Thursday, August 8, 2013

STS: Login - Level 2

This level gives us a binary and some code. There’s also an alternative challenge (I may get to this another time). Here’s the code we are working with:


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, const char **argv) {
    if (argc < 2) { printf("Fail. More Args...\n"); return 1; }
    else {
        /* Run with the binary owner's privileges (setuid challenge binary). */
        setresuid(geteuid(), geteuid(), geteuid());
        char buf2[4096];
        char buf[16];
        const char password[] = "XXXXXXXXXXX";   /* password redacted in the post */
        /* Bounded copy of at most 15 bytes; note strncpy does not NUL-terminate
           buf when argv[1] is 15 bytes or longer. */
        strncpy(buf, argv[1], sizeof(buf) - 1);
        if (strcmp(buf, password) != 0) {
            printf("Wrong.\n");
            return 1;
        }
        else {
            /* Unbounded copy of argv[2] into a 4096-byte stack buffer: this is
               the overflow. Only argc < 2 was checked, so argv[2] may be NULL. */
            strcpy(buf2, argv[2]);
            printf("%s", buf2);
            return 0;
        }
    }
}

We can see in the code that there are 2 buffers and that the second buffer uses the insecure strcpy function. However, to get to this segment of code, we need to know the password. In order to get this I ran “strings” on the binary and was able to quickly pick out the password. Now if I run the program with the password, I can attempt to overflow the buffer.
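For contrast, here is a hardened rewrite of the same program. This is an added example, not the challenge's code: it checks that argv[2] actually exists, compares the whole argument instead of a 15-byte strncpy copy, and refuses a message that does not fit in buf2 instead of overflowing it. The password string is a constructed placeholder and the setresuid() call is left out.

```c
/* Added example: hardened rewrite of the level2 program. Not the challenge's
 * code; the password is a constructed placeholder, setresuid() is omitted. */
#include <stdio.h>
#include <string.h>

#define PASSWORD "placeholder-password"   /* constructed, not the real one */
#define MSG_SIZE 4096                     /* same size as buf2 in the challenge */

/* Copy src into dst[dst_size] only if it fits including the NUL.
 * Returns 0 on success, -1 if src is NULL or too long. Unlike strcpy it never
 * writes past dst; unlike strncpy it never leaves dst unterminated. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')   /* scan at most dst_size bytes */
        len++;
    if (len == dst_size)
        return -1;                               /* no room for the NUL */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same flow as the challenge's main(), with the defects removed.
 * Exit codes: 0 = ok, 1 = usage or wrong password, 2 = message too long. */
int level2_hardened(int argc, const char **argv) {
    char buf2[MSG_SIZE];

    if (argc < 3) {                 /* the original checked only argc < 2 */
        fputs("Fail. More Args...\n", stderr);
        return 1;
    }
    /* Compare the whole argument: no 15-byte copy, so no truncation and no
     * possibly unterminated buffer to compare against. */
    if (strcmp(argv[1], PASSWORD) != 0) {
        fputs("Wrong.\n", stderr);
        return 1;
    }
    if (bounded_copy(buf2, sizeof buf2, argv[2]) != 0) {
        fputs("Message too long.\n", stderr);
        return 2;
    }
    printf("%s\n", buf2);           /* literal format string, as in the original */
    return 0;
}

int main(int argc, const char **argv) {
    return level2_hardened(argc, argv);
}
```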


$ ./level2 [removed] `python -c 'print "A" * 5000'`


I get a segmentation fault. We can see in gdb that we overwrite the eip with A’s.


[screenshot: gdb output showing eip overwritten with A's]



Now all we need to do is craft up our basic exploit and get the key! :)

Tuesday, August 6, 2013

STS: Logic - Level 1


This challenge was fairly easy like all level 1s. We have a web app with a file upload. The hint tells us that files are uploaded to the /uploads/ folder and to take a look at the users’ home directories for clues. I uploaded a tiny webshell and headed to /home/level1. I noticed that there is a file called “README”. This file says that we are close but to not look so far. Since this is a Linux machine, the next obvious place is to check the .bash_history file. Bingo! There’s the password.