Kids

Oh man I’ve had quite the adventure over the last week + a few days. Without getting into too much detail, my wife and I were the guardians of 3 kids: 16 y/o girl, 11 y/o boy and 18 month boy. And man, was it eye opening and exhausting to do.

I realized a lot about myself and how I relate to others. I’m excited to have more kids too and need to learn to balance my time better. I’m glad that I was able to be a good influence for them for the short time they were with us (they were family, so I’ll see them again).

I haven’t been able to get any personal projects done and it took the whole weekend to catch back up to where I wanted to be with cleaning, etc. One thing I did get done was booting a copy of Windows from a USB M.2 drive. Basically, I can take it anywhere I want and boot off of it, and the nicer thing is that I loaded up VMware with a handful of VMs that I would normally run.

I originally wanted to run Linux Mint natively, but after some consideration and troubleshooting, I felt that it would accomplish the same thing by running Windows 10 and then virtualizing the OS’s I wanted to use. For fun, I downloaded GTA5 again and got to relax and play that.

I haven’t gotten everything exactly how I want it, but I like it so far. One OS I wasn’t able to get working was Sigint; it’s like Kali, but more focused on signal intelligence. It seems pretty sweet and I’d like to get some hardware so I can play with it more down the road.

GDB + progress

I found out some information that had stumped me for a while. I thought that I had found a solution for narnia0, but it turns out that gdb can’t be used for priv esc, at least as far as root is concerned. I am getting a shell, but it’s as the same user I am. I think that since I’m running the program inside of gdb, it’s keeping the same user and spawning a shell that way. Oh well. I feel like I’ve learned a lot about gdb and now wish that I’d learned more assembly.

I’ve been playing with running the program and throwing random input values at it. I realized the value changed, which is what I need to change.

Making progress. I got it to take the 0xdeadbeef value, but it’s not doing what I would expect again.

Narnia0

Since I passed the last level in leviathan, I thought I’d take a crack at Narnia. I spent some time on it and I’ll post the screenshots, but I wasn’t able to solve it yet.

The code is included and basically, if a pre-set value equals something else, then (from what I can gather) you’ll get a new shell. I loaded it up into gdb and set the layout asm and layout regs options.

What I did for this one is locate the part of code that compares something to 0xdeadbeef. The line after that jumps to another part if they are not equal. It gave me a shell, but I was still narnia0

For this one I set the instruction pointer to a part of the code to begin executing. That got me a shell too. I might want to print out or copy the code and go through it more thoroughly because I must be missing something. BUT if I can get the debugger to jump to a specific part of code, I can bypass the comparison and spawn the shell. But the shell is being spawned, so it might be in the setreuid part.

After some trial and error, I was able to set what I think is the value to 0xdeadbeef (used set *(char*)0x8048565=0xde, then incremented the last 2 digits of the address for 0xad, etc.). I thought I had these backwards, but I was looking at 62-65 and setting 65 to ef, so I thought it was backwards. Anyway, got a shell here, but it wasn’t elevated either.

In doing some digging here, here and here I learned how to look at memory values and how to set a memory value. The way that I’m doing it is probably not that efficient, and after some troubleshooting it’s backwards (but then again it’s pushed onto the stack, so it comes off in a LIFO order).

I know a lot of people probably just look for the answer which is fine, but what I feel you miss is the exploration and journey of learning along the way. I’ll admit, I have looked up some hints, and I’ve learned two things:

  • I was on the right track which is reassuring
  • Most other write ups are pretty straight to the point and don’t offer an in depth walk through. There have been a couple that I’ve stumbled across, but for the most part it’s two screenshots or a line or two of code and that’s it. Either they are super good at this and don’t need the validation or are copying the end result from other solutions they’ve looked up.

All in all, this has been fun, educational and challenging so far. And based on the notes on the website its difficulty is 2/10… yikes.

OTW Leviathan 6 -> 7

This one was pretty easy. Figure out the 4-digit combo on the program. No biggie, right?

So I started off with an initial version of a script, but this was the one that I settled on.

for x in {0000..9999}; do /home/leviathan6/leviathan6 $x >> output.txt; sleep .01s; done

I had a couple versions, one to display the output as it scrolled along with the combo it was on, but that got a little too mind numbing to look at. So why not put the output to a text file and look at it when it’s done?

The text file was basically line after line of the word “Wrong”, so all I thought I’d have to do was grep -v “Wrong” and get the password. But that was an incorrect assumption. Since this was an escalation exercise, it would give me an escalated shell once I got the right combination.

What I noticed was that the script would take forever to run. Way longer than I thought it would. And the file wasn’t getting any bigger. Weird.

So what I thought to do was to connect with another terminal and look at the output (previously I was using Ctrl-Z and thought that doing that might be messing with the script somehow). I never found any word besides “Wrong”, which isn’t what I expected, so I checked the lines in the file. The number of lines stopped going up, so that was interesting. Since each word was on a new line I had a rough idea of which combination it stopped on. So I tried that and ended up getting the combination that way.

It turned out that the script would get the right combo and get dropped into a shell, so it was waiting to get back out to keep brute forcing thus waiting indefinitely. Overall a pretty easy level I’d say.
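The hang is the interesting part of this level, so here it is worked through in code. This is an added example, not the script from the post: a constructed stand-in for the leviathan6 binary (SECRET_PIN is a placeholder, not the level’s real PIN) and a brute-force loop that feeds the program stdin from /dev/null, so the shell a correct PIN spawns sees EOF and exits immediately instead of sitting there waiting for commands.

```shell
#!/bin/sh
# Added example, not the original post's script. Brute-force a 4-digit PIN against a
# program that prints "Wrong" on failure and spawns an interactive shell on success.
# The post's loop blocked because that shell inherited the terminal's stdin and waited
# for commands; feeding it /dev/null makes it see EOF and exit at once.

# Constructed stand-in for /home/leviathan6/leviathan6 so this runs offline.
# SECRET_PIN is an assumption for the demo, not the level's real PIN.
SECRET_PIN="${SECRET_PIN:-7123}"
mock_leviathan6() {
    if [ "$1" = "$SECRET_PIN" ]; then
        sh          # stands in for the setuid shell the real binary spawns
    else
        echo "Wrong"
    fi
}

# brute_force TARGET FROM TO: try every PIN in [FROM, TO], zero-padded to 4 digits,
# and print the first one whose output is not "Wrong" (exit status 1 if none hit).
brute_force() {
    target=$1 i=$2 to=$3
    while [ "$i" -le "$to" ]; do
        pin=$(printf '%04d' "$i")
        # stdin from /dev/null: a spawned shell gets EOF and returns instead of hanging
        out=$("$target" "$pin" </dev/null 2>&1)
        if [ "$out" != "Wrong" ]; then
            echo "$pin"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Against the real level: brute_force /home/leviathan6/leviathan6 0 9999, then run the
# binary once more by hand with that PIN to get the interactive leviathan7 shell.
```

The same /dev/null redirect works for the one-liner in the post; the point is that a privileged shell is a success signal that blocks, so the loop has to deny it a terminal to read from.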

*** UPDATE ***

Since I was logged in as leviathan7 I thought I’d initially check out the level.

Oops

OTW Leviathan 5 -> 6 + BONUS

I keep over thinking things.

But this time it paid off 🙂

This level was pretty much like the old ones. Let’s dive into it.

ltrace ./leviathan5 | less
objdump -xD ./leviathan5

This is where I spent a good amount of time. That and gdb. The upside is I’ve learned a lot of stuff in gdb (gdb -tui, info registers, ni, start, x/s find, etc), but the downside is it didn’t directly help me solve the level. It did help me discover some cool stuff though.

So I searched for the main function with objdump. It looks like it goes through the following functions (but I didn’t trace it out, I’m just reading it).

  • main
  • fopen
  • exit
  • fgetc
  • feof
  • putchar
  • fclose
  • getuid
  • setuid
  • unlink

All of those are what I expected. I guess? Except unlink. That’s interesting.

From what I could gather, the program looks for /tmp/file.log and exits if the file isn’t there. From the ltrace, I could surmise that it tried to open the file read only. So let’s see what we can do with it.

Bingo

So the leviathan5 program looks for the /tmp/file.log file, if it exists, then it will display it. But if it’s a symlink to another file, then it will display the contents of file it points to – according to its permissions. So there we have it.

The bonus part is something I found out that I was pretty excited to discover. After I solved the level I googled answers to this level to see if anyone had done it before, and as far as I can tell, no one has.

I noticed that there was an unlink function at the end of the program, and noticed that after leviathan5 was run the /tmp/file.log wasn’t there. I wonder if that happens with everyone.

So I logged in with two terminals. One to get up to the point of getting the contents of the file and the other to run the program to actually get the contents of the file. It worked as I expected. Huh. I wonder. So I wrote a quick script and this happened.

oh man someone is getting messed with
# keep the real file out of the way and reap whatever a victim puts at /tmp/file.log
while true; do
  cat /tmp/file.log
  /home/leviathan5/leviathan5 | grep -v "Cannot find"
  sleep 1s
  echo "Do it non stop and do it again"
done

This was a simple script that waits for 1 second, then runs the leviathan5 program, over and over and over again. I could tell someone was trying to get the file, but I was stopping it. After a bit of tweaking, I settled on something I liked. Here’s a screenshot of how it played out.

Oh man some people are probably annoyed with me

And here’s the code

links=1
files=1
time=0
while true; do
  # -L first: -f follows symlinks, so a link to a regular file would also pass -f
  if [ -L /tmp/file.log ]; then
    echo "link exists… killing…" && unlink /tmp/file.log && echo "Links killed: $links" && let "links++"
  elif [ -f /tmp/file.log ]; then
    echo "file exists… here it is" && cat /tmp/file.log && rm -f /tmp/file.log && echo "Files killed: $files" && let "files++"
  fi
  sleep 1s
  let "time++"
  # heartbeat so the terminal shows the loop is still alive
  if [ "$time" -gt 200 ]; then
    echo "200 seconds have passed, just letting you know"
    time=0
  fi
done

All in all, this was a fun and challenging level. Just like the previous ones, I seem to look deeper than I need to, but the upsides are that I learn new things and feel the frustration, and I stumbled across a way I could mess with other players.

OTW Leviathan 4 -> 5

This one was easy.


I guess it wants to be converted to text?

Hmmmm maybe not

Or maybe using su isn’t permitted for our user? Let’s try.

Yep. leviathan4 cannot use su to become leviathan5. The password was good.

OTW Leviathan 3 -> 4

This one built off of previous ones and seemed a lot easier, although there were some things that threw me for a loop. I could do one screenshot here, but I’ll break it down into chunks.

Initially looking at the program reveals it similar to ones before it.

This is interesting. It’s doing a string compare before asking for input. Weird, but whatever. Then it asks for the password and compares it to ‘snlprintf’. Let’s try that.

Oh cool, that was easy. Wait. I’m still level 3. Hmmm, let’s run it again, without ltrace. (Running the binary under ltrace is what kept me at level 3: ltrace traces the process with ptrace, and the kernel does not grant a traced process the privileges of a setuid binary it executes, so the program ran as leviathan3 instead of leviathan4.)

Ok that was too easy.

For some reason, I keep thinking that I’ll need to disassemble the program and learn how to program in assembly in order to deconstruct an algorithm or something. I didn’t show the first little bit I did, where I objdumped the program and looked for things that way. Maybe in a future ctf I’ll have to do that, but not so far.

OTW Leviathan 2 -> 3

Let me explain what’s going on here.

You have the files listed above, each with a line of text. One is “0ne” and two is “tw0” (with zeros). The file named “one two” contains the words “one two”, which is the same as the names of the two files. If you cat “one two” you get the contents of the file “one two”, but when you run the program and pass “one two” into it, it cats each of the files individually. It’ll even do the same thing with three files. So it looks like it actually passes what you type in as a string to cat. How can this be exploited?

What this does is exploit the program’s execution of cat with elevated permissions, but it looks like it only checks the permissions the first time. Let’s check.

Huh, looks like I was wrong. From this, I’m guessing then, that it checks to see if the file “three two one” is owned by leviathan2 (which it is), then passes “three two one” as an argument and cats it. Pretty cool.
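Here is that behaviour worked through in code. This is an added example, not the level’s source: the ltrace shows access() on the argument followed by system("/bin/cat %s"), so mock_printfile copies only that shape, checking the whole argument and then handing it to a shell command where the unquoted %s is re-split into separate words. The files, directory and the "decoy secret" filename are constructed for the demo.

```shell
# Added example, not the level's source. printfile's ltrace showed access() on the
# argument followed by system("/bin/cat %s"); mock_printfile copies just that shape.
mock_printfile() {
    [ -r "$1" ] || { echo "You cant have that file..."; return 1; }
    sh -c "cat $1"          # unquoted %s: "three two one" reaches cat as three filenames
}

# Hardened counterpart: the checked name goes to cat as one argument, no shell in between.
safe_printfile() {
    [ -r "$1" ] || { echo "You cant have that file..."; return 1; }
    cat -- "$1"
}

# demo READER: run READER against a file literally named "decoy secret" in a fresh
# temp dir and return its stdout. All three files are constructed; "secret" stands in
# for the file the permission check alone would have refused.
demo() {
    dir=$(mktemp -d)
    printf 'this is the decoy\n'       > "$dir/decoy"
    printf 'PASSWORD-FOR-NEXT-LEVEL\n' > "$dir/secret"
    printf 'harmless text\n'           > "$dir/decoy secret"
    ( cd "$dir" && "$1" "decoy secret" )
    rm -rf "$dir"
}

# demo mock_printfile prints the decoy and the secret, never "harmless text";
# demo safe_printfile prints only "harmless text".
```

The check and the read disagree about what “the file” is: access() sees one path, cat sees two. Quoting the argument (or skipping the shell entirely) closes that gap, though the check-then-use ordering itself is still a race if the attacker can swap a symlink in between.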

OTW Leviathan 2

I’ve said before that ‘this one was fun’, but believe me when I say it, this one was fun. I know a lot of other places draft their write ups in a way that seems formal which is what you’d do on the OSCP or as a report for a business, but for this site, I like to document the process I went through and how I arrived at the conclusion I did. That said (and I’ll probably document my thought process vs writing a formal report) here we go.

I try not to assume anything, but it looks like a priv esc.

So this one seems a lot like the one before. It’s owned by leviathan3, but members of the group leviathan2 have access to it and can run it, and when it’s run, it runs with leviathan3 privileges.

ltrace of the program

So this is interesting. It runs, executes an access(), then snprintf – but it builds a system command. The part that I noticed was that it has the argument of the filename I passed into it, and it’s parsed as a string %s. Then it goes through getuid, seteuid and setreuid. After that it looks like it actually executes a system command. So this looks like our entry point.

At this point I thought it was best to look at some of the assembly and see what I could pick out. This wasn’t very helpful, but it made me realize that I do need to brush up on my x86/64 knowledge, even dive into it for a while. In looking at it, it looked like it went into more detail of what I saw with ltrace. I got stuck in looking at assembly for longer than I should have. I am pretty sure it was a few hours. I got a little frustrated because there are so many cool things to learn and adding this on top makes me think that I’ll never get the hang of it.

I think at this point, I looked back to the way the program was run and decided to mess with it.

So lots of stuff happening here, and these were some of the steps I did when looking at it. I made a temp directory, put a couple of files in it, and tried running the program against them, but wasn’t able to. This tripped me up for a bit. I also made a symlink to the program, but then it was owned by me and would mess up the way it ran (I also copied printfile into my $PWD at one point). After a little bit I was able to see the mistake I was making.

chmod 777 .

So I spent more time than I’d like to admit looking at this, but basically the program, running as leviathan3, didn’t have permission to get into my temporary directory and read the files inside it. I could have done a ‘chmod 755 .’ and gotten a similar result, but I left it the way that it was.

This is interesting to see. So when I pass multiple files to printfile, it accepts only one whereas when I pass multiple files to cat it’ll accept them all.

OTW – Leviathan 1 -> 2

This exercise didn’t have any information, but it seemed self explanatory when I logged in.

The ‘check’ binary will run with elevated privs

So how can we exploit this? There were a few commands I used before I got to the end and got it, so I’m documenting what I did to solve it.

First thing is, let’s determine what we are working with. Looks like a binary file. The next command I was familiar with was xxd, so I tried that.

xxd check | less

I tried this command and looked through the file, I could see it telling me “Wrong password” so that was a good start. What other strings are in there?

looks interesting… wait is that ‘love’ in there?

This displayed quite a number of strings and if it was asking for a string and then comparing it to the answer, it should be in there, right? Well hopefully. I piped the input into the executable so I wouldn’t have to try it over and over again.

Huh that didn’t get anything…

After that I was stumped for a bit. I tried combing through it with the objdump and readelf commands. I looked into how an ELF is built and where the strings are. In doing so, I got the assembly of the code and thought I had it, because it was doing a strcmp, which is what I thought I was looking for. I even tried typing in a single character and noticed that it will not return to the output until 2 chars are entered. I thought maybe I could escape out of the shell with other inputs, but didn’t get anywhere. I looked for similar commands to what I was already using because I felt I was on the right track, then I stumbled across this website.

I hadn’t tried strace or ltrace before. I didn’t get anything with strace, but ltrace did this.

Neat
wait, strcmp("pas", "sex")
I guess the password was sex

So I thought I was home free. This wasn’t the case.

wtf I am still leviathan1!

At this point I thought I had gone down a rabbit hole and wasted all sorts of time. I went ahead and ran the program again, this time without using ltrace.

Got it!

This was a very fun exercise because I felt that I had been on the right track the whole time and was slowly making progress towards the goal. It was satisfying to expand my horizon and use debugging tools. I feel that a whole new world was opened up.

Oh fun fact, the password was in the binary when I issued the xxd command against it. One of the strings was ‘secrf’, so I went into the file one more time and found ‘sex’ and ‘god’ close to it as well. It almost looks like the words are ‘sex’, ‘god’ and ‘secret’. I wonder why the other two words didn’t show up when using the strings command?
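The answer to that question: strings only reports runs of at least 4 printable characters by default (strings -n 3 lowers the threshold), so three-letter words never make its output even though xxd shows them. The following is an added example, not from the post, that rebuilds the core of strings with tr and grep so the threshold is explicit, and runs it over a constructed blob containing the words mentioned above. The blob stands in for the check binary and is not its real contents.

```shell
# Added example, not from the post. find_strings FILE MIN reimplements the core of
# `strings -n MIN`: every non-printable byte becomes a line break, then only runs of
# at least MIN printable characters are kept. The C locale keeps tr and grep bytewise.
find_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$2,}$"
}

# make_blob FILE writes a constructed binary: the words the post mentions separated by
# NUL bytes. It is a stand-in for the `check` binary, not its actual bytes.
make_blob() {
    printf 'sex\000god\000secret\000love\000Wrong password\000' > "$1"
}

# find_strings blob 4 -> secret, love, Wrong password  (the default strings behaviour)
# find_strings blob 3 -> sex, god, secret, love, Wrong password
```

When a binary prompts for a short token, drop the threshold (strings -n 1 or 2 is fine for small files) or just read the hexdump, as the xxd pass here did.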