miércoles, 12 de octubre de 2011

Capture de Flags (CTF)

La verdad que esta imagen simplifica bastante, todo el tiempo invertido y esfuerzo realizado en algunos CTFs y retos por internet.

Source: http://infosuck.org/0x0042.png

domingo, 10 de abril de 2011

USB 3.0

Desde la BackTrack, vemos cuanto tarda en copiar un archivo de 10 Gb, al USB 3.0 (montado en /mnt/copias/)

root@bt:~# dd if=/dev/zero of=10gb.img bs=1024 count=0 seek=$[1024*1024*10]
0+0 records in
0+0 records out
0 bytes (0 B) copied, 1.7244e-05 s, 0.0 kB/s

root@bt:~# dd if=/dev/zero of=10gb1.img bs=1024 count=$[1024*1024*10]
10485760+0 records in
10485760+0 records out
10737418240 bytes (11 GB) copied, 130.913 s, 82.0 MB/s

root@bt:~# ls -sh
total 11G
0 10gb.img 11G 10gb1.img

root@bt:~# ls -lh
total 11G
-rw-r--r-- 1 root root 10G Apr 10 18:24 10gb.img
-rw-r--r-- 1 root root 10G Apr 10 18:29 10gb1.img

root@bt:~# time cp 10gb1.img /mnt/copias/

real 8m58.659s
user 0m2.237s
sys 1m31.217s

root@bt:~# time cp 10gb.img /mnt/copias/

real 0m29.846s
user 0m6.753s
sys 0m23.035s

root@bt:~# lspci | grep "USB 3.0"
04:00.0 USB Controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 03)

Ahora seria cuestion de ver por que uno ocupa espacio y tarda tanto y el otro "no ocupa espacio" y se hace la copia en muy poco tiempo.

Buscando por google, obtenemos la respuesta:


To create a 10GB sparse file which doesn't allocate any actual space (if the filesystem supports this feature):
dd if=/dev/zero of=sparsefile.img bs=1 seek=10G count=0



Sparse file

lunes, 14 de marzo de 2011

Penetration Testing - Vulnerable - ISO

Adjunto una relación de imagenes para penetration Testing, se pueden montar sobre VMWare o VirtualBox y practicar (Si veo mas las ire añadiendo):

Holynix is an Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
The object of the challenge v1 is to gain root level privileges and access to personal client information.
Register on the forums to receive an email update when a new challenge is released.

WackoPicko Vulnerable Website
WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners.

The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image.
One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.

exploit.co.il Vulnerable Web App:
exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques This is a fully functional web site with a content management system based on fckeditor. You can download it as source code or a pre configured

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.

Virtual Hacking Lab (pentoo):
A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats.

PwnOS is an operating system being written from the ground up to be ideal for making the most of resource-rich dedicated server systems.
The most significant section of the project is to create a core (kernel) that is designed to be best suited for servers (e.g. usually one process with many threads of varying priorities). Much (highly-regulated) assembly language and some C is used here to increase the performance and decrease bloat potential, (because to code this in assembly, it's ESSENTIAL to have excellent, lean code design).
Development of PwnOS will be switching to be done with PwnIDE once PwnIDE reaches version 0.2.4. Development so far has been done with RadASM and MASM32 for assembly, and Dev-C++ and MinGW for C/C++. Documentation is produced with Natural Docs. Custom linking is done with a utility called JLOC, and drive image writing is done with various utilities.

Damn Vulnerable Linux (DVL):
Damn Vulnerable Linux (DVL) is a Slackware and Slax-based live DVD. The distribution, purposefully stuffed with broken, ill-configured, outdated and exploitable software, began life as a training system used during the author's university lectures. Its primary goal is to design a Linux system that is as vulnerable as possible -- in order to teach and demonstrate a variety of security topics, including reverse code engineering, buffer overflows, shell code development, web exploitation, and SQL injection.

Damn Vulnerable Web App (DVWA):
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)

- Giving an introductory course to Web Application Security


This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote. A valid OpenVPN connection is required for accessing the Hacking-Lab server infrastructure. Do you feel like being a beta-tester? Yes? Please make yourself familiar with the the full beta-tester programm where you find everything required to start using Hacking-Lab Remote.

OWASP Broken Web Applications Project:
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).

LAMPSecurity Training:
LAMPSecurity training is designed to be a series of vunlerable virtual machine images along with complementary documentation designed to teach linux,apache,php,mysql security.

Web Security Dojo:
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo.
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Updated 12/06/2011

The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

They have been especially designed for use in a classroom environment where they have been proved a valuable educational tool. Using OWASP Hackademic Challenges project students have the chance to experience application security in a realistic environment, something that triggers their interest and provokes a lot of interesting discussions.


Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

Client attack simulation using HtmlUnit; no alert('xss') here.
Smooth difficulty gradient from moderately easy to fiendishly tricky.
Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
Open ended play; progress by any means possible.

Updated 27/07/2011

Want to beat the hackers at their own game?Learn how hackers find security vulnerabilities! Learn how hackers exploit web applications! Learn how to stop them!
This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

Updated 28/07/2011

SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.

Updated 15/05/2012
On Null Byte Poisoning and XPath Injection:

From Spiderlabs Blog:
Recently I released a tool called XMLmao, a configurable testbed for learning to exploit XPath injection flaws, developing new attack techniques for XPath injection flaws or simulating real-world XPath injection scenarios, similar to SQLol. Among other features, it has challenge scenarios which give you a set of pre-configured options and an objective to complete. As of recently, I've begun to write tutorials for each challenge which will be distributed with their respective testbeds.

Updated 26/01/2014

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares to conduct successful penetration testing and ethical hacking projects.

What makes bWAPP so unique? Well, it has over 60 web vulnerabilities!
It covers all major known web bugs, including all risks from the OWASP Top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.

Download our What is bWAPP? introduction tutorial, including free exercises...

bWAPP is for educational purposes. Education, the most powerful weapon which we can use to change the world.
Have fun with this free and open source project!

Cheers, Malik Mesellem

Updated 30/08/2014

To provide materials that allows anyone to gain practical 'hands-on' experience in digital security, computer application & network administration.

Brief History/Purpose
Before you can run, you need to be able to walk. You do so by learning the basics so you an gain of the theory.
Once you're up and walking, you need 'something' to run to (Something to aim for) & you need 'somewhere' that's padded with foam to run about in (so it doesn't matter if you fall over). This is where VulnHub comes in.

We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself.
Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.

Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them.
So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally)'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out.
When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.

We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.

You can watch someone else...
Then follow along at the same time...
Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)...
Finally you can start on an unknown source (black box testing)...
...and if you get stuck you can always ask for a nudge!

Updated 01/09/2014
Binary Auditing:

That's not an ISO, but very interesting to learn about reversing.

Learn the fundamentals of Binary Auditing. Know how HLL mapping works, get more inner file understanding than ever.

Try to solve brain teasing puzzles with our collection of copy protection games. Increasing difficulty and unseen strange tricks.

Learn how to find and analyse software vulnerability. Dig inside Buffer Overflows and learn how exploits can be prevented.

Start to analyse your first viruses and malware the safe way. Learn about simple tricks and how viruses look like using real life examples.

The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!

IDA Pro 5.0 (Free)1
HLL Mapping 1 (NOT for training, only as reference!)98
HLL Mapping 2 (Start here and convert them to C)31
Manual Decompilation (Simple exercises)10
Algorithm Analysis 1 (Simple math exercises)3
Algorithm Analysis 2 (Simple math exercises)6
Crash Auditing (more complicated, why crashing?)10
File Understanding (Simple to hard Reversemes)31
Copy Protection Auditing (Simple to very hard)47
Unpacking (Simple exercises)3
Vulnerability Auditing (Simple to intermediate)38
Malware Auditing 1 (Simple old .com/.exe exercises)41
Malware Auditing 2 (Some fakes for analysis)4
Malware Auditing 3 (Simple win32 analysis)1

Life of Binaries:

Same as before, not ISO, but excellent to learn about Asm, Reverse and Exploit.

Topics include but are not limited to:

•Scanning and tokenizing source code.

•Parsing a grammar.

•Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).

•Linking object files together to create a well-formed binary.

•Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:

•Using the new “Binary Scavenger Hunt” tool which creates randomized PE binaries and asks randomized questions about the material you just learned!

•Manipulating compiler options to change the type of assembly which is output

•Manipulating linker options to change the structure of binary formats

•Reading and understanding PE files with PEView

•Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•Using WinDbg and/or GDB to watch the loader dynamically link an executable

•Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism

•Creating a simple example virus for PE

•Analyze the changes made to the binary format when a file is packed with UPX

•Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering.

A student Q&A forum has been set up at http://www.reddit.com/r/OST_LifeOfBinaries.

(updated 10/01/2017)
Vulnerability and Attack Labs

People learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a "seemly-benign" mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing.

(1) Software in general

new): exploit Bash's Shellshock vulnerability

  • Set-UID Program Vulnerability Lab: exploit the vulnerabilities of the privileged Set-UID programs. (
  • Survey Results)
    1. Buffer Overflow Vulnerability Lab: exploit the buffer overflow vulnerability using the shell-code approach. (Survey Results)

  • Return-to-libc Attack Lab: exploit the buffer-overflow vulnerabilities using the return-to-libc attack. (Survey Results)
  • Format String Vulnerability Lab: exploit the format string vulnerability. (Survey Results)
  • Race Condition Vulnerability Lab: exploit the race condition vulnerability. (Survey Results)

  • Chroot Sandbox Vulnerability Lab: explore how the chroot sandbox can be broken. (Survey Results)

  • (2) Network Protocols

    1. TCP/IP Attack Lab: exploit the vulnerabilities of the TCP/IP protocols. (Survey Results)

  • DNS Pharming Attack Lab: exploit the vulnerabilities of the DNS protocol to launch Pharming attacks. (Survey Results)

  • (3) Web Applications

      The following labs need to use the Ubuntu9.11 VM:
    1. Cross-site Scripting Attack Lab on PhpBB: exploiting cross-site scripting vulnerabilities. (Survey Results)

  • Cross-site Request Forgery Attack Lab on PhpBB: exploiting cross-site request forgery vulnerabilities. (Survey Results)
  • SQL Injection Attack Lab on PhpBB: experience the SQL-Injection attacks. (Survey Results)
  • ClickJacking Attack Lab: experience the ClickJacking attacks.

    1. The following labs need to use the Ubuntu11.04 or Ubuntu12.04 VM:
    2. Cross-site Scripting Attack Lab on Collabtive: exploiting cross-site scripting vulnerabilities.

  • Cross-site Request Forgery Attack Lab on Collabtive: exploiting cross-site request forgery vulnerabilities.
  • SQL Injection Attack Lab on Collabtive: experience the SQL-Injection attacks.

  • Design/Implementation Labs

    The objective of the design/implementation labs is to provide students with opportunities to apply security principles in designing and implementingsystems. They help students achieve learning by system development.

    (1) Networking

    1. Linux Firewall Lab: implement a simple firewall (called "miniFirewall") for Linux. This lab involves Loadable Kernel Module and Netfilter. (Survey Results)

  • Minix Firewall Lab implement a simple firewall (called "miniFirewall") for Minix. (Survey Results)
  • IPSec Lab: implement a simplified IPSec protocol (called "miniIPSec") for Minix (a comprehensive project). (Survey Results)
  • Virtual Private Network (VPN) Lab: implement a simple VPN (called "miniVPN") in Linux (a comprehensive project). Unlike IPSec-based VPNs, this lab does not need to modify the Linux kernel. All the implementations are in the user space. This lab involves encryption, hash, public key certificates, SSL, and network tunneling techniques (TUN/TAP). (Survey Results)

  • (2) System

    1. Role-Based Access Control (RBAC) Lab design and implement an integrated access control system for Minix that uses both capability-based and role-based access control mechanisms. Students need to modify Minix kernel to implement both capability and RBAC (this is a comprehensive project for access control). (Survey Results)

  • Capability Lab: design and implement a capability-based access control system for Minix (this is a comprehensive project).
  • Encrypted File System Lab: design and implement an encrypted file system for Minix (a comprehensive project).
  • Set-RandomUID Lab: design and implement a simple sandbox for Minix.
  • Address Space Layout Randomization (ASLR) Lab randomize stack and heap in Minix to improve security.

  • Exploration Labs

    The objective of the exploration labs is two-fold: the first is to enhance students' learning via observation, playing and exploration, so they can see what security principles ``feel'' like in a real system; the second objective is to provide students with opportunities to apply security principles in analyzing and evaluating systems. The exploration labs provide a feasible means by which the students have "a direct encounter with the phenomena being studied rather than merely thinking about the encounter, or only considering the possibility of doing something about it".
    1. Linux Firewall Exploration Lab: This is the redesign of the Linux Firewall Design/Implementation Lab. The focus is shifted from programming to exploration. Students will explore various firewall-related technologies, such as netfilter, web proxy, URL rewriting, and using SSH tunnels to evade egress filtering.

  • Packet Sniffing and Spoofing Lab: explore how sniffing and spoofing tools are implemented. (Survey Results)
  • Linux Capability Exploration Lab: explore the capability-based access control in Linux. (Survey Results)

  • Web Browser Access Control Lab: explore the Same-Origin Access Control Policy in web browsers. (Survey Results)

  • Crypto Lab I -- Secret-Key Encryption : explore secret-key encryption and its applications using OpenSSL. (Survey Results)
  • Crypto Lab II -- One-Way Hash Function: explore one-way hash function and its applications using OpenSSL. (Survey Results)
  • Crypto Lab III -- Public-Key Cryptography and PKI: explore public-key cryptography, digital signature, certificate, and PKI using OpenSSL.
  • Pluggable Authentication Modules (PAM) Lab: explore a flexible authentication technique.
  • SYN Cookies Lab: explore the SYN Cookies mechanism in Linux.

  • (updated 14/01/2017)
    The Lord of Buffer Overflow (Redhat 6.2)

    LEVEL1 (gate -> gremlin) : simple bof
    LEVEL2 (gremlin -> cobolt) : small buffer
    LEVEL3 (cobolt -> goblin) : small buffer + stdin
    LEVEL4 (goblin -> orc) : egghunter
    LEVEL5 (orc -> wolfman) : egghunter + bufferhunter
    LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter
    LEVEL7 (darkelf -> orge) : check argv[0]
    LEVEL8 (orge -> troll) : check argc
    LEVEL9 (troll -> vampire) : check 0xbfff
    LEVEL10 (vampire -> skeleton) : argv hunter
    LEVEL11 (skeleton -> golem) : stack destroyer
    LEVEL12 (golem -> darkknight) : sfp
    LEVEL13 (darkknight -> bugbear) : RTL1
    LEVEL14 (bugbear -> giant) : RTL2, only execve
    LEVEL15 (giant -> assassin) : no stack, no RTL
    LEVEL16 (assassin -> zombie_assassin) : fake ebp
    LEVEL17 (zombie_assassin -> succubus) : function calls
    LEVEL18 (succubus -> nightmare) : plt
    LEVEL19 (nightmare -> xavis) : fgets + destroyers
    LEVEL20 (xavis -> death_knight) : remote BOF

    http://hackerschool.org/TheLordofBOF/VM_Fedora10.rar (589 MB)

    http://hackerschool.org/TheLordofBOF/VM_Fedora14.rar   (658 MB)

    [FC 3]
    Stack Dummy : O
    Down privileage of bash : O
    Random Stack : O
    Random Library : X
    Random Program Binary Mapped : X
    ASCII Armor : O
    Non-Executable Stack : O
    Non-Executable Heap : O
    Stack Carany : X
    Stack Smashing Protector : X

    gate -> iron_golem : Fake_SFP + Ascii Armor
    iron_golem -> dark_eyes : RET Sleding
    dark_eyes -> hell_fire : another fake_ebp or got overwriting
    hell_fire -> evil_wizard : POP POP RET
    evil_wizard -> dark_stone : POP POP RET / Remote

    [FC 4]
    dark_stone -> cruel : Local BOF on FC4
    cruel -> enigma : Remote BOF on FC4
    enigma -> titan : Remote BOF on FC4

    [FC 10]
    * level1 (titan -> balog)
    * level2 (balog -> talos)
    * level3 (talos -> dark_mare)

    [FC 14]
    * level1 (dark_mare -> stegodon)
    * level2 (stegodon -> blood_seeker)

    [Ref - http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship_2round&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=4]

    miércoles, 2 de marzo de 2011

    Python Challenge

    Bastante recomendado para practicar retos de programacion en python, a traves del cual, una vez solucionado los distintos niveles, puedes ver la solucion en distintos lenguajes como python, perl, bash, java, c, etc.

    La verdad que ayuda bastante hacer este reto porque ayuda en la resolucion de otros, y tambien da soltura en el uso del lenguaje python.


    Updated 29-03-2011

    Algunos ebooks gratis, y sitios para aprender python:

    1. Learn Python the Hard Way
    2. A Byte of Python
    3. The Python Tutorial
    4. Python Programming

    lunes, 28 de febrero de 2011

    Sources Interesantes

    Algunos sources que pueden resultar interesantes para su uso en retos/wargames/ctf:

    The Way of Binary Copy without Permission:


    Otra herramienta curiosa es la que nos presenta Albert Sellarès, (whats):

    This is a tool to dump a process to an executable ELF file to execute it.



    Shared Library Hijacking For Playing Wargames

    GDB Reference Card - Hacking GDB

    lunes, 10 de enero de 2011

    Otros retos shell

    Otros retos a traves de shell para practicar:



    http://invi.phpnet.us/ <--- Source de ExploitMe y SQLi (Hackit)

    http://www.felinemenace.org/~mercy/ <--- Buenos source para practicar


    http://luna.sc/security-badulake/created-hackit-contests/ <-- dreyer was here :)

    http://gulcas.linux.es/?q=hackit <-- Sources del Hackit de la iparty 8 de aditel

    http://back2hack.cc/forumdisplay.php?fid=249&page=1 <-- sources para practicar



    http://www.hackerschool.org --> ssh level1@ftz.hackerschool.org pass: level1
    telnet ftz.hackerschool.org
    http://w3challs.com/challenges/challenge59 <--- Registrarse y ya ssh con user basic1

    http://www.root-me.org <-- 3 retos, shell, binary y rbinary (remote binary)

    Updated 30-03-2011:

    https://github.com/mabj/ctf_ucon2 <-- Capture The Flag uCon 2009 de Marcos Álvares

    http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz <-- Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.

    Updated 14-12-2011:

    http://exploit-exercises.com/   <--  Linux exploiting from source with Virtual Machine, 3 kind of challenges Nebula - Protostar - Fusion

    Updated 23-09-2012:

    https://sm0k.org/dojo/vanilla.php <-- Over ssh (ssh vanilla1@vanilladome.sm0k.org -p 13722 pass: vanilla1)  with levels that you must exploit to bypass to the next.

    Updated 01-09-2014:

    http://pwnable.kr/ <-- We provide various pwn challenges regarding system security. If you succeed to 'pwn' a task, you will be able to read the 'flag' file which contains a secret message. Once you authenticate the flag, you can get the corresponding point. If you are good at system hacking, these tasks would be just a bunch of fun games - enjoy :)

    martes, 4 de enero de 2011

    Solucion - Linux - cyrex's Linux Crackme 02


    $ wget http://www.crackmes.de/users/cyrex/linux_crackme_02/download
    --2011-01-04 17:41:08-- http://www.crackmes.de/users/cyrex/linux_crackme_02/download
    Resolviendo www.crackmes.de...
    Conectando a www.crackmes.de||:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 2199 (2,1K) [application/tgz]
    Guardando en: «download»

    100%[============================================================================================================>] 2.199 --.-K/s en 0,004s

    2011-01-04 17:41:15 (558 KB/s) - «download» guardado [2199/2199]

    $ file download
    download: gzip compressed data, from Unix, last modified: Wed Feb 23 23:36:55 2005
    $ mv download crackme_02.tgz
    $ tar xvzf crackme_02.tgz

    $ ./crackme
    -[ Linux CrackMe (Level:3) by cyrex ]-
    -[ TODO: Get the valid password ]-
    -[ Enter Password: asdf
    -[ Entered Password: asdf
    -[ Checking Stage 1 Now.....
    -[ Game Over

    $ strings crackme
    Are you trying to Debug me?
    -[ Linux CrackMe (Level:3) by cyrex ]-
    -[ TODO: Get the valid password ]-
    -[ Enter Password:
    -[ Entered Password: %s
    -[ Checking Stage 1 Now.....
    -[ Stage 1 Cleared
    -[ Game Over
    -[ Checking Stage 2 Now....
    -[ Bad did you forgot something?
    -[ You have successfully reversed/cracked/sniffed This Crackme
    -[ Email me your solution to eth0@list.ru

    $ ./crackme
    -[ Linux CrackMe (Level:3) by cyrex ]-
    -[ TODO: Get the valid password ]-
    -[ Enter Password: 7gb5fjf8v4bg8fb34f
    -[ Entered Password: 7gb5fjf8v4bg8fb34f
    -[ Checking Stage 1 Now.....
    -[ Stage 1 Cleared
    -[ Checking Stage 2 Now....
    -[ Bad did you forgot something?
    $ touch /tmp/crackme_89nfnjfiefheufeue
    $ ./crackme
    -[ Linux CrackMe (Level:3) by cyrex ]-
    -[ TODO: Get the valid password ]-
    -[ Enter Password: 7gb5fjf8v4bg8fb34f
    -[ Entered Password: 7gb5fjf8v4bg8fb34f
    -[ Checking Stage 1 Now.....
    -[ Stage 1 Cleared
    -[ Checking Stage 2 Now....
    -[ You have successfully reversed/cracked/sniffed This Crackme
    -[ Email me your solution to eth0@list.ru


    Veamoslo con el GDB y objdump:

    $ objdump -d crackme

    crackme: file format elf32-i386

    ... (omitido no importante) ...

    Disassembly of section .text:

    08048440 <.text>:
    8048440: 31 ed xor %ebp,%ebp
    8048442: 5e pop %esi
    8048443: 89 e1 mov %esp,%ecx
    8048445: 83 e4 f0 and $0xfffffff0,%esp
    8048448: 50 push %eax
    8048449: 54 push %esp
    804844a: 52 push %edx
    804844b: 68 00 87 04 08 push $0x8048700
    8048450: 68 a0 86 04 08 push $0x80486a0
    8048455: 51 push %ecx
    8048456: 56 push %esi
    8048457: 68 20 85 04 08 push $0x8048520
    804845c: e8 9f ff ff ff call 8048400 <__libc_start_main@plt>
    8048461: f4 hlt
    8048462: 90 nop
    8048463: 90 nop
    8048464: 55 push %ebp
    8048465: 89 e5 mov %esp,%ebp
    8048467: 53 push %ebx
    8048468: e8 00 00 00 00 call 804846d
    804846d: 5b pop %ebx
    804846e: 81 c3 6b 16 00 00 add $0x166b,%ebx
    8048474: 50 push %eax
    8048475: 8b 83 30 00 00 00 mov 0x30(%ebx),%eax
    804847b: 85 c0 test %eax,%eax
    804847d: 74 02 je 8048481
    804847f: ff d0 call *%eax
    8048481: 8b 5d fc mov -0x4(%ebp),%ebx
    8048484: c9 leave
    8048485: c3 ret
    8048486: 90 nop
    8048487: 90 nop
    8048488: 90 nop
    8048489: 90 nop
    804848a: 90 nop
    804848b: 90 nop
    804848c: 90 nop
    804848d: 90 nop
    804848e: 90 nop
    804848f: 90 nop
    8048490: 55 push %ebp
    8048491: 89 e5 mov %esp,%ebp
    8048493: 83 ec 08 sub $0x8,%esp
    8048496: 83 3d f8 99 04 08 00 cmpl $0x0,0x80499f8
    804849d: 75 3e jne 80484dd
    804849f: eb 12 jmp 80484b3
    80484a1: a1 f4 99 04 08 mov 0x80499f4,%eax
    80484a6: 8d 50 04 lea 0x4(%eax),%edx
    80484a9: 89 15 f4 99 04 08 mov %edx,0x80499f4
    80484af: 8b 00 mov (%eax),%eax
    80484b1: ff d0 call *%eax
    80484b3: a1 f4 99 04 08 mov 0x80499f4,%eax
    80484b8: 83 38 00 cmpl $0x0,(%eax)
    80484bb: 75 e4 jne 80484a1
    80484bd: b8 e0 83 04 08 mov $0x80483e0,%eax
    80484c2: 85 c0 test %eax,%eax
    80484c4: 74 0d je 80484d3
    80484c6: 83 c4 f4 add $0xfffffff4,%esp
    80484c9: 68 fc 99 04 08 push $0x80499fc
    80484ce: e8 0d ff ff ff call 80483e0 <__deregister_frame_info@plt>
    80484d3: c7 05 f8 99 04 08 01 movl $0x1,0x80499f8
    80484da: 00 00 00
    80484dd: c9 leave
    80484de: c3 ret
    80484df: 90 nop
    80484e0: 55 push %ebp
    80484e1: 89 e5 mov %esp,%ebp
    80484e3: 83 ec 08 sub $0x8,%esp
    80484e6: c9 leave
    80484e7: c3 ret
    80484e8: 55 push %ebp
    80484e9: 89 e5 mov %esp,%ebp
    80484eb: 83 ec 08 sub $0x8,%esp
    80484ee: b8 b0 83 04 08 mov $0x80483b0,%eax
    80484f3: 85 c0 test %eax,%eax
    80484f5: 74 12 je 8048509
    80484f7: 83 c4 f8 add $0xfffffff8,%esp
    80484fa: 68 0c 9b 04 08 push $0x8049b0c
    80484ff: 68 fc 99 04 08 push $0x80499fc
    8048504: e8 a7 fe ff ff call 80483b0 <__register_frame_info@plt>
    8048509: c9 leave
    804850a: c3 ret
    804850b: 90 nop
    804850c: 55 push %ebp
    804850d: 89 e5 mov %esp,%ebp
    804850f: 83 ec 08 sub $0x8,%esp
    8048512: c9 leave
    8048513: c3 ret
    8048514: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
    804851a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
    8048520: 55 push %ebp
    8048521: 89 e5 mov %esp,%ebp
    8048523: 81 ec 18 04 00 00 sub $0x418,%esp
    8048529: 6a 00 push $0x0
    804852b: 6a 01 push $0x1
    804852d: 6a 00 push $0x0
    804852f: 6a 00 push $0x0
    8048531: e8 ba fe ff ff call 80483f0
    8048536: 83 c4 10 add $0x10,%esp
    8048539: 89 c0 mov %eax,%eax
    804853b: 85 c0 test %eax,%eax
    804853d: 7d 21 jge 8048560
    804853f: 83 c4 f4 add $0xfffffff4,%esp
    8048542: 68 e0 87 04 08 push $0x80487e0
    8048547: e8 c4 fe ff ff call 8048410
    804854c: 83 c4 10 add $0x10,%esp
    804854f: b8 01 00 00 00 mov $0x1,%eax
    8048554: e9 37 01 00 00 jmp 8048690
    8048559: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
    8048560: 83 c4 f4 add $0xfffffff4,%esp
    8048563: 68 00 88 04 08 push $0x8048800
    8048568: e8 a3 fe ff ff call 8048410
    804856d: 83 c4 10 add $0x10,%esp
    8048570: 83 c4 f4 add $0xfffffff4,%esp
    8048573: 68 40 88 04 08 push $0x8048840
    8048578: e8 93 fe ff ff call 8048410
    804857d: 83 c4 10 add $0x10,%esp
    8048580: 83 c4 f4 add $0xfffffff4,%esp
    8048583: 68 68 88 04 08 push $0x8048868
    8048588: e8 83 fe ff ff call 8048410
    804858d: 83 c4 10 add $0x10,%esp
    8048590: 83 c4 f8 add $0xfffffff8,%esp
    8048593: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
    8048599: 50 push %eax
    804859a: 68 7c 88 04 08 push $0x804887c
    804859f: e8 2c fe ff ff call 80483d0
    80485a4: 83 c4 10 add $0x10,%esp
    80485a7: 83 c4 f8 add $0xfffffff8,%esp
    80485aa: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
    80485b0: 50 push %eax
    80485b1: 68 7f 88 04 08 push $0x804887f
    80485b6: e8 55 fe ff ff call 8048410
    80485bb: 83 c4 10 add $0x10,%esp
    80485be: 83 c4 f4 add $0xfffffff4,%esp
    80485c1: 68 98 88 04 08 push $0x8048898
    80485c6: e8 45 fe ff ff call 8048410
    80485cb: 83 c4 10 add $0x10,%esp
    80485ce: 83 c4 f8 add $0xfffffff8,%esp
    80485d1: 68 b6 88 04 08 push $0x80488b6
    80485d6: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
    80485dc: 50 push %eax
    80485dd: e8 de fd ff ff call 80483c0
    80485e2: 83 c4 10 add $0x10,%esp
    80485e5: 89 c0 mov %eax,%eax
    80485e7: 85 c0 test %eax,%eax
    80485e9: 75 15 jne 8048600
    80485eb: 83 c4 f4 add $0xfffffff4,%esp
    80485ee: 68 c9 88 04 08 push $0x80488c9
    80485f3: e8 18 fe ff ff call 8048410
    80485f8: 83 c4 10 add $0x10,%esp
    80485fb: eb 17 jmp 8048614
    80485fd: 8d 76 00 lea 0x0(%esi),%esi
    8048600: 83 c4 f4 add $0xfffffff4,%esp
    8048603: 68 dd 88 04 08 push $0x80488dd
    8048608: e8 03 fe ff ff call 8048410
    804860d: 83 c4 10 add $0x10,%esp
    8048610: 31 c0 xor %eax,%eax
    8048612: eb 7c jmp 8048690
    8048614: 83 c4 f4 add $0xfffffff4,%esp
    8048617: 68 eb 88 04 08 push $0x80488eb
    804861c: e8 ef fd ff ff call 8048410
    8048621: 83 c4 10 add $0x10,%esp
    8048624: 83 c4 f8 add $0xfffffff8,%esp
    8048627: 68 08 89 04 08 push $0x8048908
    804862c: 68 20 89 04 08 push $0x8048920
    8048631: e8 fa fd ff ff call 8048430
    8048636: 83 c4 10 add $0x10,%esp
    8048639: 89 c0 mov %eax,%eax
    804863b: 89 85 fc fb ff ff mov %eax,-0x404(%ebp)
    8048641: 83 bd fc fb ff ff 00 cmpl $0x0,-0x404(%ebp)
    8048648: 75 1d jne 8048667
    804864a: 83 c4 f4 add $0xfffffff4,%esp
    804864d: 68 40 89 04 08 push $0x8048940
    8048652: e8 b9 fd ff ff call 8048410
    8048657: 83 c4 10 add $0x10,%esp
    804865a: 83 c4 f4 add $0xfffffff4,%esp
    804865d: 6a 00 push $0x0
    804865f: e8 bc fd ff ff call 8048420
    8048664: 83 c4 10 add $0x10,%esp
    8048667: 83 c4 f4 add $0xfffffff4,%esp
    804866a: 68 80 89 04 08 push $0x8048980
    804866f: e8 9c fd ff ff call 8048410
    8048674: 83 c4 10 add $0x10,%esp
    8048677: 83 c4 f4 add $0xfffffff4,%esp
    804867a: 68 c0 89 04 08 push $0x80489c0
    804867f: e8 8c fd ff ff call 8048410
    8048684: 83 c4 10 add $0x10,%esp
    8048687: 31 c0 xor %eax,%eax
    8048689: eb 05 jmp 8048690
    804868b: 90 nop
    804868c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
    8048690: c9 leave
    8048691: c3 ret
    8048692: 90 nop
    8048693: 90 nop
    8048694: 90 nop
    8048695: 90 nop
    8048696: 90 nop
    8048697: 90 nop
    8048698: 90 nop
    8048699: 90 nop
    804869a: 90 nop
    804869b: 90 nop
    804869c: 90 nop
    804869d: 90 nop
    804869e: 90 nop
    804869f: 90 nop
    80486a0: 55 push %ebp
    80486a1: 89 e5 mov %esp,%ebp
    80486a3: 57 push %edi
    80486a4: 56 push %esi
    80486a5: 31 f6 xor %esi,%esi
    80486a7: 53 push %ebx
    80486a8: 83 ec 0c sub $0xc,%esp
    80486ab: e8 a0 00 00 00 call 8048750
    80486b0: 81 c3 28 14 00 00 add $0x1428,%ebx
    80486b6: e8 cd fc ff ff call 8048388 <__register_frame_info@plt-0x28>
    80486bb: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
    80486c1: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
    80486c7: 29 c2 sub %eax,%edx
    80486c9: c1 fa 02 sar $0x2,%edx
    80486cc: 39 d6 cmp %edx,%esi
    80486ce: 73 1c jae 80486ec
    80486d0: 89 d7 mov %edx,%edi
    80486d2: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
    80486d9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
    80486e0: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
    80486e7: 46 inc %esi
    80486e8: 39 fe cmp %edi,%esi
    80486ea: 72 f4 jb 80486e0
    80486ec: 83 c4 0c add $0xc,%esp
    80486ef: 5b pop %ebx
    80486f0: 5e pop %esi
    80486f1: 5f pop %edi
    80486f2: 5d pop %ebp
    80486f3: c3 ret
    80486f4: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
    80486fa: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
    8048700: 55 push %ebp
    8048701: 89 e5 mov %esp,%ebp
    8048703: 83 ec 08 sub $0x8,%esp
    8048706: 89 1c 24 mov %ebx,(%esp)
    8048709: e8 42 00 00 00 call 8048750
    804870e: 81 c3 ca 13 00 00 add $0x13ca,%ebx
    8048714: 89 74 24 04 mov %esi,0x4(%esp)
    8048718: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
    804871e: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
    8048724: 29 d0 sub %edx,%eax
    8048726: c1 f8 02 sar $0x2,%eax
    8048729: 85 c0 test %eax,%eax
    804872b: 8d 70 ff lea -0x1(%eax),%esi
    804872e: 75 10 jne 8048740
    8048730: e8 5b 00 00 00 call 8048790
    8048735: 8b 1c 24 mov (%esp),%ebx
    8048738: 8b 74 24 04 mov 0x4(%esp),%esi
    804873c: 89 ec mov %ebp,%esp
    804873e: 5d pop %ebp
    804873f: c3 ret
    8048740: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
    8048747: 89 f0 mov %esi,%eax
    8048749: 4e dec %esi
    804874a: 85 c0 test %eax,%eax
    804874c: 75 f2 jne 8048740
    804874e: eb e0 jmp 8048730
    8048750: 8b 1c 24 mov (%esp),%ebx
    8048753: c3 ret
    8048754: 90 nop
    8048755: 90 nop
    8048756: 90 nop
    8048757: 90 nop
    8048758: 90 nop
    8048759: 90 nop
    804875a: 90 nop
    804875b: 90 nop
    804875c: 90 nop
    804875d: 90 nop
    804875e: 90 nop
    804875f: 90 nop
    8048760: 55 push %ebp
    8048761: 89 e5 mov %esp,%ebp
    8048763: 83 ec 14 sub $0x14,%esp
    8048766: 53 push %ebx
    8048767: bb c8 9a 04 08 mov $0x8049ac8,%ebx
    804876c: 83 3d c8 9a 04 08 ff cmpl $0xffffffff,0x8049ac8
    8048773: 74 0c je 8048781
    8048775: 8b 03 mov (%ebx),%eax
    8048777: ff d0 call *%eax
    8048779: 83 c3 fc add $0xfffffffc,%ebx
    804877c: 83 3b ff cmpl $0xffffffff,(%ebx)
    804877f: 75 f4 jne 8048775
    8048781: 5b pop %ebx
    8048782: c9 leave
    8048783: c3 ret
    8048784: 55 push %ebp
    8048785: 89 e5 mov %esp,%ebp
    8048787: 83 ec 08 sub $0x8,%esp
    804878a: c9 leave
    804878b: c3 ret
    804878c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi

    Algunas strings con gdb:

    $ gdb ./crackme
    GNU gdb (GDB) 7.2-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i686-linux-gnu".

    (gdb) r
    Starting program: /home/uknow/Escritorio/kk/pruebas/crackme
    Are you trying to Debug me?

    Program exited with code 01.
    (gdb) x/s 0x80487e0
    0x80487e0: "Are you trying to Debug me?\n"

    El programa usa ptrace para ver si el programa esta siendo traceado o debugeado, cambiamos un simple jump y ya nos saltamos esa proteccion.

    $ cmp -b crackme crackme_parcheado
    crackme crackme_parcheado son distintos: el byte 1342, en la línea 3 es 175 } 176 ~

    $ objdump -d crackme | grep 804853d
    804853d: 7d 21 jge 8048560

    $ objdump -d crackme_parcheado | grep 804853d
    804853d: 7e 21 jle 8048560

    $ gdb ./crackme_parcheado
    GNU gdb (GDB) 7.2-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i686-linux-gnu".

    (gdb) r
    Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_parcheado
    -[ Linux CrackMe (Level:3) by cyrex ]-
    -[ TODO: Get the valid password ]-
    -[ Enter Password: aaa
    -[ Entered Password: aaa
    -[ Checking Stage 1 Now.....
    -[ Game Over

    Program exited normally.


    Usando ltrace:

    $ ltrace ./crackme
    __libc_start_main(0x8048520, 1, 0xbf8d5c64, 0x80486a0, 0x8048700
    __register_frame_info(0x80499fc, 0x8049b0c, 0xb773ece0, 0xb773dff4, 0xbf8d5c64) = 0x80499fc
    ptrace(0, 0, 1, 0, 4) = -1
    printf("Are you trying to Debug me?\n"Are you trying to Debug me?
    ) = 28
    __deregister_frame_info(0x80499fc, 3, 0xbf8d5b00, 4, 0x80482a4) = 0
    +++ exited (status 1) +++

    $ ltrace ./crackme_parcheado
    __libc_start_main(0x8048520, 1, 0xbfc384f4, 0x80486a0, 0x8048700
    __register_frame_info(0x80499fc, 0x8049b0c, 0xb787fce0, 0xb787eff4, 0xbfc384f4) = 0x80499fc
    ptrace(0, 0, 1, 0, 4) = -1
    printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
    ) = 39
    printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
    ) = 39
    printf("-[ Enter Password: ") = 19
    scanf(0x804887c, 0xbfc38048, 1, 0, 4-[ Enter Password: aaa
    ) = 1
    printf("-[ Entered Password: %s\n", "aaa"-[ Entered Password: aaa
    ) = 25
    printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
    ) = 29
    strcmp("aaa", "7gb5fjf8v4bg8fb34f") = 1
    printf("-[ Game Over\n"-[ Game Over
    ) = 13
    __deregister_frame_info(0x80499fc, 3, 0xbfc38390, 4, 0x80482a4) = 0
    +++ exited (status 0) +++

    y metiendo el serial de la primera parte vemos que intenta abrir el archivo "/tmp/crackme_89nfnjfiefheufeue" en la segunda parte:

    $ ltrace ./crackme_parcheado
    __libc_start_main(0x8048520, 1, 0xbfdb0c04, 0x80486a0, 0x8048700
    __register_frame_info(0x80499fc, 0x8049b0c, 0xb7764ce0, 0xb7763ff4, 0xbfdb0c04) = 0x80499fc
    ptrace(0, 0, 1, 0, 4) = -1
    printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
    ) = 39
    printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
    ) = 39
    printf("-[ Enter Password: ") = 19
    scanf(0x804887c, 0xbfdb0758, 1, 0, 4-[ Enter Password: 7gb5fjf8v4bg8fb34f
    ) = 1
    printf("-[ Entered Password: %s\n", "7gb5fjf8v4bg8fb34f"-[ Entered Password: 7gb5fjf8v4bg8fb34f
    ) = 40
    printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
    ) = 29
    strcmp("7gb5fjf8v4bg8fb34f", "7gb5fjf8v4bg8fb34f") = 0
    printf("-[ Stage 1 Cleared\n"-[ Stage 1 Cleared
    ) = 19
    printf("-[ Checking Stage 2 Now....\n"-[ Checking Stage 2 Now....
    ) = 28
    fopen("/tmp/crackme_89nfnjfiefheufeue", "r") = 0
    printf("-[ Bad did you forgot something?"...-[ Bad did you forgot something?
    ) = 33
    __deregister_frame_info(0x80499fc, 3, 0xbfdb0670, 4, 0xb7783b28) = 0
    +++ exited (status 0) +++

    Solucion - Linux - cyrex's Linux CrackMe


    $ wget http://www.crackmes.de/users/cyrex/linux_crackme/download
    --2011-01-04 17:28:23-- http://www.crackmes.de/users/cyrex/linux_crackme/download
    Resolviendo www.crackmes.de...
    Conectando a www.crackmes.de||:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 5497 (5,4K) [application/tgz]
    Guardando en: «download»

    100%[============================================================================================================>] 5.497 --.-K/s en 0,1s

    2011-01-04 17:28:26 (48,0 KB/s) - «download» guardado [5497/5497]

    $ file crackme_01.tgz
    crackme_01.tgz: gzip compressed data, from Unix, last modified: Mon Feb 21 20:39:58 2005
    $ mv download crackme_01.tgz
    $ tar xvzf crackme_01.tgz

    $ ./crackme
    -[ Linux CrackMe (Level:2) by cyrex ]-
    -[ TODO: You have to get the valid Password ]-
    Enter Password: 1234
    -[ Ohhhh, your skills are bad try again later ]-
    $ strings crackme
    -[ Linux CrackMe (Level:2) by cyrex ]-
    -[ TODO: You have to get the valid Password ]-
    Enter Password:
    -[ Good, You're ready to begin linux reversing ]-
    -[ Ohhhh, your skills are bad try again later ]-

    $ ./crackme
    -[ Linux CrackMe (Level:2) by cyrex ]-
    -[ TODO: You have to get the valid Password ]-
    Enter Password: 47ghf6fh37fbgbgj
    -[ Good, You're ready to begin linux reversing ]-

    Veamoslo con el GDB, pero vamos es bastante sencillo de entender:

    $ gdb ./crackme
    GNU gdb (GDB) 7.2-ubuntu
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i686-linux-gnu".
    Leyendo símbolos desde /home/uknow/Escritorio/kk/pruebas/crackme_01/crackme...hecho.
    (gdb) disass main
    Dump of assembler code for function main:
    0x08048450 <+0>: push %ebp
    0x08048451 <+1>: mov %esp,%ebp
    0x08048453 <+3>: sub $0x28,%esp
    0x08048456 <+6>: add $0xfffffff4,%esp
    0x08048459 <+9>: push $0x8048620
    0x0804845e <+14>: call 0x804835c
    0x08048463 <+19>: add $0x10,%esp
    0x08048466 <+22>: add $0xfffffff4,%esp
    0x08048469 <+25>: push $0x8048660
    0x0804846e <+30>: call 0x804835c
    0x08048473 <+35>: add $0x10,%esp
    0x08048476 <+38>: add $0xfffffff4,%esp
    0x08048479 <+41>: push $0x8048690
    0x0804847e <+46>: call 0x804835c
    0x08048483 <+51>: add $0x10,%esp
    0x08048486 <+54>: add $0xfffffff8,%esp
    0x08048489 <+57>: lea -0x20(%ebp),%eax
    0x0804848c <+60>: push %eax
    0x0804848d <+61>: push $0x80486a1
    0x08048492 <+66>: call 0x804832c
    0x08048497 <+71>: add $0x10,%esp
    0x0804849a <+74>: add $0xfffffff8,%esp
    0x0804849d <+77>: push $0x80486a4
    0x080484a2 <+82>: lea -0x20(%ebp),%eax
    0x080484a5 <+85>: push %eax
    0x080484a6 <+86>: call 0x804831c
    0x080484ab <+91>: add $0x10,%esp
    0x080484ae <+94>: mov %eax,%eax
    0x080484b0 <+96>: test %eax,%eax
    0x080484b2 <+98>: jne 0x80484c6
    0x080484b4 <+100>: add $0xfffffff4,%esp
    0x080484b7 <+103>: push $0x80486c0
    0x080484bc <+108>: call 0x804835c
    0x080484c1 <+113>: add $0x10,%esp
    0x080484c4 <+116>: jmp 0x80484d6
    0x080484c6 <+118>: add $0xfffffff4,%esp
    ---Type to continue, or q to quit---q
    (gdb) x/s 0x80486a4
    0x80486a4: "47ghf6fh37fbgbgj"
    (gdb) r
    Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_01/crackme 47ghf6fh37fbgbgj
    -[ Linux CrackMe (Level:2) by cyrex ]-
    -[ TODO: You have to get the valid Password ]-
    Enter Password: 47ghf6fh37fbgbgj
    -[ Good, You're ready to begin linux reversing ]-

    Program exited normally.
    (gdb) x/s 0x80486c0
    0x80486c0: "-[ Good, You're ready to begin linux reversing ]-\n"
    (gdb) q