IO Smash the stack level 01
Posted on
A colleague of mine recommended playing wargames so I started on io.smashthestack.org and will write my findings. Please notice that I do not write the passwords for levels and you should really not just try to copy but understand the challanges yourself. You will only be cheating yourself of fun :)
Level01
level1@io:~$ cd /levels/
level1@io:/levels$ ls -latr level01*
-r-sr-x--- 1 level2 level1 1184 Jan 13 2014 level01
No source provided so lets try to start it
level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: 123
Its a passcode and I cleary didn’t get 123 right. Lets fire it up in GDB and look at the source
level1@io:/levels$ gdb -q ./level01
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) disassemble
YouWin __bss_start _edata _end _start doit exit exitscanf fscanf main prompt1 prompt2 puts shell skipwhite
(gdb) disassemble main
Dump of assembler code for function main:
0x08048080 <+0>: push $0x8049128
0x08048085 <+5>: call 0x804810f <puts>
0x0804808a <+10>: call 0x804809f <fscanf>
0x0804808f <+15>: cmp $0x10f,%eax <------------ compare input with value
0x08048094 <+20>: je 0x80480dc <YouWin>
0x0804809a <+26>: call 0x8048103 <exit>
End of assembler dump.
(gdb) !echo "ibase=16; 10F"|bc
XXX
(gdb) r
Starting program: /levels/level01
Enter the 3 digit passcode to enter: XXX
Congrats you found it, now read the password for level2 from /home/level2/.pass
process 15848 is executing new program: /bin/bash
sh-4.2$ whoami
level1
It worked except that since I’m within GDB I didn’t get the SUID. Running it outside GDB.
level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: XXX
Congrats you found it, now read the password for level2 from /home/level2/.pass
sh-4.2$ whoami
level2
sh-4.2$ cat /home/level2/.pass
XXXXXXXXXXXXXXXX