Assignment 3
Overview
In this assignment you will complete a Capture-the-flag (CTF) style challenge. You will be presented with a Linux virtual machine and will be required to solve a set of programming puzzles inspired by the pwnable.kr challenges.
How the assignment is marked
In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.
What to do
Some examples of how you can convince us you thought through the problem could include sharing details of:
- Your thought process (e.g., “I noticed something unusual in the code, so I…”)
- Things you didn’t know (e.g., “I had to look up how netcat works”)
- Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
- The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)
What NOT to do
- Say “I couldn’t figure it out” and not write anything else
- Submit the writeup of another person, whether another student, or someone online (duh)
- Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
- Only give the flag and no other window into your thought process
Instructions
Answer the following questions in a PDF and submit it in OWL -> ECE9609 -> Assignments -> Assignment 3.
Requirements
- A modern computer. The VM is based on Tinycore Linux, and the virtual machine image is only about 100Mb to download.
Directions for VirtualBox
These instructions apply to students using Intel/AMD64 architectures. Mac M1/M2 users skip this section and scroll down below.
Install VirtualBox
- The VirtualBox virtual machine player. (Note: You can use any VM player that supports .ova VMs, however the instructions below are specific to VirtualBox and may differ slightly if you decide to use a different player such as VMware).
- It is recommended that you install the VirtualBox extension pack. This will allow you to interact with your host OS more easily, e.g. by logging in via SSH, and transferring files with scp as well as copy/paste functionality.
  - Note to Mac users: You must allow the Oracle extensions by going into System preferences -> Security & Privacy -> General and clicking Allow. A restart may be required. Later, when you try to start the virtual machine, it will also ask you to grant it Accessibility and Keyboard permissions in the System preferences -> Security & Privacy -> Privacy area.
- Open VirtualBox. If it’s your first time, create a new host-only network. Click File -> Tools -> Network Manager -> Create. An adapter with a name like HostNetwork will now show in the list.
Load the Virtual Machine
- Download the ECE 9609 Assignment 3 VM.ova virtual machine image in OWL -> ECE 9609 -> Resources
- Import the virtual machine image into your virtual machine player: File -> Import appliance -> ECE 9609 Assignment 3 VM.ova -> Continue -> Import
- Start the VM: ECE 9609 Assignment 3 -> Start
- Log in to an account and capture the flag.
The VM is currently configured to use a Host-only Network adapter, which provides network access between your host OS and the VM.
Directions for Mac M1/M2 Users
These instructions apply to students with a Mac M1/M2 (ARM) architecture (also known as “Apple Silicon”).
The tinycore Linux VM is an AMD64 architecture. It is not directly compatible with your device’s ARM instruction set. Fortunately, there’s a decent, free VM emulator for Mac called “UTM”. For the purposes of this assignment, it does the same thing as VirtualBox.
Install UTM
- Download and install the free UTM app.
- Do not download from the Mac App Store (it costs money—and the free version is the SAME!)
Load the Virtual Machine
- Download the ECE 9609 Assignment 3 VM-for-Mac-M1.utm.zip virtual machine image in OWL -> ECE 9609 -> Resources
- Unzip to produce the file ECE 9609 Assignment 3 VM-for-Mac-M1.utm
- In UTM click “Create a New Virtual Machine” -> Existing -> Open
- In the left column, double-click on the VM to run.
Accessing Your VM over SSH
We highly recommend interacting with the VM over SSH instead of directly in the VM player’s window. Working with the VM directly is annoying. You cannot copy/paste, repeat commands, or scroll up to see previous output. A better method is to interact with the VM over SSH.
To do this you will need to know the IP address of the virtual machine on your Host OS. This can be done by logging into the VM once and typing ifconfig to find the IP address.
q1@box:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:BA:8C:11
inet addr:192.168.56.102 Bcast:192.168.56.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
...
This tells us the VM’s IP address is 192.168.56.102 (it is possible that it might be different on your machine). Then in a command line in the host OS, we can log into an account (e.g., q1) via ssh:
$ ssh q1@192.168.56.102
Note: The IP address of your VM may be different.
The first time you login it will ask you to accept the server’s SSH public key. You can also use the IP address to download/upload files using utilities like scp. This will allow you to write programs in your favorite code editor and then transfer them to the VM instead of having to work in vim all the time.
Tips
There are a few basic skills that you will need to know to complete the challenges:
- How to compile and run a C program
- How to use the gdb debugger
- How to execute a Python program from the command line
  $ python -c "<program>"
- How to upload and download files using scp
- How to view and interpret file permissions and ownership
- How to use a command-line text editor like vi or vim
Other tips:
- You can create working files in the /tmp directory
- The VM is non-persistent. Any changes (e.g., uploaded files, etc.) are not saved by the OS after shutdown
- You can scroll up and down in the terminal window using <SHIFT> + <Pg Up> and <SHIFT> + <Pg Dn>.
vim Tips
vim will help you edit files on the virtual machine if you want to test things. Like pwnable.kr you can work in the /tmp directory.
- There are two main modes in vim: Insert mode (for editing text) and command mode.
- When you first open vim by typing “vim file”, you begin in command mode.
- When you are in command mode, hit i to enter insert mode. You may begin typing.
- When you are in insert mode, you can hit Esc to go into command mode.
- From command mode type :q to quit. If there are unsaved changes you wish to discard type :q!
- From command mode type :x to exit with saving.
- Many commands exist. Check out this article for examples.
gdb Tips
gdb will help you especially with Q3 and Q4. Here’s a useful guide on gdb commands. Specific commands that will be helpful:
- list n: print the program’s source code beginning at line n
- disas func: print the assembly code of function func()
- break n: set a breakpoint at line n
- run: run the program in gdb (it will stop at any breakpoints you set)
- kill: halts a running program
- p variable: prints the contents of a variable in its default form (e.g. int prints as a decimal integer)
- p &variable: prints the address of variable
- p *variable: grabs the next 4 bytes stored at the variable address. These 4 bytes are interpreted as a target address. The contents of the target address are printed.
- p/f variable: prints (p/) the contents of a variable (variable) and prints them in the specified format (f). For example:
  - p/x variable: prints the contents of variable displayed in hexadecimal form
  - p/c variable: prints one byte at the address pointed to by variable and displays the result in character form
  - p/c (char* [4])variable: prints 4 bytes beginning at the memory address pointed to by variable and displays it in character form.
  - p/x (char* [4])variable: same as above only displays it in hexadecimal form
- x/nfu address: examines (i.e., “x/”) memory at an address (i.e., address), printing n (i.e., n) units in the specified format (i.e., f) and in the specified unit size (i.e., u). For example:
  - x/20xb 0x08010203: prints 20 bytes (b) in hexadecimal (x) form beginning at address 0x08010203.
  - x/20xb &variable: prints 20 bytes (b) in hexadecimal (x) form beginning at the address of variable variable.
  - x/2xw 0x08010203: prints 2 words (w), i.e., 4-byte groups, in hexadecimal (x) form beginning at address 0x08010203.
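The b and w unit sizes of x/nfu show the same memory very differently, which is easiest to see side by side. The following C program is an added example, not part of the original assignment: it formats a constructed 8-byte buffer the way x/8xb and x/2xw would display its values on the little-endian x86 VM. The names fmt_xb, fmt_xw and line are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static char line[128];   /* scratch buffer for one formatted row (illustrative) */

/* Values as x/<n>xb shows them: one entry per byte, in increasing address
   order. gdb's leading address column is omitted here. */
static char *fmt_xb(const void *addr, size_t n, char *out, size_t outsz) {
    const unsigned char *p = addr;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && used + 6 < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used,
                                 i ? " 0x%02x" : "0x%02x", (unsigned)p[i]);
    return out;
}

/* Values as x/<n>xw shows them on a little-endian target: within each 4-byte
   word, the byte at the LOWEST address is the LEAST significant, so it is
   printed last. The word is assembled explicitly so the result does not
   depend on the machine this program runs on. */
static char *fmt_xw(const void *addr, size_t n, char *out, size_t outsz) {
    const unsigned char *p = addr;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && used + 12 < outsz; i++) {
        uint32_t w = (uint32_t)p[4 * i]           | (uint32_t)p[4 * i + 1] << 8 |
                     (uint32_t)p[4 * i + 2] << 16 | (uint32_t)p[4 * i + 3] << 24;
        used += (size_t)snprintf(out + used, outsz - used,
                                 i ? " 0x%08x" : "0x%08x", (unsigned)w);
    }
    return out;
}

int main(void) {
    /* Constructed sample memory: the eight ASCII characters A..H. */
    const char sample[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
    printf("x/8xb: %s\n", fmt_xb(sample, 8, line, sizeof line));
    printf("x/2xw: %s\n", fmt_xw(sample, 2, line, sizeof line));
    return 0;
}
```

Reading a word display as if it were in byte order is a common source of confusion when matching typed input against what gdb shows; switching to the b unit removes the ambiguity.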
VM Ground Rules
The purpose of the assignment is to simulate a real, remotely accessed computer system and questions are meant to be solved in this spirit. To that end, you will not receive credit for accessing the flags by attacking the virtual machine itself, e.g., by recovering the flags from forensics on the .ova file.
Questions
There are 4 user accounts: q1, q2, q3, and q4. Log in to each account and capture the flag.
All flags have the form flag{...}
- Question 1
  - Challenge name: Hidden
  - Username: q1
  - Password: q1
  - Flag location: /home/q1/flag1
  - Instructions: Locate and run a program owned by user flag1 to capture the flag.
- Question 2
  - Challenge name: Hardcode
  - Username: q2
  - Password: q2
  - Flag location: /home/q2/flag2
  - Instructions: Run the hardcode program. Enter the correct password to capture the flag.
- Question 3
  - Challenge name: Password
  - Username: q3
  - Password: q3
  - Flag location: /home/q3/flag3
  - Instructions: Get the program to execute the system() command in the password program to capture the flag.
  - Hint: Use the knowledge you gained from the bof challenge in Assignment 2.
- Question 4
  - Challenge name: Username
  - Username: q4
  - Password: q4
  - Flag location: /home/q4/flag4
  - Instructions: Get the program to execute the system() command in the username program to capture the flag.
  - Hint: Use the knowledge you gained from the passcode lecture.