간혹 FTZ 비밀번호가 필요할 때가 있습니다. 그럴 때 블로그를 뒤질 필요 없이, 직접 구축한 FTZ에서 비밀번호를 알아내는 방법을 알려드리겠습니다.
FTZ에는 자신의 비밀번호를 알아내기 위한 my-pass가 있습니다. 이 명령어는 /bin/에 위치하며, gdb로 분석하면 됩니다.
[root@BOF /root]# gdb -q /bin/my-pass
(gdb) set dis intel
(gdb) disas main
Dump of assembler code for function main:
0x8048468 <main>: push %ebp
0x8048469 <main+1>: mov %ebp,%esp
0x804846b <main+3>: sub %esp,8
0x804846e <main+6>: call 0x80483a8 <geteuid>
0x8048473 <main+11>: mov DWORD PTR [%ebp-4],%eax
0x8048476 <main+14>: call 0x8048398 <getuid>
0x804847b <main+19>: mov DWORD PTR [%ebp-8],%eax
0x804847e <main+22>: push 0x80486c0
0x8048483 <main+27>: call 0x8048358 <system>
0x8048488 <main+32>: add %esp,4
0x804848b <main+35>: cmp DWORD PTR [%ebp-4],0xbb9
0x8048492 <main+42>: jne 0x80484a1 <main+57>
0x8048494 <main+44>: push 0x80486e0
0x8048499 <main+49>: call 0x8048388 <printf> //level1
0x804849e <main+54>: add %esp,4
0x80484a1 <main+57>: cmp DWORD PTR [%ebp-4],0xbba
0x80484a8 <main+64>: jne 0x80484b7 <main+79>
0x80484aa <main+66>: push 0x8048700
0x80484af <main+71>: call 0x8048388 <printf> //level2
0x80484b4 <main+76>: add %esp,4
0x80484b7 <main+79>: cmp DWORD PTR [%ebp-4],0xbbb
0x80484be <main+86>: jne 0x80484cd <main+101>
0x80484c0 <main+88>: push 0x8048740
0x80484c5 <main+93>: call 0x8048388 <printf> //level3
0x80484ca <main+98>: add %esp,4
0x80484cd <main+101>: cmp DWORD PTR [%ebp-4],0xbbc
0x80484d4 <main+108>: jne 0x80484e3 <main+123>
0x80484d6 <main+110>: push 0x8048780
0x80484db <main+115>: call 0x8048388 <printf> //level4
0x80484e0 <main+120>: add %esp,4
0x80484e3 <main+123>: cmp DWORD PTR [%ebp-4],0xbbd
0x80484ea <main+130>: jne 0x80484f9 <main+145>
0x80484ec <main+132>: push 0x80487c0
0x80484f1 <main+137>: call 0x8048388 <printf> //level5
0x80484f6 <main+142>: add %esp,4
0x80484f9 <main+145>: cmp DWORD PTR [%ebp-4],0xbbe
0x8048500 <main+152>: jne 0x804850f <main+167>
0x8048502 <main+154>: push 0x8048800
---Type <return> to continue, or q <return> to quit---
0x8048507 <main+159>: call 0x8048388 <printf> // ...
0x804850c <main+164>: add %esp,4
0x804850f <main+167>: cmp DWORD PTR [%ebp-4],0xbbf
0x8048516 <main+174>: jne 0x8048525 <main+189>
0x8048518 <main+176>: push 0x8048840
0x804851d <main+181>: call 0x8048388 <printf>
0x8048522 <main+186>: add %esp,4
0x8048525 <main+189>: cmp DWORD PTR [%ebp-4],0xbc0
0x804852c <main+196>: jne 0x804853b <main+211>
0x804852e <main+198>: push 0x8048880
0x8048533 <main+203>: call 0x8048388 <printf>
0x8048538 <main+208>: add %esp,4
0x804853b <main+211>: cmp DWORD PTR [%ebp-4],0xbc1
0x8048542 <main+218>: jne 0x8048551 <main+233>
0x8048544 <main+220>: push 0x80488c0
0x8048549 <main+225>: call 0x8048388 <printf>
0x804854e <main+230>: add %esp,4
0x8048551 <main+233>: cmp DWORD PTR [%ebp-4],0xbc2
0x8048558 <main+240>: jne 0x8048567 <main+255>
0x804855a <main+242>: push 0x80488e0
0x804855f <main+247>: call 0x8048388 <printf>
0x8048564 <main+252>: add %esp,4
0x8048567 <main+255>: cmp DWORD PTR [%ebp-4],0xc14
0x804856e <main+262>: jne 0x804857d <main+277>
0x8048570 <main+264>: push 0x8048920
0x8048575 <main+269>: call 0x8048388 <printf>
0x804857a <main+274>: add %esp,4
0x804857d <main+277>: cmp DWORD PTR [%ebp-4],0xc15
0x8048584 <main+284>: jne 0x8048593 <main+299>
0x8048586 <main+286>: push 0x8048960
0x804858b <main+291>: call 0x8048388 <printf>
0x8048590 <main+296>: add %esp,4
0x8048593 <main+299>: cmp DWORD PTR [%ebp-4],0xc16
0x804859a <main+306>: jne 0x80485a9 <main+321>
0x804859c <main+308>: push 0x80489a0
0x80485a1 <main+313>: call 0x8048388 <printf>
0x80485a6 <main+318>: add %esp,4
0x80485a9 <main+321>: cmp DWORD PTR [%ebp-4],0xc17
0x80485b0 <main+328>: jne 0x80485bf <main+343>
---Type <return> to continue, or q <return> to quit---
0x80485b2 <main+330>: push 0x80489e0
0x80485b7 <main+335>: call 0x8048388 <printf>
0x80485bc <main+340>: add %esp,4
0x80485bf <main+343>: cmp DWORD PTR [%ebp-4],0xc18
0x80485c6 <main+350>: jne 0x80485d5 <main+365>
0x80485c8 <main+352>: push 0x8048a20
0x80485cd <main+357>: call 0x8048388 <printf>
0x80485d2 <main+362>: add %esp,4
0x80485d5 <main+365>: cmp DWORD PTR [%ebp-4],0xc19
0x80485dc <main+372>: jne 0x80485eb <main+387>
0x80485de <main+374>: push 0x8048a60
0x80485e3 <main+379>: call 0x8048388 <printf>
0x80485e8 <main+384>: add %esp,4
0x80485eb <main+387>: cmp DWORD PTR [%ebp-4],0xc1a
0x80485f2 <main+394>: jne 0x8048601 <main+409>
0x80485f4 <main+396>: push 0x8048aa0
0x80485f9 <main+401>: call 0x8048388 <printf>
0x80485fe <main+406>: add %esp,4
0x8048601 <main+409>: cmp DWORD PTR [%ebp-4],0xc1b
0x8048608 <main+416>: jne 0x8048617 <main+431>
0x804860a <main+418>: push 0x8048ae0
0x804860f <main+423>: call 0x8048388 <printf>
0x8048614 <main+428>: add %esp,4
0x8048617 <main+431>: cmp DWORD PTR [%ebp-4],0xc1c
0x804861e <main+438>: jne 0x804862d <main+453>
0x8048620 <main+440>: push 0x8048b20
0x8048625 <main+445>: call 0x8048388 <printf>
0x804862a <main+450>: add %esp,4
0x804862d <main+453>: cmp DWORD PTR [%ebp-4],0xc1d
0x8048634 <main+460>: jne 0x8048643 <main+475>
0x8048636 <main+462>: push 0x8048b60
0x804863b <main+467>: call 0x8048388 <printf> //level20
0x8048640 <main+472>: add %esp,4
0x8048643 <main+475>: leave
0x8048644 <main+476>: ret
0x8048645 <main+477>: nop
0x8048646 <main+478>: nop
0x8048647 <main+479>: nop
0x8048648 <main+480>: nop
---Type <return> to continue, or q <return> to quit---
0x8048649 <main+481>: nop
0x804864a <main+482>: nop
0x804864b <main+483>: nop
0x804864c <main+484>: nop
0x804864d <main+485>: nop
0x804864e <main+486>: nop
0x804864f <main+487>: nop
End of assembler dump.
(gdb)
여기서 어셈블리 코드를 분석해 보면, geteuid()로 얻어 [%ebp-4]에 저장한 현재 접속 유저의 uid를 0xbb9(=3001, level1)부터 차례로 비교하여, 일치하는 레벨의 패스워드를 출력해 주는 프로그램이라는 것을 알 수 있습니다. 그럼 이제 우리가 주목해야 할 것은 바로 각 레벨의 printf 전에 push되는 주소입니다. 간단하죠? 이제 저 주소에 있는 문자열을 불러오면 원하는 레벨의 패스워드를 확인할 수 있습니다.
(gdb) x/s 0x80486e0
0x80486e0 <_IO_stdin_used+60>: "\nLevel1 Password is \"level1\".\n\n"
이런 식으로 원하는 레벨의 패스워드를 확인할 수 있습니다.