Hack your way through Stripe's Capture the Flag (stripe.com)
391 points by gdb on Feb 22, 2012 | hide | past | favorite | 199 comments



The asshole who fork bombed it is boasting on Reddit: http://www.reddit.com/r/programming/comments/q1qii/want_to_t...

Anyone else not at all surprised who it is?


This actually made me laugh a little bit as it brought me back to my college days. The first week of February every year was when the yearly OS class covered fork(), and as a result the compute clusters all over campus were basically unusable due to people trying to run their homework. Ahh, memories.


I am surprised by the attitude against what he did, both on reddit and even more so here. After all, this is "hacker news" and the submission is called "hack your way...". Any definition of hacking that I know includes cleverly exploiting the limitations and boundary cases of a system. I see this attitude as part of a larger trend of "sandbox"-ification, "theme park"-ization of computing.


It is against the rules (and against common etiquette) to DOS the machine in CTF events. I don't see how fork bombing the machine helped him solve any challenges, so I can't see how someone could approve of that.


the competition wasn't "DOS the box", it was "capture the flag". this is charlie sheen "winning" at best


The competition was "Teach Stripe the fundamentals of computer security". Resource quotas are one of those fundamentals.


Your goal is to read the contents of /home/level02/.password.

Not sure how exhausting resources will advance you toward that goal.


Not sure about Charlie Sheen, but hacking is all about ignoring what the competition is supposed to be and doing what is possible.


And another way of looking at it is: someone offered you free entertainment and education and you slapped them in the face and ruined the fun for everyone for quite some time. "Hacker" certainly does not include or entitle you to being a dick.


Ugh, this sucks. Got to #3, which looks pretty challenging for me, and took some time to document my steps there, and now someone has pulled this again. It just seems childish.


LETS HACK HIM

Seriously though, fuck that guy. Half my night was spent waiting on vi.


This person? http://www.linkedin.com/in/teddziuba I don't get the "not surprised" part? :\


ted used to run uncov. think maddox but actually coherent about startups and programming. here is an idea of his now grown up writing style: http://teddziuba.com/2010/10/taco-bell-programming.html and here is an old hackernews post discussing uncov... http://news.ycombinator.com/item?id=328217


I'm surprised. He is usually at least witty or clever when trolling. Forkbombs are pretty unoriginal if you are older than 14.


That is only one of them and please do not give such people the attention they try to get through this.


Anyone have any suggestions for preventing this on sandbox systems?


Googling it says limit user processes via /etc/security/limits.conf http://goo.gl/RJJhN

Is it not that simple?


I believe that for each level of the challenge, all users were ssh'ing in to the same user account, so even with per-user process limits a fork bomb would use up all the processes available to the competitors at that level.
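Added example (not from the thread) showing what the per-user limit actually does: RLIMIT_NPROC is the same knob as the nproc line in /etc/security/limits.conf or ulimit -u, and once a uid owns that many processes fork() fails with EAGAIN, which is the "fork: retry: Resource temporarily unavailable" message seen throughout this thread. The demo lowers its own limit, forks a bounded handful of parked children until the limit bites, and reaps them all; the limit values are illustrative.

```c
/* Added example: per-uid process limits contain a fork bomb by making
 * fork() fail instead of letting the box hang. The limit is counted per
 * real uid, so everyone sharing one account (as each CTF level did) draws
 * on a single budget. limits.conf equivalent (example values, not the CTF's):
 *     level01   hard   nproc   50
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TRIES 8 /* hard cap: this demo never creates more children than this */

/* Lower this process's soft RLIMIT_NPROC to n, clamped to the hard limit.
 * An unprivileged process may lower its soft limit; it cannot raise it above
 * the hard limit an administrator set. Returns 0 on success. */
int cap_processes(rlim_t n) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    rl.rlim_cur = (rl.rlim_max != RLIM_INFINITY && n > rl.rlim_max) ? rl.rlim_max : n;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Fork children that park until told to exit, stopping at the first EAGAIN
 * or after MAX_TRIES, whichever comes first. *hit_limit is set to 1 when the
 * limit was the reason we stopped. Every child is terminated and reaped
 * before returning. Returns the number of children created, or -1 on an
 * unexpected fork() error. Caveat: the kernel does not enforce RLIMIT_NPROC
 * on root (CAP_SYS_RESOURCE / CAP_SYS_ADMIN), so as root you will see
 * MAX_TRIES children and no EAGAIN. */
int fork_until_limit(int *hit_limit) {
    pid_t kids[MAX_TRIES];
    int created = 0, failed = 0;
    *hit_limit = 0;
    while (created < MAX_TRIES) {
        pid_t pid = fork();
        if (pid == 0) {      /* child: sleep until the parent's SIGTERM ends us */
            pause();
            _exit(0);
        }
        if (pid < 0) {
            if (errno == EAGAIN)
                *hit_limit = 1; /* the errno behind "Resource temporarily unavailable" */
            else
                failed = 1;
            break;
        }
        kids[created++] = pid;
    }
    for (int i = 0; i < created; i++) { /* clean up: no stray processes */
        kill(kids[i], SIGTERM);
        waitpid(kids[i], NULL, 0);
    }
    return failed ? -1 : created;
}

int main(void) {
    int hit = 0;
    if (cap_processes(16) != 0)
        perror("setrlimit(RLIMIT_NPROC)");
    int n = fork_until_limit(&hit);
    printf("created %d children, limit hit: %s\n", n, hit ? "yes" : "no");
    return 0;
}
```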


Once they've run this for a while, I'd love to see a post and screencast on some of the techniques needed to solve it. I don't know much about this subject, and I'd enjoy having a chance to learn in a setting unlikely to get me arrested.


I would also like to see a detailed explanation of how they prepared the box to safely allow people to play (i.e. logins, permissions, etc.). How to restrict privileges yet allow just enough to make it varied and fun.


The big thing is that we are connected into a chroot that has neither /proc nor /sys mounted, and which itself is on a read-only filesystem.


I'd love to see how people solved #2, and if they used any special tools like I did or if there's an easier way to do it. And I can't wait to delve deeper into #3 tomorrow :)


For 2, I just used this short command line:

http://pastebin.com/4nAWNrgV

I've stuck it on pastebin instead of in this comment, so it doesn't spoil it for anyone not looking.


Tool used: One line of javascript, entered in location bar. (Seems Chrome resource inspector doesn't allow the edit I needed.)


Damn, I always forget you can actually just use javascript to "do it", and end up using a Firefox add-on.


If I were in Firefox at the time I would have used Firebug (or I guess Firecookie, I don't remember if Firebug allows native editing of cookies), but I just happened to have Chrome running at the time.


FWIW I looked at the source and recognized the exploit.

From there you basically only need curl.

curl --user user:pw --digest does digest authentication.

curl --verbose will show what headers are being sent down from the server.

curl --header 'Cookie: blah' will send a header back.

So no special tools required.


My first thought, before I realized you could actually see the PHP code, was that it was some kind of input-sanitizing exploit, maybe SQL injection (with the name or age) or, since the HTML input fields had a "length", going over that.

Once I figured out what to do, it was only a matter of finding the right tool to do it. I didn't realize curl could [edit: --redacted--] (cool!), but I used OWASP ZAP and did a [edit: --redacted--]. Same method, different tool. Btw, thank you for explaining the curl options, I normally don't use curl much, but apparently I should :)

EDIT: Redacted stuff so as not to ruin the fun for others


I used a Firefox add-on that lets you [mumble mumble]. I found at least two add-ons that looked like they would work when I googled it.


I love all the different responses on this -- I used OWASP ZAP to do it.


I just posted http://news.ycombinator.com/item?id=3631381 It's a complete walkthrough to the flag.


FYI: the worker process for level05 isn't working anymore (I'm pretty confident it was not me that broke it, btw ;P); even with the simple "hello friend" example (exactly as given in the MOTD on the account), the server always returns "job timed out" (it is now about 3am PST).

(edit:)

...and as of almost 3:30am PST, it is no longer possible to log in to the server. :( (...and while typing the next paragraph, I finally got in, but spawning processes is now taking forever, and the two-second job timeout has worked its way up to almost 5 seconds. Maybe another silly attack.)

(Regardless, overall this has been rather well put together, and quite fun. I taught a freshman class at UCSB/CSS today on "how Absinthe, the iPhone 4S jailbreak, works", and got a few of the students interested in trying out the CTF to see what they might learn by working on it.)


I'm also stuck at this point. Have the python exploit working on my localhost, now just need to run it live.


Yeah, same here. :( Part of me wonders whether someone with access to level06 went mucking around in the /tmp/level05 folder (which is itself 770 root.level06, so a level06 user can probably chmod 000 the queue folders) to keep other people from being able to get past that point.


I actually just found a way to kill the worker process remotely (on my localhost). Perhaps they don't have it hooked up to supervisord for autorestart. It's almost trivial to run sys.exit() on that worker.

That being said, your tmp folder permissions theory is much more interesting, and that would be a brilliant way to keep everyone else from catching up. :)


It does seem to have restarted recently, so perhaps it is auto-restarting. It takes a few minutes, though.


Same here, I guess we are done. Not my fault ;)


Bonus to anyone who gets the answer by intercepting another solver's email message.


I just hope this machine is isolated from Stripe's network, in case someone makes it to secret level 99.


Yep, it's completely isolated. Someone rooting the machine is very much within our threat model :).


Must be fun watching all of the attempts... Do you have any way to monitor progress?


We don't have an exposed way. We'll probably do a summary blog post in the future with stats though!


I would LOVE to see something like a graph with the number of users who are logged in at each level over time and a little log at the bottom.

"User 10.0.0.1 read the level 1 file" "User 10.0.0.1 read the level 3 file"

Then I am a stats junkie


I've been trying to read $ history

Failed. :) I figured that would have been an easy way to progress through the levels. Read bash history from other users.


(This would certainly work if you can read my history: I don't consider the level "complete" until I get it down to a short bash one-liner that prints out the password. ;P)


Just a word on level2, I don't think that's a hint, if you think so I'll remove this comment asap.

The login to get on the page is level02 and the password is what you've found in level01. I.e. the challenge is not to crack that "Authorization required" dialog.


The welcome message says:

> This one is a web-based vulnerability, so go ahead and point your browser to XXXXX. You'll need to provide the password for level02 using HTTP digest authentication.

so no, it's not the challenge. :)


Yeah.. but I somehow didn't realize it was the same l/p as the ssh and was trying to crack it ;) Or, more particularly, find a way around that protection to access the challenge behind it.


Read this if you're stuck on level 3: http://destroy.net/machines/security/P49-14-Aleph-One


<3

I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.


Thanks for that link. Reading through one of the first sections about pushing parameters to the stack, I noticed the call:

gcc -S -o example1.s example1.c

However, example1.s looks very different on Mac than on Linux, in particular, on Mac the parameters are pushed in reverse order:

Leh_func_begin2: ...

        movl    $1, %eax
        movl    $2, %ecx
        movl    $3, %edx
        movl    %eax, %edi
        movl    %ecx, %esi
        callq   _function

Whereas on Linux, they are pushed in the order specified in that link:

        movl    $3, %edx
        movl    $2, %esi
        movl    $1, %edi
        call    function

What is the reason behind this? Is it that the stack on OS X is implemented to grow up instead of down?


Guys, I gotta say, this is SO much fun! I am actually learning a ton, and while I'm only up to level 3, I feel this is such an awesome learning experience! Plus, I feel totally "leet" for figuring out levels 2 and 3. The world definitely needs more of these.


Same here, but I'm stuck on level 3, though... maybe my strategy is wrong. I am able to execute the function run from /levels/level03 with the following command:

  cat /home/level04/.password

But I'm still getting access denied. I thought that would have done it for sure. The program runs under the following credentials:

  uid=1003(level03) gid=1004(level03) groups=1001(chroot),1004(level03)

Which is kind of weird since /levels/level03 has a setuid of level04. It could be gdb...


Since gdb is the parent of your process, it's running as level03, not root. You can't use gdb on a setuid binary unless you run gdb itself as root.


Ah man, I couldn't agree more. I've learned a ton just messing around with the first few, though getting this was a real bummer:

  Run till exit from #0 run (str=0xffece7ec "cat /home/level04/.password") at level03.c:53
  cat: /home/level04/.password: Permission denied

Ah well, a sign to go to sleep. Tomorrow I'll have to learn more things to figure it out if it's still up.


setuid doesn't work inside of GDB. You have to run the program without a debugger to get level04 permissions.

(Disclaimer: I haven't succeeded yet.)


I mostly live inside a Java world or XCode world, so GDB is almost a totally foreign concept to me - and I definitely welcome the challenge. Never really had to look at assembly before either, so this is a fun learning experience.


I'm getting the following (no source/binary file... is it part of the challenge or is there something wrong?):

    level01@ctf:~$ pwd;ls -al
    /home/level01
    total 24
    dr-x------ 2 level01 root    4096 2012-02-22 13:28 .
    drwxr-xr-x 9 root    root    4096 2012-02-22 13:28 ..
    -rw-r--r-- 1 level01 level01  220 2010-04-19 02:15 .bash_logout
    -rw-r--r-- 1 level01 level01 3103 2010-04-19 02:15 .bashrc
    -rw------- 1 level01 root      11 2012-02-22 13:28 .password
    -rw-r--r-- 1 level01 level01  675 2010-04-19 02:15 .profile


that's the home directory, i think you want /levels


Oops, thanks!


Anyone having trouble connecting to this?


I think someone decided to forkbomb it. I'm still logged on and every external command I type gets me "bash: fork: retry: Resource temporarily unavailable".

This is why we can't have nice things.


I was in there 5 minutes ago, did cat /levels/level02.c and then it stopped responding. I don't think cat could crash the server, but if it did, I'm sorry?


pretty sure it wasn't you. but then again, you never know with cats.


cat considered harmful?


To be clear, I'm making a joke riffing on the seminal paper "cat -v considered harmful".


I am. I think their server must be overloaded. I bookmarked the blog post announcing this and I'm going to try again tomorrow.


Yeah, we're rebooting. Should be up in a few more minutes. Sorry about that.


For anyone building something similar, I imagine having an elastic load balancer for TCP port 22 with a health check on a web service that spawns a process as each of the user accounts before returning "good", combined with an auto-scaling group to make certain there are always a couple healthy instances, would be an automated way to keep something like this running through fork bombs.


people were having fun with forkbombs a bit ago.

Presumably we're on the synflood stage now.


Doesn't work for me either. I managed to log in and do one ls, but since then it's dead.

Can someone share the source and program of the first level so we can have a look?


Maybe they should just publish a VM image.


Not a bad idea, but how do you keep people from peeking at the passwords with root access on their own VM?


They are asking for code or a brief description of how you proceeded through the steps. If you're going to take the time to document the process (correctly) then it shouldn't matter that you have the root password. Presumably you'd get stuck at some point where you couldn't explain how you achieved the subsequent step.


How do you keep yourself from rifling through the deck to find the Aces when you play solitaire?


Yeah, my connection froze, and now I cannot connect, ssh or http...


Am I just too stupid, or is there a problem with level2? I can open files like /etc/passwd but not /home/level03/.password


Pretty sure it's broken right now. It was working earlier, but it returns nothing now, and the password that was in place doesn't work any more.


We're taking a look! (Bleh, spinup scripts not working as well as you'd like....)


It's working now! Before it wasn't even printing my user agent and info though.


ah, now it works thanks


For a second I thought it was a brilliant trick and the password for level03 was blank.. but no. haha.


You should note that the SSH key has been changed.

  $ dsocks.sh ssh level01@ctf.stri.pe
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11.
  Please contact your system administrator.
  Add correct host key in /home/jcr/.ssh/known_hosts to get rid of this message.
  Offending RSA key in /home/jcr/.ssh/known_hosts:8
  RSA host key for ctf.stri.pe has changed and you have requested strict checking.
  Host key verification failed.
  
It may be something harmless/simple like round-robin DNS combined with a failure to replicate the key, or more likely, someone has rooted the box.

EDIT: As confirmed by gdb and ab below, there's a good reason for the key change.


Not to worry, we spun up a new machine and didn't copy the ssh key from the old one.

2048 74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11 /etc/ssh/ssh_host_rsa_key.pub is correct.


Can anyone from Stripe confirm that this box is not rooted?


Confirmed.


I'm estimating they booted a few new EC2 systems up. Right before the system got a new key it was unavailable.


Rooting the box would not change the key.


Got that also, then keep getting: ssh_exchange_identification: Connection closed by remote host

Looks fun too!


That's what happens when hundreds of people try to SSH into a machine at once :). (That error is due to SSH's MaxStartups being exceeded.)


Here are the descriptions for all the levels from /usr/local/bin/ctfsh...

https://gist.github.com/1890401


It's fun to feel like a nefarious hacker. I'm at level2, see you at level 6 guys!


Any tips? I want to actually learn from this - I'm not just looking for the answers. But I've read wikipedia on setuid, googled around a bit, and am still not sure what to do.


The setuid flag allows you to run a binary as someone else. Since processes inherit the credentials they have when they run another program, if you find a bug[1] in a setuid program that lets you run another program of your choosing, you can gain the credentials of the setuid user.

[1] Buffer overflow, calling exec/system without proper escaping, creating predictable temp files, etc., etc.
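Added example (not from the thread or from the CTF's own code) of the hardened counterpart to the system()-in-a-setuid-program bug the thread keeps hinting at: a launcher that never consults PATH, never starts a shell, discards the caller's environment and drops privileges before running its helper. The helper path /bin/date, the fixed PATH value and the variable list are assumptions for the demo.

```c
/* Added example: running a helper from a setuid program without handing
 * the setuid credentials to whoever controls the environment.
 *
 * Why system("date") is the problem: system() runs "/bin/sh -c date", and
 * the shell resolves "date" through the PATH it inherited from the caller,
 * so whatever binary the caller put first in PATH runs with the setuid
 * user's credentials. The hardened version below closes every piece of that. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Variables that let the caller choose what a privileged process runs or
 * loads (assumed list for the demo). A setuid program discards these. */
static const char *const untrusted_vars[] = {
    "PATH", "IFS", "ENV", "BASH_ENV", "SHELL", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Returns 1 if an environ entry ("NAME=value") names an untrusted variable. */
int is_untrusted_var(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = untrusted_vars; *v; v++)
        if (strlen(*v) == len && strncmp(*v, entry, len) == 0)
            return 1;
    return 0;
}

/* Give up the setuid gain for good. setreuid(ruid, ruid) sets the real and
 * effective uid and, on Linux, the saved uid too (because ruid is not -1),
 * so the privilege cannot be re-acquired later. This is what bash does on
 * its own when euid != uid (unless run with -p), which is why a script
 * launched from a setuid binary finds its commands running unprivileged;
 * a C program has to do it by hand. Returns 0 when every uid equals the
 * real uid. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    if (setreuid(ruid, ruid) != 0)
        return -1;
    return (getuid() == ruid && geteuid() == ruid) ? 0 : -1;
}

/* Run a helper by absolute path with a fixed minimal environment, in a
 * child that has dropped privileges. Returns the helper's exit status, or
 * -1 if the path is not absolute or the helper could not be started. */
int run_fixed(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                                        /* refuse PATH lookups */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* nothing inherited */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execve(abs_path, argv, envp);                     /* no shell, no PATH search */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Vulnerable form: system("date"). Hardened form: fixed absolute path,
     * cleaned environment, privileges dropped before the exec. */
    char *const argv[] = { "date", NULL };
    printf("helper exit status: %d\n", run_fixed("/bin/date", argv));
    return 0;
}
```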


My hint for level01 would be to look at the system line, and think about how it is executed.


EDIT: doh, didn't know we had write access to /tmp, that makes it easy


When you first connect, you are in a /tmp/tmp.something directory which you can edit.


You can also do cd $(mktemp -d) and get a new one if you need another one.


You can write to /tmp. But since most people are also doing that, /tmp/date gets overridden frequently. I'd recommend mkdir /tmp/CZ-18; PATH=/tmp/CZ-18:$PATH; And then you can figure it out :)


I now feel like the most awesome tutorial following script kiddie ever.


Remember that you have write access to /tmp(/date) ;)


Stuck at level3 for a minute


Same, the only thing I can think of is doing something with the pointers in the fns variable in main, but I can't quite figure out what to do.


Yeah, I'm stuck on level 3 as well. I see the printf() bug in capitalize(), but I don't think it's any help. I don't see anything obviously wrong in truncate_and_copy() (the strncpy() call and friends look right). run() is the juicy target, and I know where it's at in memory. There's the obvious comparison bug in main(), and I can use that to call a function pointer other than in the array, but I can't seem to locate a pointer to run(). I thought there might be a way to overflow atoi(), but that doesn't seem useful either.

Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.

[edit: Nevermind, I got it. Whew.]


Did you really end up using buffer overflow? I've been trying to overflow a different quantity all this time, and I'm quite sure you can't buffer overflow..


Right--no buffer overflow. I did find a way to get my needed function pointer on the stack. Hint: we're lucky that the function pointer doesn't have any null bytes in it...


Any hints? :)


I've been playing with nm, but without a hex editor I feel crippled :/


gdb works fine.

  (gdb) x/4x fns
  0xffeaa0cc: 0x080485e4 0x08048640 0x0804869c 0x08048719

  (gdb) x run
  0x804875b <run>: 0x83e58955

  (gdb) x/40x (void*)fns-0x40

etc.


Well, I got my math right to tweak the index I think and now the system is unavailable. Blasted!


You could also use objdump -d to decompile the binary.


Neither can I... ):


anyone have any good resources for understanding the basics of all of this?


For level 1 to 3, Google those: system() exploit, never trust user input, buffer overflow


I'm entirely new to hacking, and as such I'm struggling with level 1. I looked up the system() exploit, and I've managed to compile my own date program, but when I try to read the password from level02, I'm told I don't have permission. Could you point me in the right direction?


Try to figure out how you could trick a setuid program into running your date program instead of the real one.


Yeah that's not part of the test. Just use your level2 password for the http auth.


thanks! I got 1 and 2 before I saw this, but we'll see how I do on 3.


The venerable CMU binary bomb assignment covers a lot of useful concepts.


Haha, we just had that last week (finished the Buffer Overflow Lab a few hours ago!), it's definitely helping.


4 days later:

  level06@ctf6:/tmp/tmp.0fPRsmsetz$ /levels/level06 /home/the-flag/.password %%%%%%%%%
  Welcome to the password checker!
  ........................
  Wait, how did you know that the password was %%%%%%%%%?

Level 5 seemed too easy -- it seems like they forgot a much easier exploit. The code was carefully constructed in a way that suggested a pickle injection attack which required understanding the pickle stack machine, but you didn't need that.

Level 6 was interesting. Some people got it with a timing attack. I used a different, more elegant method with a hint from reddit.

Very well done, stripe.


Lots of segfaults!

By the looks of things, level03 is the furthest anyone has gotten, based on the logs.

> [32041.680408] level03[17009]: segfault at ffdc50c4 ip 00000000080487b2 sp 00000000ffe0aee0 error 4 in level03[8048000+1000]


Damn Linux stack randomization. Some amount of brute force seems to be required.


Spoke too soon, there's a non-brute-force solution.


It's nearly impossible to debug my should-be-reliable-but-doesn't-work-at-all-and-by-the-way-gdb-affects-memory-layout solution with all the brute forcing going on though. :(


Hello from segfault land!


[deleted]


I think the machine was actually hosed due to fork bomb. (I kept bumping the rlimits as more people logged in and ran up against nprocs, but the last time I clearly just bumped nprocs way too high. Live and learn....)

You certainly should be able to solve all of the levels without tons of brute force though.


Oops, thought that no one had commented when I deleted. Sorry.


It's cool, why the delete anyways?


SPOILER SPOILER SPOILER

Don't look at this if you actually want to enjoy the contest.

http://pastebin.com/VJ4xpawq


Wow, I read in this very thread that NX was for sure disabled on level03 so I've been barking up the wrong tree completely. Your direction is brilliant! I never would have come up with that. Here's my attempt: http://pastebin.com/XVkfLaiB

Wait. wtf how is yours working with NX on?

Edit: OH! Yours doesn't actually manipulate the stack so it doesn't get caught? That makes sense. I should have noticed the __stack_chk_fail calls.


For level 06, I came up with a completely different solution. After hitting my head against the wall all day trying to fight with blocking/non-blocking IO, I resorted to a timing attack on the system call which worked really well. Check it out:

https://gist.github.com/1899389 (SPOILERS!)


That's neat. Timing. Awesome.

I made mine a bit more reliable and made a movie.

Source: http://pastebin.com/6M4cq8gB Video: http://www.youtube.com/watch?v=_q2wTd1jgUQ


I did it a different way to both of you, but similar to zx2c4's :) I found a way to block the child process from writing to stderr. I thought the way they were writing to stderr/stdout was too much of a coincidence. All stdout writes end with \n


Wadja end up doin'? Source?



I had the same solution, just different heuristics..

http://pastebin.com/VfdmgwSA



I keep getting this:

    level01@ctf:/tmp/tmp.c6PoABNv99$ ls
    bash: fork: retry: Resource temporarily unavailable


Someone set us up the (fork)bomb. That didn't take long. Sadly it's a bit silly and ruins all the fun for the rest of us :-/


Could something like this (http://www.cyberciti.biz/tips/linux-limiting-user-process.ht...) be quickly implemented on the server?


Yep, that's why you're seeing that error message rather than the machine immediately grinding to a halt!

(Please don't forkbomb it, though.)


I think people must be brute-forcing level03 instead of figuring out how to calculate the index they need?! That could work but you won't know how address math/pointer math actually works. This isn't really fair to yourself, you'll be skipping out on understanding what a word size is.

But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!


Sociopaths...


Bumping rlimit! Should be good for now.


Yeah it sucks I thought I was going to have fun tonight but the script kiddies had to go and ruin it by hosing the machine.


Just a quick note on the claimed fork bomb. It may not have been all that nice to other users, but there may have been a method to their madness:

http://dtors.org/2010/08/25/reversing-latest-exploid-release...


ASLR and non-executable stack make level 4 a huge pain in the ass. (But it's not me doing that)


Update: they helped a brother out, and the stack is actually executable on those binaries. I found out after mailing the organizers in exasperation. I was under this impression because newly-compiled binaries had no-exec on the stack, and I was off by a little when I tried to exploit it the first time. Doh!


Ha! Last night I read your comment, assumed you were right, and then came up with a solution that did not assume an executable stack. ;P (I'm actually quite glad, as messing around with the stack would have been much harder.)


For both of you, were your solutions 100% reliable? I ended up with an exploit that required a little brute forcing (i.e., just run it a hundred times or whatever).


Neither of our solutions were "reliable", and also required being run in a loop. (I know this about a1k0n's solution, as he sent me an e-mail asking me about my solution).


I actually have a 100% reliable solution that exploits the executable stack on level 04. No need to guess the address of the stack, thanks to one side effect that I found in this specific case:

https://gist.github.com/807e81ad64c4e84a7770 (SPOILERS)


Awesome!! I totally saw that call instruction, and then went on a wild goose chase thinking about how to get the string into that register, totally missing the fact that some of my earlier attempts at using printf had established that the string already happened to be there to begin with. Now I just feel dumb. ;P


  Trying 0xfff86350
  Trying 0xff94b1a0
  Trying 0xffdfb0a4
  Trying 0xff85e754
  $ whoami
  level05

It is 5am - time for bed =)


For CTF on shared servers, there need to be some explicit rules about DOSing shared resources; otherwise things get really dull really fast.

If people are going to be using brute-force tactics, they're probably each going to need separate virtual machines.


Looking forward to trying this! I bookmarked it for later and noticed the title was just "Stripe Blog". Could you put the title of your blog post in the title tag? Makes bookmarking and also sharing via bit.ly extension much easier :)


I feel like I just leveled up in programming several times by completing level 3 :)


I need a tutor for level03! I am SO close but obviously so far. Any one up for checking my current notes and homework and hinting at me as to my next move?


Can anyone give me a hint on level 02? I have absolutely no background in PHP, and only a little in HTML. If you wanna keep the message thread private you can email me too at billyman3 at gmail.


First play with the webpage after entering the correct credentials. Then read through the PHP script that generates that page and understand what's going on behind it. Do you see any vulnerabilities in it?


If you like this, you may enjoy the ICFP 2006 Cult of the Bound Variable puzzle http://www.boundvariable.org/task.shtml


I'm getting a bunch of "bash: fork: retry: Resource temporarily unavailable" in my SSH session when running commands like `ls`, etc. Could be due to high traffic?


I'm stuck even at lvl1, but I think I know how to solve it. Could anyone help me? I want to learn and I don't want to post spoilers here. Jabber: .thing@jabber.ccc.de ICQ: 366509265

Thanks


Did it. Lvl 3 now


I got to level 5, but I think it is time to call it a night


Was up and working, got to level 3, and the network died. I love CTFs.. Got a chance to do the CTF @ Sans (netwars) Orlando in 2011, and it was a blast.


I can't stop thinking about this, but I have real work to do. Do you see what you've done Stripe??? :) It's going to be another long night...


I'm getting a Remote Host Identification Changed error, did you guys change your certificate or is someone trying to MITM me?


Any subtle--no spoiler--hints for level03? I got the mem address for run() but can't seem to find the correct index for it.


Copy the source locally, compile it, and use printf("%p") and void* casting on various variables. That will help figure out the required pointer arithmetic.

You will likely encounter stack randomization but there is a way to do it without worrying about that.


Well, it looks like the vm is slammed again. I keep getting failures trying to run a shell after logging in.


Is it intended behaviour for users to be able to access other people's files via /tmp/tmp, tmp/hacks, etc?


Someone already fork-bombed it ;-)


This is fun! Kudos to Stripe for putting this together... level03, working on level04...


Bah. Looks like the server is now not responding. Bummer, because this is really fun.


Is part of the challenge dealing with the server timeouts?

In all seriousness, thanks for this!


uh oh, remote host identification has changed... new host or mitm? as this is a cracker-centric event, i'm now very hesitant to reconnect... perhaps you could publish the correct fingerprint somewhere?


same...hopefully it will get resolved soon.


New host :). We brought up a new machine for this, and didn't copy over the SSH keys.

Never hurts to be paranoid though.


It seems to be down again.


Is this based on the classic digital evolution wargames? :D


I'm getting this: "bash: fork: retry: Resource temporarily unavailable" each and every time.

Is that a sign that I won this game without executing any cli yet?


Aw, sad. The server seems to be non-responsive.


I think we ended up DDoSing the machine...


Any tips for level05 (the python one)?


nvm, got it


Is /home/level02/.password empty?


It includes the password for the level02 account.


I can't connect to it.


It looks like the machine is under heavy load. My shell just stopped responding and now ssh hangs while connecting :-(.




What am I doing wrong:

Current time: cat: /home/level02/.password: Permission denied

Does someone have a tip?


Saying anything more would be ruining the contest.


The whole point is that you're supposed to find vulnerabilities in what you have access to and exploit them to view contents of things you don't have permission to.


I replaced the date with my own script, but it still gets executed as level01 user


Hint: not all shells blindly run scripts as the setuid user.


HINT: For the purpose of this hint we'll assume your script is a bash script. If you've exploited the setuid program to run your script, bash may execute with the elevated permissions, but any program bash runs will run with your permissions.


[deleted]


SPOILERS!

In all seriousness, you're giving away way too much information, please edit it away!



