----------------------------------------------
Let's Play hktrace

nickname> hkpco
e-mail  > hkpco@korea.com
homepage> http://hkpco.kr/
----------------------------------------------

// hktrace source code -> http://hkpco.kr/code/hktrace.c

// what is hktrace?

[hkpco@localhost hkpco]$ ./hktrace

==================== hktrace ====================
hktrace is no-read permission binary copying tool
target program is needed execute-permission only
available system is Linux and FreeBSD
create filename is *.hk
made by hkpco (ChanAm Park)
hkpco@korea.com, http://hkpco.kr/
=================================================

Usage -> ./hktrace [target_binary]

// SYSTEM INFO

[root@localhost hkpco]# uname -a
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
[root@localhost hkpco]# cat /etc/redhat-release
Fedora release 8 (Werewolf)

// target source code
// (the header names were lost in extraction; stdio.h and string.h are what
//  printf and strcpy need, and the deliberate unbounded strcpy is kept as written)

[root@localhost hkpco]# cat target.c
#include <stdio.h>
#include <string.h>

int main( int argc , char **argv )
{
    char buffer[128] = {0x00};

    if( argc < 2 )
        return -1;

    printf( "\n====================================\n" );
    printf( "HA AK HA AK\n\n" );

    /******* // THIS IS BIG HOLE!! *******/
    strcpy( buffer , argv[1] );   /* no length check: argv[1] longer than 128 bytes overruns the stack buffer */
    /******* // THIS IS BIG HOLE!! *******/

    printf( "%s!! attack me, touch me\n" , buffer );
    printf( "HAAAAAAAAAA AAK HAAAAAAAA AAK\n" );
    printf( "====================================\n\n" );

    return 0;
}

// test user

[hkpco@localhost hkpco]$ id
uid=500(hkpco) gid=500(hkpco) groups=500(hkpco) context=unconfined_u:system_r:unconfined_t:s0

// target is a setuid binary (root-owned, execute-only for others)

[hkpco@localhost hkpco]$ ls -al target
-rws-----x 1 root root 5474 2008-05-07 02:23 target
^^^^^^^^^^

// execute

[hkpco@localhost hkpco]$ ./target hkpco_test_strings

====================================
HA AK HA AK

hkpco_test_strings!! attack me, touch me
HAAAAAAAAAA AAK HAAAAAAAA AAK
====================================

// can not DISASSEMBLE, COPY, STRINGS, and so on..
[hkpco@localhost hkpco]$ id
uid=500(hkpco) gid=500(hkpco) groups=500(hkpco) context=unconfined_u:system_r:unconfined_t:s0
[hkpco@localhost hkpco]$ objdump -d target
objdump: target: Permission denied
[hkpco@localhost hkpco]$ cp target my_target
cp: cannot open `target' for reading: Permission denied
[hkpco@localhost hkpco]$ strings target
strings: target: Permission denied

// hktrace!!

[hkpco@localhost hkpco]$ ./hktrace target

==================== hktrace ====================
hktrace is no-read permission binary copying tool
target program is needed execute-permission only
available system is Linux and FreeBSD
create filename is *.hk
made by hkpco (ChanAm Park)
hkpco@korea.com, http://hkpco.kr/
=================================================

[+] target name - target
[+] information - -rws-----x 1 root root 5474 2008-05-07 02:23 target
[+] system info - Linux 2.6.23.1-42.fc8
[>] size notice - used file size instead of memory mapping size
[+] 0x8048000-0x8049562 copy ok.
!! [target.hk] created. !!
[target.hk] -rwx------ 1 hkpco hkpco 5474 2008-05-07 02:30 target.hk

// target.hk info

[hkpco@localhost hkpco]$ ls -al target.hk
-rwx------ 1 hkpco hkpco 5474 2008-05-07 02:30 target.hk

// execute

[hkpco@localhost hkpco]$ ./target.hk hkpco_and_ChanAm_Park

====================================
HA AK HA AK

hkpco_and_ChanAm_Park!! attack me, touch me
HAAAAAAAAAA AAK HAAAAAAAA AAK
====================================

// STRINGS and DISASSEMBLE are available

[hkpco@localhost hkpco]$ strings target.hk
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
strcpy
puts
printf
memset
__libc_start_main
GLIBC_2.0
PTRh0
QVhT
[^_]
====================================
HA AK HA AK
%s!! attack me, touch me
HAAAAAAAAAA AAK HAAAAAAAA AAK
====================================

// target.hk DISASSEMBLE

[hkpco@localhost hkpco]$ objdump -d target.hk
.
.
 80484bc:	8b 95 74 ff ff ff    	mov    -0x8c(%ebp),%edx
 80484c2:	8b 42 04             	mov    0x4(%edx),%eax
 80484c5:	83 c0 04             	add    $0x4,%eax
 80484c8:	8b 00                	mov    (%eax),%eax
 80484ca:	89 44 24 04          	mov    %eax,0x4(%esp)
 80484ce:	8d 85 7c ff ff ff    	lea    -0x84(%ebp),%eax
 80484d4:	89 04 24             	mov    %eax,(%esp)
 80484d7:	e8 70 fe ff ff       	call   804834c <strcpy@plt>
                                        /******* GREAT!! *******/
                                        // strcpy( ebp-0x84, argv[1] );
.
.
.

now you can attack!!

< BONUS PART! >

COMMENT)) ftz.hackerschool.org is a very famous wargame server in Korea.
When you solve a level's problem, you get the password for the next level through the "/bin/my-pass" binary.

// SYSTEM INFO

[level1@ftz hk]$ uname -a
Linux ftz.hackerschool.org 2.4.32 #2 SMP 2006. 01. 17. (화) 00:18:19 KST i686 i686 i386 GNU/Linux
[level1@ftz hk]$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)

// my-pass binary info

[level1@ftz hk]$ ls -al /bin/my-pass
-rwxr-x--x 1 root root 13919 12월 9 2003 /bin/my-pass
^^^^^^^^^^

// test user

[level1@ftz hkpco]$ id
uid=3001(level1) gid=3001(level1) groups=3001(level1)

// can not COPY, DISASSEMBLE, or STRINGS

[level1@ftz hk]$ cp /bin/my-pass comeon
cp: cannot open `/bin/my-pass' for reading: Permission denied
[level1@ftz hk]$ objdump -d /bin/my-pass
objdump: /bin/my-pass: Permission denied
[level1@ftz hk]$ strings /bin/my-pass
strings: /bin/my-pass: Permission denied

// hktrace!

[level1@ftz hkpco]$ ./hktrace /bin/my-pass

==================== hktrace ====================
hktrace is no-read permission binary copying tool
target program is needed execute-permission only
available system is Linux and FreeBSD
create filename is *.hk
made by hkpco (ChanAm Park)
hkpco@korea.com, http://hkpco.kr/
=================================================

[+] target name - /bin/my-pass
[+] information - -rwxr-x--x 1 root root 13919 12월 9 2003 /bin/my-pass
[+] system info - Linux 2.4.32
[>] size notice - used file size instead of memory mapping size
[+] 0x8048000-0x804b65f copy ok.
!! [my-pass.hk] created. !!
[my-pass.hk] -rwx------ 1 level1 level1 13919 5월 6 19:46 my-pass.hk

// my-pass.hk info

[level1@ftz hkpco]$ ls -al my-pass.hk
-rwx------ 1 level1 level1 13919 5월 6 19:46 my-pass.hk

// EVERY LEVEL'S PASSWORD: GOT IT!!

[level1@ftz hkpco]$ strings my-pass.hk
/lib/ld-linux.so.2
libc.so.6
printf
geteuid
getuid
system
_IO_stdin_used
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
clear
Level1 Password is "level1".
Level2 Password is "hacker or cracker".
Level3 Password is "can you fly?".
Level4 Password is "suck my brain".
Level5 Password is "what is your name?".
Level6 Password is "what the hell".
Level7 Password is "come together".
Level8 Password is "break the world".
Level9 Password is "apple".
Level10 Password is "interesting to hack!".
Level12 Password is "it is like this".
Level13 Password is "have no clue".
Level14 Password is "what that nigga want?".
Level15 Password is "guess what".
Level16 Password is "about to cause mass".
Level17 Password is "king poetic".
Level18 Password is "why did you do it".
Level19 Password is "swimming in pink".
Level20 Password is "we are just regular guys".
clear Password is "i will come in a minute".
admin@hackerschool.org
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
_IO_stdin_used
../sysdeps/i386/elf/start.S
/usr/src/build/
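The lesson a defender should take from both runs above is that execute-only mode (-rws-----x, -rwxr-x--x) only stops cp, strings and objdump from opening the file; it does not hide the binary from a user who is allowed to run it, because the loaded image lives in that user's own process, and my-pass compiled every level's password straight into that image. The audit below is an added check, not part of hkpco's writeup or of hktrace: it walks a tree with POSIX find and test, lists every regular file that others may execute but not read, and tags the setuid/setgid ones so they are reviewed first. Such a file should never rely on being unreadable to protect a secret; secrets belong in a root-only file read at run time. The sample files in the test are constructed in a temporary directory; nothing here reads any binary's contents.

```shell
#!/bin/sh
# Added audit helper (not hktrace): find execute-only files that may be relying
# on mode bits for confidentiality. Uses only POSIX find/test so it also runs
# on the FreeBSD hosts hktrace targets.

# List regular files under $1 whose mode grants "others" execute (0001) but
# not read (0004). "-perm -MODE" means "all of these bits set", so the negated
# second test selects files where the other-read bit is clear.
find_exec_only() {
    find "$1" -type f -perm -0001 ! -perm -0004 2>/dev/null
}

# Same scan, one line per hit, prefixed SETUID / SETGID / PLAIN. Setuid
# helpers like /bin/my-pass are the ones most likely to carry secrets, so
# they come out clearly labelled for review.
classify_exec_only() {
    find_exec_only "$1" | while IFS= read -r f; do
        if [ -u "$f" ]; then
            tag=SETUID
        elif [ -g "$f" ]; then
            tag=SETGID
        else
            tag=PLAIN
        fi
        printf '%s %s\n' "$tag" "$f"
    done
}

# Number of setuid execute-only files under $1 (always exits 0, so it can be
# used in a cron summary line without tripping "set -e").
count_exec_only_setuid() {
    classify_exec_only "$1" | grep -c '^SETUID ' || true
}

# Usage: AUDIT_ROOT=/usr/bin sh audit_exec_only.sh  (AUDIT_ROOT is an assumed
# name for this helper; unset it to just source the functions).
if [ -n "${AUDIT_ROOT-}" ]; then
    classify_exec_only "$AUDIT_ROOT"
    printf 'setuid execute-only files: %s\n' "$(count_exec_only_setuid "$AUDIT_ROOT")"
fi
```

Run it against /bin, /usr/bin and /usr/local/bin on a host and treat every SETUID hit as a candidate for the my-pass problem: either the program genuinely needs no secrecy of its code (fine, leave it), or it hides data in its image and needs redesigning. Note that current Linux kernels mark a process that executed a file it may not read as non-dumpable, which also blocks ptrace memory reads by an unprivileged tracer, so the exact hktrace path no longer works there; the design point stands regardless, since mode bits were never meant to be a confidentiality control for code.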