Monday, 10 January 2011

Other shell challenges

Other shell-based challenges to practice on:
http://intruded.net/leviathan.html
http://intruded.net/narnia.html
http://intruded.net/behemoth.html
http://intruded.net/utumno.html
http://intruded.net/maze.html
http://intruded.net/manpage.html

http://io.smashthestack.org:84/
http://blowfish.smashthestack.org:81/
http://apfel.smashthestack.org:83/
http://tux.smashthestack.org:86/
http://blackbox.smashthestack.org:85/

http://www.overthewire.org/wargames/vortex/
http://www.overthewire.org/wargames/semtex/
http://www.overthewire.org/wargames/blacksun/
http://www.overthewire.org/wargames/drifter/
http://www.overthewire.org/wargames/krypton/

http://invi.phpnet.us/ <--- Sources for ExploitMe and SQLi (Hackit)

http://www.felinemenace.org/~mercy/ <--- Good sources to practice on

http://community.corest.com/~gera/InsecureProgramming/

http://luna.sc/security-badulake/created-hackit-contests/ <-- dreyer was here :)

http://gulcas.linux.es/?q=hackit <-- Sources from the Hackit at aditel's iparty 8

http://back2hack.cc/forumdisplay.php?fid=249&page=1 <-- sources to practice on

http://www.shell-storm.org/smashme/

http://hack.thebackupbox.net/

http://www.hackerschool.org --> ssh level1@ftz.hackerschool.org pass: level1
telnet ftz.hackerschool.org
http://w3challs.com/challenges/challenge59 <--- Register, then ssh in as user basic1

http://www.root-me.org <-- 3 challenge types: shell, binary and rbinary (remote binary)

Updated 30-03-2011:

https://github.com/mabj/ctf_ucon2 <-- uCon 2009 Capture The Flag by Marcos Álvares

http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz <-- Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.

Updated 14-12-2011:

http://exploit-exercises.com/   <--  Linux exploitation from source, with a virtual machine; three kinds of challenges: Nebula, Protostar and Fusion

Updated 23-09-2012:

https://sm0k.org/dojo/vanilla.php <-- Over ssh (ssh vanilla1@vanilladome.sm0k.org -p 13722 pass: vanilla1), with levels you must exploit to move on to the next.

Updated 01-09-2014:

http://pwnable.kr/ <-- We provide various pwn challenges regarding system security. If you succeed to 'pwn' a task, you will be able to read the 'flag' file which contains a secret message. Once you authenticate the flag, you can get the corresponding point. If you are good at system hacking, these tasks would be just a bunch of fun games - enjoy :)

Tuesday, 4 January 2011

Solution - Linux - cyrex's Linux Crackme 02

http://www.crackmes.de/users/cyrex/linux_crackme_02/

$ wget http://www.crackmes.de/users/cyrex/linux_crackme_02/download
--2011-01-04 17:41:08-- http://www.crackmes.de/users/cyrex/linux_crackme_02/download
Resolving www.crackmes.de... 88.198.55.82
Connecting to www.crackmes.de|88.198.55.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2199 (2.1K) [application/tgz]
Saving to: `download'

100%[============================================================================================================>] 2,199 --.-K/s in 0.004s

2011-01-04 17:41:15 (558 KB/s) - `download' saved [2199/2199]


$ file download
download: gzip compressed data, from Unix, last modified: Wed Feb 23 23:36:55 2005
$ mv download crackme_02.tgz
$ tar xvzf crackme_02.tgz
crackme

$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: asdf
-[ Entered Password: asdf
-[ Checking Stage 1 Now.....
-[ Game Over

$ strings crackme
/lib/ld-linux.so.2
libc.so.6
printf
__deregister_frame_info
ptrace
strcmp
scanf
exit
fopen
_IO_stdin_used
__libc_start_main
__register_frame_info
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
QVh
[^_]
Are you trying to Debug me?
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password:
-[ Entered Password: %s
-[ Checking Stage 1 Now.....
7gb5fjf8v4bg8fb34f
-[ Stage 1 Cleared
-[ Game Over
-[ Checking Stage 2 Now....
/tmp/crackme_89nfnjfiefheufeue
-[ Bad did you forgot something?
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru

$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ Bad did you forgot something?
$ touch /tmp/crackme_89nfnjfiefheufeue
$ ./crackme
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: 7gb5fjf8v4bg8fb34f
-[ Entered Password: 7gb5fjf8v4bg8fb34f
-[ Checking Stage 1 Now.....
-[ Stage 1 Cleared
-[ Checking Stage 2 Now....
-[ You have successfully reversed/cracked/sniffed This Crackme
-[ Email me your solution to eth0@list.ru
$

###########################################################


Let's look at it with GDB and objdump:


$ objdump -d crackme

crackme: file format elf32-i386

...
... (unimportant parts omitted) ...

Disassembly of section .text:

08048440 <.text>:
8048440: 31 ed xor %ebp,%ebp
8048442: 5e pop %esi
8048443: 89 e1 mov %esp,%ecx
8048445: 83 e4 f0 and $0xfffffff0,%esp
8048448: 50 push %eax
8048449: 54 push %esp
804844a: 52 push %edx
804844b: 68 00 87 04 08 push $0x8048700
8048450: 68 a0 86 04 08 push $0x80486a0
8048455: 51 push %ecx
8048456: 56 push %esi
8048457: 68 20 85 04 08 push $0x8048520
804845c: e8 9f ff ff ff call 8048400 <__libc_start_main@plt>
8048461: f4 hlt
8048462: 90 nop
8048463: 90 nop
8048464: 55 push %ebp
8048465: 89 e5 mov %esp,%ebp
8048467: 53 push %ebx
8048468: e8 00 00 00 00 call 804846d
804846d: 5b pop %ebx
804846e: 81 c3 6b 16 00 00 add $0x166b,%ebx
8048474: 50 push %eax
8048475: 8b 83 30 00 00 00 mov 0x30(%ebx),%eax
804847b: 85 c0 test %eax,%eax
804847d: 74 02 je 8048481
804847f: ff d0 call *%eax
8048481: 8b 5d fc mov -0x4(%ebp),%ebx
8048484: c9 leave
8048485: c3 ret
8048486: 90 nop
8048487: 90 nop
8048488: 90 nop
8048489: 90 nop
804848a: 90 nop
804848b: 90 nop
804848c: 90 nop
804848d: 90 nop
804848e: 90 nop
804848f: 90 nop
8048490: 55 push %ebp
8048491: 89 e5 mov %esp,%ebp
8048493: 83 ec 08 sub $0x8,%esp
8048496: 83 3d f8 99 04 08 00 cmpl $0x0,0x80499f8
804849d: 75 3e jne 80484dd
804849f: eb 12 jmp 80484b3
80484a1: a1 f4 99 04 08 mov 0x80499f4,%eax
80484a6: 8d 50 04 lea 0x4(%eax),%edx
80484a9: 89 15 f4 99 04 08 mov %edx,0x80499f4
80484af: 8b 00 mov (%eax),%eax
80484b1: ff d0 call *%eax
80484b3: a1 f4 99 04 08 mov 0x80499f4,%eax
80484b8: 83 38 00 cmpl $0x0,(%eax)
80484bb: 75 e4 jne 80484a1
80484bd: b8 e0 83 04 08 mov $0x80483e0,%eax
80484c2: 85 c0 test %eax,%eax
80484c4: 74 0d je 80484d3
80484c6: 83 c4 f4 add $0xfffffff4,%esp
80484c9: 68 fc 99 04 08 push $0x80499fc
80484ce: e8 0d ff ff ff call 80483e0 <__deregister_frame_info@plt>
80484d3: c7 05 f8 99 04 08 01 movl $0x1,0x80499f8
80484da: 00 00 00
80484dd: c9 leave
80484de: c3 ret
80484df: 90 nop
80484e0: 55 push %ebp
80484e1: 89 e5 mov %esp,%ebp
80484e3: 83 ec 08 sub $0x8,%esp
80484e6: c9 leave
80484e7: c3 ret
80484e8: 55 push %ebp
80484e9: 89 e5 mov %esp,%ebp
80484eb: 83 ec 08 sub $0x8,%esp
80484ee: b8 b0 83 04 08 mov $0x80483b0,%eax
80484f3: 85 c0 test %eax,%eax
80484f5: 74 12 je 8048509
80484f7: 83 c4 f8 add $0xfffffff8,%esp
80484fa: 68 0c 9b 04 08 push $0x8049b0c
80484ff: 68 fc 99 04 08 push $0x80499fc
8048504: e8 a7 fe ff ff call 80483b0 <__register_frame_info@plt>
8048509: c9 leave
804850a: c3 ret
804850b: 90 nop
804850c: 55 push %ebp
804850d: 89 e5 mov %esp,%ebp
804850f: 83 ec 08 sub $0x8,%esp
8048512: c9 leave
8048513: c3 ret
8048514: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
804851a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
8048520: 55 push %ebp
8048521: 89 e5 mov %esp,%ebp
8048523: 81 ec 18 04 00 00 sub $0x418,%esp
8048529: 6a 00 push $0x0
804852b: 6a 01 push $0x1
804852d: 6a 00 push $0x0
804852f: 6a 00 push $0x0
8048531: e8 ba fe ff ff call 80483f0
8048536: 83 c4 10 add $0x10,%esp
8048539: 89 c0 mov %eax,%eax
804853b: 85 c0 test %eax,%eax
804853d: 7d 21 jge 8048560
804853f: 83 c4 f4 add $0xfffffff4,%esp
8048542: 68 e0 87 04 08 push $0x80487e0
8048547: e8 c4 fe ff ff call 8048410
804854c: 83 c4 10 add $0x10,%esp
804854f: b8 01 00 00 00 mov $0x1,%eax
8048554: e9 37 01 00 00 jmp 8048690
8048559: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
8048560: 83 c4 f4 add $0xfffffff4,%esp
8048563: 68 00 88 04 08 push $0x8048800
8048568: e8 a3 fe ff ff call 8048410
804856d: 83 c4 10 add $0x10,%esp
8048570: 83 c4 f4 add $0xfffffff4,%esp
8048573: 68 40 88 04 08 push $0x8048840
8048578: e8 93 fe ff ff call 8048410
804857d: 83 c4 10 add $0x10,%esp
8048580: 83 c4 f4 add $0xfffffff4,%esp
8048583: 68 68 88 04 08 push $0x8048868
8048588: e8 83 fe ff ff call 8048410
804858d: 83 c4 10 add $0x10,%esp
8048590: 83 c4 f8 add $0xfffffff8,%esp
8048593: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
8048599: 50 push %eax
804859a: 68 7c 88 04 08 push $0x804887c
804859f: e8 2c fe ff ff call 80483d0
80485a4: 83 c4 10 add $0x10,%esp
80485a7: 83 c4 f8 add $0xfffffff8,%esp
80485aa: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
80485b0: 50 push %eax
80485b1: 68 7f 88 04 08 push $0x804887f
80485b6: e8 55 fe ff ff call 8048410
80485bb: 83 c4 10 add $0x10,%esp
80485be: 83 c4 f4 add $0xfffffff4,%esp
80485c1: 68 98 88 04 08 push $0x8048898
80485c6: e8 45 fe ff ff call 8048410
80485cb: 83 c4 10 add $0x10,%esp
80485ce: 83 c4 f8 add $0xfffffff8,%esp
80485d1: 68 b6 88 04 08 push $0x80488b6
80485d6: 8d 85 00 fc ff ff lea -0x400(%ebp),%eax
80485dc: 50 push %eax
80485dd: e8 de fd ff ff call 80483c0
80485e2: 83 c4 10 add $0x10,%esp
80485e5: 89 c0 mov %eax,%eax
80485e7: 85 c0 test %eax,%eax
80485e9: 75 15 jne 8048600
80485eb: 83 c4 f4 add $0xfffffff4,%esp
80485ee: 68 c9 88 04 08 push $0x80488c9
80485f3: e8 18 fe ff ff call 8048410
80485f8: 83 c4 10 add $0x10,%esp
80485fb: eb 17 jmp 8048614
80485fd: 8d 76 00 lea 0x0(%esi),%esi
8048600: 83 c4 f4 add $0xfffffff4,%esp
8048603: 68 dd 88 04 08 push $0x80488dd
8048608: e8 03 fe ff ff call 8048410
804860d: 83 c4 10 add $0x10,%esp
8048610: 31 c0 xor %eax,%eax
8048612: eb 7c jmp 8048690
8048614: 83 c4 f4 add $0xfffffff4,%esp
8048617: 68 eb 88 04 08 push $0x80488eb
804861c: e8 ef fd ff ff call 8048410
8048621: 83 c4 10 add $0x10,%esp
8048624: 83 c4 f8 add $0xfffffff8,%esp
8048627: 68 08 89 04 08 push $0x8048908
804862c: 68 20 89 04 08 push $0x8048920
8048631: e8 fa fd ff ff call 8048430
8048636: 83 c4 10 add $0x10,%esp
8048639: 89 c0 mov %eax,%eax
804863b: 89 85 fc fb ff ff mov %eax,-0x404(%ebp)
8048641: 83 bd fc fb ff ff 00 cmpl $0x0,-0x404(%ebp)
8048648: 75 1d jne 8048667
804864a: 83 c4 f4 add $0xfffffff4,%esp
804864d: 68 40 89 04 08 push $0x8048940
8048652: e8 b9 fd ff ff call 8048410
8048657: 83 c4 10 add $0x10,%esp
804865a: 83 c4 f4 add $0xfffffff4,%esp
804865d: 6a 00 push $0x0
804865f: e8 bc fd ff ff call 8048420
8048664: 83 c4 10 add $0x10,%esp
8048667: 83 c4 f4 add $0xfffffff4,%esp
804866a: 68 80 89 04 08 push $0x8048980
804866f: e8 9c fd ff ff call 8048410
8048674: 83 c4 10 add $0x10,%esp
8048677: 83 c4 f4 add $0xfffffff4,%esp
804867a: 68 c0 89 04 08 push $0x80489c0
804867f: e8 8c fd ff ff call 8048410
8048684: 83 c4 10 add $0x10,%esp
8048687: 31 c0 xor %eax,%eax
8048689: eb 05 jmp 8048690
804868b: 90 nop
804868c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
8048690: c9 leave
8048691: c3 ret
8048692: 90 nop
8048693: 90 nop
8048694: 90 nop
8048695: 90 nop
8048696: 90 nop
8048697: 90 nop
8048698: 90 nop
8048699: 90 nop
804869a: 90 nop
804869b: 90 nop
804869c: 90 nop
804869d: 90 nop
804869e: 90 nop
804869f: 90 nop
80486a0: 55 push %ebp
80486a1: 89 e5 mov %esp,%ebp
80486a3: 57 push %edi
80486a4: 56 push %esi
80486a5: 31 f6 xor %esi,%esi
80486a7: 53 push %ebx
80486a8: 83 ec 0c sub $0xc,%esp
80486ab: e8 a0 00 00 00 call 8048750
80486b0: 81 c3 28 14 00 00 add $0x1428,%ebx
80486b6: e8 cd fc ff ff call 8048388 <__register_frame_info@plt-0x28>
80486bb: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
80486c1: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
80486c7: 29 c2 sub %eax,%edx
80486c9: c1 fa 02 sar $0x2,%edx
80486cc: 39 d6 cmp %edx,%esi
80486ce: 73 1c jae 80486ec
80486d0: 89 d7 mov %edx,%edi
80486d2: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
80486d9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
80486e0: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
80486e7: 46 inc %esi
80486e8: 39 fe cmp %edi,%esi
80486ea: 72 f4 jb 80486e0
80486ec: 83 c4 0c add $0xc,%esp
80486ef: 5b pop %ebx
80486f0: 5e pop %esi
80486f1: 5f pop %edi
80486f2: 5d pop %ebp
80486f3: c3 ret
80486f4: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80486fa: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
8048700: 55 push %ebp
8048701: 89 e5 mov %esp,%ebp
8048703: 83 ec 08 sub $0x8,%esp
8048706: 89 1c 24 mov %ebx,(%esp)
8048709: e8 42 00 00 00 call 8048750
804870e: 81 c3 ca 13 00 00 add $0x13ca,%ebx
8048714: 89 74 24 04 mov %esi,0x4(%esp)
8048718: 8d 83 14 ff ff ff lea -0xec(%ebx),%eax
804871e: 8d 93 14 ff ff ff lea -0xec(%ebx),%edx
8048724: 29 d0 sub %edx,%eax
8048726: c1 f8 02 sar $0x2,%eax
8048729: 85 c0 test %eax,%eax
804872b: 8d 70 ff lea -0x1(%eax),%esi
804872e: 75 10 jne 8048740
8048730: e8 5b 00 00 00 call 8048790
8048735: 8b 1c 24 mov (%esp),%ebx
8048738: 8b 74 24 04 mov 0x4(%esp),%esi
804873c: 89 ec mov %ebp,%esp
804873e: 5d pop %ebp
804873f: c3 ret
8048740: ff 94 b3 14 ff ff ff call *-0xec(%ebx,%esi,4)
8048747: 89 f0 mov %esi,%eax
8048749: 4e dec %esi
804874a: 85 c0 test %eax,%eax
804874c: 75 f2 jne 8048740
804874e: eb e0 jmp 8048730
8048750: 8b 1c 24 mov (%esp),%ebx
8048753: c3 ret
8048754: 90 nop
8048755: 90 nop
8048756: 90 nop
8048757: 90 nop
8048758: 90 nop
8048759: 90 nop
804875a: 90 nop
804875b: 90 nop
804875c: 90 nop
804875d: 90 nop
804875e: 90 nop
804875f: 90 nop
8048760: 55 push %ebp
8048761: 89 e5 mov %esp,%ebp
8048763: 83 ec 14 sub $0x14,%esp
8048766: 53 push %ebx
8048767: bb c8 9a 04 08 mov $0x8049ac8,%ebx
804876c: 83 3d c8 9a 04 08 ff cmpl $0xffffffff,0x8049ac8
8048773: 74 0c je 8048781
8048775: 8b 03 mov (%ebx),%eax
8048777: ff d0 call *%eax
8048779: 83 c3 fc add $0xfffffffc,%ebx
804877c: 83 3b ff cmpl $0xffffffff,(%ebx)
804877f: 75 f4 jne 8048775
8048781: 5b pop %ebx
8048782: c9 leave
8048783: c3 ret
8048784: 55 push %ebp
8048785: 89 e5 mov %esp,%ebp
8048787: 83 ec 08 sub $0x8,%esp
804878a: c9 leave
804878b: c3 ret
804878c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi


Some strings with gdb:


$ gdb ./crackme
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".

(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme
Are you trying to Debug me?

Program exited with code 01.
(gdb) x/s 0x80487e0
0x80487e0: "Are you trying to Debug me?\n"


The program calls ptrace(PTRACE_TRACEME) to find out whether it is already being traced or debugged: under a debugger the call fails and returns -1, so the jge at 0x804853d (taken only when eax is non-negative) falls through to the "Are you trying to Debug me?" message. Changing that single conditional jump is enough to get past the check. In the patched copy 0x7d (jge) becomes 0x7e (jle); since the return value is only ever 0 or -1, jle takes the branch either way. The byte cmp reports, 1342, is file offset 0x53d (0x804853d - 0x8048000) counted from 1. The same result without touching the file: in gdb, break *0x8048536, run, set $eax = 0 and continue.


$ cmp -b crackme crackme_parcheado
crackme crackme_parcheado differ: byte 1342, line 3 is 175 } 176 ~

$ objdump -d crackme | grep 804853d
804853d: 7d 21 jge 8048560

$ objdump -d crackme_parcheado | grep 804853d
804853d: 7e 21 jle 8048560
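The patch above was applied by hand at the byte cmp pointed out. The script below is an added example, not part of the original post: it does the same edit generically by translating a virtual address into a file offset through the ELF32 program headers, and refuses to write if the byte at that address is not the opcode you expect (wrong address, wrong file, or an already patched copy). The crackme binary is not embedded here; make_demo_elf() builds a constructed, non-runnable stand-in whose only purpose is to carry a jge (7d 21) at 0x0804853d under the same mapping as the real file (offset 0 at 0x08048000).

```python
import struct

PT_LOAD = 1
ELF_MAGIC = b"\x7fELF"


def load_segments(data: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD of a little-endian ELF32."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:  # EI_CLASS=32-bit, EI_DATA=LSB
        raise ValueError("not a little-endian 32-bit ELF")
    e_phoff = struct.unpack_from("<I", data, 28)[0]             # ELF32 e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)  # e_phentsize, e_phnum
    segments = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from("<5I", data, base)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def va_to_offset(data: bytes, va: int) -> int:
    """Map a virtual address to its file offset (only the file-backed part of a segment)."""
    for p_offset, p_vaddr, p_filesz in load_segments(data):
        if p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    raise ValueError(f"0x{va:x} is not backed by any PT_LOAD segment")


def patch_byte(data: bytes, va: int, expected: int, new: int) -> bytes:
    """Return a copy of data with the byte at va replaced; refuse to touch anything
    if the byte there is not the opcode we expect."""
    off = va_to_offset(data, va)
    if data[off] != expected:
        raise ValueError(
            f"byte at 0x{va:x} (file offset 0x{off:x}) is 0x{data[off]:02x}, "
            f"expected 0x{expected:02x}")
    out = bytearray(data)
    out[off] = new
    return bytes(out)


def make_demo_elf() -> bytes:
    """Constructed stand-in for the crackme (the real binary is not embedded):
    one PT_LOAD mapping file offset 0 at 0x08048000, with 'jge' (7d 21) at
    0x0804853d as in the listing. Only the fields the patcher reads are filled."""
    ehdr = bytearray(52)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5] = 1, 1                    # ELFCLASS32, ELFDATA2LSB
    struct.pack_into("<I", ehdr, 28, 52)       # e_phoff: program headers follow the header
    struct.pack_into("<HH", ehdr, 42, 32, 1)   # e_phentsize, e_phnum
    # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    phdr = struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, 5, 0x1000)
    img = bytearray(0x1000)
    img[:52] = ehdr
    img[52:84] = phdr
    img[0x53d:0x53f] = b"\x7d\x21"             # jge 0x8048560
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:
        # python3 patch_va.py crackme crackme_parcheado 0x804853d 0x7d 0x7e
        src, dst = sys.argv[1], sys.argv[2]
        va, expected, new = (int(x, 0) for x in sys.argv[3:6])
        with open(src, "rb") as f:
            blob = f.read()
        with open(dst, "wb") as f:
            f.write(patch_byte(blob, va, expected, new))
        print(f"{dst}: 0x{va:x} 0x{expected:02x} -> 0x{new:02x}")
    else:
        demo = make_demo_elf()
        off = va_to_offset(demo, 0x0804853d)
        patched = patch_byte(demo, 0x0804853d, 0x7d, 0x7e)
        print(f"file offset 0x{off:x} (cmp reports byte {off + 1}): "
              f"{demo[off]:02x} -> {patched[off]:02x}")
```

Run with five arguments to patch a real file (source, destination, address, expected byte, new byte); with no arguments it runs against the constructed image and reports offset 0x53d, i.e. byte 1342 in cmp's 1-based numbering. Segments are looked up by p_filesz rather than p_memsz on purpose: an address that only exists in .bss has no byte in the file to patch.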


$ gdb ./crackme_parcheado
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".

(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_parcheado
-[ Linux CrackMe (Level:3) by cyrex ]-
-[ TODO: Get the valid password ]-
-[ Enter Password: aaa
-[ Entered Password: aaa
-[ Checking Stage 1 Now.....
-[ Game Over

Program exited normally.
(gdb)

##########################################################


Using ltrace (ltrace itself attaches with ptrace, so the unpatched binary detects it and exits; the patched copy carries on):

$ ltrace ./crackme
__libc_start_main(0x8048520, 1, 0xbf8d5c64, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb773ece0, 0xb773dff4, 0xbf8d5c64) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("Are you trying to Debug me?\n"Are you trying to Debug me?
) = 28
__deregister_frame_info(0x80499fc, 3, 0xbf8d5b00, 4, 0x80482a4) = 0
+++ exited (status 1) +++

$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfc384f4, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb787fce0, 0xb787eff4, 0xbfc384f4) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
) = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
) = 39
printf("-[ Enter Password: ") = 19
scanf(0x804887c, 0xbfc38048, 1, 0, 4-[ Enter Password: aaa
) = 1
printf("-[ Entered Password: %s\n", "aaa"-[ Entered Password: aaa
) = 25
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
) = 29
strcmp("aaa", "7gb5fjf8v4bg8fb34f") = 1
printf("-[ Game Over\n"-[ Game Over
) = 13
__deregister_frame_info(0x80499fc, 3, 0xbfc38390, 4, 0x80482a4) = 0
+++ exited (status 0) +++

and when we enter the first-stage serial, we see that in the second stage it tries to open the file "/tmp/crackme_89nfnjfiefheufeue":

$ ltrace ./crackme_parcheado
__libc_start_main(0x8048520, 1, 0xbfdb0c04, 0x80486a0, 0x8048700
__register_frame_info(0x80499fc, 0x8049b0c, 0xb7764ce0, 0xb7763ff4, 0xbfdb0c04) = 0x80499fc
ptrace(0, 0, 1, 0, 4) = -1
printf("-[ Linux CrackMe (Level:3) by cy"...-[ Linux CrackMe (Level:3) by cyrex ]-
) = 39
printf("-[ TODO: Get the valid password "...-[ TODO: Get the valid password ]-
) = 39
printf("-[ Enter Password: ") = 19
scanf(0x804887c, 0xbfdb0758, 1, 0, 4-[ Enter Password: 7gb5fjf8v4bg8fb34f
) = 1
printf("-[ Entered Password: %s\n", "7gb5fjf8v4bg8fb34f"-[ Entered Password: 7gb5fjf8v4bg8fb34f
) = 40
printf("-[ Checking Stage 1 Now.....\n"-[ Checking Stage 1 Now.....
) = 29
strcmp("7gb5fjf8v4bg8fb34f", "7gb5fjf8v4bg8fb34f") = 0
printf("-[ Stage 1 Cleared\n"-[ Stage 1 Cleared
) = 19
printf("-[ Checking Stage 2 Now....\n"-[ Checking Stage 2 Now....
) = 28
fopen("/tmp/crackme_89nfnjfiefheufeue", "r") = 0
printf("-[ Bad did you forgot something?"...-[ Bad did you forgot something?
) = 33
exit(0
__deregister_frame_info(0x80499fc, 3, 0xbfdb0670, 4, 0xb7783b28) = 0
+++ exited (status 0) +++




Solution - Linux - cyrex's Linux CrackMe

http://www.crackmes.de/users/cyrex/linux_crackme/

$ wget http://www.crackmes.de/users/cyrex/linux_crackme/download
--2011-01-04 17:28:23-- http://www.crackmes.de/users/cyrex/linux_crackme/download
Resolving www.crackmes.de... 88.198.55.82
Connecting to www.crackmes.de|88.198.55.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5497 (5.4K) [application/tgz]
Saving to: `download'

100%[============================================================================================================>] 5,497 --.-K/s in 0.1s

2011-01-04 17:28:26 (48.0 KB/s) - `download' saved [5497/5497]

$ mv download crackme_01.tgz
$ file crackme_01.tgz
crackme_01.tgz: gzip compressed data, from Unix, last modified: Mon Feb 21 20:39:58 2005
$ tar xvzf crackme_01.tgz
crackme_01/
crackme_01/crackme

$ ./crackme
-[ Linux CrackMe (Level:2) by cyrex ]-
-[ TODO: You have to get the valid Password ]-
Enter Password: 1234
-[ Ohhhh, your skills are bad try again later ]-
$
$ strings crackme
/lib/ld-linux.so.2
libc.so.6
printf
__deregister_frame_info
strcmp
scanf
_IO_stdin_used
__libc_start_main
__register_frame_info
__gmon_start__
GLIBC_2.0
PTRhP
QVhP
[^_]
-[ Linux CrackMe (Level:2) by cyrex ]-
-[ TODO: You have to get the valid Password ]-
Enter Password:
47ghf6fh37fbgbgj
-[ Good, You're ready to begin linux reversing ]-
-[ Ohhhh, your skills are bad try again later ]-
$

$ ./crackme
-[ Linux CrackMe (Level:2) by cyrex ]-
-[ TODO: You have to get the valid Password ]-
Enter Password: 47ghf6fh37fbgbgj
-[ Good, You're ready to begin linux reversing ]-

Let's look at it with GDB, although it is quite simple to understand:



$ gdb ./crackme
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Reading symbols from /home/uknow/Escritorio/kk/pruebas/crackme_01/crackme...done.
(gdb) disass main
Dump of assembler code for function main:
0x08048450 <+0>: push %ebp
0x08048451 <+1>: mov %esp,%ebp
0x08048453 <+3>: sub $0x28,%esp
0x08048456 <+6>: add $0xfffffff4,%esp
0x08048459 <+9>: push $0x8048620
0x0804845e <+14>: call 0x804835c
0x08048463 <+19>: add $0x10,%esp
0x08048466 <+22>: add $0xfffffff4,%esp
0x08048469 <+25>: push $0x8048660
0x0804846e <+30>: call 0x804835c
0x08048473 <+35>: add $0x10,%esp
0x08048476 <+38>: add $0xfffffff4,%esp
0x08048479 <+41>: push $0x8048690
0x0804847e <+46>: call 0x804835c
0x08048483 <+51>: add $0x10,%esp
0x08048486 <+54>: add $0xfffffff8,%esp
0x08048489 <+57>: lea -0x20(%ebp),%eax
0x0804848c <+60>: push %eax
0x0804848d <+61>: push $0x80486a1
0x08048492 <+66>: call 0x804832c
0x08048497 <+71>: add $0x10,%esp
0x0804849a <+74>: add $0xfffffff8,%esp
0x0804849d <+77>: push $0x80486a4
0x080484a2 <+82>: lea -0x20(%ebp),%eax
0x080484a5 <+85>: push %eax
0x080484a6 <+86>: call 0x804831c
0x080484ab <+91>: add $0x10,%esp
0x080484ae <+94>: mov %eax,%eax
0x080484b0 <+96>: test %eax,%eax
0x080484b2 <+98>: jne 0x80484c6
0x080484b4 <+100>: add $0xfffffff4,%esp
0x080484b7 <+103>: push $0x80486c0
0x080484bc <+108>: call 0x804835c
0x080484c1 <+113>: add $0x10,%esp
0x080484c4 <+116>: jmp 0x80484d6
0x080484c6 <+118>: add $0xfffffff4,%esp
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/s 0x80486a4
0x80486a4: "47ghf6fh37fbgbgj"
(gdb) r
Starting program: /home/uknow/Escritorio/kk/pruebas/crackme_01/crackme 47ghf6fh37fbgbgj
-[ Linux CrackMe (Level:2) by cyrex ]-
-[ TODO: You have to get the valid Password ]-
Enter Password: 47ghf6fh37fbgbgj
-[ Good, You're ready to begin linux reversing ]-

Program exited normally.
(gdb) x/s 0x80486c0
0x80486c0: "-[ Good, You're ready to begin linux reversing ]-\n"
(gdb) q



Solution - Linux - lord's easy linux crackme

http://www.crackmes.de/users/lord/easy_linux_crackme/


$ wget http://www.crackmes.de/users/lord/easy_linux_crackme/download
--2011-01-04 17:04:45-- http://www.crackmes.de/users/lord/easy_linux_crackme/download
Resolving www.crackmes.de... 88.198.55.82
Connecting to www.crackmes.de|88.198.55.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 362 [application/gz]
Saving to: `download'

100%[============================================================================================================>] 362 --.-K/s in 0s

2011-01-04 17:04:47 (18.6 MB/s) - `download' saved [362/362]

$ mv download blah.tar.gz


$ tar xvzf blah.tar.gz
blah

$ file blah
blah: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

$ strings blah
Okej!
$ chmod +x blah


$ ./blah
$

$ objdump -d blah

blah: file format elf32-i386


Disassembly of section .text:

08048094 <.text>:
8048094: 31 c0 xor %eax,%eax
8048096: b8 2f 00 00 00 mov $0x2f,%eax
804809b: cd 80 int $0x80
804809d: 3d ad de 00 00 cmp $0xdead,%eax
80480a2: 75 16 jne 0x80480ba
80480a4: b8 04 00 00 00 mov $0x4,%eax
80480a9: bb 01 00 00 00 mov $0x1,%ebx
80480ae: b9 c4 90 04 08 mov $0x80490c4,%ecx
80480b3: ba 06 00 00 00 mov $0x6,%edx
80480b8: cd 80 int $0x80
80480ba: 31 c0 xor %eax,%eax
80480bc: 40 inc %eax
80480bd: 31 db xor %ebx,%ebx
80480bf: cd 80 int $0x80


$ perl -e 'print 0xdead'
57005

$

$ perl -e 'print 0x2f'
47


We see it makes syscall 47 (eax = 0x2f); let's find out which one that is:



$ cat /usr/include/asm/unistd_32.h | grep 47
#define __NR_getgid 47
#define __NR_getsid 147
#define __NR_io_getevents 247

It compares our gid with 57005 (0xdead): if it matches it prints the success message, otherwise it exits silently :( Since the binary is statically linked and issues the syscall itself with int 0x80, there is no libc getgid() to hook with LD_PRELOAD; the options are to run it with that gid, to trace it and rewrite the syscall's return value, or to patch the cmp/jne. Running it with the right gid is the easiest (on systems where useradd -g insists on an existing group, create it first with groupadd -g 57005):



$ sudo useradd -g 57005 titopako
$ sudo passwd titopako
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

$ su titopako
Password:
$ ./blah
Okej!
$ id
uid=1002(titopako) gid=57005(titopako) groups=57005(titopako)


Solution - Linux - lord's Easy crackme 2

http://www.crackmes.de/users/lord/easy_crackme_2/

$ wget http://www.crackmes.de/users/lord/easy_crackme_2/download
--2011-01-04 15:19:11-- http://www.crackmes.de/users/lord/easy_crackme_2/download
Resolving www.crackmes.de... 88.198.55.82
Connecting to www.crackmes.de|88.198.55.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 362 [application/gz]
Saving to: `download'

100%[============================================================================================================>] 362 --.-K/s in 0s

2011-01-04 15:19:17 (36.3 MB/s) - `download' saved [362/362]


$ file download
download: gzip compressed data, was "cm1eng", from Unix, last modified: Fri Mar 31 10:34:34 2006

$ mv download cm1eng.gz
$ gzip -d cm1eng.gz
$ chmod +x cm1eng
$ ./cm1eng

Password : asdf
$



$ strings cm1eng
Password :
Great you did it !:)

QTBXCTU


$ objdump -d cm1eng

cm1eng: file format elf32-i386


Disassembly of section .text:

08048080 <.text>:
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 f8 90 04 08 mov $0x80490f8,%ecx
804808f: ba 0d 00 00 00 mov $0xd,%edx
8048094: cd 80 int $0x80
8048096: ba 00 01 00 00 mov $0x100,%edx
804809b: b9 1b 91 04 08 mov $0x804911b,%ecx
80480a0: bb 00 00 00 00 mov $0x0,%ebx
80480a5: b8 03 00 00 00 mov $0x3,%eax
80480aa: cd 80 int $0x80
80480ac: be 26 91 04 08 mov $0x8049126,%esi
80480b1: 89 f7 mov %esi,%edi
80480b3: 31 db xor %ebx,%ebx
80480b5: fc cld
80480b6: ac lods %ds:(%esi),%al
80480b7: 34 21 xor $0x21,%al
80480b9: aa stos %al,%es:(%edi)
80480ba: 43 inc %ebx
80480bb: 81 fb 07 00 00 00 cmp $0x7,%ebx
80480c1: 74 02 je 0x80480c5
80480c3: e2 f1 loop 0x80480b6
80480c5: be 1b 91 04 08 mov $0x804911b,%esi
80480ca: bf 26 91 04 08 mov $0x8049126,%edi
80480cf: b9 07 00 00 00 mov $0x7,%ecx
80480d4: fc cld
80480d5: f3 a6 repz cmpsb %es:(%edi),%ds:(%esi)
80480d7: 75 16 jne 0x80480ef
80480d9: b8 04 00 00 00 mov $0x4,%eax
80480de: bb 01 00 00 00 mov $0x1,%ebx
80480e3: b9 05 91 04 08 mov $0x8049105,%ecx
80480e8: ba 16 00 00 00 mov $0x16,%edx
80480ed: cd 80 int $0x80
80480ef: b8 01 00 00 00 mov $0x1,%eax
80480f4: cd 80 int $0x80
$

We see that only the first 7 bytes of the input are compared (repz cmpsb with ecx = 7, so anything after them, including the newline from the terminal, is ignored), and that before the comparison the binary XORs a stored 7-byte string in place with 0x21 (the '!' character in ASCII).

Looking at the strings, that stored string is QTBXCTU; XORing it with the same key gives the password.


$ perl -e 'print "QTBXCTU"^"!!!!!!!\n"'
pucybut


$ ./cm1eng

Password : pucybut
Great you did it !:)
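The perl one-liner recovers the key; the model below is an added example, not code from the crackme or its author, that replays the whole check as the listing describes it. It lays out a constructed data segment the way the addresses imply (read() destination 0x804911b, the 7 encoded key bytes 11 bytes later at 0x8049126), performs read(0, buf, 0x100), the in-place XOR with 0x21 and the 7-byte compare, and so shows which inputs pass. One thing the listing implies that the post does not mention: read() accepts up to 0x100 bytes into that 11-byte gap, so an 18-byte input can overwrite the stored key with a value of its own choosing before it is decoded. overflow_input() builds such an input from the numbers in the listing; I have inferred it from the disassembly, not verified it against the binary here.

```python
BUF_ADDR = 0x804911B       # read() destination, from the listing
KEY_ADDR = 0x8049126       # encoded key, 11 bytes after the buffer
KEY_LEN = 7                # repz cmpsb count
READ_MAX = 0x100           # read() length
XOR_KEY = 0x21             # '!'
STORED_KEY = b"QTBXCTU"    # what strings showed


def decode_key(stored: bytes = STORED_KEY) -> bytes:
    """What the lods/xor/stos loop at 0x80480b6 produces: 7 bytes XOR 0x21."""
    return bytes(b ^ XOR_KEY for b in stored[:KEY_LEN])


def check_password(stdin_bytes: bytes) -> bool:
    """Simulate the binary on the given stdin contents; True means it would
    print 'Great you did it !:)'. The data segment is a constructed bytearray
    laid out as the listing implies; the addresses are only used for offsets."""
    seg = bytearray(READ_MAX + 64)                # constructed data segment
    key = KEY_ADDR - BUF_ADDR                     # offset of the key: 11
    seg[key:key + KEY_LEN] = STORED_KEY
    # read(0, 0x804911b, 0x100): up to 256 bytes into an 11-byte buffer
    data = stdin_bytes[:READ_MAX]
    seg[0:len(data)] = data
    # decode the 7 key bytes in place (they are read after the input lands)
    for i in range(KEY_LEN):
        seg[key + i] ^= XOR_KEY
    # repz cmpsb with ecx = 7: only the first 7 input bytes matter
    return bytes(seg[0:KEY_LEN]) == bytes(seg[key:key + KEY_LEN])


def overflow_input(prefix: bytes = b"aaaaaaa") -> bytes:
    """Input that passes without knowing the key (inferred from the listing):
    11 bytes fill the buffer, the next 7 overwrite the stored key with
    prefix XOR 0x21, and the decode loop XORs them back to prefix, which then
    equals the first 7 input bytes."""
    if len(prefix) != KEY_LEN:
        raise ValueError("prefix must be exactly 7 bytes")
    filler = prefix + b"a" * (KEY_ADDR - BUF_ADDR - KEY_LEN)
    return filler + bytes(b ^ XOR_KEY for b in prefix)


if __name__ == "__main__":
    print("key:", decode_key().decode())
    for candidate in (b"pucybut\n", b"pucybutXYZ", b"asdf\n", overflow_input()):
        print(repr(candidate), "->", check_password(candidate))
```

The three facts the model makes concrete: the trailing newline does not matter, any input sharing the first 7 bytes with the key passes, and the input length is not bounded by the buffer. The overflow input would be fed with something like printf 'aaaaaaaaaaa@@@@@@@' | ./cm1eng, since 'a' XOR 0x21 is '@'.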