Smash The Stack – Level1

Hacking is one of the most interesting topics in computer science. Everyone wants to learn hacking, but many people don't have the opportunity or the facilities to learn it. Recently I found the site http://smashthestack.org/. I am currently in the learning stage. This post will be updated after the completion of each level.

How to connect?

To connect to any of the war-games you need an SSH client (OpenSSH, PuTTY, SecureCRT). Each game has its own set of connection details; pay attention to the port and the initial user name. If you are using a UNIX variant, simply type the following at the shell prompt:

-bash-3.2$ ssh -l level1 io.smashthestack.org -p2224
____ ____
||i |||o || Welcome at IO and smashthestack!
||__|||__||
|/__\|/__\| If you have problems connecting please contact us on IRC. (irc.smashthestack.org +6697)
level1@io.smashthestack.org's password:

When you are prompted for the password, enter “level1” without the quotes. This information is also provided on the “io” wargame page. Once you are logged in, read the text (MOTD: message of the day) that is displayed on your screen. The problems are presented to you as a series of programs, which vary in size from a few lines containing an obvious bug, through larger programs, to real software. The point is always to exploit this bug in such a way that you can take control of the program's execution and make it do what you want; for example, you will often want it to drop a shell. This works because the binaries are SUID binaries (http://en.wikipedia.org/wiki/Setuid), which in short means they run as a different user than you do. The point is to take control of the program and make it execute your own shell code, which in turn allows you to read the password for the next level.

How to get started-#Round1

Right now I will talk you through the first level. Currently you are “level1” user. This means you can access only files that are owned by level1, or are accessible by everybody.

level1@io:~# cd /levels
level1@io:/levels# ls -las level01
8 -r-sr-x--- 1 level2 level1 7500 Nov 16 2007 level01

When you run it, it will ask you for a password. Use strings (which prints the sequences of printable characters found in a file) and you will be able to find the password.

level1@io:/levels$ strings level01
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
printf
execl
puts
strncmp
_IO_stdin_used
__libc_start_main
GLIBC_2.0
PTRh
0Y_]
[^_]
[^_]
omgpassword
Usage: %s
Win.
/bin/sh
Fail.
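As an added illustration (not part of the original post or of the wargame), here is a small Python re-implementation of the strings logic used above, run over a constructed byte blob that mimics how a hardcoded password, library symbol names and a shell path sit between code bytes in a binary like level01. It also adds a defender-side check, useful when auditing your own SUID binaries, that flags a file carrying both an exec-family function name and a shell path. The blob, the function names and the indicator list are my own assumptions.

```python
from typing import List

# Constructed sample standing in for a small SUID binary. It is NOT the real
# level01 file; it only reproduces the kind of content strings reports:
# imported symbol names, printable-looking code bytes, and C string literals.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + bytes(9)      # ELF magic; "ELF" is only 3 chars, so skipped
    + b"execl\x00puts\x00strncmp\x00"      # imported symbol names (.dynstr)
    + b"\x89\xe5PTRh\x83\xec\x0c"          # code bytes; "PTRh" happens to be printable
    + b"0Y_]\x00"                          # more code bytes that look like a string
    + b"ab\x00"                            # 2 printable bytes: below the minimum length
    + b"omgpassword\x00"                   # the hardcoded secret the binary compares against
    + b"Usage: %s\n\x00"                   # newline is not printable, so the run ends there
    + b"Win.\x00/bin/sh\x00Fail.\x00"      # the literals passed to puts() and execl()
)

# Strings that, together, suggest a binary hands the caller a shell.
SHELL_SPAWN_INDICATORS = ("execl", "execve", "system", "/bin/sh", "/bin/bash")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order.

    This mirrors the default behaviour of the strings utility: printable means
    0x20..0x7e plus tab, and a run ends at the first non-printable byte."""
    found: List[str] = []
    run = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # a run that reaches the end of the file
        found.append(run.decode("ascii"))
    return found


def shell_spawn_indicators(strs: List[str]) -> List[str]:
    """Return the known shell-spawn indicators present in a binary's strings."""
    present = set(strs)
    return [s for s in SHELL_SPAWN_INDICATORS if s in present]


if __name__ == "__main__":
    extracted = extract_strings(SAMPLE_BINARY)
    print("\n".join(extracted))
    print("shell-spawn indicators:", shell_spawn_indicators(extracted))
```

Every C string literal, including a password compared with strncmp, survives compilation unchanged, which is why a plaintext secret in a binary is never a secret for long.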

When you supply the password, you will get a new shell that has level2 rights. Using this shell you can read the level2 password file.

level1@io:/levels$ ./level01 [something you have to figure out goes here]
Win.
level1@io:/levels$ id
uid=1001(level1) gid=1001(level1) euid=1002(level2) groups=1001(level1),1029(nosu)

As you can see from the output of the id command, you now have an euid (effective user id) of level2. You can now read files that belong to level2. The point is to use this right to read the password file for the next level.

level1@io:/levels$ cat /home/level2/.pass
[BINGO YOU DID IT]

Now you have the level2 password and can log in as level2. Disconnect the current connection. Save the password on your local disk; you will need it later.
/*End of Level1 */


2 comments

  1. Hello,

    I managed to pass level 2 fairly easily, however I can’t beat the alternative one (level02_alt). Could you provide me with another hint, please? Thanks in advance.

    Diego
