I think people must be brute-forcing level03 instead of figuring out how to calculate the index they need?! That could work but you won't know how address math/pointer math actually works. This isn't really fair to yourself, you'll be skipping out on understanding what a word size is.
But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!
I'm getting a bunch of "bash: fork: retry: Resource temporarily unavailable" in my SSH session when running commands like `ls`, etc. Could be due to high traffic?
Any tips? I want to actually learn from this - I'm not just looking for the answers. But I've read wikipedia on setuid, googled around a bit, and am still not sure what to do.
You can write to /tmp. But since most people are also doing that, /tmp/date gets overriden frequently. I'd recommend mkdir /tmp/CZ-18; PATH=/tmp/CZ-18:$PATH; And then you can figure it out :)
The setuid flags allows you to run a binary as someone else. Since processes inherit the credentials they have when they run another program, if you find a bug[1] in a setuid program that let's you run another program of your choosing you can gain the credentials of the setuid user.
[1] Buffer over flow, calling exec/system without proper escaping, creating predictable temp files, etc, etc.
Yeah, I'm stuck on level 3 as well. I see the printf() bug in capitalize(), but I don't think it's any help. I don't see anything obviously wrong in truncate_and_copy() (the strncpy() call and friends look right). run() is the juicy target, and I know where it's at in memory. There's the obvious comparison bug in main(), and I can use that to call a function pointer other than in the array, but I can't seem to locate a pointer to run(). I thought there might be a way to overflow atoi(), but that doesn't seem useful either.
Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.
Did you really end up using buffer overflow? I've been trying to overflow a different quantity all this time, and I'm quite sure you can't buffer overflow..
Right--no buffer overflow. I did find a way to get my needed function pointer on the stack. Hint: we're lucky that the function pointer doesn't have any null bytes in it...
(This would certainly work if you can read my history: I don't consider the level "complete" until I get it down to a short bash one-liner that prints out the password. ;P)
It's nearly impossible to debug my should-be-reliable-but-doesn't-work-at-all-and-by-the-way-gdb-affects-memory-layout solution with all the brute forcing going on though. :(
I'm entirely new to hacking, and as such I'm struggling with level 1. I looked up the system() exploit, and I've managed to compile my own date program, but when I try to read the password from level02, I'm told I don't have permission. Could you point me in the right direction?
The whole point is that you're supposed to find vulnerabilities in what you have access to and exploit them to view contents of things you don't have permission to.
HINT: For the purpose of this hint we'll assume your script is a bash script. If you've exploited the setuid program to run your script, bash may execute with the elevated permissions, but any program bash runs will run with your permissions.
I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.
For anyone building something similar, I imagine having an elastic load balancer for TCP port 22 with a health check on a web service that spawns a process as each of the user accounts before returning "good", combined with an auto-scaling group to make certain there are always a couple healthy instances, would be an automated way to keep something like this running through fork bombs.
I was in there 5 minutes ago, did cat /levels/level02.c and then it stopped responding. I don't think cat could crash the server, but if it did, I'm sorry?
They are asking for code or a brief description of how you proceeded through the steps. If you're going to take the time to document the process (correctly) then it shouldn't matter that you have the root password. Presumably you'd get stuck at some point where you couldn't explain how you achieved the subsequent step.
I think someone decided to forkbomb it. I'm still logged on and every external command I type gets me "bash: fork: retry: Resource temporarily unavailable".
218 comments
[ 2.4 ms ] story [ 254 ms ] thread(Please don't forkbomb it, though.)
But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!
is that a sign that i won this game without executing any cli yet?
[1] Buffer over flow, calling exec/system without proper escaping, creating predictable temp files, etc, etc.
Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.
[edit: Nevermind, I got it. Whew.]
Failed. :) I figured that would of been an easy way to progress through the levels. Read bash history from other users.
"User 10.0.0.1 read the level 1 file" "User 10.0.0.1 read the level 3 file"
Then I am a stats junkie
Which by the looks of things, level03 is the furthest anyone is based on logs.
> [32041.680408] level03[17009]: segfault at ffdc50c4 ip 00000000080487b2 sp 00000000ffe0aee0 error 4 in level03[8048000+1000]
Current time: cat: /home/level02/.password: Permission denied
Does someone has a tip?
I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.
gcc -S -o example1.s example1.c
However, example1.s looks very different on Mac than on Linux, in particular, on Mac the parameters are pushed in reverse order:
Leh_func_begin2: ...
Whereas on Linux, they are pushed in the order specified in that link: What is the reason behind this? Is it that the stack on OS X is implemented to grow up instead of down?Presumably we're on the synflood stage now.
Can someone share the source and program of the first level so we can have a look?
This is why we can't have nice things.