HTS Rooting Challenge 1

This is the place for ALL of the user submitted challenges. If you create a little challenge/mission/riddle/whatever, post it here.
Forum rules
Do not post missions that you did NOT create without proper citing.

Re: HTS Rooting Challenge 1

Post by pretentious on Tue Feb 05, 2013 3:50 am
([msg=73444]see Re: HTS Rooting Challenge 1[/msg])

along the same lines, I'm playing around with a virtual shell. It doesn't have much functionality but some badly coded foundations are laid

Code: Select all
#include <iostream>
#include <vector>
#include <string>
using namespace std;
void kernal(string command);
void makeDirRelative(string dir);
void echo(string arg);
void ls();
void ls(string arg);
void pwd();
void cat(string arg);
class permissions{
   public:
   bool read;
   bool write;
   bool execute;
   permissions(string perms){
      if(perms[0]=='r'){
         read = true;
      }else{
         read = false;
      }
      if(perms[1]=='w'){
         write = true;
      }else{
         write = false;
      }
      if(perms[2]=='x'){
         execute = true;
      }else{
         execute = false;
      }
   }
};
class file{
   public:
   string name;
   permissions *perms;
   string contents;
   file(string _name, string _perms, string _contents){
      name = _name;
      permissions a(_perms);
      perms = &a;
      contents = _contents;      
   }
};
class directory{
   public:
   string name;
   permissions* perms;
   directory* parent;
   vector<directory> subdirs;
   vector<file*> files;
   directory(string _name, string _perms, directory *_parent){
      parent = _parent;
      name = _name;
      permissions a(_perms);
      perms = &a;
      _parent->subdirs.push_back(*this);
   }
   directory(string _name, string _perms){
      name = _name;
      permissions a(_perms);
      perms = &a;
   }

};


directory * workingDir;
directory * relativeWorkingDir;
   directory root("/","---");
int main(){
   vector<directory> tree;   
tree.push_back(root);
   directory home("home","rwx",&root);
tree.push_back(home);
   file text("intro","rwx","this is a file");
   home.files.push_back(&text);
   directory pretentious("pretentious","rwx",&home);
   tree.push_back(pretentious);
   file note("note","rwx","this is a file");
   pretentious.files.push_back(&note);
::workingDir = &pretentious;   
   string input;

   for(;;){
      getline(cin,input);
      kernal(input);
   }
   

return 0;
}
void kernal(string command){
   vector<string> argv;

   int base = 0;
   int extension = 0;
   int length = command.length();
   while(extension < length){
      while(command[extension] != ' '  && extension <= length){
         extension ++;
      }
      if(command.substr(base,extension - base) != "")
         argv.push_back(command.substr(base,extension - base));
      base = extension +1;
      extension += 1;
    }

   if(argv[0] == "echo" && argv.size() ==2 ){
      echo(argv[1]);
   }
      if(argv[0] == "ls" && argv.size() ==1 ){
      ls();
   }
      if(argv[0] == "ls" && argv.size() ==2 ){
      ls(argv[1]);
   }   
      if(argv[0] == "pwd" && argv.size() ==1 ){
      pwd();
   }      
         if(argv[0] == "cat" && argv.size() ==2 ){
      cat(argv[1]);
   }   
}
void echo(string arg){
   cout<<arg<<endl;
}
void ls(string arg){
makeDirRelative(arg);
      for(int i = 0; i < relativeWorkingDir->subdirs.size(); i ++){
      cout<<relativeWorkingDir->subdirs[i].name<<endl;
      }
      for(int i = 0; i < workingDir->files.size(); i ++){
      cout<<relativeWorkingDir->files[i]->name<<endl;
      }
}
void ls(){
   
      for(int i = 0; i < workingDir->subdirs.size(); i ++){
      cout<<workingDir->subdirs[i].name<<endl;
      }
      for(int i = 0; i < workingDir->files.size(); i ++){
      cout<<workingDir->files[i]->name<<endl;
      }
}
void pwd(){
cout<< workingDir->name<<endl;
}
void cat(string arg){
   for(int i = 0; i < workingDir->files.size(); i ++){
      if (workingDir->files[i]->name == arg){
         cout<<workingDir->files[i]->contents<<endl;
      }
   }
}
void makeDirRelative(string dir){
   vector<string> parts;
       if(dir[0] == '/'){
      ::relativeWorkingDir= &root;
   }
   int base = 0;
   int extension = 0;
   int length = dir.length();
   while(extension < length){
      while(dir[extension] != '/'  && extension <= length){
         extension ++;
      }
      if(dir.substr(base,extension - base) != "")
         parts.push_back(dir.substr(base,extension - base));
      base = extension +1;
      extension += 1;
    }
for(int x = 0; x <parts.size(); x ++){
   if(parts[x][0] == '.' && parts[x][1] == '.' ){
   ::relativeWorkingDir = workingDir->parent;
   }else{
            for(int i = 0; i < workingDir->subdirs.size(); i ++){
      if(workingDir->subdirs[i].name == parts[x]){
            *::relativeWorkingDir = workingDir->subdirs[i];
         }
      }
   }
}

}
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
pretentious wrote:Welcome to bat country
User avatar
pretentious
Contributor
Contributor
 
Posts: 705
Joined: Wed Mar 03, 2010 12:48 am
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by limdis on Tue Feb 05, 2013 8:20 pm
([msg=73469]see Re: HTS Rooting Challenge 1[/msg])

I leave for a day and come back and this! Excited to try this one out :geek:
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1432
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by centip3de on Tue Feb 05, 2013 11:08 pm
([msg=73506]see Re: HTS Rooting Challenge 1[/msg])

Did I do this right?

Download: http://dl.dropbox.com/u/30539999/hts_ro ... dows64.exe
Hint: For extra fun, hit the "Enter" with no command!
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1467
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 0phidian on Wed Feb 06, 2013 12:57 pm
([msg=73512]see Re: HTS Rooting Challenge 1[/msg])

centip3de wrote:Did I do this right?

Download: http://dl.dropbox.com/u/30539999/hts_ro ... dows64.exe
Hint: For extra fun, hit the "Enter" with no command!

What did you do, reverse engineer it? Well, bonus points for you I guess.

To complete it you're just suppossed to get to congratulagions message. It's just a simple challenge geared towards newer people who dont have their own testing environment set up. Basically it's just a simulation to introduce people to some tools, show them how they work and the attacks associated with them. You could say the challenge is a bit skiddyish because it relies on the use of tools, but I think most people have to start with tools to learn concepts before they can start writing their own tools/exploits.
User avatar
0phidian
Poster
Poster
 
Posts: 270
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by centip3de on Wed Feb 06, 2013 2:23 pm
([msg=73513]see Re: HTS Rooting Challenge 1[/msg])

0phidian wrote:What did you do, reverse engineer it? Well, bonus points for you I guess.


Quite right, and thank you.

0phidian wrote:To complete it you're just suppossed to get to congratulagions message. It's just a simple challenge geared towards newer people who dont have their own testing environment set up. Basically it's just a simulation to introduce people to some tools, show them how they work and the attacks associated with them. You could say the challenge is a bit skiddyish because it relies on the use of tools, but I think most people have to start with tools to learn concepts before they can start writing their own tools/exploits.


I understand the reasoning and logic behind this challenge, however my post did have more than one intention (and none of them were to look like a tool). Primarily, I wanted to show you how easy it would be to reverse engineer this and cheat on it. I legitimately only had to load it in OllyDBG, look at the strings, and I found the password to the box. Granted, some strings are necessary to hard-code (commands, arguments, messages, etc.), but the password shouldn't be. Instead, some sort of algorithm (no matter how basic) should be implemented to randomly generate the password on each run. That way, although it would still be pretty simple to reverse engineer, it would deter most cheaters. Just some food for thought, really.

(If you're interested, the only other reason I did this was for funsies, as I haven't reversed anything in awhile (there aren't that many Linux-native debugger options out there that allow you to write to an executable).)

Anyway, good challenge, keep them up, just try to make them harder for me to break next time. :)
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1467
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 0phidian on Wed Feb 06, 2013 4:44 pm
([msg=73519]see Re: HTS Rooting Challenge 1[/msg])

centip3de wrote:I understand the reasoning and logic behind this challenge, however my post did have more than one intention (and none of them were to look like a tool). Primarily, I wanted to show you how easy it would be to reverse engineer this and cheat on it. I legitimately only had to load it in OllyDBG, look at the strings, and I found the password to the box. Granted, some strings are necessary to hard-code (commands, arguments, messages, etc.), but the password shouldn't be. Instead, some sort of algorithm (no matter how basic) should be implemented to randomly generate the password on each run. That way, although it would still be pretty simple to reverse engineer, it would deter most cheaters. Just some food for thought, really.

(If you're interested, the only other reason I did this was for funsies, as I haven't reversed anything in awhile (there aren't that many Linux-native debugger options out there that allow you to write to an executable).)

Anyway, good challenge, keep them up, just try to make them harder for me to break next time. :)


Thanks, I'll keep this in mind. I have never had someone trying to reverse engineer my code before, I'll have to do some research on how to make it harder to break.
User avatar
0phidian
Poster
Poster
 
Posts: 270
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by fuchsteufel on Mon Feb 11, 2013 10:26 pm
([msg=73681]see Re: HTS Rooting Challenge 1[/msg])

this one was very nice, thanks for that. I hope you will make more of these, perhaps a bit more difficult to solve (and perhaps with a implementation of nmaping a whole range of subnet ids ;)
I'd look at the code to implement it by myself, but I'm not good enough in that stuff to do so... :roll:

Edit: OK, I have to take a look before saying something. If the code pasted to github is still the one for the challenge, you could perhaps add some code like that in the nmap-case (sorry for posting obvious things, just wanted to help approving this great challenge idea):

Code: Select all
else if(args[1] == "192.168.49.0/24"){
         cout << "Starting Nmap 6.00 ( http://nmap.org )" << endl;
                        cout << "Nmap scan report for localhost (192.168.49.1)" << endl;
                        cout << "Not shown: 998 closed ports" << endl;
                        cout << "PORT   STATE SERVICE" << endl;
                        cout << "80/tcp open http" << endl;
                        cout << "443/tcp open https" << endl;
                        cout << "MAC Address: 08:00:28:da:72:30 (Unknown)\n" << endl;
         cout << "Nmap scan report for localhost (192.168.49.2)" << endl;
                        cout << "Not shown: 997 closed ports" << endl;
                        cout << "PORT   STATE SERVICE" << endl;
                        cout << "22/tcp open ssh" << endl;
                        cout << "80/tcp open http" << endl;
                        cout << "443/tcp open https" << endl;
                        cout << "MAC Address: 08:00:28:da:72:30 (Unknown)\n" << endl;
         cout << "Nmap scan report for localhost (192.168.49.101)" << endl;
                        cout << "Not shown: 998 closed ports" << endl;
                        cout << "PORT   STATE SERVICE" << endl;
                        cout << "22/tcp open ssh" << endl;
                        cout << "80/tcp open http" << endl;
                        cout << "MAC Address: 08:00:28:da:72:30 (Unknown)\n" << endl;
         cout << "Nmap done: 256 IP addresses (2 hosts up) scanned in 6.46 seconds" << endl;
         
      }
fuchsteufel
New User
New User
 
Posts: 12
Joined: Sat Feb 09, 2013 11:45 pm
Blog: View Blog (0)


Previous

Return to User Submitted

Who is online

Users browsing this forum: No registered users and 0 guests