This folder contains solutions for the Maze wargame from OverTheWire.
in this level we exploit race condition. first it checks access to a file, and then change to higher privileges and print the content of the file. so, we will link it to maze0 privilege, and before it opens the file for reading, we’ll change to maze1 privilege.
{% include_relative scripts/level0/link_script.sh %}
{% include_relative scripts/level0/run_script.sh %}
then, we’ll run this
./link_script.sh &
./run_script.sh | grep -av "maze0"
Flag: kfL7RRfpkY
in this challange, we need to create our own libc.so.4 that will be used by the program.
{% include_relative scripts/level1/hook.c %}
, you need to adjust the addresses on the stack of the (maybe) local variables.
the commands for compiling and linking the so file, here.
gcc -m32 -shared -fPIC -o libc.so.4 hook.c -ldl
notice the tmp dir you’re working on can’t be something that mktemp has made, it won’t work properly.
Flag: PBeZRPjetr
in this challange, we inject short code that pushes the shellcode address, and then executes the shellcode.
{% include_relative scripts/level2/level2.py %}
Flag: DSEiCewQOv
in this challange, we need to give in argv[1] 0x1337c0de.
i simply run this command: /maze/maze3 $(echo -e '\xde\xc0\x37\x13')
Flag: vghylBpihH
in this challenge we override one address, and put there value that will fit our needs. also, we need to give short script in bash that will open shell, i do it using the following commands:
{% include_relative scripts/level4/code.c %}
, we will use this file as shebang.
- then, we need to put the payload into our file, lets say it’s input
python3 level5.py > inputand of course, change to executablechmod +x input.
the whole process:
cat > code.c
gcc -m32 code.c -o code
python3 level4.py > input
chmod +x input
Flag: fobwgnzRy0
simple reverse engineering can show us that for the username: username, the password should be <>A7?B7:
so, give these credentials:
username: username
password: <>A7?B7:
Flag: dOM2C7ZKlG
i decompiled maze 6, here you can see the source code.
in this challenge we use buffer overflow to override the file. we make our own File* struct, and put there in the write buffer our address, the address of the exit function in plt, and then we’ll write there the shellcode.
- this is a regular FILE* struct, when we open
filefor writing. -
the words i marked are: _IO_write_base, _IO_write_ptr, _IO_write_end
-
we need to find the address of exit in the plt record
so, the address of exit function in plt is 0x0804b208 - we need to inject our shellcode and find its address, we need to find the address of our malware FILE* struct.
we can see that the address of shellcode is 0xffffd204and address of our malware FILE* struct0xffffd158
for summary, we need to find this values:
FILE_struct_address = 0xffffd158
plt_exit_address = 0x0804b208
shellcode_address = 0xffffd204
the code can be found here [level7.py]
{% include_relative scripts/level6/level6.py %}
Flag: B6XkM3Syq6
we will exploit the line marked, and override the ret-address by giving value of 0x44 in the size, while the ret-address is at 0x40.
in the payload all the staff is \x00, with one exception, when we pass arg4 which contains the size.
we do it using buffer overflow
i marked important values: arg1, arg2, arg3, arg4, fd. (in this order), so we can see that arg4 is found after 46 bytes.
now, all left is to create your shellcode in environment variable and put the address in the code, in shellcode_address.
{% include_relative scripts/level7/level7.py %}
Flag: eQdZB1qy6L
in this stage we need to open a socket on port 1337, and send data. then, we exploit format string attack, in snprintf
you can run this commands:
./level8.py &> /dev/null &
and then
/maze/maze8
the code can be found here [level8.py]
{% include_relative scripts/level8/level8.py %}
Flag: TtMMzTuXyi