Challenge 2: Program Exploitation

Goal

Find the password of /home/rookie/Challenge2/pwdChallenge in the testbed, running as user rookie (see the note below). In order to run the program you need to change the current directory to /home/rookie/Challenge2:

$ cd /home/rookie/Challenge2

$ ./pwdChallenge 
Insert password: test 
Password should be 15 chars
Error: wrong password!

The password is contained in file pwd.txt which belongs to a different user and is accessible only by program pwdChallenge (thanks to a setgid permission that we will study in a different class).

NOTE: Since you can run the docker image locally you can become root and read the file. This is NOT considered a valid solution! Your task is to find an attack that leaks the password running as rookie.

IMPORTANT NOTE: Trying attacks like the one in this challenge on real systems is against the law and you might be prosecuted. Always do experiments with test hosts and users.

White box attack scenario

The source code of the program is available. This is usually referred to as a white box attack scenario: the attacker can review the source code to spot vulnerabilities.

Tasks

The challenge is solvable with a simple Python script, but getting to the right solution is nontrivial. Solve the challenge by working through the individual tasks suggested below.

Task 1: find the bug

Study the source code and try to understand how the program works and what code is wrong. Once you spot the bug try various inputs and observe the (buggy) output. (Hint: comments will guide you 😅)

Task 2: understand the bug

In order to understand the consequences of the bug you have two alternatives:

Using gdb (see here how to run gdb in docker). Notice that gdb will run as user rookie and won’t be able to open file pwd.txt. So, to debug the program, you need to make a copy of the executable in a folder where you have write permissions (e.g. /home/rookie/Challenge2copy) and create a pwd.txt file containing a single word of at most 15 chars, without newline. The program will read your password but the behaviour will be identical to the original program.

Recompiling the program. Since you have the source code, you can recompile the program (even adding some debug printf code!). Even in this case you need to create your own pwd.txt file. You can then both debug (with gdb) and analyze the recompiled executable.
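Both alternatives above need a private copy of the program and a pwd.txt that mimics the real one. The helper below is an added example (not part of the challenge or its code): it copies the binary into a writable folder and writes a single word of at most 15 chars without a trailing newline, refusing anything that would not match the real file. The paths are the ones the challenge names; the password value is a constructed placeholder.

```shell
#!/bin/sh
# make_debug_copy SRC_BINARY DEST_DIR PASSWORD
# Copies SRC_BINARY into DEST_DIR and writes PASSWORD into DEST_DIR/pwd.txt
# as a single word, at most 15 chars, with no trailing newline.
# Returns 0 on success, 1 for a bad password, 2 if the copy fails.
make_debug_copy() {
    src="$1"; dest="$2"; pw="$3"
    # The real pwd.txt holds exactly one word: reject whitespace or empty input
    # so the copy behaves like the original program.
    case "$pw" in
        *[[:space:]]*|"") echo "password must be a single non-empty word" >&2; return 1 ;;
    esac
    if [ "${#pw}" -gt 15 ]; then
        echo "password must be at most 15 chars (got ${#pw})" >&2; return 1
    fi
    mkdir -p "$dest" || return 2
    cp "$src" "$dest/" || return 2
    # printf, not echo: echo would append the newline the real file lacks.
    printf '%s' "$pw" > "$dest/pwd.txt"
    return 0
}

# Sanity check: the byte count of pwd.txt must equal the password length,
# which proves no newline sneaked in.
pwd_file_len() {
    wc -c < "$1/pwd.txt" | tr -d ' '
}

# Usage as rookie in the testbed (constructed password; uncomment to run):
# make_debug_copy /home/rookie/Challenge2/pwdChallenge /home/rookie/Challenge2copy debugpass123
# [ "$(pwd_file_len /home/rookie/Challenge2copy)" = 12 ] && echo "pwd.txt ok"
# cd /home/rookie/Challenge2copy && gdb ./pwdChallenge
```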

Task 3: exploiting the bug

Once you understand the bug and its consequences you need to find a strategy to exploit it. Try the idea by hand and then use python to run the full attack.

In order to speed up scripting the attack you can take inspiration from the interacting with programs lab!

Good luck! 😁

Bonus

Send me and @Simone Jovon on slack the script used for the attack with an accurate description of how you solved the challenge by 8 November 2023 to get a 0.5 bonus on the final grade! The report should illustrate the steps you followed to solve the challenge: once you have a solution, repeat the steps and document them, including screenshots, pieces of code, … Make your reports “beautiful to read”! 😁