Discover gdb disassembly, binary exploitation & reverse-engineering through 14 little challenges.
In the folder for each level you will find:
-
flag - password for next level
-
README.md - how to find the password
-
source.c - the reverse engineered binary
See the subject for more details.
For more gdb & exploitation fun check out the next project OverRide.
Final Score 125/100
First download from 42 RainFall.iso.
On Mac OSX, install VirtualBox.
In VirtualBox create a new VM (click new).
- Name and operating system - Type: Linux, Version: (Oracle 64-bit)
Continue through all the next steps with the default settings:
- Memory size: 4MB
- Hard disk: Create a disk now
- Hard disk file type: VDI(VirtualBox Disk Image)
- Storage on physical hard disk: Dynamically allocated
- File size: 12,00GB
Next click Settings > Network > Adapter 1 > Attached to: Bridged Adapter.
Still in settings click Storage > Right of "Controller: IDE", there is a CD icon with a + sign (add optical drive). Click Add Disk Image, and select RainFall.iso.
Click Start to start the VM, once runnning it should show the VM IP address and prompt user to login.
Log in from a separate shell as user level0 with password level0.
ssh level0@{VM_IP} -p 4242
As user level0 the goal is to read the password for user level1, found at /home/user/level1/.pass. However, user level0 does not have permissions to read this file.
In the home folder for user level0 is a binary level0 with SUID set and owner level1.
This means when we execute the binary level0, we do so with the permissions of user level1.
We must find a vulnerability in the binary level0 with gdb. Then exploit the vulnerability to run system("/bin/sh"), opening a shell as user level1 where we have permissions to read the password.
cat /home/user/level1/.pass
Then log in as user level1.
su level1
Repeat for each level.
For each level, we reverse engineered the original source.c by examining the gdb disassembly of the binary.
Each level's README.md details how to to compile source.c, set SUID, then run with the exploit, demonstrating the same vulnerability.
-
0 - hardcoded password
-
1 - gets() stack overflow
-
2 - gets() stack overflow, return address in heap
-
3 - printf() format string attack
-
4 - printf() format string attack, with %d
-
5 - printf() format string attack, with %d
-
6 - strcpy() buffer overflow
-
7 - strcpy() buffer overflow
-
8 - idiocy
-
9 - memcpy() buffer overflow
-
Bonus 0 - strcpy() buffer overflow
-
Bonus 1 - memcpy() buffer overflow
-
Bonus 2 - strcat() buffer overflow, exploit in env
-
Bonus 3 - strcmp() with empty argument
I wrote this project in a team with the awesome @dfinnis.