Hello, in this tutorial I will show you how to defeat the security in the first level of the smashthestack io servers. The program we will be exploiting is set to always run as the level2 user (a setuid binary). This means that, even though we are logged into a lower-privileged account (level1), this program runs in a process with higher privileges than our own. So, if we can hijack that process, we can use it to spawn a shell, read the password for level2 from it and gain permanent access to the account. This level is particularly easy because the program spawns a shell for you once it is satisfied. In most cases it is not this simple and requires a buffer overflow to inject code into the process in order to achieve the same effect.
Required Knowledge:
- Use of the Bash shell
- A small amount of 32-bit x86 assembly language
- Knowledge of the hexadecimal numbering system
Warnings:
- Vulnerable programs are located in /levels
Anyway, to begin, we must connect to the smashthestack servers. To do this, open a terminal and type the following command:
ssh -p2224 level1@io.smashthestack.org
The password for level1 is not surprisingly 'level1'.
After connecting, you should be in the home directory of the level1 user account on the server. Your mission is to exploit any of the tools at your disposal in order to escalate your permissions and gain access to the level2 account. For this we will need two different executable files, 'level01' and 'gdb'. On this level, level01 is the vulnerable program, and gdb is the GNU Debugger, a very helpful utility which you will need to use frequently on these challenges.
level1@io:~$ cd /levels
level1@io:/levels$ ./level01
You need to supply a password.
Usage: ./level01 [password]
level1@io:/levels$
It appears that this program requires a password to continue, so let's use GDB to get a list of the assembly instructions that make this program tick.
level1@io:/levels$ gdb ./level01
...
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x08048596 <main+0>: push ebp
...
0x0804861b <main+133>: leave
0x0804861c <main+134>: ret
End of assembler dump.
(gdb)
Let's break this down a bit. 'gdb ./level01' simply starts gdb with the level01 program loaded for debugging. 'set disassembly-flavor intel' is not strictly necessary; it tells GDB to display disassembled code in Intel syntax rather than the default AT&T syntax used by the GNU assembler (GAS). Finally, 'disass main' tells GDB to disassemble the program's main function and display it. Note that level01 was built without debugging symbols, so there is no source to step through; the assembly is all we get.
Now we need to actually look at the code we are presented with.
...
0x080485a4 <main+14>: sub esp,eax
0x080485a6 <main+16>: cmp DWORD PTR [ebp+0x8],0x2 #password entered?
0x080485aa <main+20>: je 0x80485ca <main+52> #if yes then jump
0x080485ac <main+22>: mov eax,DWORD PTR [ebp+0xc]
0x080485af <main+25>: mov eax,DWORD PTR [eax]
0x080485b1 <main+27>: mov DWORD PTR [esp+0x4],eax
0x080485b5 <main+31>: mov DWORD PTR [esp],0x8048760
0x080485bc <main+38>: call 0x80483b8 <printf@plt>
0x080485c1 <main+43>: mov DWORD PTR [ebp-0x4],0x0
0x080485c8 <main+50>: jmp 0x8048618 <main+130>
0x080485ca <main+52>: call 0x804852d <pass> #jump destination looks suspicious
0x080485cf <main+57>: mov DWORD PTR [esp+0x8],0x64
0x080485d7 <main+65>: mov eax,DWORD PTR [ebp+0xc]
...
As you can see from this listing, the instruction at main+16 checks that you entered a password. It does this by comparing the number of command-line arguments (argc, which main finds at [ebp+0x8]) against 2: the program name (argv[0]) counts as one argument, so argc is two when exactly one password was given. If the check fails, main+22 through main+38 load argv[0] from the argument vector at [ebp+0xc] and print the usage message we saw, then jump to the end of the function. If it passes, main+52 calls pass. Note that this call is taken whenever argc is 2, whatever you typed: as the next listing shows, pass does not compare anything itself, it only fills a global buffer at 0x8049140 (the address loaded at pass+6) with a hard-coded string; the comparison with argv[1] happens afterwards in main (the 0x64 stored as the third argument at main+57 looks like a length for a bounded compare). Disassembling the function at the jump destination gives the following:
(gdb) disass pass
Dump of assembler code for function pass:
0x0804852d <pass+0>: push ebp
0x0804852e <pass+1>: mov ebp,esp
0x08048530 <pass+3>: sub esp,0x4
0x08048533 <pass+6>: mov DWORD PTR [ebp-0x4],0x8049140
0x0804853a <pass+13>: mov DWORD PTR ds:0x8049140,****
0x08048544 <pass+23>: mov DWORD PTR ds:0x8049144,****
0x0804854e <pass+33>: mov DWORD PTR ds:0x8049148,****
0x08048558 <pass+43>: mov DWORD PTR ds:0x804914c,****
0x08048562 <pass+53>: mov DWORD PTR ds:0x8049150,****
0x0804856c <pass+63>: mov DWORD PTR ds:0x8049154,****
0x08048576 <pass+73>: mov DWORD PTR ds:0x8049158,****
0x08048580 <pass+83>: mov DWORD PTR ds:0x804915c,****
0x0804858a <pass+93>: mov DWORD PTR ds:0x8049160,0x00
0x08048594 <pass+103>: leave
0x08048595 <pass+104>: ret
End of assembler dump.
(gdb)
From here, take the hexadecimal values where the stars are and turn them back into characters. Two things to keep in mind: the values are ASCII bytes packed four to a dword, and x86 is little-endian, so the byte written to the lowest address is the low (rightmost) byte of each immediate. A store of 0x64636261 to 0x8049140, for example, writes the string "abcd", not "dcba"; reverse the byte pairs within each dword before feeding them to a hexadecimal-to-string converter such as http://www.string-functions.com/hex-string.aspx. The 0x00 stored at 0x8049160 is the terminating NUL. Voila! There is the password for the program! You can cross-check the result in gdb: set a breakpoint just after pass returns (break *0x080485cf), run the program with any single argument, and print the buffer with x/s 0x8049140.
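The byte-order point above is where most first attempts go wrong, so here is a small C program that does the conversion the right way and the wrong way side by side. It is an added example, not code from the original post or from the challenge: the dword values in SAMPLE_WORDS are constructed to look like the immediates GDB prints for a run of 'mov DWORD PTR ds:...' stores, and they spell a made-up 32-byte string, not the real level01 password. decode_dwords() unpacks the low byte of each dword first (little-endian, as the CPU does it), decode_dwords_naive() reads the hex digits left to right (what you get by pasting them into a converter unchanged), and encode_dword() goes the other way so you can sanity-check a guess.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (NOT the real level01 values): the dword
 * immediates as GDB in Intel syntax prints them for consecutive
 * `mov DWORD PTR ds:<addr>,0x...` stores, ending with the 0x00 store
 * that terminates the string, like the one at pass+93 on the page. */
static const uint32_t SAMPLE_WORDS[] = {
    0x72726f63, 0x2d746365, 0x73726f68, 0x61622d65,
    0x72657474, 0x74732d79, 0x656c7061, 0x3233782d,
    0x00000000,
};
#define NWORDS (sizeof SAMPLE_WORDS / sizeof SAMPLE_WORDS[0])

/* Unpack consecutive 32-bit stores into the string they write.
 * msb_first = 0: little-endian, the low byte of each dword is the byte
 *                at the lowest address (correct for x86).
 * msb_first = 1: read the hex digits left to right (the naive mistake).
 * Stops at the first NUL byte. Returns the string length, or -1 when
 * `out` cannot hold the characters plus a terminator. */
static int decode(const uint32_t *words, size_t nwords,
                  char *out, size_t outsz, int msb_first)
{
    size_t len = 0;
    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < nwords; i++) {
        for (int k = 0; k < 4; k++) {
            int shift = 8 * (msb_first ? 3 - k : k);
            char c = (char)((words[i] >> shift) & 0xffu);
            if (c == '\0')
                goto done;          /* terminating NUL byte reached */
            if (len + 1 >= outsz)
                return -1;          /* no room for c plus the terminator */
            out[len++] = c;
        }
    }
done:
    out[len] = '\0';
    return (int)len;
}

int decode_dwords(const uint32_t *w, size_t n, char *out, size_t outsz)
{
    return decode(w, n, out, outsz, 0);
}

int decode_dwords_naive(const uint32_t *w, size_t n, char *out, size_t outsz)
{
    return decode(w, n, out, outsz, 1);
}

/* Inverse direction: the immediate a compiler emits to store the four
 * bytes s[4*i .. 4*i+3] as one little-endian dword. The caller must
 * guarantee that s holds at least 4*(i+1) bytes. */
uint32_t encode_dword(const char *s, size_t i)
{
    uint32_t v = 0;
    for (int b = 0; b < 4; b++)
        v |= (uint32_t)(unsigned char)s[4 * i + b] << (8 * b);
    return v;
}

/* Wrappers over the constructed sample so the results can be inspected. */
const char *decode_sample(void)
{
    static char buf[64];
    decode_dwords(SAMPLE_WORDS, NWORDS, buf, sizeof buf);
    return buf;
}

const char *decode_sample_naive(void)
{
    static char buf[64];
    decode_dwords_naive(SAMPLE_WORDS, NWORDS, buf, sizeof buf);
    return buf;
}

/* What decode_dwords reports for the sample given `outsz` bytes of output. */
int decode_sample_fits(size_t outsz)
{
    char buf[64];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return decode_dwords(SAMPLE_WORDS, NWORDS, buf, outsz);
}

int main(void)
{
    printf("little-endian (correct): %s\n", decode_sample());
    printf("hex digits as printed  : %s\n", decode_sample_naive());
    printf("\"abcd\" is stored as the immediate 0x%08x\n", encode_dword("abcd", 0));
    return 0;
}
```

Build with 'gcc -std=c99 -Wall -o decode decode.c' and compare the two output lines: the naive reading scrambles every group of four characters, which is exactly what happens if you paste the immediates into a web converter as printed. To use it on the real level, replace SAMPLE_WORDS with the eight values from your own pass listing plus the trailing 0x00.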
To wrap things up, run the following command (replacing the stars with the password of course):
./level01 *******
You should be taken to a new shell. Now, run id to check your permissions. You should get output similar to the following:
uid=1002(level2) gid=1001(level1) groups=1002(level2),1001(level1),1029(nosu)
You'll notice that your uid is now level2 rather than level1, while your gid is still level1: only the user id was raised. At this point you are effectively running as the level2 user. Even so, you aren't finished yet: you'll want to retrieve the password for this account so you can log in directly at a later date. Run this last command to do so:
cat ~/.pass
The spawned shell inherits its environment from your level1 login, so if '~' still expands to level1's home directory, use the explicit path to level2's home directory instead. Make sure to save the password so you can log in later!