A Simple Cracked P*$$w*rd
Heavens
Posted on March 29, 2022
What is a passworded file without a "possward"?
With the advancement of the digital age, digital security is becoming much more important for safety. And with attackers getting so skilled, the need for stronger security begs for exploration and implementation.
Anyhoo, I am not here for that. I'm here to show how a simple password file that is coded in C programming language can be hacked in a simple way. I will be running this on my Ubuntu machine.
You can access the file crackme2 here.
- You may need to install the openssl library to run the crackme2 program: sudo apt install libssl-dev
- Edit the source list (sudo nano /etc/apt/sources.list) to add the following line: deb http://security.ubuntu.com/ubuntu xenial-security main
  Then sudo apt update and sudo apt install libssl1.0.0
Let us run the file:
$ ./crackme2
>>> bash: ./crackme2: Permission denied
If you encountered the above, it means the user does not have executable permission to the file. Run the below to add executable permission for the user:
$ chmod 744 crackme2
or
$ chmod u+x crackme2
Try running the executable file again:
$ ./crackme2
>>> Access Denied
OMG! Access denied?! This shows the file has some type of access that you don't have and/or a password attached to it. And you don't even know where to write this password to gain access even if you know it.
So, first things first! We need to check whether this file is stripped or not. Why? Because an unstripped binary still carries its symbol names, which makes the next steps much easier to read.
Use the file command to determine the type of your file. The command tests each argument in an attempt to categorize it based on the below:
- filesystem test
- magic test
- language test
$ file crackme2
>>> crackme2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e707426293fb8df389849d6d43665deb4e0229c2, not stripped
It's not stripped, meaning the binary still contains its symbol table and related information.
Next, let us run ltrace on the file.
ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program.
$ ltrace ./crackme2
>>> __libc_start_main(0x400876, 1, 0x7ffed3761ee8, 0x400a60 <unfinished ...>
strncmp("HOSTNAME=28baaff6813f", "jennieandjayloveasm=", 20) = -34
strncmp("LANGUAGE=en_US:en", "jennieandjayloveasm=", 20) = -30
strncmp("PWD=/root/alx-low_level_programm"..., "jennieandjayloveasm=", 20) = -26
strncmp("TZ=America/Los_Angeles", "jennieandjayloveasm=", 20) = -22
strncmp("HOME=/root", "jennieandjayloveasm=", 20) = -34
strncmp("LANG=en_US.UTF-8", "jennieandjayloveasm=", 20) = -30
strncmp("LS_COLORS=rs=0:di=01;34:ln=01;36"..., "jennieandjayloveasm=", 20) = -30
strncmp("LESSCLOSE=/usr/bin/lesspipe %s %"..., "jennieandjayloveasm=", 20) = -30
strncmp("TERM=xterm", "jennieandjayloveasm=", 20) = -22
strncmp("LESSOPEN=| /usr/bin/lesspipe %s", "jennieandjayloveasm=", 20) = -30
strncmp("SHLVL=1", "jennieandjayloveasm=", 20) = -23
strncmp("LC_ALL=en_US.UTF-8", "jennieandjayloveasm=", 20) = -30
strncmp("PATH=/usr/local/sbin:/usr/local/"..., "jennieandjayloveasm=", 20) = -26
strncmp("OLDPWD=/etc", "jennieandjayloveasm=", 20) = -27
strncmp("_=/usr/bin/ltrace", "jennieandjayloveasm=", 20) = -11
puts("Access Denied"Access Denied
) = 14
+++ exited (status 1) +++
Gotcha!!! From the look of the above trace, you can observe that this program is walking through the environment variables like PATH, HOSTNAME, HOME, LANG, et al. Using the strncmp function in C, it compares the first 20 characters of each entry with jennieandjayloveasm=. In other words, it is searching the environment for a variable named jennieandjayloveasm.
Let us give this program what it is looking for by creating a variable with that name and any value of our choice.
$ export jennieandjayloveasm=alvicci
Let us confirm that the variable was created successfully:
$ echo $jennieandjayloveasm
>>> alvicci
Now, let us re-run ltrace on the file:
$ ltrace ./crackme2
>>> __libc_start_main(0x400876, 1, 0x7fffd90db8d8, 0x400a60 <unfinished ...>
strncmp("HOSTNAME=28baaff6813f", "jennieandjayloveasm=", 20) = -34
strncmp("LANGUAGE=en_US:en", "jennieandjayloveasm=", 20) = -30
strncmp("PWD=/root/alx-low_level_programm"..., "jennieandjayloveasm=", 20) = -26
strncmp("TZ=America/Los_Angeles", "jennieandjayloveasm=", 20) = -22
strncmp("HOME=/root", "jennieandjayloveasm=", 20) = -34
strncmp("LANG=en_US.UTF-8", "jennieandjayloveasm=", 20) = -30
strncmp("LS_COLORS=rs=0:di=01;34:ln=01;36"..., "jennieandjayloveasm=", 20) = -30
strncmp("jennieandjayloveasm=alvicci", "jennieandjayloveasm=", 20) = 0
MD5_Init(0x7fffd90db740, 0x400af6, 20, 61) = 1
strlen("alvicci") = 7
MD5_Update(0x7fffd90db740, 0x7fffd90ddf20, 7, 0x7fffd90ddf20) = 1
MD5_Final(0x7fffd90db7a0, 0x7fffd90db740, 0x7fffd90db740, 0x69636369) = 1
sprintf("ab", "%02x", 0xab) = 2
sprintf("11", "%02x", 0x11) = 2
sprintf("4a", "%02x", 0x4a) = 2
sprintf("86", "%02x", 0x86) = 2
sprintf("d9", "%02x", 0xd9) = 2
sprintf("a0", "%02x", 0xa0) = 2
sprintf("af", "%02x", 0xaf) = 2
sprintf("b8", "%02x", 0xb8) = 2
sprintf("da", "%02x", 0xda) = 2
sprintf("d6", "%02x", 0xd6) = 2
sprintf("36", "%02x", 0x36) = 2
sprintf("8c", "%02x", 0x8c) = 2
sprintf("bd", "%02x", 0xbd) = 2
sprintf("53", "%02x", 0x53) = 2
sprintf("7a", "%02x", 0x7a) = 2
sprintf("c1", "%02x", 0xc1) = 2
strcmp("e99a18c428cb38d5f260853678922e03"..., "ab114a86d9a0afb8dad6368cbd537ac1"...) = 4
puts("Access Denied"Access Denied
) = 14
+++ exited (status 1) +++
Nice! It went farther than our initial trial. Once it located the environment variable, it measured the value with strlen (7 characters for alvicci) and fed those bytes into MD5_Init, MD5_Update and MD5_Final. The sixteen sprintf("%02x") calls then turn each byte of the 16-byte digest into two hex characters, building the 32-character string ab114a86d9a0afb8dad6368cbd537ac1.
Finally, it compares that hex string with a predefined MD5 hash, e99a18c428cb38d5f260853678922e03, hard-coded in the program, using the strcmp function. strcmp returned 4 (non-zero), so the hashes differ and we still get Access Denied.
To find the actual password, you need to reverse the MD5 hash back to its string. MD5 is a hash, not encryption, so it cannot be decrypted; instead you look the hash up against precomputed tables of common passwords. You can use the md5online website for this.
The lookup gives the result "abc123".
To confirm if the password is correct, let us replace the value of the environment variable jennieandjayloveasm with abc123.
$ export jennieandjayloveasm=abc123
Then, let us run the executable file again:
$ ./crackme2
>>> Access Granted
Wheeeeeeew!
You have the password to the file.
You now have access to the file.
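To make the logic the two traces revealed concrete, here is an added Python reimplementation of the check (my own code, not the crackme2 source, which is not shown on this page): walk the environment the way the strncmp loop does, MD5 the value, hex-encode it byte by byte as the sprintf calls do, and strcmp the result against the hard-coded hash. The prefix and expected hash are the ones from the traces; the function names, the sample environment and the small wordlist are my own constructions.

```python
import hashlib

# Values taken from the ltrace output above.
ENV_PREFIX = "jennieandjayloveasm="               # 20 characters, hence strncmp(..., 20)
EXPECTED_HEX = "e99a18c428cb38d5f260853678922e03"  # hard-coded digest the program compares against


def find_secret(environ):
    """Mirror the strncmp loop: the first entry whose first 20 chars match the prefix wins."""
    for entry in environ:
        if entry[:len(ENV_PREFIX)] == ENV_PREFIX:   # strncmp(entry, prefix, 20) == 0
            return entry[len(ENV_PREFIX):]          # everything after the '=' is the candidate
    return None                                     # no such variable: straight to "Access Denied"


def md5_hex(value):
    """MD5_Init / MD5_Update(value, strlen(value)) / MD5_Final, then sprintf("%02x") per byte."""
    digest = hashlib.md5(value.encode()).digest()   # 16 raw bytes
    return "".join("%02x" % b for b in digest)       # 32 lowercase hex characters


def check_access(environ):
    """Return the message the program prints for this list of NAME=VALUE strings."""
    value = find_secret(environ)
    if value is None:
        return "Access Denied"
    # strcmp() == 0 means the strings are equal
    return "Access Granted" if md5_hex(value) == EXPECTED_HEX else "Access Denied"


def lookup_hash(hex_digest, wordlist):
    """Why an unsalted MD5 of a short password is weak: the digest is recovered by lookup, not decryption."""
    for word in wordlist:
        if md5_hex(word) == hex_digest:
            return word
    return None


# Constructed sample environment (the real program walks the process's own environ).
BASE_ENV = ["HOSTNAME=28baaff6813f", "HOME=/root", "TERM=xterm", "SHLVL=1"]
# Constructed wordlist standing in for the precomputed tables an online lookup uses.
WORDLIST = ["password", "123456", "abc123", "letmein"]

if __name__ == "__main__":
    print(check_access(BASE_ENV))                              # Access Denied
    print(check_access(BASE_ENV + [ENV_PREFIX + "alvicci"]))   # Access Denied
    print(lookup_hash(EXPECTED_HEX, WORDLIST))                 # abc123
    print(check_access(BASE_ENV + [ENV_PREFIX + "abc123"]))    # Access Granted
```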
Are you still here?
I love you more! 💕
How did I come about this? I am currently enrolled in the ALX software engineering programme. And in one of the projects, we were asked to create a file that contains the password to an executable file.
Thanks for reading. This was a long read and I hope it's helpful.
Signing out: Your friendly beginner ❤