A Simple Cracked P$$wrd

Heavens — Tue, 29 Mar 2022 06:52:18 +0000

What is a passworded file without a "possward"?

With the advancement of the digital age; digital security is becoming much more important for safety. And with attackers getting so skilled, the need for an improvement for stronger security begs for exploration and implementation.

Anyhoo, I am not here for that. I'm here to show how a simple password file that is coded in C programming language can be hacked in a simple way. I will be running this on my Ubuntu machine.

You can access the file crackme2 here.

You may need to install the openssl library to run the crakme2 program: sudo apt install libssl-dev
Edit the source list sudo nano /etc/apt/sources.list to add the following line: deb http://security.ubuntu.com/ubuntu xenial-security main Then sudo apt update and sudo apt install libssl1.0.0

Let us run the file:

$ ./crackme2
>>> bash: ./crackme2: Permission denied

If you encountered the above, it means the user does not have executable permission to the file. Run the below to add executable permission for the user:

$ chmod 744 crackme2

$ chmod u+x crackme2

Trying running the executable file again

$ ./crackme2
>>> Access Denied

OMG! Access denied?! This shows the file has some type of access that you don't have and/or a password attached to it. And you don't even know where to write this password to gain access even if you know it.

So, first thing first! We need to check if this file is stripped or not. Why?

Use the file command to determine the type of your file. The command tests each argument in an attempt to categorize it based on the below:

filesystem test
magic test
language test

$ file crackme2
>>> crackme2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e707426293fb8df389849d6d43665deb4e0229c2, not stripped

It's not stripped; indicating the file contains some information and symbols.

Next, let us do a ltrace on the file.
ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program.

$ ltrace ./crackme2
>>> __libc_start_main(0x400876, 1, 0x7ffed3761ee8, 0x400a60 <unfinished ...>
strncmp("HOSTNAME=28baaff6813f", "jennieandjayloveasm=", 20)                              = -34
strncmp("LANGUAGE=en_US:en", "jennieandjayloveasm=", 20)                                  = -30
strncmp("PWD=/root/alx-low_level_programm"..., "jennieandjayloveasm=", 20)                = -26
strncmp("TZ=America/Los_Angeles", "jennieandjayloveasm=", 20)                             = -22
strncmp("HOME=/root", "jennieandjayloveasm=", 20)                                         = -34
strncmp("LANG=en_US.UTF-8", "jennieandjayloveasm=", 20)                                   = -30
strncmp("LS_COLORS=rs=0:di=01;34:ln=01;36"..., "jennieandjayloveasm=", 20)                = -30
strncmp("LESSCLOSE=/usr/bin/lesspipe %s %"..., "jennieandjayloveasm=", 20)                = -30
strncmp("TERM=xterm", "jennieandjayloveasm=", 20)                                         = -22
strncmp("LESSOPEN=| /usr/bin/lesspipe %s", "jennieandjayloveasm=", 20)                    = -30
strncmp("SHLVL=1", "jennieandjayloveasm=", 20)                                            = -23
strncmp("LC_ALL=en_US.UTF-8", "jennieandjayloveasm=", 20)                                 = -30
strncmp("PATH=/usr/local/sbin:/usr/local/"..., "jennieandjayloveasm=", 20)                = -26
strncmp("OLDPWD=/etc", "jennieandjayloveasm=", 20)                                        = -27
strncmp("_=/usr/bin/ltrace", "jennieandjayloveasm=", 20)                                  = -11
puts("Access Denied"Access Denied
)                                                                     = 14
+++ exited (status 1) +++

Gotcha!!! From the look of the above trace, you could observe that this program is accessing the environment variables like PATH, HOSTNAME, HOME, LANG, et al. Using the strncmp function in C language, it is comparing the first 20 characters with jennieandjayloveasm=. It is searching the environment variable for a name with jennieandjayloveasm.
Let us give this program what it is looking for by creating a variable with that name with any value of choice.

$ export jennieandjayloveasm=alvicci

Let us confirm that the variable was created successfully

$ echo $jennieandjayloveasm
>>> alvicci

Now, let us re-run the ltrace on the file

$ ltrace ./crackme2
>>> __libc_start_main(0x400876, 1, 0x7fffd90db8d8, 0x400a60 <unfinished ...>
strncmp("HOSTNAME=28baaff6813f", "jennieandjayloveasm=", 20)                              = -34
strncmp("LANGUAGE=en_US:en", "jennieandjayloveasm=", 20)                                  = -30
strncmp("PWD=/root/alx-low_level_programm"..., "jennieandjayloveasm=", 20)                = -26
strncmp("TZ=America/Los_Angeles", "jennieandjayloveasm=", 20)                             = -22
strncmp("HOME=/root", "jennieandjayloveasm=", 20)                                         = -34
strncmp("LANG=en_US.UTF-8", "jennieandjayloveasm=", 20)                                   = -30
strncmp("LS_COLORS=rs=0:di=01;34:ln=01;36"..., "jennieandjayloveasm=", 20)                = -30
strncmp("jennieandjayloveasm=alvicci", "jennieandjayloveasm=", 20)                        = 0
MD5_Init(0x7fffd90db740, 0x400af6, 20, 61)                                                = 1
strlen("alvicci")                                                                         = 7
MD5_Update(0x7fffd90db740, 0x7fffd90ddf20, 7, 0x7fffd90ddf20)                             = 1
MD5_Final(0x7fffd90db7a0, 0x7fffd90db740, 0x7fffd90db740, 0x69636369)                     = 1
sprintf("ab", "%02x", 0xab)                                                               = 2
sprintf("11", "%02x", 0x11)                                                               = 2
sprintf("4a", "%02x", 0x4a)                                                               = 2
sprintf("86", "%02x", 0x86)                                                               = 2
sprintf("d9", "%02x", 0xd9)                                                               = 2
sprintf("a0", "%02x", 0xa0)                                                               = 2
sprintf("af", "%02x", 0xaf)                                                               = 2
sprintf("b8", "%02x", 0xb8)                                                               = 2
sprintf("da", "%02x", 0xda)                                                               = 2
sprintf("d6", "%02x", 0xd6)                                                               = 2
sprintf("36", "%02x", 0x36)                                                               = 2
sprintf("8c", "%02x", 0x8c)                                                               = 2
sprintf("bd", "%02x", 0xbd)                                                               = 2
sprintf("53", "%02x", 0x53)                                                               = 2
sprintf("7a", "%02x", 0x7a)                                                               = 2
sprintf("c1", "%02x", 0xc1)                                                               = 2
strcmp("e99a18c428cb38d5f260853678922e03"..., "ab114a86d9a0afb8dad6368cbd537ac1"...)      = 4
puts("Access Denied"Access Denied
)                                                                     = 14
+++ exited (status 1) +++

Nice! It went farther than the initial trial that we did. So, it checked the environment variable for the file and after locating it, it checked the length of the value using the strlen function.
From the look of it, it seems it calculate the MD5 hash of the environment variable value and compare it to a predefined MD5 in the program itself using the strcmp function.

It is comparing the hash value of the environment variable with a predefined MD5 hash value e99a18c428cb38d5f260853678922e03 in the program using the strcmp function.

To confirm the actual password, you should try decrypting the MD5 hash value to the string. You can use md5online website for this.

After converting, the result is "abc123".
To confirm if the password is correct, let us replace the value of the environment variable jennieandjayloveasm with abc123.

$ export jennieandjayloveasm=abc123

Then, let us run your executable file.

$ ./crackme2
>>> Access Granted

Wheeeeeeew!
You have the password to the file.
You now have access to the file.

Are you still here?
I love you more! 💕

How did I come about this? I am currently enrolled in the ALX software engineering programme. And in one of the projects, we were asked to create a file that contains the password to an executable file.

image: from gettyimages

Thanks for reading. This was a long read and I hope it's helpful.

Signing out: Your friendly beginner ❤

Print vs Return in Python

Heavens — Sun, 20 Mar 2022 04:47:32 +0000

I pondered on what my first post will be, like the luck of the genie, someone asked the below question and I jumped on it.

"Please, what's the difference in using return or print in a function for python?"

Let me paint a really "long in a short story" here:

Return - Come back
Print - Shout or do something
Function_name - Your errand boy

So, you sent your guy to buy something for you. Let us say, Chicken Republic's burger (my fav ❤) with the Monster drink and gave him your ATM card and PIN (hope you trust this friend though - I won't be held accountable. Lol 😁).
You told him on getting to the location, he should drop a flash on your mobile phone number.
When he's done with the purchase and paid successfully, he should bring the items to you.

Now, when he brings the items, you have unlimited options of things to do with them.
You can either:

eat it
drink it
give to a friend
keep it
throw it away ...et al

Using the above, the print in a function is like the dropped-flash that you asked your friend to give to you when he's at the location. When you call a function, you should do something.
However, when you return a value, just like when you asked your guy to come back with the items, you are instructing the function to come back with something.
This something can be used in any way that you like. Store in a variable, do nothing, used in an expression, et al.

Now, let me add the samples:

def say_name():
    name = 'alvicci'
    print("My name is {:s}".format(name))

If you call the function, it will print the next line:

say_name()
My name is alvicci

However, let us use the same function, but this time instead of using print, let us use the return keyword.

def say_name():
    name = 'alvicci'
    return("My name is {:s}".format(name))

If you call the above function, nothing happens. You didn't tell it to do something but to return something.
What do we do to things that we receive? Lord and master, over to you, lordship. 😎
Let me use what was returned to do something:

print("What is your name? ")
print(say_name())

We called the function in the print function. So, it will evaluate the function, say_name() first and give the return value to the print function.
Now, you have given the print function something. And the print function always displays to the console what it was given.
The output will look like this:

What is your name? 
My name is alvicci

This is my first attempt ✍ and I hope you find this helpful. However, I'm still learning and growing!

DEV Community: Heavens

A Simple Cracked P*$$w*rd

Print vs Return in Python

A Simple Cracked P$$wrd