[NetGarage] Level 01

Style: Wargame
Website: http://io.netgarage.org

Access: ssh level1@io.netgarage.org

As described on the website, NetGarage is a Linux-based shell wargame in which you must solve each level to move on to the next one. This is a write-up of LEVEL 1. Upon logging in, you’ll discover that all the binaries, including the level01 binary, are located in /levels.

So let’s try running the program as is:

Absolutely nothing. Chances are we got the passcode wrong, since it was just a random guess. There are two ways we could go about solving this.

GDB DEBUGGING

My first thought was brute force since there are only 999 possibilities, but I figured I’d do the more technical approach first using gdb. Naturally, the first step here is to disassemble the main function of the program.

Here we see that a value in a register (likely the value we provide) is being compared to some constant in the program (likely the correct passcode). There are plenty of sites and calculators that convert hex to decimal, but since we have a bash shell, we might as well put it to use:


Breaking it down, we are performing a very quick conversion. The “16” is the base, which is more commonly known as hex. The “10f” is the value of the constant in the program. Seems like we have a three-digit number, and thus, the password!

Brute Force

Alternatively, we could solve this with brute force. Normally, I’d use Python for this, but we can use a basic bash for loop to do the job.

for i in $(seq -w 0 999); do echo $i; echo $i | ./level01 ; sleep 0.5; clear; done

Let’s walk through this one semicolon-separated section at a time. The first section “for i in $(seq -w 0 999)” creates the condition under which the loop will run. Here, we are using the seq command to sequentially count from 0 to 999. However, since we need to input a 3 digit code, we need to make sure the width of the code is 3. We do that by using the “-w” option. This will turn 0 into 000, 1 into 001, and so forth.

Next, we “do echo $i”. Think of the “do” and “done” in this code as the { } limits you find in almost every language to mark the scope of the loop. So for each number generated by seq, we are going to “do” everything until this iteration of the loop is “done”. The only reason for this section is so we can keep track of our current attempt number.

Then, we “echo $i | ./level01”. This will “pipe (|)” the current number into our program. This means we can expect our program to run 999 times total. Next, we “sleep 0.5” to give the program time to display the output, and to give us time to visually process it. The “clear” command is then used to wipe the screen, just to keep things clean. Then we are “done”. Here is what the output looks like when we successfully brute force the answer.
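A variant of the loop above that stops by itself at the first code producing any output, instead of relying on sleep and clear. This is an added example, not part of the original write-up: check_code is a hypothetical stand-in for ./level01, the passcode 042 and the "access granted" message are constructed sample values, and it assumes a wrong code prints nothing, as in the first run described above.

```shell
#!/bin/sh
# Stand-in for ./level01 (hypothetical; the real binary is not reproduced here).
# Assumption: like the run in the write-up, a wrong code prints nothing.
# The passcode 042 and the success message are constructed sample values.
check_code() {
    read -r guess
    if [ "$guess" = "042" ]; then
        echo "access granted"
    fi
}

# Try every zero-padded 3-digit code (seq -w pads 0 to 000, 1 to 001, ...)
# and stop at the first one that produces any output.
find_code() {
    for i in $(seq -w 0 999); do
        out=$(echo "$i" | check_code)
        if [ -n "$out" ]; then
            echo "$i"      # report the code that triggered output
            return 0
        fi
    done
    return 1               # no code produced output
}

find_code
```

With no delay or attempt limit in the program, the whole three-digit keyspace is exhausted in well under a second.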