http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8595 [º¹»ç]
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ ssh leviathan1@leviathan.labs.overthewire.org -p2223
_ _ _ _
| | _____ _(_) __ _| |_| |__ __ _ _ __
| |/ _ \ \ / / |/ _` | __| '_ \ / _` | '_ \
| | __/\ V /| | (_| | |_| | | | (_| | | | |
|_|\___| \_/ |_|\__,_|\__|_| |_|\__,_|_| |_|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
leviathan1@leviathan.labs.overthewire.org's password:
Permission denied, please try again.
leviathan1@leviathan.labs.overthewire.org's password:
Permission denied, please try again.
leviathan1@leviathan.labs.overthewire.org's password:
,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org
Welcome to OverTheWire!
If you find any problems, please report them to the #wargames channel on
discord or IRC.
--[ Playing the games ]--
This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:
* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few useful tools which you can find
in the following locations:
* gef (https://github.com/hugsy/gef) in /opt/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us on discord or IRC.
Enjoy your stay!
leviathan1@gibson:~$ ls -al
total 36
drwxr-xr-x 2 root root 4096 Sep 19 07:07 .
drwxr-xr-x 83 root root 4096 Sep 19 07:09 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-r-sr-x--- 1 leviathan2 leviathan1 15080 Sep 19 07:07 check
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
check ÆÄÀÏÀÌ ÀÖ´Ù.
SetUID°¡ °É·Á ÀÖÀ¸¸ç ÇÁ·Î¼¼½º°¡ ½ÇÇà Áß¿¡´Â
leviathan2 ±ÇÇÑÀ¸·Î ½ÇÇàµÇ°Ú±Ý µÇ¾îÀÖ´Ù°í »ý°¢ÇÏ¸é µÇ°Ú´Ù.
leviathan1@gibson:~$ ./check
password: aaaaaaa
Wrong password, Good Bye ...
Æнº¿öµå¸¦ ÀÔ·ÂÇ϶ó°í ³ª¿À´Âµ¥... ¾Æ¹« °Å³ª ÀÔ·ÂÇغ¸´Ï
À߸øµÈ Æнº¿öµå¶ó°í ¶á´Ù.
leviathan1@gibson:~$ find / -user leviathan2 2>/dev/null
/home/leviathan1/check
/etc/leviathan_pass/leviathan2
leviathan1@gibson:~$ cd /etc/leviathan_pass
leviathan1@gibson:/etc/leviathan_pass$ ls
leviathan0 leviathan1 leviathan2 leviathan3 leviathan4 leviathan5 leviathan6 leviathan7
leviathan1@gibson:/etc/leviathan_pass$ ls -al
total 48
drwxr-xr-x 2 root root 4096 Sep 19 07:07 .
drwxr-xr-x 124 root root 12288 Dec 21 16:42 ..
-r-------- 1 leviathan0 leviathan0 11 Sep 19 07:07 leviathan0
-r-------- 1 leviathan1 leviathan1 11 Sep 19 07:07 leviathan1
-r-------- 1 leviathan2 leviathan2 11 Sep 19 07:07 leviathan2
-r-------- 1 leviathan3 leviathan3 11 Sep 19 07:07 leviathan3
-r-------- 1 leviathan4 leviathan4 11 Sep 19 07:07 leviathan4
-r-------- 1 leviathan5 leviathan5 11 Sep 19 07:07 leviathan5
-r-------- 1 leviathan6 leviathan6 11 Sep 19 07:07 leviathan6
-r-------- 1 leviathan7 leviathan7 11 Sep 19 07:07 leviathan7
leviathan1@gibson:/etc/leviathan_pass$ ./leviathan2
-bash: ./leviathan2: Permission denied
leviathan1@gibson:/etc/leviathan_pass$ ./leviathan1
-bash: ./leviathan1: Permission denied
leviathan1@gibson:/etc/leviathan_pass$ cd /home/leviathan1
leviathan1@gibson:~$ ls -al
total 36
drwxr-xr-x 2 root root 4096 Sep 19 07:07 .
drwxr-xr-x 83 root root 4096 Sep 19 07:09 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-r-sr-x--- 1 leviathan2 leviathan1 15080 Sep 19 07:07 check
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
find¸í·É¾î·Î -user¸¦ leviathan1À¸·Î °Ë»öÇؼ µÚÁ®ºÁµµ º° Á¤º¸¸¦ °ÇÁú °Ô ¾ø¾ú´Ù.
¿©±â¼ ÇÊÀÚ´Â °ø·«À» º¸¾Ò´Ù.
ltrace¶ó´Â ¸í·É¾î°¡ Àִµ¥ strace´Â ¾Ë°í ÀÖ¾ú´Âµ¥
ltrace¶ó´Â °Íµµ ÀÖ´Â ÁÙ ¸ô¶ú´Ù.
ltrace¿Í strace´Â ¹«¾ùÀϱî?
strace´Â ½Ã½ºÅÛ ÄÝÀ» ÃßÀûÇÏ´Â ÇÁ·Î±×·¥À̸ç
ltrace´Â ¶óÀ̺귯¸® ÇÔ¼ö¸¦ ÃßÀûÇÏ´Â ÇÁ·Î±×·¥ÀÌ´Ù.
...´õ ÀÌ»ó ±íÀº ¼³¸íÀº »ý·«ÇÑ´Ù.
¿©±â¼ ±íÀÌ ÀÌÇØÇÏ·Á´Â °ÍÀº º° µµ¿òÀÌ µÇÁö ¾Ê´Â´Ù°í »ý°¢ÇÏ¿´±â ¶§¹®ÀÌ´Ù.
½Ã½ºÅÛ ÄÝ°ú ¶óÀ̺귯¸® ÇÔ¼öÀÇ °³³äÀº
°¢°¢ ÀÎÅÍ·´Æ®(int 0x80...)³ª ÇÁ·Î±×·¡¹ÖÀÇ °³³äÀ̱⠶§¹®¿¡
leviathan ·¹º§¿¡¼± ÀÚ¼¼ÇÑ ¼³¸íÀ» ÇÏÁö ¾ÊÀ» °ÍÀÌ´Ù.
leviathan1@gibson:~$ ltrace -i check
Can't execute `check': Permission denied
failed to initialize process 3387972: No such file or directory
couldn't open program 'check': No such file or directory
leviathan1@gibson:~$ ltrace -i ./check
[0x80490e8] __libc_start_main(0x80490ed, 1, 0xffffd464, 0 <unfinished ...>
[0x8049227] printf("password: ") = 10
[0x804922f] getchar(0, 0, 0x786573, 0x646f67password:
) = 10
[0x8049237] getchar(0, 10, 0x786573, 0x646f67
) = 10
[0x804923f] getchar(0, 2570, 0x786573, 0x646f67
) = 10
[0x8049256] strcmp("\n\n\n", "sex") = -1
[0x8049295] puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
[0xffffffffffffffff] +++ exited (status 0) +++
¿©±â¼ ¿ì¸®´Â ¹®ÀÚ¿À» ºñ±³ÇÏ´Â ÇÔ¼öÀÎ strcmp¸¦ º¼ ¼ö ÀÖ´Ù.
ÀÔ·ÂµÈ °ª°ú "sex"°¡ ÀÏÄ¡ÇÏ¸é µÇ´Â °É·Î ºÁ¼± "sex"°¡ Æнº¿öµåÀÏ ¼öµµ ÀÖ°Ú´Ù ½Í¾ú´Ù.
p.s. °©ÀÚ±â sexÇÏ°í ½Í... ¾Æ´Ï´Ù... -_-;;
leviathan1@gibson:~$ ./check
password: sex
$ whoami
leviathan2
$ ls -al\
> ^Z
total 36
drwxr-xr-x 2 root root 4096 Sep 19 07:07 .
drwxr-xr-x 83 root root 4096 Sep 19 07:09 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-r-sr-x--- 1 leviathan2 leviathan1 15080 Sep 19 07:07 check
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
$ ls -al
total 36
drwxr-xr-x 2 root root 4096 Sep 19 07:07 .
drwxr-xr-x 83 root root 4096 Sep 19 07:09 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-r-sr-x--- 1 leviathan2 leviathan1 15080 Sep 19 07:07 check
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN
$
Æнº¿öµå´Â "NsN1HwFoyN"ÀÌ´Ù |
Hit : 146 Date : 2025/01/14 01:21
|