Capture de Flags (CTF)

La verdad que esta imagen simplifica bastante, todo el tiempo invertido y esfuerzo realizado en algunos CTFs y retos por internet.

Source: http://infosuck.org/0x0042.png

One Dictionary to rule them all

Dictionaries:

http://packetstormsecurity.org/Crackers/wordlists/dictionaries/

http://www.openwall.com/wordlists/

USB 3.0

Desde la BackTrack, vemos cuanto tarda en copiar un archivo de 10 Gb, al USB 3.0 (montado en /mnt/copias/)

root@bt:~# dd if=/dev/zero of=10gb.img bs=1024 count=0 seek=$[1024*1024*10]
0+0 records in
0+0 records out
0 bytes (0 B) copied, 1.7244e-05 s, 0.0 kB/s

root@bt:~# dd if=/dev/zero of=10gb1.img bs=1024 count=$[1024*1024*10]
10485760+0 records in
10485760+0 records out
10737418240 bytes (11 GB) copied, 130.913 s, 82.0 MB/s

root@bt:~# ls -sh
total 11G
0 10gb.img  11G 10gb1.img

root@bt:~# ls -lh
total 11G
-rw-r--r-- 1 root root 10G Apr 10 18:24 10gb.img
-rw-r--r-- 1 root root 10G Apr 10 18:29 10gb1.img

root@bt:~# time cp 10gb1.img /mnt/copias/


real    8m58.659s
user    0m2.237s
sys     1m31.217s
root@bt:~#

root@bt:~# time cp 10gb.img /mnt/copias/

real    0m29.846s
user    0m6.753s
sys     0m23.035s
root@bt:~#          

root@bt:~# lspci | grep "USB 3.0"
04:00.0 USB Controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 03)
root@bt:~#

Ahora seria cuestion de ver por que uno ocupa espacio y tarda tanto y el otro "no ocupa espacio" y se hace la copia en muy poco tiempo.

Buscando por google, obtenemos la respuesta:

http://maarten.lippmann.us/?page_id=116

To create a 10GB sparse file which doesn't allocate any actual space (if the filesystem supports this feature):
dd if=/dev/zero of=sparsefile.img bs=1 seek=10G count=0

http://en.wikipedia.org/wiki/Sparse_file

http://www.flexhex.com/docs/articles/sparse-files.phtml

Sparse file

Penetration Testing - Vulnerable - ISO

Adjunto una relación de imagenes para penetration Testing, se pueden montar sobre VMWare o VirtualBox y practicar (Si veo mas las ire añadiendo):

Holynix:

http://pynstrom.net/index.php?page=holynix.php

Holynix is an Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
The object of the challenge v1 is to gain root level privileges and access to personal client information.
Register on the forums to receive an email update when a new challenge is released.

WackoPicko:

https://github.com/adamdoupe/WackoPicko

WackoPicko Vulnerable Website
WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners.

De-ICE:

http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.

Metasploitable:
http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image.

One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.

exploit.co.il Vulnerable Web App:
http://sourceforge.net/projects/exploitcoilvuln/

exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques This is a fully functional web site with a content management system based on fckeditor. You can download it as source code or a pre configured

Badstore:
http://www.badstore.net/

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.

Virtual Hacking Lab (pentoo):
http://sourceforge.net/projects/virtualhacking/

A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats.

PwnOS:
http://code.google.com/p/pwnos/

PwnOS is an operating system being written from the ground up to be ideal for making the most of resource-rich dedicated server systems.
The most significant section of the project is to create a core (kernel) that is designed to be best suited for servers (e.g. usually one process with many threads of varying priorities). Much (highly-regulated) assembly language and some C is used here to increase the performance and decrease bloat potential, (because to code this in assembly, it's ESSENTIAL to have excellent, lean code design).
Development of PwnOS will be switching to be done with PwnIDE once PwnIDE reaches version 0.2.4. Development so far has been done with RadASM and MASM32 for assembly, and Dev-C++ and MinGW for C/C++. Documentation is produced with Natural Docs. Custom linking is done with a utility called JLOC, and drive image writing is done with various utilities.

Damn Vulnerable Linux (DVL):

http://www.damnvulnerablelinux.org/

Damn Vulnerable Linux (DVL) is a Slackware and Slax-based live DVD. The distribution, purposefully stuffed with broken, ill-configured, outdated and exploitable software, began life as a training system used during the author's university lectures. Its primary goal is to design a Linux system that is as vulnerable as possible -- in order to teach and demonstrate a variety of security topics, including reverse code engineering, buffer overflows, shell code development, web exploitation, and SQL injection.

Damn Vulnerable Web App (DVWA):

http://www.dvwa.co.uk/

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Moth:

http://www.bonsai-sec.com/en/research/moth.php

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)

- Giving an introductory course to Web Application Security



Hacking-Lab:

http://media.hacking-lab.com/largefiles/livecd/
http://hacking-lab.com/Remote_Sec_Lab/livecd.html

This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote. A valid OpenVPN connection is required for accessing the Hacking-Lab server infrastructure. Do you feel like being a beta-tester? Yes? Please make yourself familiar with the the full beta-tester programm where you find everything required to start using Hacking-Lab Remote.

OWASP Broken Web Applications Project:

http://code.google.com/p/owaspbwa/

Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).

LAMPSecurity Training:

http://sourceforge.net/projects/lampsecurity/

LAMPSecurity training is designed to be a series of vunlerable virtual machine images along with complementary documentation designed to teach linux,apache,php,mysql security.

Web Security Dojo:

http://www.mavensecurity.com/web_security_dojo/

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo.

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Updated 12/06/2011

owasp-hackademic-challenges:

http://code.google.com/p/owasp-hackademic-challenges/

The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

They have been especially designed for use in a classroom environment where they have been proved a valuable educational tool. Using OWASP Hackademic Challenges project students have the chance to experience application security in a realistic environment, something that triggers their interest and provokes a lot of interesting discussions.

Hackxor:

http://hackxor.sourceforge.net/cgi-bin/index.pl

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

Features:
Client attack simulation using HtmlUnit; no alert('xss') here.
Smooth difficulty gradient from moderately easy to fiendishly tricky.
Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
Open ended play; progress by any means possible.

Updated 27/07/2011

Gruyere:

http://google-gruyere.appspot.com/

Want to beat the hackers at their own game?Learn how hackers find security vulnerabilities! Learn how hackers exploit web applications! Learn how to stop them!

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

Updated 28/07/2011

Sweet:

http://csis.pace.edu/~lchen/sweet/

SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.

Updated 15/05/2012

On Null Byte Poisoning and XPath Injection:

http://blog.spiderlabs.com/2012/01/on-null-byte-poisoning-and-xpath-injection.html

https://github.com/SpiderLabs/SQLol

http://github.com/SpiderLabs/XMLmao

From Spiderlabs Blog:

Recently I released a tool called XMLmao, a configurable testbed for learning to exploit XPath injection flaws, developing new attack techniques for XPath injection flaws or simulating real-world XPath injection scenarios, similar to SQLol. Among other features, it has challenge scenarios which give you a set of pre-configured options and an objective to complete. As of recently, I've begun to write tutorials for each challenge which will be distributed with their respective testbeds.

Updated 26/01/2014

bWAPP:

http://www.itsecgames.com/

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares to conduct successful penetration testing and ethical hacking projects.

What makes bWAPP so unique? Well, it has over 60 web vulnerabilities!
It covers all major known web bugs, including all risks from the OWASP Top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.

Download our What is bWAPP? introduction tutorial, including free exercises...

bWAPP is for educational purposes. Education, the most powerful weapon which we can use to change the world.
Have fun with this free and open source project!

Cheers, Malik Mesellem


Updated 30/08/2014
VULN HUB:
http://vulnhub.com/

Aim/Goal

To provide materials that allows anyone to gain practical 'hands-on' experience in digital security, computer application & network administration.

Brief History/Purpose

Before you can run, you need to be able to walk. You do so by learning the basics so you an gain of the theory.
Once you're up and walking, you need 'something' to run to (Something to aim for) & you need 'somewhere' that's padded with foam to run about in (so it doesn't matter if you fall over). This is where VulnHub comes in.

We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself.
Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.

Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them.
So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally)'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out.
When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.

We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.

You can watch someone else...
Then follow along at the same time...
Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)...
Finally you can start on an unknown source (black box testing)...
...and if you get stuck you can always ask for a nudge!

Updated 01/09/2014
Binary Auditing:
http://www.binary-auditing.com/

That's not an ISO, but very interesting to learn about reversing.

Learn the fundamentals of Binary Auditing. Know how HLL mapping works, get more inner file understanding than ever.

Try to solve brain teasing puzzles with our collection of copy protection games. Increasing difficulty and unseen strange tricks.

Learn how to find and analyse software vulnerability. Dig inside Buffer Overflows and learn how exploits can be prevented.

Start to analyse your first viruses and malware the safe way. Learn about simple tricks and how viruses look like using real life examples.

The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!

WHAT IS INSIDE...
Topic	Files
IDA Pro 5.0 (Free)	1
TOTAL	324
HLL Mapping 1 (NOT for training, only as reference!)	98
HLL Mapping 2 (Start here and convert them to C)	31
Manual Decompilation (Simple exercises)	10
Algorithm Analysis 1 (Simple math exercises)	3
Algorithm Analysis 2 (Simple math exercises)	6
Crash Auditing (more complicated, why crashing?)	10
File Understanding (Simple to hard Reversemes)	31
Copy Protection Auditing (Simple to very hard)	47
Unpacking (Simple exercises)	3
Vulnerability Auditing (Simple to intermediate)	38
Malware Auditing 1 (Simple old .com/.exe exercises)	41
Malware Auditing 2 (Some fakes for analysis)	4
Malware Auditing 3 (Simple win32 analysis)	1

Life of Binaries:
http://opensecuritytraining.info/LifeOfBinaries

Same as before, not ISO, but excellent to learn about Asm, Reverse and Exploit.

Topics include but are not limited to:

•Scanning and tokenizing source code.

•Parsing a grammar.

•Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).

•Linking object files together to create a well-formed binary.

•Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:

•Using the new “Binary Scavenger Hunt” tool which creates randomized PE binaries and asks randomized questions about the material you just learned!

•Manipulating compiler options to change the type of assembly which is output

•Manipulating linker options to change the structure of binary formats

•Reading and understanding PE files with PEView

•Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•Using WinDbg and/or GDB to watch the loader dynamically link an executable

•Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism

•Creating a simple example virus for PE

•Analyze the changes made to the binary format when a file is packed with UPX

•Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering.

A student Q&A forum has been set up at http://www.reddit.com/r/OST_LifeOfBinaries.

(updated 10/01/2017)

Vulnerability and Attack Labs

http://www.cis.syr.edu/~wedu/seed/all_labs.html

People learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a "seemly-benign" mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing.

(1) Software in general

• Shellshock Vulnerability Lab (

new): exploit Bash's Shellshock vulnerability

Set-UID Program Vulnerability Lab: exploit the vulnerabilities of the privileged Set-UID programs. (

Survey Results)

• For Ubuntu9.11 VM
• For Ubuntu11.04 and Ubuntu12.04 VMs
1. Buffer Overflow Vulnerability Lab: exploit the buffer overflow vulnerability using the shell-code approach. (Survey Results)

• For Ubuntu9.11 VM
• For Ubuntu11.04 VM
• For Ubuntu12.04 VM

Return-to-libc Attack Lab: exploit the buffer-overflow vulnerabilities using the return-to-libc attack. (Survey Results)

Format String Vulnerability Lab: exploit the format string vulnerability. (Survey Results)

Race Condition Vulnerability Lab: exploit the race condition vulnerability. (Survey Results)

• For Ubuntu9.11 VM
• For Ubuntu11.04 and Ubuntu12.04 VMs

Chroot Sandbox Vulnerability Lab: explore how the chroot sandbox can be broken. (Survey Results)

(2) Network Protocols

8. TCP/IP Attack Lab: exploit the vulnerabilities of the TCP/IP protocols. (Survey Results)

DNS Pharming Attack Lab: exploit the vulnerabilities of the DNS protocol to launch Pharming attacks. (Survey Results)

(3) Web Applications

The following labs need to use the Ubuntu9.11 VM:
10. Cross-site Scripting Attack Lab on PhpBB: exploiting cross-site scripting vulnerabilities. (Survey Results)

Cross-site Request Forgery Attack Lab on PhpBB: exploiting cross-site request forgery vulnerabilities. (Survey Results)

SQL Injection Attack Lab on PhpBB: experience the SQL-Injection attacks. (Survey Results)

ClickJacking Attack Lab: experience the ClickJacking attacks.

The following labs need to use the Ubuntu11.04 or Ubuntu12.04 VM:
14. Cross-site Scripting Attack Lab on Collabtive: exploiting cross-site scripting vulnerabilities.

Cross-site Request Forgery Attack Lab on Collabtive: exploiting cross-site request forgery vulnerabilities.

SQL Injection Attack Lab on Collabtive: experience the SQL-Injection attacks.

---

Design/Implementation Labs

The objective of the design/implementation labs is to provide students with opportunities to apply security principles in designing and implementingsystems. They help students achieve learning by system development.

(1) Networking

17. Linux Firewall Lab: implement a simple firewall (called "miniFirewall") for Linux. This lab involves Loadable Kernel Module and Netfilter. (Survey Results)

Minix Firewall Lab implement a simple firewall (called "miniFirewall") for Minix. (Survey Results)

IPSec Lab: implement a simplified IPSec protocol (called "miniIPSec") for Minix (a comprehensive project). (Survey Results)

Virtual Private Network (VPN) Lab: implement a simple VPN (called "miniVPN") in Linux (a comprehensive project). Unlike IPSec-based VPNs, this lab does not need to modify the Linux kernel. All the implementations are in the user space. This lab involves encryption, hash, public key certificates, SSL, and network tunneling techniques (TUN/TAP). (Survey Results)

(2) System

20. Role-Based Access Control (RBAC) Lab design and implement an integrated access control system for Minix that uses both capability-based and role-based access control mechanisms. Students need to modify Minix kernel to implement both capability and RBAC (this is a comprehensive project for access control). (Survey Results)

Capability Lab: design and implement a capability-based access control system for Minix (this is a comprehensive project).

Encrypted File System Lab: design and implement an encrypted file system for Minix (a comprehensive project).

Set-RandomUID Lab: design and implement a simple sandbox for Minix.

Address Space Layout Randomization (ASLR) Lab randomize stack and heap in Minix to improve security.

---

Exploration Labs

The objective of the exploration labs is two-fold: the first is to enhance students' learning via observation, playing and exploration, so they can see what security principles ``feel'' like in a real system; the second objective is to provide students with opportunities to apply security principles in analyzing and evaluating systems. The exploration labs provide a feasible means by which the students have "a direct encounter with the phenomena being studied rather than merely thinking about the encounter, or only considering the possibility of doing something about it".

25. Linux Firewall Exploration Lab: This is the redesign of the Linux Firewall Design/Implementation Lab. The focus is shifted from programming to exploration. Students will explore various firewall-related technologies, such as netfilter, web proxy, URL rewriting, and using SSH tunnels to evade egress filtering.

Packet Sniffing and Spoofing Lab: explore how sniffing and spoofing tools are implemented. (Survey Results)

Linux Capability Exploration Lab: explore the capability-based access control in Linux. (Survey Results)

• For Ubuntu9.11 VM
• For Ubuntu11.04 and Ubuntu12.04 VMs

Web Browser Access Control Lab: explore the Same-Origin Access Control Policy in web browsers. (Survey Results)

• For Ubuntu9.11 VM
• For Ubuntu11.04 and Ubuntu12.04 VM

Crypto Lab I -- Secret-Key Encryption : explore secret-key encryption and its applications using OpenSSL. (Survey Results)

Crypto Lab II -- One-Way Hash Function: explore one-way hash function and its applications using OpenSSL. (Survey Results)

Crypto Lab III -- Public-Key Cryptography and PKI: explore public-key cryptography, digital signature, certificate, and PKI using OpenSSL.

Pluggable Authentication Modules (PAM) Lab: explore a flexible authentication technique.

SYN Cookies Lab: explore the SYN Cookies mechanism in Linux.

(updated 14/01/2017)

The Lord of Buffer Overflow (Redhat 6.2)

http://hackerschool.org/TheLordofBOF/TheLordOfTheBOF_redhat_bootable.zip (136 MB)

LEVEL1 (gate -> gremlin) : simple bof
LEVEL2 (gremlin -> cobolt) : small buffer
LEVEL3 (cobolt -> goblin) : small buffer + stdin
LEVEL4 (goblin -> orc) : egghunter
LEVEL5 (orc -> wolfman) : egghunter + bufferhunter
LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter
LEVEL7 (darkelf -> orge) : check argv[0]
LEVEL8 (orge -> troll) : check argc
LEVEL9 (troll -> vampire) : check 0xbfff
LEVEL10 (vampire -> skeleton) : argv hunter
LEVEL11 (skeleton -> golem) : stack destroyer
LEVEL12 (golem -> darkknight) : sfp
LEVEL13 (darkknight -> bugbear) : RTL1
LEVEL14 (bugbear -> giant) : RTL2, only execve
LEVEL15 (giant -> assassin) : no stack, no RTL
LEVEL16 (assassin -> zombie_assassin) : fake ebp
LEVEL17 (zombie_assassin -> succubus) : function calls
LEVEL18 (succubus -> nightmare) : plt
LEVEL19 (nightmare -> xavis) : fgets + destroyers
LEVEL20 (xavis -> death_knight) : remote BOF

[Ref --> http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Notice&no=1170881885]

The Lord of Buffer Overflow (Fedora)

http://hackerschool.org/TheLordofBOF/VM_FC3.zip (521 MB)

http://hackerschool.org/TheLordofBOF/VM_FC4.zip (354 MB)

http://hackerschool.org/TheLordofBOF/VM_Fedora10.rar (589 MB)

http://hackerschool.org/TheLordofBOF/VM_Fedora14.rar   (658 MB)

[FC 3]
Stack Dummy : O
Down privileage of bash : O
Random Stack : O
Random Library : X
Random Program Binary Mapped : X
ASCII Armor : O
Non-Executable Stack : O
Non-Executable Heap : O
Stack Carany : X
Stack Smashing Protector : X

Levels:
gate -> iron_golem : Fake_SFP + Ascii Armor
iron_golem -> dark_eyes : RET Sleding
dark_eyes -> hell_fire : another fake_ebp or got overwriting
hell_fire -> evil_wizard : POP POP RET
evil_wizard -> dark_stone : POP POP RET / Remote

[FC 4]
dark_stone -> cruel : Local BOF on FC4
cruel -> enigma : Remote BOF on FC4
enigma -> titan : Remote BOF on FC4

[FC 10]
* level1 (titan -> balog)
* level2 (balog -> talos)
* level3 (talos -> dark_mare)

[FC 14]
* level1 (dark_mare -> stegodon)
* level2 (stegodon -> blood_seeker)

[Ref - http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship_2round&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=4]

Python Challenge

Bastante recomendado para practicar retos de programacion en python, a traves del cual, una vez solucionado los distintos niveles, puedes ver la solucion en distintos lenguajes como python, perl, bash, java, c, etc.

La verdad que ayuda bastante hacer este reto porque ayuda en la resolucion de otros, y tambien da soltura en el uso del lenguaje python.

http://www.pythonchallenge.com/

Updated 29-03-2011

Algunos ebooks gratis, y sitios para aprender python:

1. Learn Python the Hard Way
2. A Byte of Python
3. The Python Tutorial
4. Python Programming

Sources Interesantes

Algunos sources que pueden resultar interesantes para su uso en retos/wargames/ctf:

The Way of Binary Copy without Permission:

aliggo

Otra herramienta curiosa es la que nos presenta Albert Sellarès, (whats):

This is a tool to dump a process to an executable ELF file to execute it.

http://www.wekk.net/skpd/

https://www.wekk.net/code/attachments/download/1/skpd.tar.gz

Shared Library Hijacking For Playing Wargames

GDB Reference Card - Hacking GDB

Otros retos shell

Otros retos a traves de shell para practicar:
http://intruded.net/leviathan.html
http://intruded.net/narnia.html
http://intruded.net/behemoth.html
http://intruded.net/utumno.html
http://intruded.net/maze.html
http://intruded.net/manpage.html

http://io.smashthestack.org:84/
http://blowfish.smashthestack.org:81/
http://apfel.smashthestack.org:83/
http://tux.smashthestack.org:86/
http://blackbox.smashthestack.org:85/

http://www.overthewire.org/wargames/vortex/
http://www.overthewire.org/wargames/semtex/
http://www.overthewire.org/wargames/blacksun/
http://www.overthewire.org/wargames/drifter/
http://www.overthewire.org/wargames/krypton/

http://invi.phpnet.us/ <--- Source de ExploitMe y SQLi (Hackit)

http://www.felinemenace.org/~mercy/ <--- Buenos source para practicar

http://community.corest.com/~gera/InsecureProgramming/

http://luna.sc/security-badulake/created-hackit-contests/ <-- dreyer was here :)

http://gulcas.linux.es/?q=hackit <-- Sources del Hackit de la iparty 8 de aditel

http://back2hack.cc/forumdisplay.php?fid=249&page=1 <-- sources para practicar

http://www.shell-storm.org/smashme/

http://hack.thebackupbox.net/

http://www.hackerschool.org --> ssh level1@ftz.hackerschool.org pass: level1
telnet ftz.hackerschool.org
http://w3challs.com/challenges/challenge59 <--- Registrarse y ya ssh con user basic1

http://www.root-me.org <-- 3 retos, shell, binary y rbinary (remote binary)

Updated 30-03-2011:

https://github.com/mabj/ctf_ucon2 <-- Capture The Flag uCon 2009 de Marcos Álvares

http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz <-- Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.

Updated 14-12-2011:

http://exploit-exercises.com/   <--  Linux exploiting from source with Virtual Machine, 3 kind of challenges Nebula - Protostar - Fusion

Updated 23-09-2012:

https://sm0k.org/dojo/vanilla.php <-- Over ssh (ssh vanilla1@vanilladome.sm0k.org -p 13722 pass: vanilla1)  with levels that you must exploit to bypass to the next.

Updated 01-09-2014:

http://pwnable.kr/ <-- We provide various pwn challenges regarding system security. If you succeed to 'pwn' a task, you will be able to read the 'flag' file which contains a secret message. Once you authenticate the flag, you can get the corresponding point. If you are good at system hacking, these tasks would be just a bunch of fun games - enjoy :)

Solucion - Linux - cyrex's Linux Crackme 02

http://www.crackmes.de/users/cyrex/linux_crackme_02/

$ wget http://www.crackmes.de/users/cyrex/linux_crackme_02/download
--2011-01-04 17:41:08-- http://www.crackmes.de/users/cyrex/linux_crackme_02/download
Resolviendo www.crackmes.de... 88.198.55.82
Conectando a www.crackmes.de|88.198.55.82|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2199 (2,1K) [application/tgz]
Guardando en: «download»

100%[============================================================================================================>] 2.199 --.-K/s en 0,004s

2011-01-04 17:41:15 (558 KB/s) - «download» guardado [2199/2199]

$ file download
download: gzip compressed data, from Unix, last modified: Wed Feb 23 23:36:55 2005
$ mv download crackme_02.tgz
$ tar xvzf crackme_02.tgz
crackme

$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password     ]-
-[ Enter Password: asdf
-[ Entered Password: asdf
-[ Checking Stage 1 Now.....
-[ Game Over

$ strings crackme
/lib/ld-linux.so.2
libc.so.6
printf
__deregister_frame_info
ptrace
strcmp
scanf
exit
fopen
_IO_stdin_used
__libc_start_main
__register_frame_info
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
QVh
[^_]
Are you trying to Debug me?
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password     ]-
-[ Enter Password:
-[ Entered Password: %s
-[ Checking Stage 1 Now.....
7gb5fjf8v4bg8fb34f
-[ Stage 1 Cleared
-[ Game Over
-[ Checking Stage 2 Now....
/tmp/crackme_89nfnjfiefheufeue
-[ Bad did you forgot something?
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru

$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password     ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ Bad did you forgot something?
$ touch /tmp/crackme_89nfnjfiefheufeue
$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password     ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru
$

###########################################################

Veamoslo con el GDB y objdump:

$ objdump -d crackme

crackme:     file format elf32-i386

...
... (omitido no importante) ...

Disassembly of section .text:

08048440 <.text>:
8048440: 31 ed                 xor    %ebp,%ebp
8048442: 5e                    pop    %esi
8048443: 89 e1                 mov    %esp,%ecx
8048445: 83 e4 f0              and    $0xfffffff0,%esp
8048448: 50                    push   %eax
8048449: 54                    push   %esp
804844a: 52                    push   %edx
804844b: 68 00 87 04 08        push   $0x8048700
8048450: 68 a0 86 04 08        push   $0x80486a0
8048455: 51                    push   %ecx
8048456: 56                    push   %esi
8048457: 68 20 85 04 08        push   $0x8048520
804845c: e8 9f ff ff ff        call   8048400 <__libc_start_main@plt>
8048461: f4                    hlt
8048462: 90                    nop
8048463: 90                    nop
8048464: 55                    push   %ebp
8048465: 89 e5                 mov    %esp,%ebp
8048467: 53                    push   %ebx
8048468: e8 00 00 00 00        call   804846d 
804846d: 5b                    pop    %ebx
804846e: 81 c3 6b 16 00 00     add    $0x166b,%ebx
8048474: 50                    push   %eax
8048475: 8b 83 30 00 00 00     mov    0x30(%ebx),%eax
804847b: 85 c0                 test   %eax,%eax
804847d: 74 02                 je     8048481 
804847f: ff d0                 call   *%eax
8048481: 8b 5d fc              mov    -0x4(%ebp),%ebx
8048484: c9                    leave
8048485: c3                    ret
8048486: 90                    nop
8048487: 90                    nop
8048488: 90                    nop
8048489: 90                    nop
804848a: 90                    nop
804848b: 90                    nop
804848c: 90                    nop
804848d: 90                    nop
804848e: 90                    nop
804848f: 90                    nop
8048490: 55                    push   %ebp
8048491: 89 e5                 mov    %esp,%ebp
8048493: 83 ec 08              sub    $0x8,%esp
8048496: 83 3d f8 99 04 08 00  cmpl   $0x0,0x80499f8
804849d: 75 3e                 jne    80484dd 
804849f: eb 12                 jmp    80484b3 
80484a1: a1 f4 99 04 08        mov    0x80499f4,%eax
80484a6: 8d 50 04              lea    0x4(%eax),%edx
80484a9: 89 15 f4 99 04 08     mov    %edx,0x80499f4
80484af: 8b 00                 mov    (%eax),%eax
80484b1: ff d0                 call   *%eax
80484b3: a1 f4 99 04 08        mov    0x80499f4,%eax
80484b8: 83 38 00              cmpl   $0x0,(%eax)
80484bb: 75 e4                 jne    80484a1 
80484bd: b8 e0 83 04 08        mov    $0x80483e0,%eax
80484c2: 85 c0                 test   %eax,%eax
80484c4: 74 0d                 je     80484d3 
80484c6: 83 c4 f4              add    $0xfffffff4,%esp
80484c9: 68 fc 99 04 08        push   $0x80499fc
80484ce: e8 0d ff ff ff        call   80483e0 <__deregister_frame_info@plt>
80484d3: c7 05 f8 99 04 08 01  movl   $0x1,0x80499f8
80484da: 00 00 00
80484dd: c9                    leave
80484de: c3                    ret
80484df: 90                    nop
80484e0: 55                    push   %ebp
80484e1: 89 e5                 mov    %esp,%ebp
80484e3: 83 ec 08              sub    $0x8,%esp
80484e6: c9                    leave
80484e7: c3                    ret
80484e8: 55                    push   %ebp
80484e9: 89 e5                 mov    %esp,%ebp
80484eb: 83 ec 08              sub    $0x8,%esp
80484ee: b8 b0 83 04 08        mov    $0x80483b0,%eax
80484f3: 85 c0                 test   %eax,%eax
80484f5: 74 12                 je     8048509 
80484f7: 83 c4 f8              add    $0xfffffff8,%esp
80484fa: 68 0c 9b 04 08        push   $0x8049b0c
80484ff: 68 fc 99 04 08        push   $0x80499fc
8048504: e8 a7 fe ff ff        call   80483b0 <__register_frame_info@plt>
8048509: c9                    leave
804850a: c3                    ret
804850b: 90                    nop
804850c: 55                    push   %ebp
804850d: 89 e5                 mov    %esp,%ebp
804850f: 83 ec 08              sub    $0x8,%esp
8048512: c9                    leave
8048513: c3                    ret
8048514: 8d b6 00 00 00 00     lea    0x0(%esi),%esi
804851a: 8d bf 00 00 00 00     lea    0x0(%edi),%edi
8048520: 55                    push   %ebp
8048521: 89 e5                 mov    %esp,%ebp
8048523: 81 ec 18 04 00 00     sub    $0x418,%esp
8048529: 6a 00                 push   $0x0
804852b: 6a 01                 push   $0x1
804852d: 6a 00                 push   $0x0
804852f: 6a 00                 push   $0x0
8048531: e8 ba fe ff ff        call   80483f0 
8048536: 83 c4 10              add    $0x10,%esp
8048539: 89 c0                 mov    %eax,%eax
804853b: 85 c0                 test   %eax,%eax
804853d: 7d 21                 jge    8048560 
804853f: 83 c4 f4              add    $0xfffffff4,%esp
8048542: 68 e0 87 04 08        push   $0x80487e0
8048547: e8 c4 fe ff ff        call   8048410 
804854c: 83 c4 10              add    $0x10,%esp
804854f: b8 01 00 00 00        mov    $0x1,%eax
8048554: e9 37 01 00 00        jmp    8048690 
8048559: 8d b4 26 00 00 00 00  lea    0x0(%esi,%eiz,1),%esi
8048560: 83 c4 f4              add    $0xfffffff4,%esp
8048563: 68 00 88 04 08        push   $0x8048800
8048568: e8 a3 fe ff ff        call   8048410 
804856d: 83 c4 10              add    $0x10,%esp
8048570: 83 c4 f4              add    $0xfffffff4,%esp
8048573: 68 40 88 04 08        push   $0x8048840
8048578: e8 93 fe ff ff        call   8048410 
804857d: 83 c4 10              add    $0x10,%esp
8048580: 83 c4 f4              add    $0xfffffff4,%esp
8048583: 68 68 88 04 08        push   $0x8048868
8048588: e8 83 fe ff ff        call   8048410 
804858d: 83 c4 10              add    $0x10,%esp
8048590: 83 c4 f8              add    $0xfffffff8,%esp
8048593: 8d 85 00 fc ff ff     lea    -0x400(%ebp),%eax
8048599: 50                    push   %eax
804859a: 68 7c 88 04 08        push   $0x804887c
804859f: e8 2c fe ff ff        call   80483d0 
80485a4: 83 c4 10              add    $0x10,%esp
80485a7: 83 c4 f8              add    $0xfffffff8,%esp
80485aa: 8d 85 00 fc ff ff     lea    -0x400(%ebp),%eax
80485b0: 50                    push   %eax
80485b1: 68 7f 88 04 08        push   $0x804887f
80485b6: e8 55 fe ff ff        call   8048410 
80485bb: 83 c4 10              add    $0x10,%esp
80485be: 83 c4 f4              add    $0xfffffff4,%esp
80485c1: 68 98 88 04 08        push   $0x8048898
80485c6: e8 45 fe ff ff        call   8048410 
80485cb: 83 c4 10              add    $0x10,%esp
80485ce: 83 c4 f8              add    $0xfffffff8,%esp
80485d1: 68 b6 88 04 08        push   $0x80488b6
80485d6: 8d 85 00 fc ff ff     lea    -0x400(%ebp),%eax
80485dc: 50                    push   %eax
80485dd: e8 de fd ff ff        call   80483c0 
80485e2: 83 c4 10              add    $0x10,%esp
80485e5: 89 c0                 mov    %eax,%eax
80485e7: 85 c0                 test   %eax,%eax
80485e9: 75 15                 jne    8048600 
80485eb: 83 c4 f4              add    $0xfffffff4,%esp
80485ee: 68 c9 88 04 08        push   $0x80488c9
80485f3: e8 18 fe ff ff        call   8048410 
80485f8: 83 c4 10              add    $0x10,%esp
80485fb: eb 17                 jmp    8048614 
80485fd: 8d 76 00              lea    0x0(%esi),%esi
8048600: 83 c4 f4              add    $0xfffffff4,%esp
8048603: 68 dd 88 04 08        push   $0x80488dd
8048608: e8 03 fe ff ff        call   8048410 
804860d: 83 c4 10              add    $0x10,%esp
8048610: 31 c0                 xor    %eax,%eax
8048612: eb 7c                 jmp    8048690 
8048614: 83 c4 f4              add    $0xfffffff4,%esp
8048617: 68 eb 88 04 08        push   $0x80488eb
804861c: e8 ef fd ff ff        call   8048410 
8048621: 83 c4 10              add    $0x10,%esp
8048624: 83 c4 f8              add    $0xfffffff8,%esp
8048627: 68 08 89 04 08        push   $0x8048908
804862c: 68 20 89 04 08        push   $0x8048920
8048631: e8 fa fd ff ff        call   8048430 
8048636: 83 c4 10              add    $0x10,%esp
8048639: 89 c0                 mov    %eax,%eax
804863b: 89 85 fc fb ff ff     mov    %eax,-0x404(%ebp)
8048641: 83 bd fc fb ff ff 00  cmpl   $0x0,-0x404(%ebp)
8048648: 75 1d                 jne    8048667 
804864a: 83 c4 f4              add    $0xfffffff4,%esp
804864d: 68 40 89 04 08        push   $0x8048940
8048652: e8 b9 fd ff ff        call   8048410 
8048657: 83 c4 10              add    $0x10,%esp
804865a: 83 c4 f4              add    $0xfffffff4,%esp
804865d: 6a 00                 push   $0x0
804865f: e8 bc fd ff ff        call   8048420 
8048664: 83 c4 10              add    $0x10,%esp
8048667: 83 c4 f4              add    $0xfffffff4,%esp
804866a: 68 80 89 04 08        push   $0x8048980
804866f: e8 9c fd ff ff        call   8048410 
8048674: 83 c4 10              add    $0x10,%esp
8048677: 83 c4 f4              add    $0xfffffff4,%esp
804867a: 68 c0 89 04 08        push   $0x80489c0
804867f: e8 8c fd ff ff        call   8048410 
8048684: 83 c4 10              add    $0x10,%esp
8048687: 31 c0                 xor    %eax,%eax
8048689: eb 05                 jmp    8048690 
804868b: 90                    nop
804868c: 8d 74 26 00           lea    0x0(%esi,%eiz,1),%esi
8048690: c9                    leave
8048691: c3                    ret
8048692: 90                    nop
8048693: 90                    nop
8048694: 90                    nop
8048695: 90                    nop
8048696: 90                    nop
8048697: 90                    nop
8048698: 90                    nop
8048699: 90                    nop
804869a: 90                    nop
804869b: 90                    nop
804869c: 90                    nop
804869d: 90                    nop
804869e: 90                    nop
804869f: 90                    nop
80486a0: 55                    push   %ebp
80486a1: 89 e5                 mov    %esp,%ebp
80486a3: 57                    push   %edi
80486a4: 56                    push   %esi
80486a5: 31 f6                 xor    %esi,%esi
80486a7: 53                    push   %ebx
80486a8: 83 ec 0c              sub    $0xc,%esp
80486ab: e8 a0 00 00 00        call   8048750 
80486b0: 81 c3 28 14 00 00     add    $0x1428,%ebx
80486b6: e8 cd fc ff ff        call   8048388 <__register_frame_info@plt-0x28>
80486bb: 8d 93 14 ff ff ff     lea    -0xec(%ebx),%edx
80486c1: 8d 83 14 ff ff ff     lea    -0xec(%ebx),%eax
80486c7: 29 c2                 sub    %eax,%edx
80486c9: c1 fa 02              sar    $0x2,%edx
80486cc: 39 d6                 cmp    %edx,%esi
80486ce: 73 1c                 jae    80486ec 
80486d0: 89 d7                 mov    %edx,%edi
80486d2: 8d b4 26 00 00 00 00  lea    0x0(%esi,%eiz,1),%esi
80486d9: 8d bc 27 00 00 00 00  lea    0x0(%edi,%eiz,1),%edi
80486e0: ff 94 b3 14 ff ff ff  call   *-0xec(%ebx,%esi,4)
80486e7: 46                    inc    %esi
80486e8: 39 fe                 cmp    %edi,%esi
80486ea: 72 f4                 jb     80486e0 
80486ec: 83 c4 0c              add    $0xc,%esp
80486ef: 5b                    pop    %ebx
80486f0: 5e                    pop    %esi
80486f1: 5f                    pop    %edi
80486f2: 5d                    pop    %ebp
80486f3: c3                    ret
80486f4: 8d b6 00 00 00 00     lea    0x0(%esi),%esi
80486fa: 8d bf 00 00 00 00     lea    0x0(%edi),%edi
8048700: 55                    push   %ebp
8048701: 89 e5                 mov    %esp,%ebp
8048703: 83 ec 08              sub    $0x8,%esp
8048706: 89 1c 24              mov    %ebx,(%esp)
8048709: e8 42 00 00 00        call   8048750 
804870e: 81 c3 ca 13 00 00     add    $0x13ca,%ebx
8048714: 89 74 24 04           mov    %esi,0x4(%esp)
8048718: 8d 83 14 ff ff ff     lea    -0xec(%ebx),%eax
804871e: 8d 93 14 ff ff ff     lea    -0xec(%ebx),%edx
8048724: 29 d0                 sub    %edx,%eax
8048726: c1 f8 02              sar    $0x2,%eax
8048729: 85 c0                 test   %eax,%eax
804872b: 8d 70 ff              lea    -0x1(%eax),%esi
804872e: 75 10                 jne    8048740 
8048730: e8 5b 00 00 00        call   8048790 
8048735: 8b 1c 24              mov    (%esp),%ebx
8048738: 8b 74 24 04           mov    0x4(%esp),%esi
804873c: 89 ec                 mov    %ebp,%esp
804873e: 5d                    pop    %ebp
804873f: c3                    ret
8048740: ff 94 b3 14 ff ff ff  call   *-0xec(%ebx,%esi,4)
8048747: 89 f0                 mov    %esi,%eax
8048749: 4e                    dec    %esi
804874a: 85 c0                 test   %eax,%eax
804874c: 75 f2                 jne    8048740 
804874e: eb e0                 jmp    8048730 
8048750: 8b 1c 24              mov    (%esp),%ebx
8048753: c3                    ret
8048754: 90                    nop
8048755: 90                    nop
8048756: 90                    nop
8048757: 90                    nop
8048758: 90                    nop
8048759: 90                    nop
804875a: 90                    nop
804875b: 90                    nop
804875c: 90                    nop
804875d: 90                    nop
804875e: 90                    nop
804875f: 90                    nop
8048760: 55                    push   %ebp
8048761: 89 e5                 mov    %esp,%ebp
8048763: 83 ec 14              sub    $0x14,%esp
8048766: 53                    push   %ebx
8048767: bb c8 9a 04 08        mov    $0x8049ac8,%ebx
804876c: 83 3d c8 9a 04 08 ff  cmpl   $0xffffffff,0x8049ac8
8048773: 74 0c                 je     8048781 
8048775: 8b 03                 mov    (%ebx),%eax
8048777: ff d0                 call   *%eax
8048779: 83 c3 fc              add    $0xfffffffc,%ebx
804877c: 83 3b ff              cmpl   $0xffffffff,(%ebx)
804877f: 75 f4                 jne    8048775 
8048781: 5b                    pop    %ebx
8048782: c9                    leave
8048783: c3                    ret
8048784: 55                    push   %ebp
8048785: 89 e5                 mov    %esp,%ebp
8048787: 83 ec 08              sub    $0x8,%esp
804878a: c9                    leave
804878b: c3                    ret
804878c: 8d 74 26 00           lea    0x0(%esi,%eiz,1),%esi

Algunas strings con gdb:

$ gdb ./crackme
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".

(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme
Are you trying to Debug me?

Program exited with code 01. 
(gdb) x/s 0x80487e0
0x80487e0:  "Are you trying to Debug me?\n"

El programa usa ptrace para ver si el programa esta siendo traceado o debugeado, cambiamos un simple jump y ya nos saltamos esa proteccion.

$ cmp -b crackme crackme_parcheado
crackme crackme_parcheado son distintos: el byte 1342, en la línea 3 es 175 } 176 ~

$ objdump -d crackme | grep 804853d
804853d: 7d 21                 jge    8048560 

$ objdump -d crackme_parcheado | grep 804853d
804853d: 7e 21                 jle    8048560 


$ gdb ./crackme_parcheado
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".

(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_parcheado
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password     ]-
-[ Enter Password: aaa
-[ Entered Password: aaa
-[ Checking Stage 1 Now.....
-[ Game Over

Program exited normally.
(gdb)

##########################################################

Usando ltrace:

$ ltrace ./crackme
__libc_start_main(0x8048520, 1, 0xbf8d5c64, 0x80486a0, 0x8048700 
__register_frame_info(0x80499fc, 0x8049b0c, 0xb773ece0, 0xb773dff4, 0xbf8d5c64)             = 0x80499fc
ptrace(0, 0, 1, 0, 4)                                                                       = -1
printf("Are you trying to Debug me?\n"Are you trying to Debug me?
)                                                     = 28
__deregister_frame_info(0x80499fc, 3, 0xbf8d5b00, 4, 0x80482a4)                             = 0
+++ exited (status 1) +++

$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfc384f4, 0x80486a0, 0x8048700 
__register_frame_info(0x80499fc, 0x8049b0c, 0xb787fce0, 0xb787eff4, 0xbfc384f4)             = 0x80499fc
ptrace(0, 0, 1, 0, 4)                                                                       = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
)                                               = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password     ]-
)                                               = 39
printf("-[ Enter Password: ")                                                               = 19
scanf(0x804887c, 0xbfc38048, 1, 0, 4-[ Enter Password: aaa
)                                                       = 1
printf("-[ Entered Password: %s\n", "aaa"-[ Entered Password: aaa
)                                                  = 25
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
)                                                    = 29
strcmp("aaa", "7gb5fjf8v4bg8fb34f")                                                         = 1
printf("-[ Game Over\n"-[ Game Over
)                                                                    = 13
__deregister_frame_info(0x80499fc, 3, 0xbfc38390, 4, 0x80482a4)                             = 0
+++ exited (status 0) +++

y metiendo el serial de la primera parte vemos que intenta abrir el archivo "/tmp/crackme_89nfnjfiefheufeue" en la segunda parte:

$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfdb0c04, 0x80486a0, 0x8048700 
__register_frame_info(0x80499fc, 0x8049b0c, 0xb7764ce0, 0xb7763ff4, 0xbfdb0c04)             = 0x80499fc
ptrace(0, 0, 1, 0, 4)                                                                       = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
)                                               = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password     ]-
)                                               = 39
printf("-[ Enter Password: ")                                                               = 19
scanf(0x804887c, 0xbfdb0758, 1, 0, 4-[ Enter Password: 7gb5fjf8v4bg8fb34f
)                                                       = 1
printf("-[ Entered Password: %s\n", "7gb5fjf8v4bg8fb34f"-[ Entered Password: 7gb5fjf8v4bg8fb34f
)                                   = 40
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
)                                                    = 29
strcmp("7gb5fjf8v4bg8fb34f", "7gb5fjf8v4bg8fb34f")                                          = 0
printf("-[ Stage 1 Cleared\n"-[ Stage 1 Cleared
)                                                              = 19
printf("-[ Checking Stage 2 Now....\n"-[ Checking Stage 2 Now....
)                                                     = 28
fopen("/tmp/crackme_89nfnjfiefheufeue", "r")                                                = 0
printf("-[ Bad did you forgot something?"...-[ Bad did you forgot something?
)                                               = 33
exit(0 
__deregister_frame_info(0x80499fc, 3, 0xbfdb0670, 4, 0xb7783b28)                            = 0
+++ exited (status 0) +++