This folder contains solutions for the Utumno wargame from OverTheWire.
When I run the file, it says to read it; however, I don’t have read permissions. So I decided to try hooking the file by hooking the puts function.
After I saw that the hook works, I read the stack using printf("%p %p %p %p %p %p %p %p\n"), and then I saw addresses that start with 0x804, which may indicate local variables on the stack that might contain the password.
{% include_relative scripts/level0/hook.c %}
In this code, you need to adjust the stack addresses of the (possible) local variables.
The commands for compiling and linking the .so file are here:
gcc -m32 -shared -fPIC -o hook.so hook.c -ldl
LD_PRELOAD=./hook.so /utumno/utumno0
Flag: ytvWa6DzmL
Here, we need to put our shellcode after “sh_”. There is a small problem: we can’t use “\” in the shellcode, because this character can’t appear in a filename.
{% include_relative scripts/level1/level1.py %}
{% include_relative scripts/level1/script.sh %}
The shellcode tries to execute this command: system("sh"), which means we need to link sh to /bin/sh.
Put the code into the files using cat > script.sh and cat > shellcode.py.
These are the commands that you need to run:
chmod +x script.sh
ln -sf /bin/sh sh
./script.sh
Lastly, run this: /utumno/utumno1 .
Flag: RdUzprHKSm
First, we can see that there is no protection and that ASLR is disabled.
Then, after analyzing the code, I realized that I can pass content in the 9th position of envp that will be written to a buffer, and I also found that the return address sits on the stack after 16 bytes. So what we need to do is overwrite the return address and place our shellcode.
Because we run with envp, it overrides our regular SHELLCODE environment variable.
We need to find the address of the shellcode; try debugging to find it. For example:
(Here I debug and put a breakpoint where the main of /utumno/utumno2 is found; it won’t change because ASLR is turned off.)
{% include_relative scripts/level2/level2.c %}
In this code, only change the address_of_shellcode variable and it should work.
Flag: h3kVKJZuid
First, we can see that there is no protection and that ASLR is disabled.
I decompiled the file using Ghidra and found that we can manipulate our input in order to overwrite the return address with our shellcode address.
{% include_relative scripts/level3/shellcode.py %}
This shellcode runs: execve('/bin/cat','/tmp/passwwd')
{% include_relative scripts/level3/level3.py %}
In this script, you need to change the address of the shellcode based on the address of your environment variable.
Also, you need to run this command: ln -sf /etc/utumno_pass/utumno4 /tmp/passwwd
Flag: qHWLExh7C5
First, we can see that there is no protection and that ASLR is disabled.
In this level we do a buffer overflow, but we also need to pass one check:
It checks that the length of the buffer satisfies a specific rule.
Here you can find the shellcode: shellcode.py
{% include_relative scripts/level4/level4.py %}
In this script, you need to change the address of the shellcode based on the address of your environment variable.
Flag: vY134qxapL
Same as level3; I took the code from there.
{% include_relative scripts/level5/level5.c %}
Flag: aGlKWrixsh
First, I took the code and decompiled it using Ghidra.
I can see an integer overflow: we can give it a negative value and go backwards in memory.
The idea behind the attack is to overwrite the location where the return address is stored and put our shellcode address there.
We can see that auStack_34 is located at [ebp-0x34], so if we set arg1 = -1, we can overwrite the address. Then we need to find where on the stack the return address is stored and take this memory location; this will be the new address of our auStack_34.
{% include_relative scripts/level6/level6.py %}
Flag: VHOuCx7iA5
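The negative-index bug described above is the kind that appears when a signed index is tested only against its upper bound. As an added example (not code from this repository or from the wargame binary), here is that weak check next to a hardened one in C; the upper-bound-only cause, TABLE_LEN and all function names are assumptions made for illustration.

```c
/* Added example: TABLE_LEN and every name here are assumptions. */
#include <errno.h>
#include <stdlib.h>

#define TABLE_LEN 10 /* assumed table size */

/* Weak pattern: only the upper bound is tested on a signed index,
 * so -1 is accepted and table[-1] would land below the array. */
int weak_index_ok(int idx) {
    return idx < TABLE_LEN;
}

/* Hardened check: reject negatives and anything at or past the end. */
int strict_index_ok(long idx) {
    return idx >= 0 && idx < TABLE_LEN;
}

/* Parse an index from untrusted text (decimal, octal or hex).
 * Returns 0 and sets *out on success, -1 on any malformed or
 * out-of-range input. */
int parse_index(const char *s, size_t *out) {
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 0);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1; /* empty, trailing junk, or overflowed long */
    if (!strict_index_ok(v))
        return -1;
    *out = (size_t)v; /* safe: 0 <= v < TABLE_LEN */
    return 0;
}

/* Write to the table only after the index has been validated. */
int table_store(int *table, const char *idx_text, int value) {
    size_t idx;

    if (parse_index(idx_text, &idx) != 0)
        return -1;
    table[idx] = value;
    return 0;
}
```

Compiling with -Wsign-compare (part of -Wextra for C in GCC) flags mixed signed/unsigned comparisons that often hide this class of bug.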
Here we overwrite the stored ebp register and put our address there. In the code it is called buffer_address; you need to put the address of the buffer there.
There is also an address for the shellcode, which is stored in shellcode_address.
{% include_relative scripts/level7/level7.py %}
In this script, you need to fill these two fields with the correct addresses.
Flag: oqnM7PWFIn