In Level11 we are given the following code (three things are worth staring at: the "random" temporary file name in getrand() is seeded from time(NULL) and built under whatever directory the TEMP environment variable names, and process() finishes by calling system() on a buffer it has just decoded):
#include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <fcntl.h> #include <stdio.h> #include <sys/mman.h> /* * Return a random, non predictable file, and return the file descriptor for it. */ int getrand(char **path) { char *tmp; int pid; int fd; srandom(time(NULL)); tmp = getenv("TEMP"); pid = getpid(); asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid, 'A' + (random() % 26), '0' + (random() % 10), 'a' + (random() % 26), 'A' + (random() % 26), '0' + (random() % 10), 'a' + (random() % 26)); fd = open(*path, O_CREAT|O_RDWR, 0600); unlink(*path); return fd; } void process(char *buffer, int length) { unsigned int key; int i; key = length & 0xff; for(i = 0; i < length; i++) { buffer[i] ^= key; key -= buffer[i]; } system(buffer); } #define CL "Content-Length: " int main(int argc, char **argv) { char line[256]; char buf[1024]; char *mem; int length; int fd; char *path; if(fgets(line, sizeof(line), stdin) == NULL) { errx(1, "reading from stdin"); } if(strncmp(line, CL, strlen(CL)) !
In Level10 we are given a vulnerable piece of code. Keep an eye on the access(argv[1], R_OK) check: it only answers whether the caller's real user may read that path at that instant, separately from whatever is done with the file afterwards — the classic check-then-use shape:
#include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> #include <sys/socket.h> #include <netinet/in.h> #include <string.h> int main(int argc, char **argv) { char *file; char *host; if(argc < 3) { printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]); exit(1); } file = argv[1]; host = argv[2]; if(access(argv[1], R_OK) == 0) { int fd; int ffd; int rc; struct sockaddr_in sin; char buffer[4096]; printf("Connecting to %s:18211 .
In Level09 we are given the following PHP code and are told that it is executed through a SUID wrapper, so the script runs with the wrapper's elevated privileges:
// Obfuscates an e-mail address for display: "." becomes " dot " and "@" becomes " AT ".
function spam($email) {
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// Reads $filename, replaces every "[email ...]" tag with the obfuscated address and
// turns the remaining [ ] into < >.  $use_me is never read.
// SECURITY (review): $filename comes straight from $argv[1] below, and the page says this
// runs under a SUID wrapper, so any file readable by the wrapper's owner can be read here.
function markup($filename, $use_me) {
    $contents = file_get_contents($filename);
    // The /e modifier (deprecated in PHP 5.5, removed in 7.0) makes preg_replace evaluate
    // the replacement as PHP code after substituting the backreference: the text captured
    // by (.*) from the input file lands inside a double-quoted PHP string that is then
    // executed, so the input file controls what PHP code runs, not just what is printed.
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Both arguments are taken unchecked from the command line.
$output = markup($argv[1], $argv[2]);
print $output;
This code takes two arguments, the first one is a file containing email address in the format:
In Level08 we are given a network capture file: capture.pcap. If we open it with Wireshark we will only find one TCP Stream. We will use Follow TCP Stream to visualize it:
{% img /images/tcpstream.png 500 %}
We can see that the user was trying to log in to the wwwbugs server and that the login failed; the stream is readable in the clear, so whatever was typed, including the password, is in the capture. We can assume that it was the flag08 user trying to log in and sending his flag08 password by mistake… Yep, I know it is assuming too much, but anyway, that's all we've got.
In Level07 we are given the source code of a perl script:
#!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>"); @output = `ping -c 3 $host 2>&1`; foreach $line (@output) { print "$line"; } print("</pre></body></html>"); } # check if Host set. if not, display normal page, etc ping(param("Host")); The Host CGI parameter is interpolated into the backtick command (`ping -c 3 $host 2>&1`) without any validation or quoting, so the script is vulnerable to command injection on line 12. But how and where is it deployed?
In Level06 all we are told is that the flag06 user comes from a legacy Unix system. There is nothing special in his home folder. "Legacy" is a hint: on old systems the password hashes lived in the world-readable /etc/passwd rather than in /etc/shadow, so let's take a look at the /etc/passwd file:
level06@nebula:/home/flag06$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:104::/var/run/dbus:/bin/false nebula:x:1000:1000:nebula,,,:/home/nebula:/bin/bash sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin level00:x:1001:1001::/home/level00:/bin/sh flag00:x:999:999::/home/flag00:/bin/sh level01:x:1002:1002::/home/level01:/bin/sh flag01:x:998:998::/home/flag01:/bin/sh level02:x:1003:1003::/home/level02:/bin/sh flag02:x:997:997::/home/flag02:/bin/sh level03:x:1004:1004::/home/level03:/bin/sh flag03:x:996:996::/home/flag03:/bin/sh level04:x:1005:1005::/home/level04:/bin/sh flag04:x:995:995::/home/flag04:/bin/sh level05:x:1006:1006::/home/level05:/bin/sh flag05:x:994:994::/home/flag05:/bin/sh level06:x:1007:1007::/home/level06:/bin/sh flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh level07:x:1008:1008::/home/level07:/bin/sh flag07:x:992:992::/home/flag07:/bin/sh level08:x:1009:1009::/home/level08:/bin/sh flag08:x:991:991::/home/flag08:/bin/sh level09:x:1010:1010::/home/level09:/bin/sh flag09:x:990:990::/home/flag09:/bin/sh level10:x:1011:1011::/home/level10:/bin/sh flag10:x:989:989::/home/flag10:/bin/sh level11:x:1012:1012::/home/level11:/bin/sh flag11:x:988:988::/home/flag11:/bin/sh 
level12:x:1013:1013::/home/level12:/bin/sh flag12:x:987:987::/home/flag12:/bin/sh level13:x:1014:1014::/home/level13:/bin/sh flag13:x:986:986::/home/flag13:/bin/sh level14:x:1015:1015::/home/level14:/bin/sh flag14:x:985:985::/home/flag14:/bin/sh level15:x:1016:1016::/home/level15:/bin/sh flag15:x:984:984::/home/flag15:/bin/sh level16:x:1017:1017::/home/level16:/bin/sh flag16:x:983:983::/home/flag16:/bin/sh level17:x:1018:1018::/home/level17:/bin/sh flag17:x:982:982::/home/flag17:/bin/sh level18:x:1019:1019::/home/level18:/bin/sh flag18:x:981:981::/home/flag18:/bin/sh level19:x:1020:1020::/home/level19:/bin/sh flag19:x:980:980::/home/flag19:/bin/sh Notice that, unlike every other account, flag06's second field holds an actual password hash (ueqwOCnSGdsuM) instead of the x placeholder that defers to /etc/shadow — a legacy-style hash sitting in a world-readable file. Nice, we can try to crack it with John the Ripper (this reminds me of my college days …).
In Level05 we are pointed to the flag05 user's home directory. There we find a .ssh directory, so we can assume that flag05 logs in to his account with SSH keys, and also a .backup folder — worth a look, since a backup of the home directory could contain a copy of those keys:
level05@nebula:~$ ls -la /home/flag05 total 36 drwxr-x--- 5 flag05 level05 4096 Nov 20 16:49 . drwxr-xr-x 43 root root 4096 Nov 20 2011 .. drwxr-xr-x 2 flag05 flag05 4096 Nov 20 2011 .backup -rw------- 1 flag05 flag05 8 Nov 20 16:49 .
In Level04 we are given the code of a program owned by the flag04 user:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

/*
 * Print the first 1024 bytes of the file named by argv[1] to stdout,
 * unless the argument string contains the substring "token".
 * NOTE(review): err() is declared in <err.h>, which this listing does not include.
 */
int main(int argc, char **argv, char **envp) {
    char buf[1024];
    int fd, rc;
    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    /*
     * The only access control: a substring blacklist on the *spelling* of the
     * argument.  Nothing here looks at what the name refers to; open() below is
     * handed the same string and resolves it through the filesystem as usual,
     * so the check and the file actually opened are only loosely related.
     */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }
    /* A single read of at most sizeof(buf) bytes: longer files are truncated. */
    rc = read(fd, buf, sizeof(buf));
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }
    write(1, buf, rc); /* return value ignored; fd is never closed (process exit cleans up) */
}
The program opens a file passed as first argument if the name does not contain the token string so we cannot use it to open our target token file … or can we?
In Level03 we are told that the flag03 script is run by cron every X minutes. If we have a look at the code we can see that it will execute every file in the writable.d directory and then remove it:
level03@nebula:/home/flag03$ cat writable.sh #!/bin/sh for i in /home/flag03/writable.d/* ; do (ulimit -t 5; bash -x "$i") rm -f "$i" done Ok, so whatever we put in writable.d will be executed by someone else (each file is run with bash -x in a subshell under a 5-second CPU limit, and then deleted) … but who?
Level02 is about command injection. We are given the following vulnerable code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

/*
 * Echo "<USER> is cool" through the shell.
 * NOTE(review): asprintf() is a GNU/BSD extension; glibc only declares it when
 * _GNU_SOURCE is defined, which this listing does not do.
 */
int main(int argc, char **argv, char **envp) {
    char *buffer;
    gid_t gid;
    uid_t uid;
    /*
     * Copy the effective ids into the real and saved ids.  When the binary is
     * set-uid/set-gid this makes the elevated identity permanent for everything
     * spawned below: it can no longer be dropped back to the caller's real uid.
     */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
    buffer = NULL;
    /*
     * COMMAND INJECTION SINK: USER comes from the caller's environment and is
     * pasted verbatim, unquoted and unvalidated, into a string that system()
     * hands to "sh -c", so shell metacharacters in USER run as this process's uid.
     * Also: asprintf's return value is unchecked, and if USER is unset getenv()
     * returns NULL, which must not be passed to "%s".
     */
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);
    system(buffer);
}
As shown in the code, the program will use the USER environment variable to build the command executed by system so all we need to do is inject our getflag command: