
Hack your way through Stripe's Capture the Flag - gdb
https://stripe.com/blog/capture-the-flag
======
tzs
The asshole who fork bombed it is boasting on Reddit:
[http://www.reddit.com/r/programming/comments/q1qii/want_to_t...](http://www.reddit.com/r/programming/comments/q1qii/want_to_try_your_hand_at_writing_exploits_try/c3u09kc)

Anyone else not at all surprised who it is?

~~~
lkozma
I am surprised by the attitude against what he did, both on reddit and even
more so here. After all, this is "hacker news" and the submission is called
"hack your way...". Any definition of hacking that I know includes cleverly
exploiting the limitations and boundary cases of a system. I see this attitude
as part of a larger trend of "sandbox"-ification, "theme park"-ization of
computing.

~~~
milkshakes
the competition wasn't "DOS the box", it was "capture the flag". this is
charlie sheen "winning" at best

~~~
Drbble
The competition was "Teach Stripe the fundamentals of computer security".
Resource quotas are one of those fundamentals.

~~~
milkshakes
_Your goal is to read the contents of /home/level02/.password._

Not sure how exhausting resources will advance you toward that goal.

------
mhartl
Once they've run this for a while, I'd love to see a post and screencast on
some of the techniques needed to solve it. I don't know much about this
subject, and I'd enjoy having a chance to learn in a setting unlikely to get
me arrested.

~~~
mirkules
I'd love to see how people solved #2, and if they used any special tools like
I did or if there's an easier way to do it. And I can't wait to delve deeper
into #3 tomorrow :)

~~~
mkopinsky
Tool used: One line of javascript, entered in location bar. (Seems Chrome
resource inspector doesn't allow the edit I needed.)

~~~
Ideka
Damn, I always forget you can actually just use javascript to "do it", and end
up using a Firefox add-on.

~~~
mkopinsky
If I were in Firefox at the time I would have used Firebug (or I guess
Firecookie, I don't remember if Firebug allows native editing of cookies), but
I just happened to have Chrome running at the time.

------
saurik
FYI: the worker process for level05 isn't working anymore (I'm pretty
confident it was not me that broke it, btw ;P); even with the simple "hello
friend" example (exactly as given in the MOTD on the account), the server
always returns "job timed out" (it is now about 3am PST).

(edit:)

...and as of almost 3:30am PST, it is no longer possible to log in to the
server. :( (...and while typing the next paragraph, I finally got in, but
spawning processes is now taking forever, and the two-second job timeout has
worked its way up to almost 5 seconds. Maybe another silly attack.)

(Regardless, overall this has been rather well put together, and quite fun. I
taught a freshman class at UCSB/CSS today on "how absinthe, the iPhone 4S
jailbreak works", and got a few of the students interested in trying out the
CTF to see what they might learn by working on it.)

~~~
mpetrov
I'm also stuck at this point. Have the python exploit working on my localhost,
now just need to run it live.

~~~
saurik
Yeah, same here. :( Part of me wonders whether someone with access to level06
went mucking around in the /tmp/level05 folder (which is itself 770
root.level06, so a level06 user can probably chmod 000 the queue folders) to
keep other people from being able to get past that point.

~~~
mpetrov
I actually just found a way to kill the worker process remotely (on my
localhost). Perhaps they don't have it hooked up to supervisord for
autorestart. It's almost trivial to run sys.exit() on that worker.

That being said, your tmp folder permissions theory is much more interesting
though and that would be a brilliant way to keep everyone else from catching up.
:)

~~~
a1k0n
It does seem to have restarted recently, so perhaps it is auto-restarting. It
takes a few minutes, though.

------
lurker17
Bonus to anyone who gets the answer by intercepting another solver's email
message.

~~~
sdfjkl
I just hope this machine is isolated from Stripe's network, in case someone
makes it to secret level 99.

~~~
gdb
Yep, it's completely isolated. Someone rooting the machine is very much within
our threat model :).

~~~
heywire
Must be fun watching all of the attempts... Do you have any way to monitor
progress?

~~~
gdb
We don't have an exposed way. We'll probably do a summary blog post in the
future with stats though!

~~~
chrisacky
I've been trying to read $ history

Failed. :) I figured that would have been an easy way to progress through the
levels. Read bash history from other users.

~~~
saurik
(This would certainly work if you can read my history: I don't consider the
level "complete" until I get it down to a short bash one-liner that prints out
the password. ;P)

------
phzbOx
Just a word on level2, I don't think that's a hint, if you think so I'll
remove this comment asap.

The login to get on the page is: level02 and the password is what you've found
in level01. I.e. The challenge is not to crack that "Authorization required"
dialog.

~~~
spicyj
The welcome message says:

> This one is a web-based vulnerability, so go ahead and point your browser to
> XXXXX. You'll need to provide the password for level02 using HTTP digest
> authentication.

so no, it's not the challenge. :)

~~~
phzbOx
Yeah.. but I somewhat didn't realize it was the same l/p as the ssh and was
trying to crack it ;) Or, more particularly, find a way around that protection
to access the challenge behind it.

------
mjijackson
Read this if you're stuck on level 3:
<http://destroy.net/machines/security/P49-14-Aleph-One>

~~~
dthunt
<3

I read this back in college, ages ago. Still relevant - not quite up there
with K&R as far as technical writing goes, but it does indeed do the job of
making a theoretical problem into an understandable & exploitable one, and for
that reason "Smashing the Stack For Fun And Profit" is a phrase that has a
special place in my heart.

------
mirkules
Guys, I gotta say, this is SO much fun! I am actually learning a ton, and
while I'm only up to level 3, I feel this is such an awesome learning
experience! Plus, I feel totally "leet" for figuring out levels 2 and 3. The
world definitely needs more of these.

~~~
Rudisimo
Same here, but I'm stuck on level 3 though...maybe my strategy is wrong. I am
able to execute the function _run_ from _/levels/level03_ with the following
command:

    cat /home/level04/.password

But I'm still getting access denied. I thought that would have done it for
sure. The program runs under the following credentials:

    
    
      uid=1003(level03) gid=1004(level03) groups=1001(chroot),1004(level03)
    

Which is kind of weird since _/levels/level03_ has a setuid of level04. It
could be gdb...

~~~
thirsteh
Since gdb is the parent of your process, it's running as level03, not root.
You can't use gdb on a setuid binary unless you run gdb itself as root.

------
olalonde
I'm getting the following (no source/binary file... is it part of the
challenge or is there something wrong?):

    level01@ctf:~$ pwd;ls -al
    /home/level01
    total 24
    dr-x------ 2 level01 root    4096 2012-02-22 13:28 .
    drwxr-xr-x 9 root    root    4096 2012-02-22 13:28 ..
    -rw-r--r-- 1 level01 level01  220 2010-04-19 02:15 .bash_logout
    -rw-r--r-- 1 level01 level01 3103 2010-04-19 02:15 .bashrc
    -rw------- 1 level01 root      11 2012-02-22 13:28 .password
    -rw-r--r-- 1 level01 level01  675 2010-04-19 02:15 .profile

~~~
farnsworth
that's the home directory, i think you want /levels

~~~
olalonde
Oops, thanks!

------
starnix17
Anyone having trouble connecting to this?

~~~
jnorthrop
I am. I think their server must be overloaded. I bookmarked the blog post
announcing this and I'm going to try again tomorrow.

~~~
gdb
Yeah, we're rebooting. Should be up in a few more minutes. Sorry about that.

~~~
saurik
For anyone building something similar, I imagine having an elastic load
balancer for TCP port 22 with a health check on a web service that spawns a
process as each of the user accounts before returning "good", combined with an
auto-scaling group to make certain there are always a couple healthy
instances, would be an automated way to keep something like this running
through fork bombs.

------
gqwo
Am I just too stupid or is there a problem with level2? I can open files like
/etc/passwd but not /home/level03/.password

~~~
lftl
Pretty sure it's broken right now. It was working earlier, but it returns
nothing now, and the password that was in place doesn't work any more.

~~~
gdb
We're taking a look! (Bleh, spinup scripts not working as well as you'd
like....)

~~~
jessepollak
It's working now! Before it wasn't even printing my user agent and info
though.

------
jcr
You should note that the SSH key has been changed.

    $ dsocks.sh ssh level01@ctf.stri.pe
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11.
    Please contact your system administrator.
    Add correct host key in /home/jcr/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /home/jcr/.ssh/known_hosts:8
    RSA host key for ctf.stri.pe has changed and you have requested strict checking.
    Host key verification failed.

It may be something harmless/simple like round-robin DNS combined with a
failure to replicate the key, or more likely, someone has rooted the box.

EDIT: As confirmed by gdb and ab below, there's a good reason for the key
change.

~~~
mjijackson
Can anyone from Stripe confirm that this box is not rooted?

~~~
gdb
Confirmed.

------
le_isms
Here's the descriptions for all the levels from /usr/local/bin/ctfsh...

<https://gist.github.com/1890401>

------
jetsnoc
It's fun to feel like a nefarious hacker. I'm at level2, see you at level 6
guys!

~~~
farnsworth
Any tips? I want to actually learn from this - I'm not just looking for the
answers. But I've read wikipedia on setuid, googled around a bit, and am still
not sure what to do.

~~~
lftl
My hint for level01 would be to look at the system line, and think about how
it is executed.

~~~
CZ-18
EDIT: doh, didn't know we had write access to /tmp, that makes it easy

~~~
farnsworth
When you first connect, you are in a /tmp/tmp.something directory which you
can edit.

~~~
pvsnp
You can also do cd $(mktemp -d) and get a new one if you need another one.

------
jessepollak
anyone have any good resources for understanding the basics of all of this?

~~~
olalonde
For level 1 to 3, Google those: system() exploit, never trust user input,
buffer overflow

~~~
turkeygizzard
I'm entirely new to hacking, and as such I'm struggling with level 1. I looked
up the system() exploit, and I've managed to compile my own date program, but
when I try to read the password from level02, I'm told I don't have
permission. Could you point me in the right direction?

~~~
robbles
Try to figure out how you could trick a setuid program into running your date
program instead of the real one.

------
chubot
4 days later:

    level06@ctf6:/tmp/tmp.0fPRsmsetz$ /levels/level06 /home/the-flag/.password
    %%%%%%%%% Welcome to the password checker! ........................ Wait, how did you know that the password was %%%%%%%%%?

Level 5 seemed too easy -- it seems like they forgot a much easier exploit.
The code was carefully constructed in a way that suggested a pickle injection
attack which required understanding the pickle stack machine, but you didn't
need that.

Level 6 was interesting. Some people got it with a timing attack. I used a
different, more elegant method with a hint from reddit.

Very well done, stripe.

------
chrisacky
Lots of segfaults!

Which by the looks of things, level03 is the furthest anyone is based on logs.

> [32041.680408] level03[17009]: segfault at ffdc50c4 ip 00000000080487b2 sp
> 00000000ffe0aee0 error 4 in level03[8048000+1000]

~~~
tlb
Damn Linux stack randomization. Some amount of brute force seems to be
required.

~~~
tlb
Spoke too soon, there's a non-brute-force solution.

~~~
swolchok
It's nearly impossible to debug my should-be-reliable-but-doesn't-work-at-all-and-by-the-way-gdb-affects-memory-layout solution with all the brute forcing going on though. :(

------
zx2c4
SPOILER SPOILER SPOILER

Don't look at this if you actually want to enjoy the contest.

<http://pastebin.com/VJ4xpawq>

~~~
mpetrov
For level 06, I came up with a completely different solution. After hitting my
head against the wall all day trying to fight with blocking/non-blocking IO, I
resorted to a timing attack on the system call which worked really well. Check
it out:

<https://gist.github.com/1899389> (SPOILERS!)

~~~
benmmurphy
i did it a different way to both of you but similar to zx2c4's :) i found a
way to block the child process from writing to stderr. i thought the way they
were writing to stderr/ stdout was too much of a coincidence. all stdout
writes end with \n

~~~
zx2c4
Wadja end up doin'? Source?

~~~
benmmurphy
<https://gist.github.com/1914845>

~~~
vd83
I had the same solution, just different heuristics..

<http://pastebin.com/VfdmgwSA>

------
pavel_lishin
I keep getting this:

    level01@ctf:/tmp/tmp.c6PoABNv99$ ls
    bash: fork: retry: Resource temporarily unavailable

~~~
sdfjkl
Someone set us up the (fork)bomb. That didn't take long. Sadly it's a bit
silly and ruins all the fun for the rest of us :-/

~~~
dbalatero
Could something like this ([http://www.cyberciti.biz/tips/linux-limiting-user-process.ht...](http://www.cyberciti.biz/tips/linux-limiting-user-process.html)) be quickly implemented on the server?

~~~
ab
Yep, that's why you're seeing that error message rather than the machine
immediately grinding to a halt!

(Please don't forkbomb it, though.)

------
jcr
Just a quick note on the claimed fork bomb. It may not have been all that nice
to other users, but there may have been a method to their madness:

[http://dtors.org/2010/08/25/reversing-latest-exploid-release...](http://dtors.org/2010/08/25/reversing-latest-exploid-release/)

~~~
a1k0n
ASLR and non-executable stack make level 4 a huge pain in the ass. (But it's
not me doing that)

~~~
a1k0n
Update: they helped a brother out, and the stack is actually executable on
those binaries. I found out after mailing the organizers in exasperation. I
was under this impression because newly-compiled binaries had no-exec on the
stack, and I was off by a little when I tried to exploit it the first time.
Doh!

~~~
saurik
Ha! Last night I read your comment, assumed you were right, and then came up
with a solution that did not assume an executable stack. ;P (I'm actually
quite glad, as messing around with the stack would have been much harder.)

~~~
swolchok
For both of you, were your solutions 100% reliable? I ended up with an exploit
that required a little brute forcing (i.e., just run it a hundred times or
whatever).

~~~
saurik
Neither of our solutions were "reliable", and also required being run in a
loop. (I know this about a1k0n's solution, as he sent me an e-mail asking me
about my solution).

~~~
mpetrov
I actually have a 100% reliable solution that exploits the executable stack on
level 04. No need to guess the address of the stack using one side effect that
I found in this specific case:

<https://gist.github.com/807e81ad64c4e84a7770> (SPOILERS)

~~~
saurik
Awesome!! I totally saw that call instruction, and then went on a wild goose
chase thinking about how to get the string into that register, totally missing
the fact that some of my earlier attempts at using printf had established that
the string already happened to be there to begin with. Now I just feel dumb.
;P

------
ioquatix

    Trying 0xfff86350
    Trying 0xff94b1a0
    Trying 0xffdfb0a4
    Trying 0xff85e754
    $ whoami
    level05

It is 5am - time for bed =)

------
azernik
For CTF on shared servers, there need to be some explicit rules about DOSing
shared resources; otherwise things get really dull really fast.

If people are going to be using brute-force tactics, they're probably each
going to need separate virtual machines.

------
RegEx
Looking forward to trying this! I bookmarked it for later and noticed the
title was just "Stripe Blog". Could you put the title of your blog post in the
title tag? Makes bookmarking and also sharing via bit.ly extension much easier
:)

------
jarin
I feel like I just leveled up in programming several times by completing level
3 :)

~~~
jetsnoc
I need a tutor for level03! I am SO close but obviously so far. Any one up for
checking my current notes and homework and hinting at me as to my next move?

------
semisight
Can anyone give me a hint on level 02? I have absolutely no background in PHP,
and only a little in HTML. If you wanna keep the message thread private you
can email me too at billyman3 at gmail.

~~~
david_xia
First play with the webpage after entering the correct credentials. Then read
through the PHP script that generates that page and understand what's going on
behind it. Do you see any vulnerabilities in it?

------
Drbble
If you like this, you may enjoy the ICFP 2006 Cult of the Bound Variable
puzzle <http://www.boundvariable.org/task.shtml>

------
dbalatero
I'm getting a bunch of "bash: fork: retry: Resource temporarily unavailable"
in my SSH session when running commands like `ls`, etc. Could be due to high
traffic?

------
z02d
I'm stuck even at lvl1, but I'm thinking about how to solve it. Could anyone
help me? I want to learn and I don't want to spoil it here. Jabber:
.thing@jabber.ccc.de ICQ: 366509265

Thanks

~~~
z02d
Did it. Lvl 3 now

------
dillona
I got to level 5, but I think it is time to call it a night

------
spydum
Was up and working, got to level 3, and network died. I _love_ CTFs.. Got a
chance to do the CTF @ SANS (NetWars) Orlando in 2011, and it was a blast.

------
heywire
I can't stop thinking about this, but I have real work to do. Do you see what
you've done Stripe??? :) It's going to be another long night...

------
pranjalv123
I'm getting a Remote Host Identification Changed error, did you guys change
your certificate or is someone trying to MITM me?

------
mds_
Any subtle--no spoiler--hints for level03? I got the mem address for run() but
can't seem to find the correct index for it.

~~~
chubot
Copy the source locally, compile it, and use printf("%p") and void* casting on
various variables. That will help figure out the required pointer arithmetic.

You will likely encounter stack randomization but there is a way to do it
without worrying about that.

------
emeraldd
Well, it looks like the vm is slammed again. I keep getting failures trying to
run a shell after logging in.

------
mekarpeles
Is it intended behaviour for users to be able to access other people's files
via /tmp/tmp, tmp/hacks, etc?

------
zobzu
Someone already fork-bombed it ;-)

------
heywire
This is fun! Kudos to Stripe for putting this together... level03, working on
level04...

------
balloot
Bah. Looks like the server is now not responding. Bummer, because this is
really fun.

------
sgricci
Is part of the challenge dealing with the server timeouts?

In all seriousness, thanks for this!

------
jazzychad
uh oh, remote host identification has changed... new host or mitm? as this is
a cracker-centric event, i'm now very hesitant to reconnect... perhaps you
could publish the correct fingerprint somewhere?

~~~
jessepollak
same...hopefully it will get resolved soon.

~~~
gdb
New host :). We brought up a new machine for this, and didn't copy over the
SSH keys.

Never hurts to be paranoid though.

------
ryan-c
It seems to be down again.

------
gravitronic
Is this based on the classic digital evolution wargames? :D

------
akukurt
I'm getting this.."bash: fork: retry: Resource temporarily unavailable" each
and every time.

Is that a sign that I won this game without executing any CLI yet?

------
mjijackson
Aw, sad. The server seems to be non-responsive.

------
toblender
I think we ended up DDoSing the machine...

------
CZ-18
Any tips for level05 (the python one)?

~~~
CZ-18
nvm, got it

------
jtchang
Is /home/level02/.password empty?

~~~
jc4p
It includes the password for the level02 account.

------
why-el
I can't connect to it.

------
albertogh
It looks like the machine is under heavy load. My shell just stopped
responding and now ssh hangs while connecting :-(.

------
qdqss
sdfh Steve

------
ghost91
What am I doing wrong:

    Current time: cat: /home/level02/.password: Permission denied

Does someone have a tip?

~~~
jc4p
The whole point is that you're supposed to find vulnerabilities in what you
have access to and exploit them to view contents of things you don't have
permission to.

~~~
ghost91
I replaced the date with my own script, but it still gets executed as level01
user

~~~
necubi
Hint: not all shells blindly run scripts as the setuid user.
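
The pattern the level01 hints above circle around (lftl's "look at the system line", robbles's "trick a setuid program into running your date program", necubi's note about which shells honour setuid) is a privileged helper shelling out with a bare command name, so the command is resolved through the caller's PATH and environment. As an added example, not code from Stripe's levels, here is that pattern next to a hardened form; the function names, the `/bin/date` path and the pinned environment are assumptions, not taken from the challenge binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The risky pattern: a setuid binary shells out with a bare command name.
 * system() runs `sh -c "date"`, and sh looks "date" up in the PATH it
 * inherited from the unprivileged caller, with the caller's whole
 * environment intact. Whatever "date" resolves to runs with the binary's
 * privileges (unless the shell itself drops them, as necubi notes). */
int print_date_unsafe(void)
{
    printf("Current time: ");
    fflush(stdout);
    return system("date");
}

/* Hardened form: refuse anything but an absolute path, skip the shell,
 * hand the child a fixed environment, and drop the setuid privilege
 * before exec, since the helper needs none of it.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_trusted(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = {
        "PATH=/usr/bin:/bin",   /* constructed value; never the caller's PATH */
        "IFS= \t\n",            /* classic system() hazard, pinned anyway */
        NULL
    };

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* a bare name would go through PATH lookup */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* real uid/gid are the caller's; become them permanently */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(abs_path, argv, clean_env);
        _exit(127);             /* exec failed: same code a shell would use */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int print_date_hardened(void)
{
    char *const argv[] = { "date", NULL };  /* argv[0] is cosmetic; the path is fixed */
    printf("Current time: ");
    fflush(stdout);
    return run_trusted("/bin/date", argv);
}

int main(void)
{
    /* Only the hardened path is exercised; the unsafe one is kept to read against. */
    return print_date_hardened() == 0 ? 0 : 1;
}
```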

