Sunday, 29 August 2010

[Wargame] Shell-Storm August 2010

Hi people!

It's been a while. This weekend I was idling a bit on the internet when I saw shell-storm had started their wargame and there were 3h left before it ended.

Here, no "tutorial" explaining how to pwn the challenges, just summing up the wargame a bit ;).

I decided to take a look and it was quite fun :).

I managed to go up to level6 in 1h20 and got stuck there.

So about the levels :
- level1 : Simple buffer overflow
- level2 : Same but the input string mustn't contain 0xCD or 0x2F
- level3 : Buffer overflow in which the buffer MUST start with precise bytes
- level4 : Cleverly get the thing to print the interesting file
- level5 : It has a small protection checking for some input value before triggering the buffer overflow
- level6 : Simple format string
I'll let you analyze the other levels' source code given by shell-storm ;).

So basically, for all the levels, I used these tools :
- metasploit pattern
- gdb
- python

And importantly, bash didn't set euid, so we needed to use a payload that fixes it : "bash -p payload".

That's all that was needed :).

Thanks Djo for your wargame, it was pretty fun :).


- Challenges summary and sources : ShellStorm's Wargame 2010

1 comment:

  1. It's simpler than that! Much simpler.

    Level 1: Look at the string compare functions.
    Level 2: simple buffer overflow
    Level 3: you don't need to overflow anything, just 'sneak' around the character check by using backticks to insert the escape (i.e. semicolon) to execute the command you want.
    Level 4: There's a way to sneak '/../s' in there.
    Level 5: Use a symlink in temp for 'somefile' that actually points to password.