218 comments

[ 2.4 ms ] story [ 254 ms ] thread
I keep getting this:

    level01@ctf:/tmp/tmp.c6PoABNv99$ ls
    bash: fork: retry: Resource temporarily unavailable
Someone set us up the (fork)bomb. That didn't take long. Sadly it's a bit silly and ruins all the fun for the rest of us :-/
Sociopaths...
(comment deleted)
I think people must be brute-forcing level03 instead of figuring out how to calculate the index they need?! That could work but you won't know how address math/pointer math actually works. This isn't really fair to yourself, you'll be skipping out on understanding what a word size is.

But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!

Bumping rlimit! Should be good for now.
Yeah it sucks I thought I was going to have fun tonight but the script kiddies had to go and ruin it by hosing the machine.
I'm getting a bunch of "bash: fork: retry: Resource temporarily unavailable" in my SSH session when running commands like `ls`, etc. Could be due to high traffic?
(comment deleted)
(comment deleted)
(comment deleted)
im getting this.."bash: fork: retry: Resource temporarily unavailable" each and every time.

is that a sign that i won this game without executing any cli yet?

It's fun to feel like a nefarious hacker. I'm at level2, see you at level 6 guys!
Any tips? I want to actually learn from this - I'm not just looking for the answers. But I've read wikipedia on setuid, googled around a bit, and am still not sure what to do.
My hint for level01 would be to look at the system line, and think about how it is executed.
EDIT: doh, didn't know we had write access to /tmp, that makes it easy
When you first connect, you are in a /tmp/tmp.something directory which you can edit.
You can also do cd $(mktemp -d) and get a new one if you need another one.
Remember that you have write access to /tmp(/date) ;)
You can write to /tmp. But since most people are also doing that, /tmp/date gets overriden frequently. I'd recommend mkdir /tmp/CZ-18; PATH=/tmp/CZ-18:$PATH; And then you can figure it out :)
I now feel like the most awesome tutorial following script kiddie ever.
The setuid flags allows you to run a binary as someone else. Since processes inherit the credentials they have when they run another program, if you find a bug[1] in a setuid program that let's you run another program of your choosing you can gain the credentials of the setuid user.

[1] Buffer over flow, calling exec/system without proper escaping, creating predictable temp files, etc, etc.

Stuck at level3 for a minute
Same, the only thing I can think of is doing something with the pointers in the fns variable in main, but I can't quite figure out what to do.
I've been playing with nm, but without a hex editor I feel crippled :/
gdb works fine.

  (gdb) x/4x fns
0xffeaa0cc: 0x080485e4 0x08048640 0x0804869c 0x08048719

  (gdb) x run
0x804875b <run>: 0x83e58955

  (gdb) gdb) x/40x (void*)fns-0x40
etc.
Well, I got my math right to tweak the index I think and now the system is unavailable. Blasted!
You could also use objdump -d to decompile the binary.
Neither can I... ):
Yeah, I'm stuck on level 3 as well. I see the printf() bug in capitalize(), but I don't think it's any help. I don't see anything obviously wrong in truncate_and_copy() (the strncpy() call and friends look right). run() is the juicy target, and I know where it's at in memory. There's the obvious comparison bug in main(), and I can use that to call a function pointer other than in the array, but I can't seem to locate a pointer to run(). I thought there might be a way to overflow atoi(), but that doesn't seem useful either.

Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.

[edit: Nevermind, I got it. Whew.]

Did you really end up using buffer overflow? I've been trying to overflow a different quantity all this time, and I'm quite sure you can't buffer overflow..
Right--no buffer overflow. I did find a way to get my needed function pointer on the stack. Hint: we're lucky that the function pointer doesn't have any null bytes in it...
(comment deleted)
(comment deleted)
(comment deleted)
Bonus to anyone who gets the answer by intercepting another solver's email message.
I just hope this machine is isolated from Stripe's network, in case someone makes it to secret level 99.
Yep, it's completely isolated. Someone rooting the machine is very much within our threat model :).
Must be fun watching all of the attempts... Do you have any way to monitor progress?
We don't have an exposed way. We'll probably do a summary blog post in the future with stats though!
I've been trying to read $ history

Failed. :) I figured that would of been an easy way to progress through the levels. Read bash history from other users.

(This would certainly work if you can read my history: I don't consider the level "complete" until I get it down to a short bash one-liner that prints out the password. ;P)
I would LOVE to see something like a graph with the number of users who are logged in at each level over time and a little log at the bottom.

"User 10.0.0.1 read the level 1 file" "User 10.0.0.1 read the level 3 file"

Then I am a stats junkie

Lots of segfaults!

Which by the looks of things, level03 is the furthest anyone is based on logs.

> [32041.680408] level03[17009]: segfault at ffdc50c4 ip 00000000080487b2 sp 00000000ffe0aee0 error 4 in level03[8048000+1000]

Damn Linux stack randomization. Some amount of brute force seems to be required.
Spoke too soon, there's a non-brute-force solution.
It's nearly impossible to debug my should-be-reliable-but-doesn't-work-at-all-and-by-the-way-gdb-affects-memory-layout solution with all the brute forcing going on though. :(
(comment deleted)
anyone have any good resources for understanding the basics of all of this?
The venerable CMU binary bomb assignment covers a lot of useful concepts.
Haha we just had that last week ( finished Buffer Overflow Lab a few hours ago! ), its definitely helping.
For level 1 to 3, Google those: system() exploit, never trust user input, buffer overflow
thanks! I got 1 and 2 before I saw this, but we'll see how I do on 3.
I'm entirely new to hacking, and as such I'm struggling with level 1. I looked up the system() exploit, and I've managed to compile my own date program, but when I try to read the password from level02, I'm told I don't have permission. Could you point me in the right direction?
Try to figure out how you could trick a setuid program into running your date program instead of the real one.
Yeah that's not part of the test. Just use your level2 password for the http auth.
I'm getting the following (no source/binary file... is it part of the challenge or is there something wrong?):

    level01@ctf:~$ pwd;ls -al
    /home/level01
    total 24
    dr-x------ 2 level01 root    4096 2012-02-22 13:28 .
    drwxr-xr-x 9 root    root    4096 2012-02-22 13:28 ..
    -rw-r--r-- 1 level01 level01  220 2010-04-19 02:15 .bash_logout
    -rw-r--r-- 1 level01 level01 3103 2010-04-19 02:15 .bashrc
    -rw------- 1 level01 root      11 2012-02-22 13:28 .password
    -rw-r--r-- 1 level01 level01  675 2010-04-19 02:15 .profile
(comment deleted)
that's the home directory, i think you want /levels
What am I doing wrong:

Current time: cat: /home/level02/.password: Permission denied

Does someone has a tip?

Saying anything more would be ruining the contest.
(comment deleted)
The whole point is that you're supposed to find vulnerabilities in what you have access to and exploit them to view contents of things you don't have permission to.
I replaced the date with my own script, but it still gets executed as level01 user
Hint: not all shells blindly run scripts as the setuid user.
HINT: For the purpose of this hint we'll assume your script is a bash script. If you've exploited the setuid program to run your script, bash may execute with the elevated permissions, but any program bash runs will run with your permissions.
This is fun! Kudos to Stripe for putting this together... level03, working on level04...
Is /home/level02/.password empty?
It includes the password for the level02 account.
Read this if you're stuck on level 3: http://destroy.net/machines/security/P49-14-Aleph-One
<3

I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.

Thanks for that link. Reading through one of the first sections about pushing parameters to the stack, I noticed the call:

gcc -S -o example1.s example1.c

However, example1.s looks very different on Mac than on Linux, in particular, on Mac the parameters are pushed in reverse order:

Leh_func_begin2: ...

        movl    $1, %eax
        movl    $2, %ecx
        movl    $3, %edx
        movl    %eax, %edi
        movl    %ecx, %esi
        callq   _function
Whereas on Linux, they are pushed in the order specified in that link:

        movl    $3, %edx
        movl    $2, %esi
        movl    $1, %edi
        call    function
What is the reason behind this? Is it that the stack on OS X is implemented to grow up instead of down?
Anyone having trouble connecting to this?
I am. I think their server must be overloaded. I bookmarked the blog post announcing this and I'm going to try again tomorrow.
people were having fun with forkbombs a bit ago.

Presumably we're on the synflood stage now.

Yeah, we're rebooting. Should be up in a few more minutes. Sorry about that.
For anyone building something similar, I imagine having an elastic load balancer for TCP port 22 with a health check on a web service that spawns a process as each of the user accounts before returning "good", combined with an auto-scaling group to make certain there are always a couple healthy instances, would be an automated way to keep something like this running through fork bombs.
I was in there 5 minutes ago, did cat /levels/level02.c and then it stopped responding. I don't think cat could crash the server, but if it did, I'm sorry?
pretty sure it wasn't you. but then again, you never know with cats.
(comment deleted)
cat considered harmful?
To be clear, I'm making a joke riffing on the seminal paper "cat -v considered harmful".
Doesn't work for me as well. I managed to login an do one ls, but since then it's dead.

Can someone share the source and program of the first level so we can have a look?

Yeah, my connection froze, and now I cannot connect, ssh or http...
Maybe they should just publish a VM image.
Not a bad idea, but how do you keep people from peeking at the passwords with root access on their own VM?
They are asking for code or a brief description of how you proceeded through the steps. If you're going to take the time to document the process (correctly) then it shouldn't matter that you have the root password. Presumably you'd get stuck at some point where you couldn't explain how you achieved the subsequent step.
How do you keep yourself from rifling through the deck to find the Aces when you play solitaire?
I think someone decided to forkbomb it. I'm still logged on and every external command I type gets me "bash: fork: retry: Resource temporarily unavailable".

This is why we can't have nice things.

Someone already fork-bombed it ;-)
Aw, sad. The server seems to be non-responsive.
It looks like the machine is under heavy load. My shell just stopping responding and now ssh hangs while connecting :-(.
Bah. Looks like the server is now not responding. Bummer, because this is really fun.
I can't connect to it.
(comment deleted)
Is this based on the classic digital evolution wargames? :D