Nebula Level04: A Newbie’s Approach

With the level04 challenge, we are supposed to exploit the weak permissions of flag04’s file. As always, my main objective is to get a shell under the flag04 account.

What you’ll need to know…
- Symbolic links
- Basic Unix commands

Level04

For this challenge, we have some code to analyze. By reading this code, it’s possible to understand that flag04 takes one argument by looking at the first if condition. From the analysis of the second condition, we can conclude…

Nebula Level03: A Newbie’s Approach

Level03 is no longer about SUID vulnerable programs like previous exercises, but about permissions. Because I just learned about SUID programs in the last challenges, I’ll create my own in order to solve this exercise.

What you’ll need to know…
- Cron jobs
- C/Bash programming
- Basic Unix commands

Level03

In this challenge, we are given the information that there is a cron running every couple of minutes. If you navigate to the flag03 folder, you’ll notice a file, writable.sh, which has some…

Nebula Level02: A Newbie’s Approach

I see level02 as a combination of the previous two exercises, level00 and level01. Let’s dig in and work through the solution.

What you’ll need to know…
- Basic Unix commands

Level02

First, we can see that the flag02 program in the /home/flag02 directory has the SUID bit set, which means that this program will run under the flag02 user. By taking a quick look at the original code of flag02, it’s very easy to identify what is most likely…

Nebula Level01: A Newbie’s Approach

Still under the SUID programs category, level01 makes use of another trick in order to be solved: the manipulation of environment variables.

What you’ll need to know…
- Using the ln command
- Environment variables
- Other basic Unix commands

Level01

If we analyze the code of the level01 program, one of the first things that I notice is the use of a C function, system, and although it doesn’t receive input from the user, it’s still exploitable. Time to run the flag01…

Nebula Level00: A Newbie’s Approach

Level00 falls in the category of SUID files, which is something that I had heard about but never had any practical experience with. The goal here is to collect the flag through the getflag command.

What you’ll need to know…
- find command
- Other basic Unix commands

Level00

The instructions for level00 state that we need to find a SUID program which runs as the flag00 account. First things first. A Set User ID (SUID) program is a risky type of file…

Dr Von Noizeman’s Nuclear Bomb defused with Radare2

Today, I bring to you another binary bomb that I found on the 0x00sec website. This bomb has 4 stages, each one corresponding to a color. Let’s now defuse it, phase by phase. First, let’s take a look at the main menu of Dr Von Noizeman’s nuclear bomb.

Yellow Phase

The yellow phase is probably the easiest one in this binary bomb. It starts by asking you for a password that will be stored in obj.buffer. Looking at the code, you…

BombLab Dissected with Radare2

The exercise of this week is a bomb! A binary one, of course. The bomblab is an exercise from the UCR that I found here. I ended up finding more bombs like this one on other sites and, for me, this exercise is more challenging than the previous crackmes. So, this is what the bomblab looks like. Awesome, right? If you list the functions present in the binary, you will be presented with a considerable number of functions. Seeking to…

IOLI-Crackme with Radare2: Closing Thoughts

If you are an active reader of this blog (if you aren’t, why not start now?), then you probably know that I’ve been solving exercises from IOLI-Crackme aiming to learn about Radare2 and to take the first steps in the Reverse Engineering field, but you can read the full motivation in the first article that I wrote when I started this project. So, for the past weeks, I’ve been solving every IOLI-Crackme of this series of challenges, uploading content every…

Crackme0x09 Dissected with Radare2

The IOLI-Crackme exercises have come to an end. Crackme0x09 is the last exercise of this series. Let’s start analyzing the Assembly to see what changed since the last exercise.

Getting the Crackme0x09 password through analysis

When we check the available functions, we’re able to notice that the names have changed again, as they are similar to the native functions. Another detail is that there are no strings visible in the code. Although, we can see there are strings in…

Crackme0x08 Dissected with Radare2

It’s not something new that both the password and the environment variable are the same for the last exercises. But the fact that the code itself is almost the same… Well, that’s boring! Anyway, let’s analyze crackme0x08 and see what it has in store for us.

Getting the Crackme0x08 password through analysis

Contrary to what I expected, the names of the functions are very similar to the ones in Crackme0x06. I expected to see names like fcn.0804xxxx, the next step of “evolution” when…
