Hi people!
It's been a while. This weekend I was idling a bit on the internet when I saw that shell-storm had started their wargame and there were 3h left before it ended.
Here, no "tutorial" explaining how to pwn the challenges, just summing up the wargame a bit ;).
I decided to take a look and it was quite fun :).
I managed to go up to level6 in 1h20 and got stuck there.
So about the levels :
- level1 : Simple buffer overflow
- level2 : Same but the input string mustn't contain 0xCD or 0x2F
- level3 : Buffer overflow in which the buffer MUST start with precise bytes
- level4 : Cleverly get the thing to print the interesting file
- level5 : It has a small protection checking for some input value before triggering the buffer overflow
- level6 : Simple format string
I'll let you analyze the other levels' source code given by shell-storm ;).
So basically, for all the levels, I used these tools :
- metasploit pattern
- gdb
- python
And importantly, bash didn't set euid so we needed to use a payload that fixes it : "bash -p payload".
That's all that was needed :).
Thanks Djo for your wargame, was pretty fun :),
m_101
- Challenges summary and sources : ShellStorm's Wargame 2010
It's simpler than that! Much simpler.
Level 1: Look at the string compare functions.
Level 2: simple buffer overflow
Level 3: you don't need to overflow anything, just 'sneak' around the character check by using back ticks to insert the escape (i.e. semicolon) to execute the command you want.
Level 4: There's a way to sneak '/../s' in there.
Level 5: Use a symlink in temp so that 'somefile' actually points to password.