to solve the problem. If I create level5.tmp in advance and run the level5 program, new content is written to level5.tmp; even if the program then terminates and deletes the file, I can still read the content through the linked file.




I can see the level6 password "what the hell".

Sunday, January 29, 2017

[Hacker School] FTZ Level4. ( Ver. Eng )



Level4.

Use the level4 password "suck my brain" to access the level4 account and check the hint.

Since the hint says a backdoor is in /etc/xinetd.d/, I list this directory with the ls command.


The contents of the backdoor file, shown with the cat command, are as follows.

You can see that the backdoor uses level5 permissions to run /home/level4/tmp/backdoor through the finger service. I looked into the /etc/services file because I need to know which port finger uses.


Please refer to the picture: finger uses port 79. I checked whether the port is open on the server so that the service can be used.


Port 79 is open. Finally, I used the ls command to check whether /home/level4/tmp/backdoor exists.


Since the file does not exist, I created a new file for our purpose.


After that, I ran the backdoor through the finger service, so I could check the password of level4.








