티스토리 뷰

Pwnable/FTZ level

[hackerschool FTZ] level8

PAPICO 2017. 1. 4. 14:36

level8을 풀어보겠다.


[level8@ftz level8]$


ls -al을 입력해서 파일과 디렉토리를 확인하겠다.


[level8@ftz level8]$ ls -al
total 80
drwxr-xr-x    4 root     level8       4096 Jan 14  2010 .
drwxr-xr-x   34 root     root         4096 Sep 10  2011 ..
-rw-------    1 root     root            1 Jan 15  2010 .bash_history
-rw-r--r--    1 root     root           24 Feb 24  2002 .bash_logout
-rw-r--r--    1 root     root          224 Feb 24  2002 .bash_profile
-rw-r--r--    1 root     root          151 Feb 24  2002 .bashrc
-rw-r--r--    1 root     root          400 Sep 24  2000 .cshrc
-rw-r--r--    1 root     root         4742 Sep 24  2000 .emacs
-r--r--r--    1 root     root          319 Sep 24  2000 .gtkrc
-rw-r--r--    1 root     root          100 Sep 24  2000 .gvimrc
-rw-r-----    1 root     level8        109 Jan 14  2010 hint
-rw-r--r--    1 root     root          226 Sep 24  2000 .muttrc
-rw-r--r--    1 root     root          367 Sep 24  2000 .profile
drwxr-xr-x    2 root     level8       4096 Feb 24  2002 public_html
drwxrwxr-x    2 root     level8       4096 Jan 14  2009 tmp
-rw-r--r--    1 root     root            1 May  7  2002 .viminfo
-rw-r--r--    1 root     root         4145 Sep 24  2000 .vimrc
-rw-r--r--    1 root     root          245 Sep 24  2000 .Xdefaults


hint파일을 읽어 보겠다.


[level8@ftz level8]$ cat hint


level9의 shadow 파일이 서버 어딘가에 숨어있다.
그 파일에 대해 알려진 것은 용량이 "2700"이라는 것 뿐이다.



찾고자 하는 파일의 용량만 "2700"이라는 것만 알려주고 있다.

find 명령을 이용해서 쉐도우파일을 찾아보겠다.


[level8@ftz level8]$ find / -size 2700c 2>/dev/null
/var/www/manual/ssl/ssl_intro_fig2.gif
/etc/rc.d/found.txt
/usr/share/man/man3/IO::Pipe.3pm.gz
/usr/share/man/man3/URI::data.3pm.gz


find명령은 전에 우리가 파일의 권한이나 파일의 이름을 아는 경우 그 파일을 찾기 위해 사용했던 명령어이다.

이는 파일의 용량을 알때도 사용할 수 있는데 size를 입력한 후 byte의 단위인 c를 뒤에 입력해준다.

2>/dev/null는 표준에러메시지를 /dev/null으로 버린다고 생각하면 이해가 쉽다.

여러 파일들이 있는데 gif, gz, txt중 txt 파일을 읽어보도록 하겠다.


[level8@ftz level8]$ cd /etc/rc.d
[level8@ftz rc.d]$ ls -al
total 76
drwxr-xr-x   10 root     root         4096 Sep 10  2011 .
drwxr-xr-x   52 root     root         4096 Jan  4 13:48 ..
-r--r-----    1 root     level8       2700 Sep 10  2011 found.txt
drwxr-xr-x    2 root     root         4096 Oct 31  2007 init.d
-rwxr-xr-x    1 root     root         2338 Feb 19  2003 rc
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc0.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc1.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc2.d
drwxr-xr-x    2 root     root         4096 Dec 19  2007 rc3.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc4.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc5.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc6.d
-rwxr-xr-x    1 root     root          545 Sep 10  2011 rc.local
-rwxr-xr-x    1 root     root        23299 Feb 25  2003 rc.sysinit
[level8@ftz rc.d]$ cat found.txt
level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524


히익! 이상한 문자들이 출력되었다. 콜론으로 구분되어있는 여러문자와 숫자들의 배열이 나와있는데 이것은 존 더 리퍼라는 툴을 이용해 해독할 수 있다.


John the Ripper?


John the Ripper는 Solar Designer가 개발한 Unix계열 password crack tool이다.

무료로 다운 받을 수 있으며 다양한 플렛폼을 지원한다. 

속도를 높이기 위해 Intel MMX기술이나 AMD K6 프로세서의 특수 기능들을 이용한 최적화된 코드를 집어넣기도 하였다.



우선 john the ripper를 다운 받아야 한다. http://www.openwall.com/john/ 에서 window 버전 zip 파일을 다운받은 후 원하는 경로에 압축을 풀면 된다. 


그 다음 found.txt에 있는 암호들을 복사해 txt파일을 만든다. 이름은 마음대로 적어도 된다. 필자는 10120.txt 로 만들었다.

[10120.txt]


level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524


level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524

level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524


그 후 10120.txt를 압축 푼 john the ripper 폴더 아래 있는 run폴더에 저장한다.

그 다음은 cmd 창을 열어 패스워드를 저장한 run 폴더로 이동한다.

마지막으로 "john.exe 10120.txt"를 입력하면 비밀번호가 출력된다.

apple이네. 비밀번호는 apple이네요.

level8을 풀었다.

저작자표시 비영리 변경금지

'Pwnable > FTZ level' 카테고리의 다른 글

[hackerschool FTZ] level9  (0) 2017.03.23
[hackerschool FTZ] level7  (2) 2017.01.03
[hackerschool FTZ] level6  (0) 2016.12.27
[hackerschool FTZ] level5  (0) 2016.12.27
[hackerschool FTZ] level4  (0) 2016.12.26
댓글
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
TAG
more
«   2024/04   »
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30
글 보관함