I’ve recently started playing one of the wargames called ‘IO’ hosted at www.smashthestack.org.
Each game is hosted on its own server, which you access via ssh. At the beginning you are provided with the username and password for level1. It is your task to complete the challenge set for you in that level. Once completed, you will have escalated your user privileges to those of the subsequent level, allowing you to read a file in the next level’s home folder containing its password. Once retrieved, you can log out and back in with the next level’s username and password and attempt the following challenge.
Although for a seasoned pro’ the first few levels of ‘IO’ are probably considered easy, they are still tough enough that significant knowledge is required to complete them.
The first level consists of a program which asks you to enter a password. Depending on your input this will then either output “Fail.” or “Win” along with a new shell running with level2 privileges.
The aim of this task is to analyse this executable file and extract the password string contained within. I won’t reveal the solution but one approach would be to debug the program with gdb, find the code which does the string comparison between your entry and the correct password and then to read the password stored at the memory address. The other approach is much quicker but maybe slightly defeats the point of the level as an introduction to gdb.
The second level consists of a programming and maths challenge. The level2 program asks for a password which consists of the results of a range of numbers in a specified series, joined together one after the other as a string.
#level2@io:~$ /levels/level02
#Append the 39th through 42nd numbers in the sequence as a string and feed it to
# this binary via argv. 1, 2, 3, 5, 8, 13, 21…
#The 4th through the 7th numbers would give you 581321
I completed this by creating a python script to create the series of numbers needed, concatenate the appropriate ones together into a string and to give that as an argument to the level2 executable. Win.
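A sketch of such a script, added here as an example and not the script used for this post. It is checked against the prompt's own worked example (4th through 7th gives 581321); the function names are made up for illustration, and the binary path is the one shown in the prompt above.

```python
from itertools import islice


def series(first=1, second=2):
    """Yield the sequence from the level02 prompt: 1, 2, 3, 5, 8, 13, 21, ..."""
    a, b = first, second
    while True:
        yield a
        a, b = b, a + b


def password(start, end):
    """Concatenate terms start..end (1-indexed, inclusive) as decimal strings."""
    if not 1 <= start <= end:
        raise ValueError("need 1 <= start <= end")
    # The prompt counts from 1 and includes both ends; islice counts from 0
    # with an exclusive stop, so only the start index is shifted.
    return "".join(str(n) for n in islice(series(), start - 1, end))


def command(start, end, binary="/levels/level02"):
    """Build the argv list to pass to subprocess.run() on the game server."""
    return [binary, password(start, end)]


if __name__ == "__main__":
    # Self-check against the example in the prompt before trusting other ranges.
    assert password(4, 7) == "581321"
    print(" ".join(command(39, 42)))
```

Passing the result as a list element rather than through a shell string keeps the argument intact however long the concatenated number gets.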
For tasks like this you may find it quicker to do the coding on your own machine and then upload to the io server. To do this you can use the ‘scp’ command from the terminal (you can download scp for Windows from the PuTTY website). First create a directory in the io server /tmp folder.
Give it a hard-to-guess, unique name. Directory listing is restricted on the server, so others can’t see your folder name, but if you use an easily guessable directory name others could still access it by chance.
While logged in to the io server, type ‘mkdir /tmp/mydirname’, replacing mydirname with your unique directory name.
Then from the terminal on your machine you can upload files like so:
scp -P 2224 ~/files/level2.py level2@io.smashthestack.org:/tmp/mydirname/
The command is broken down as follows: ‘-P 2224’ specifies the port number, as io does not run on the standard ssh port; ‘~/files/level2.py’ is the location of my file to upload on my machine; ‘level2’ is the username with which I want to connect to the remote machine; io.smashthestack.org is the remote server address; and the ‘:’ separates the remote server address from the final part, which is the location on the remote machine to store my file.
I’ve just started the 3rd level and upon running the level3 program it instantly seg’ faults. Herein lies the challenge. Hopefully this should keep me occupied for a while.
To join in yourself, connect to the io server like so:
ssh level1@io.smashthestack.org -p2224
(Linux and OS X)
From Windows you will need to download an ssh client such as PuTTY.
Here is a snippet from the ./README file you can view when you connect.
Welcome to the IO wargame at the smash the stack network.
You have done the hard part and found our realm. Here we allow you to play with classic, and up to date vulnerabilities in software. Since many of you may be unfamiliar with how a wargame works, we will give a quick introduction in the following paragraphs. If you are an experienced wargamer, all this will be familiar to you so you might want to skip to the last section which iterates the specifics of this game.
The problems will be presented to you as a series of programs. Which will vary in size from a few lines containing an obvious bug, over to larger, and finally real software. The point is always to exploit this bug in such a way that you can grab control of the program's execution and make it do what you want. For example you will often want it to drop a shell.
The way this works is that the binaries are SUID binaries (http://en.wikipedia.org/wiki/Setuid). This means in short that they run as a different user than you do. The point is to grab control of the program and make it execute your own shellcode. Which will in turn allow you to read the password for the next level.