@JohnKoepi @ g on software engineering

How to solve behemoth0 task

The tasks have been taken from overthewire.org.

Login into the warbox:

    $ ssh behemoth0@behemoth.labs.overthewire.org -p 2221
    with password behemoth0

Try to play with:

    $ /behemoth/behemoth0

We are required to enter the password. Entering something long does not help. So there is no obvious buffer overflow.

Let’s take a look at the file.

    $ cat /behemoth/behemoth0

You should notice interesting strings among the output:

    unixisbetterthanwindowsfollowthewhiterabbitpacmanishighoncrackPassword: %64sAccess granted../bin/shAccess denied..;0$

Those strings may be somehow related to the password, but entering anything of it does not help.

Ok.

But what we see that there is /bin/sh which must be a result of successful password insertion using its suid bit.

gets/scanf uses buf of 64 symbols long.

    $ readelf -a /behemoth/behemoth0

In .dynsym and .symtab sections you can notice a presence of interesting function memfrob. It looks very harmless, until a reading of the man file man memfrob would give you an insight, that this function is actually a memory protector which may be used to hide actual password string against which entered password checked.

Here, you also can check various sections dumps but that would not give you anything more:

    $ objdump -s /behemoth/behemoth0

.rodata contains everything you have saw with plain cat.

Ok, go for gdb with:

    $ gdb -ix /usr/local/gdbinit/gdbinit /behemoth/behemoth0
    gdb$ func

Among everything, there will be main and memfrob.

    gdb$ dis main

You will see a disassembled main listing. There will be memfrob in the middle right after the scanf call.

It’s easy to notice that right after the memfrob there is a strcmp. Obviously, that must be the place where passwords get compared. Set a breakpoint there and run:

    gdb$ b strcmp
    gdb$ run
    Starting program: /behemoth/behemoth0
    Password: 12345

You will be stopped at the breakpoint.

    gdb$ x/32w $esp+0xC

To get current string address on the stack.

Then, just print out memory with the password:

    gdb$ hexdump 0xADDRESS_FROM_STACK_MEM-8 2

Use obtained password to enter new a /bin/sh shell and get a flag for the next warbox.

Links

blog comments powered by Disqus