{% include_relative scripts/level0/shellcode.py %}
{% include_relative scripts/level0/level0.py %}
Flag: oiRJLfkGyb
This level is almost the same as before, but we defuse the SIGTERM by installing our own signal handler, in this case a simple `SIG_IGN`.
{% include_relative scripts/level1/level1.c %}
{% include_relative scripts/level1/payload.py %}
Don’t forget to put the shellcode in an environment variable, and put the address of the shellcode in `shellcode_address` in the payload.py file.
Flag: s8gSofSE2b
In this level we can exploit the fact that it leaves the file open, and we can also execute our code using the last line, which reruns the file with `execl`.
{% include_relative scripts/level2/level2.c %}
{% include_relative scripts/level2/read_pass.c %}
Flag: uAcGloJt0Q
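The root cause in this level is a descriptor that stays open when the program re-executes a binary. The following is an added example, not code from the challenge or from this write-up's scripts: it compares a plain `open` with one that uses `O_CLOEXEC`, the defensive fix, by checking whether the descriptor is still present in an exec'd child. The function names, `/dev/null` as the sample file, and the use of `/bin/sh` with `/dev/fd` are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if `fd` is still open in a program started with exec, 0 if the
 * kernel closed it at exec time, -1 on error. The child runs /bin/sh, which
 * tests /dev/fd/<fd> (assumes a Linux-style /dev/fd). */
static int fd_survives_exec(int fd)
{
    char num[16];
    int status;
    pid_t pid;

    snprintf(num, sizeof num, "%d", fd);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "$0" inside the script is the descriptor number passed below. */
        execl("/bin/sh", "sh", "-c", "[ -e \"/dev/fd/$0\" ]", num, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Opens `path` read-only, with or without O_CLOEXEC, and reports whether the
 * descriptor leaks into the exec'd child (1 = leaked, 0 = closed). */
int leaks_across_exec(const char *path, int use_cloexec)
{
    int fd = open(path, O_RDONLY | (use_cloexec ? O_CLOEXEC : 0));
    int leaked;
    if (fd < 0) return -1;
    leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("plain open: leaked=%d\n", leaks_across_exec("/dev/null", 0));
    printf("O_CLOEXEC:  leaked=%d\n", leaks_across_exec("/dev/null", 1));
    return 0;
}
```

A privileged program that opens a sensitive file should either close it before calling exec or open it with `O_CLOEXEC` so the new image never receives the descriptor.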
Brute forcing
{% include_relative scripts/level3/level3.sh %}
Then we’ll run it in the background and try giving it an empty string by entering Ctrl-D.
Flag: 7ZPAL8uzpi
In this challenge we exploit the fact that we can put input into `inp` on the stack, which is 2048, and then there will be content in `lastname`.
When we manage to win the game, we can insert a newline into the first name; `lastname` will then contain garbage values, and there will be no problem when it is copied to `buf`.
However, the stack isn’t empty, because we filled it earlier with our content.
The address of `inp` is 0xffffcb34 and the address of `lastname` is 0xffffd038.
The difference between them is 1284, and then we need to find how many characters to put in `lastname` until it overwrites the return address; in this case it turns out to be 208 bytes.
So all that’s left is to solve the game.
{% include_relative scripts/level4/level4.py %}
Pipe all the data as if it were regular stdin, and when you want to launch the attack, you only need to type ATTACK.
I use random 4, and find that the WUMPUS is in room 10.
- execute `./level4.py | /manpage/manpage4 -s 4`
- input `N`, new line, `ATTACK`, new line, `S`, new line, `1`, new line, `10`, new line, `\n`.
Flag: sxmrfDKUtV
I’m stuck : |
Flag: sxmrfDKUtV