Lab1C Write-up (Easy)


MBE’s Lab01 are mainly focused on reverse engineering so, we don’t have any source code (but who needs it). The first level (Lab1C) is quite simple and a good introduction to basic RCE.

First, log into the Lab01 as lab1C (lab1C:lab01start) and go to the challenges folder:

$ ssh lab1C@<VM_IP>
$ cd /levels/lab01

Let’s execute the program and see what is does:

lab1C@warzone:/levels/lab01$ ./lab1C
-----------------------------
--- RPISEC - CrackMe v1.0 ---
-----------------------------

Password: TestMe!    

Invalid Password!!!
lab1C@warzone:/levels/lab01$ 

The program is asking for a password and obviously, we don’t have it. We’ll need to do a bit of analysis to find out how our input is processed and what the password might be.

Binary Analysis

In this first challenge, we don’t really need to do any kind of dynamic analysis. If you read the assembly code, you should be able to figure out the password.

You can easily disassemble the main routine with GDB. I added some comments to help you understand the code.

gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x080486ad <+0>:	push   ebp
   0x080486ae <+1>:	mov    ebp,esp
   0x080486b0 <+3>:	and    esp,0xfffffff0
   0x080486b3 <+6>:	sub    esp,0x20
   0x080486b6 <+9>:	mov    DWORD PTR [esp],0x80487d0
   0x080486bd <+16>:	call   0x8048560 <puts@plt> ; Print banner
   0x080486c2 <+21>:	mov    DWORD PTR [esp],0x80487ee
   0x080486c9 <+28>:	call   0x8048560 <puts@plt> ; Print banner
   0x080486ce <+33>:	mov    DWORD PTR [esp],0x80487d0
   0x080486d5 <+40>:	call   0x8048560 <puts@plt> ; Print banner
   0x080486da <+45>:	mov    DWORD PTR [esp],0x804880c
   0x080486e1 <+52>:	call   0x8048550 <printf@plt> ; Print "Password: "
   0x080486e6 <+57>:	lea    eax,[esp+0x1c]
   0x080486ea <+61>:	mov    DWORD PTR [esp+0x4],eax
   0x080486ee <+65>:	mov    DWORD PTR [esp],0x8048818
   0x080486f5 <+72>:	call   0x80485a0 <__isoc99_scanf@plt> ; Wait for user input
   0x080486fa <+77>:	mov    eax,DWORD PTR [esp+0x1c]
   0x080486fe <+81>:	cmp    eax,0x149a ; Test the password
   0x08048703 <+86>:	jne    0x8048724 <main+119> ; If incorrect password jump to <main+119>
   0x08048705 <+88>:	mov    DWORD PTR [esp],0x804881b
   0x0804870c <+95>:	call   0x8048560 <puts@plt>
   0x08048711 <+100>:	mov    DWORD PTR [esp],0x804882b
   0x08048718 <+107>:	call   0x8048570 <system@plt> ; Give shell for "lab1B"
   0x0804871d <+112>:	mov    eax,0x0
   0x08048722 <+117>:	jmp    0x8048735 <main+136>
   0x08048724 <+119>:	mov    DWORD PTR [esp],0x8048833
   0x0804872b <+126>:	call   0x8048560 <puts@plt> ; Print fail message
   0x08048730 <+131>:	mov    eax,0x1
   0x08048735 <+136>:	leave  
   0x08048736 <+137>:	ret    
End of assembler dump.

The interesting code is right here:

0x080486e6 <+57>:	lea    eax,[esp+0x1c]
0x080486ea <+61>:	mov    DWORD PTR [esp+0x4],eax
0x080486ee <+65>:	mov    DWORD PTR [esp],0x8048818
0x080486f5 <+72>:	call   0x80485a0 <__isoc99_scanf@plt>
0x080486fa <+77>:	mov    eax,DWORD PTR [esp+0x1c]
0x080486fe <+81>:	cmp    eax,0x149a

The scanf() function reads data from stdin and stores it according to the parameter format into the locations pointed by the additional argument.

int scanf ( const char * format, ... );

Here, the arguments are placed in reverse order on the stack so, 0x080486ea <+61>: mov DWORD PTR [esp+0x4],eax points to an allocated space on the stack for our input and 0x080486ee <+65>: mov DWORD PTR [esp],0x8048818 contains the format expected. We can check the format expected by using GDB:

gdb-peda$ x/s 0x8048818
0x8048818:	"%d"

As we can see, the program expects a decimal integer: “%d” (and not a string). Then, our input is compared to 0x149a, which equals to 5274 in decimal. So, the password should be 5274.

Solution

Now that we have analyzed how the input is handled, let’s try it again and solve this challenge.

lab1C@warzone:/levels/lab01$ ./lab1C
-----------------------------
--- RPISEC - CrackMe v1.0 ---
-----------------------------

Password: 5274

Authenticated!
$ whoami
lab1B
$ cat /home/lab1B/.pass
n0_str1ngs_n0_pr0bl3m

Solved! Let’s tackle the next challenge!

Updated: