Anyone else not at all surprised who it is?
Not sure how exhausting resources will advance you toward that goal.
Seriously though, fuck that guy. Half my night was spent waiting on vi.
Is it not that simple?
I've stuck it on pastebin instead of in this comment, so it doesn't spoil it for anyone not looking.
From there you basically only need curl.
curl --user user:pw --digest does digest authentication.
curl --verbose will show what headers are being sent down from the server.
curl --header 'Cookie: blah' will send a header back.
So no special tools required.
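What `curl --user user:pw --digest` is doing under the hood, as an added example that is not from this thread: the RFC 2617 digest computation, parsing the server's WWW-Authenticate challenge and building the Authorization reply, plus the server-side check. The challenge and credentials are the worked example from RFC 2617 section 3.5, not the CTF server's values.

```python
import hashlib
import hmac
import re

# Constructed challenge, copied from the worked example in RFC 2617 section 3.5
# (assumption: the CTF server sends a header of this shape; this is not its value).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_challenge(header):
    """Turn a 'Digest k="v", k2=v2' header value into a dict of its fields."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def digest_response(ha1, method, uri, chal, cnonce, nc="00000001"):
    """RFC 2617 response hash with qop=auth. ha1 = MD5(user:realm:password),
    which is all a server needs to store; the cleartext password never has to."""
    if "auth" not in chal.get("qop", "").split(","):
        raise ValueError("server did not offer qop=auth")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")

def authorization_header(user, password, method, uri, header, cnonce):
    """The Authorization value curl --digest sends after seeing the 401."""
    chal = parse_challenge(header)
    ha1 = md5hex(f"{user}:{chal['realm']}:{password}")
    resp = digest_response(ha1, method, uri, chal, cnonce)
    fields = [f'username="{user}"', f'realm="{chal["realm"]}"', f'nonce="{chal["nonce"]}"',
              f'uri="{uri}"', 'qop=auth', 'nc=00000001', f'cnonce="{cnonce}"',
              f'response="{resp}"']
    if "opaque" in chal:
        fields.append(f'opaque="{chal["opaque"]}"')
    return "Digest " + ", ".join(fields)

def server_verify(stored_ha1, method, header):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    got = parse_challenge(header)
    expected = digest_response(stored_ha1, method, got["uri"], got, got["cnonce"], got["nc"])
    return hmac.compare_digest(expected, got["response"])
```

The nonce is what keeps a captured Authorization header from being replayed against a fresh challenge; the server should also track nc per nonce.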
Once I figured out what to do, it was only a matter of finding the right tool to do it. I didn't realize curl could [edit: --redacted--] (cool!), but I used OWASP ZAP and did a [edit: --redacted--]. Same method, different tool. Btw, thank you for explaining the curl options, I normally don't use curl much, but apparently I should :)
EDIT: Redacted stuff so as not to ruin the fun for others
...and as of almost 3:30am PST, it is no longer possible to log in to the server. :( (...and while typing the next paragraph, I finally got in, but spawning processes is now taking forever, and the two-second job timeout has worked its way up to almost 5 seconds. Maybe another silly attack.)
(Regardless, overall this has been rather well put together, and quite fun. I taught a freshman class at UCSB/CSS today on "how absinthe, the iPhone 4S jailbreak works", and got a few of the students interested in trying out the CTF to see what they might learn by working on it.)
That being said, your tmp folder permissions theory is much more interesting though, and that would be a brilliant way to keep everyone else from catching up. :)
"User 10.0.0.1 read the level 1 file"
"User 10.0.0.1 read the level 3 file"
Then I am a stats junkie
I figured that would have been an easy way to progress through the levels: read bash history from other users.
The login to get on the page is: level02 and the password is what you've found in level01. I.e. The challenge is not to crack that "Authorization required" dialog.
> This one is a web-based vulnerability, so go ahead and point your browser to XXXXX. You'll need to provide the password for level02 using HTTP digest authentication.
so no, it's not the challenge. :)
I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.
gcc -S -o example1.s example1.c
However, example1.s looks very different on Mac than on Linux, in particular, on Mac the parameters are pushed in reverse order:
movl $1, %eax
movl $2, %ecx
movl $3, %edx
movl %eax, %edi
movl %ecx, %esi
movl $3, %edx
movl $2, %esi
movl $1, %edi
uid=1003(level03) gid=1004(level03) groups=1001(chroot),1004(level03)
Run till exit from #0 run (str=0xffece7ec "cat /home/level04/.password") at level03.c:53
cat: /home/level04/.password: Permission denied
Ah well, a sign to go to sleep. Tomorrow I'll have to learn more things to figure it out if it's still up.
(Disclaimer: I haven't succeeded yet.)
level01@ctf:~$ pwd;ls -al
dr-x------ 2 level01 root 4096 2012-02-22 13:28 .
drwxr-xr-x 9 root root 4096 2012-02-22 13:28 ..
-rw-r--r-- 1 level01 level01 220 2010-04-19 02:15 .bash_logout
-rw-r--r-- 1 level01 level01 3103 2010-04-19 02:15 .bashrc
-rw------- 1 level01 root 11 2012-02-22 13:28 .password
-rw-r--r-- 1 level01 level01 675 2010-04-19 02:15 .profile
This is why we can't have nice things.
Presumably we're on the synflood stage now.
Can someone share the source and program of the first level so we can have a look?
$ dsocks.sh ssh email@example.com
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/jcr/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/jcr/.ssh/known_hosts:8
RSA host key for ctf.stri.pe has changed and you have requested strict checking.
Host key verification failed.
EDIT: As confirmed by gdb and ab below, there's a good reason for the key change.
2048 74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11 /etc/ssh/ssh_host_rsa_key.pub is correct.
Looks fun too!
Buffer overflow, calling exec/system without proper escaping, creating predictable temp files, etc, etc.
Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.
[edit: Nevermind, I got it. Whew.]
(gdb) x/4x fns
(gdb) x run
(gdb) x/40x (void*)fns-0x40
level06@ctf6:/tmp/tmp.0fPRsmsetz$ /levels/level06 /home/the-flag/.password %%%%%%%%%
Welcome to the password checker!
Wait, how did you know that the password was %%%%%%%%%?
Level 5 seemed too easy -- it seems like they forgot a much easier exploit. The code was carefully constructed in a way that suggested a pickle injection attack which required understanding the pickle stack machine, but you didn't need that.
Level 6 was interesting. Some people got it with a timing attack. I used a different, more elegant method with a hint from reddit.
Very well done, stripe.
Which by the looks of things, level03 is the furthest anyone is based on logs.
> [32041.680408] level03: segfault at ffdc50c4 ip 00000000080487b2 sp 00000000ffe0aee0 error 4 in level03[8048000+1000]
You certainly should be able to solve all of the levels without tons of brute force though.
Don't look at this if you actually want to enjoy the contest.
Wait. wtf how is yours working with NX on?
Edit: OH! Yours doesn't actually manipulate the stack so it doesn't get caught? That makes sense. I should have noticed the __stack_chk_fail calls.
I made mine a bit more reliable and made a movie.
bash: fork: retry: Resource temporarily unavailable
(Please don't forkbomb it, though.)
But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!
It is 5am - time for bed =)
If people are going to be using brute-force tactics, they're probably each going to need separate virtual machines.
You will likely encounter stack randomization but there is a way to do it without worrying about that.
In all seriousness, thanks for this!
Never hurts to be paranoid though.
Is that a sign that I won this game without executing any CLI yet?
Current time: cat: /home/level02/.password: Permission denied
Does someone have a tip?
In all seriousness, you're giving away way too much information, please edit it away!