[io64][smashthestack] level 1: a piece of cake

Here it is, my first post!

In this post I’ll be talking about smashthestack’s io64 level1.

First let’s connect to the server:

The instructions are pretty straightforward, so let’s have a look at the levels folder:

All binaries have the suid bit set and belong to the next level.

We can spot an sqlite database provided with the level01 binary.

A first execution of level01 with no arguments gives the following output:

Luckily enough, radare2 and gdb are available on the server, so let’s first get a list of all strings from the data section:

We can spot the “select password from password” SQL command

and another interesting string: /bin/sh, which suggests the code is likely to spawn a shell on success.

Time to analyse the code with radare2:

Nothing really interesting is happening in this block: the code is just storing argc and argv in local_4_4 and local_6, setting local_0_4 to 0 and checking that we actually provided a parameter on the command line.

Here the code is just opening the database. Let’s see what’s happening next:

This block just compiles the “select password from password” query into an SQL statement. Next block!

Here the code evaluates the statement, then continues if a row has been found (0x64 == SQLITE_ROW). Next block!

Things are getting interesting in this block: sqlite3_column_text returns a column of the current row as a null-terminated string, and esi is set to 0, which means column 0 is requested. This column will probably contain our password.

This is confirmed as the result is compared to the parameter provided in the command line with strcmp.

Let’s dump the password:

Hooray! The password is “Administ”, let’s try it:

Piece of cake, isn’t it?
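
The check reconstructed above, modelled next to a hardened variant, as an added Python sketch (not code from the level or from this write-up): the first version keeps the secret in plaintext in the database and compares it directly, the second stores only a salted PBKDF2 digest. The single-column table layout, the in-memory database, the helper names and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

QUERY = "select password from password"  # query string found in the binary


def make_db(value):
    """In-memory stand-in for the level's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table password (password)")  # assumed layout
    db.execute("insert into password values (?)", (value,))
    return db


def check_plain(db, candidate):
    """Flow described above: step, read column 0, compare with argv[1]."""
    row = db.execute(QUERY).fetchone()           # sqlite3_step() == SQLITE_ROW
    return row is not None and row[0] == candidate  # strcmp(...) == 0


def derive(password, salt):
    # Iteration count is an assumption chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_hashed_record(password):
    """Hardened storage: 16-byte random salt followed by the PBKDF2 digest."""
    salt = os.urandom(16)
    return salt + derive(password, salt)


def check_hashed(db, candidate):
    row = db.execute(QUERY).fetchone()
    if row is None:
        return False
    salt, digest = row[0][:16], row[0][16:]
    # Constant-time comparison of digests; the plaintext never sits in memory.
    return hmac.compare_digest(derive(candidate, salt), digest)


def recoverable_secret(db):
    """What anyone who can read the database, or the process, gets to see."""
    return db.execute(QUERY).fetchone()[0]


if __name__ == "__main__":
    plain = make_db("Administ")
    hashed = make_db(make_hashed_record("Administ"))
    print(check_plain(plain, "Administ"), recoverable_secret(plain))
    print(check_hashed(hashed, "Administ"), len(recoverable_secret(hashed)))
```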
