Gracker level0 (I've Got No Strings!)

Gracker is a hacking wargame. Here is the blog of the guy who created it. My seniors at InfoSecIITR told me that solving it would be good for improving my hacking skills.

So, let the hacking begin!

Here is the write-up for level0 of the wargame.

Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.

On going to gracker.org we are presented with a screen that just says the journey begins. There’s got to be something more. On examining the page's source code, we find it.

So we ssh to [email protected], with the password level0. Read all the instructions and the story and start hacking.

We are provided with a binary in the directory /matrix/level0/.


[email protected]:/matrix/level0$ ./level0
 _____
| _ _ |
|| | || Hidden
||_|_||   Backdoor
| _ _ o  by 
|| | ||     ~Zero Cool
||_|_||  
|_____|

Enter Secret Password:
password
wrong!%
[email protected]:/matrix/level0$

On running the binary we are asked for its password, which we obviously don’t know yet. Well, maybe the password has been hardcoded? It’s worth a try. So we run the strings command on the binary file. The command prints the sequences of printable characters found in the binary (by default, runs of at least four characters).


[email protected]:/matrix/level0$ strings level0
.
.
.
 _____
| _ _ |
|| | || Hidden
||_|_||   Backdoor
| _ _ o  by 
|| | ||     ~Zero Cool
||_|_||  
|_____|
Enter Secret Password:
Correct! Here is the level1 shell.
Read the level1 password in /home/level1/.pass to login with `ssh [email protected]`
wrong!
;*3$"
s3cr3t_backd00r_passw0rd
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.
.
.
[email protected]:/matrix/level0$

The string s3cr3t_backd00r_passw0rd seems suspicious. Trying it out as the password of the binary…


[email protected]:/matrix/level0$ ./level0              
 _____
| _ _ |
|| | || Hidden
||_|_||   Backdoor
| _ _ o  by 
|| | ||     ~Zero Cool
||_|_||  
|_____|

Enter Secret Password:
s3cr3t_backd00r_passw0rd
Correct! Here is the level1 shell.
Read the level1 password in /home/level1/.pass to login with `ssh [email protected]`
$

And voilà! We can now read the password of the next level. I am not revealing the password here so that readers try the challenge on their own.
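
What strings does in the step above, as an added example that is not code from the original post or from the Gracker binary: a scan for runs of printable bytes over a constructed byte image, which shows why a password compiled in as a literal is readable by anyone who can read the file. The function name scan_runs, the sample bytes and the value example_hardcoded_pw are assumptions made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample image: string literals separated by NULs, the way a
 * compiler lays them out in .rodata, between non-text bytes.
 * "example_hardcoded_pw" is a made-up value, not from any real binary. */
static const unsigned char sample_image[] =
    "\x7f" "ELF\x02\x01\x01\x00\x00\x00"
    "Enter Secret Password:\x00"
    "wrong!\x00"
    "\x3b\x2a\x33\x00"
    "example_hardcoded_pw\x00"
    "\x01\x1b\x03\x3b";

/* Walk buf and count runs of at least min_len printable bytes. If needle is
 * given, *hit receives the offset of the first run equal to it, else -1. */
static size_t scan_runs(const unsigned char *buf, size_t n, size_t min_len,
                        const char *needle, long *hit, int print)
{
    size_t count = 0, start = 0;
    if (hit) *hit = -1;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i]))
            continue;                 /* still inside a printable run */
        size_t len = i - start;       /* run ended at a non-printable byte or EOF */
        if (len >= min_len) {
            count++;
            if (print)
                printf("%6zu  %.*s\n", start, (int)len, (const char *)buf + start);
            if (needle && hit && *hit < 0 && len == strlen(needle) &&
                memcmp(buf + start, needle, len) == 0)
                *hit = (long)start;
        }
        start = i + 1;
    }
    return count;
}

int main(void)
{
    long hit;
    size_t runs = scan_runs(sample_image, sizeof sample_image, 4,
                            "example_hardcoded_pw", &hit, 1);
    printf("%zu runs; literal found at offset %ld\n", runs, hit);
    return hit >= 0;  /* non-zero exit: the secret is readable in the image */
}
```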