This actually made me laugh a little bit as it brought me back to my college days. The first week of February every year was when the yearly OS class covered fork(), and as a result the compute clusters all over campus were basically unusable due to people trying to run their homework. Ahh, memories.
I am surprised by the attitude against what he did, both on reddit and even more so here. After all, this is "hacker news" and the submission is called "hack your way...". Any definition of hacking that I know includes cleverly exploiting the limitations and boundary cases of a system. I see this attitude as part of a larger trend of "sandbox"-ification, "theme park"-ization of computing.
It is against the rules (and against common etiquette) to DoS the machine in CTF events. I don't see how fork bombing the machine helped him solve any challenges, so I can't see how someone could approve of that.
And another way of looking at it is: someone offered you free entertainment and education and you slapped them in the face and ruined the fun for everyone for quite some time. "Hacker" certainly does not include or entitle you to being a dick.
Ugh, this sucks. Got to #3, which looks pretty challenging for me, and took some time to document my steps there, and now someone has pulled this again. It just seems childish.
I believe that for each level of the challenge, all users were ssh'ing in to the same user account, so even with per-user process limits a fork bomb would use up all the processes available to the competitors at that level.
Once they've run this for a while, I'd love to see a post and screencast on some of the techniques needed to solve it. I don't know much about this subject, and I'd enjoy having a chance to learn in a setting unlikely to get me arrested.
I would also like to see a detailed explanation of how they prepared the box to safely allow people to play (i.e. logins, permissions, etc). How to restrict privileges yet allow just enough to make it varied and fun.
I'd love to see how people solved #2, and if they used any special tools like I did or if there's an easier way to do it. And I can't wait to delve deeper into #3 tomorrow :)
If I were in Firefox at the time I would have used Firebug (or I guess Firecookie, I don't remember if Firebug allows native editing of cookies), but I just happened to have Chrome running at the time.
My first thought, before I realized you could actually see the php code, was that it was some kind of sanitizing input exploit, maybe SQL injection (with the name or age) or, since the HTML input fields had "length", going over that.
Once I figured out what to do, it was only a matter of finding the right tool to do it. I didn't realize curl could [edit: --redacted--] (cool!), but I used OWASP ZAP and did a [edit: --redacted--]. Same method, different tool. Btw, thank you for explaining the curl options, I normally don't use curl much, but apparently I should :)
EDIT: Redacted stuff so as not to ruin the fun for others
FYI: the worker process for level05 isn't working anymore (I'm pretty confident it was not me that broke it, btw ;P); even with the simple "hello friend" example (exactly as given in the MOTD on the account), the server always returns "job timed out" (it is now about 3am PST).
(edit:)
...and as of almost 3:30am PST, it is no longer possible to log in to the server. :( (...and while typing the next paragraph, I finally got in, but spawning processes is now taking forever, and the two-second job timeout has worked its way up to almost 5 seconds. Maybe another silly attack.)
(Regardless, overall this has been rather well put together, and quite fun. I taught a freshman class at UCSB/CSS today on "how absinthe, the iPhone 4S jailbreak, works", and got a few of the students interested in trying out the CTF to see what they might learn by working on it.)
Yeah, same here. :( Part of me wonders whether someone with access to level06 went mucking around in the /tmp/level05 folder (which is itself 770 root.level06, so a level06 user can probably chmod 000 the queue folders) to keep other people from being able to get past that point.
I actually just found a way to kill the worker process remotely (on my localhost). Perhaps they don't have it hooked up to supervisord for autorestart. It's almost trivial to run sys.exit() on that worker.
That being said, your tmp folder permissions theory is much more interesting, and that would be a brilliant way to keep everyone else from catching up. :)
(This would certainly work if you can read my history: I don't consider the level "complete" until I get it down to a short bash one-liner that prints out the password. ;P)
Just a word on level2, I don't think that's a hint, if you think so I'll remove this comment asap.
The login to get on the page is: level02, and the password is what you've found in level01. I.e., the challenge is not to crack that "Authorization required" dialog.
> This one is a web-based vulnerability, so go ahead and point your browser to XXXXX. You'll need to provide the password for level02 using HTTP digest authentication.
Yeah.. but I somehow didn't realize it was the same l/p as the ssh and was trying to crack it ;) Or, more particularly, find a way around that protection to access the challenge behind it.
I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.
Guys, I gotta say, this is SO much fun! I am actually learning a ton, and while I'm only up to level 3, I feel this is such an awesome learning experience! Plus, I feel totally "leet" for figuring out levels 2 and 3. The world definitely needs more of these.
Same here, but I'm stuck on level 3 though...maybe my strategy is wrong. I am able to execute the function run from /levels/level03 with the following command:
cat /home/level04/.password
But I'm still getting access denied. I thought that would have done it for sure. The program runs under the following credentials:
I mostly live inside a Java world or XCode world, so GDB is almost a totally foreign concept to me - and I definitely welcome the challenge. Never really had to look at assembly before either, so this is a fun learning experience.
I think someone decided to forkbomb it. I'm still logged on and every external command I type gets me "bash: fork: retry: Resource temporarily unavailable".
I was in there 5 minutes ago, did cat /levels/level02.c and then it stopped responding. I don't think cat could crash the server, but if it did, I'm sorry?
For anyone building something similar, I imagine having an elastic load balancer for TCP port 22 with a health check on a web service that spawns a process as each of the user accounts before returning "good", combined with an auto-scaling group to make certain there are always a couple healthy instances, would be an automated way to keep something like this running through fork bombs.
They are asking for code or a brief description of how you proceeded through the steps. If you're going to take the time to document the process (correctly) then it shouldn't matter that you have the root password. Presumably you'd get stuck at some point where you couldn't explain how you achieved the subsequent step.
You should note that the SSH key has been changed.
$ dsocks.sh ssh level01@ctf.stri.pe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11.
Please contact your system administrator.
Add correct host key in /home/jcr/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/jcr/.ssh/known_hosts:8
RSA host key for ctf.stri.pe has changed and you have requested strict checking.
Host key verification failed.
It may be something harmless/simple like round-robin DNS combined with a failure to replicate the key, or more likely, someone has rooted the box.
EDIT: As confirmed by gdb and ab below, there's a good reason for the key change.
Any tips? I want to actually learn from this - I'm not just looking for the answers. But I've read wikipedia on setuid, googled around a bit, and am still not sure what to do.
The setuid flag allows you to run a binary as someone else. Since processes inherit the credentials they have when they run another program, if you find a bug[1] in a setuid program that lets you run another program of your choosing, you can gain the credentials of the setuid user.
[1] Buffer overflow, calling exec/system without proper escaping, creating predictable temp files, etc, etc.
You can write to /tmp. But since most people are also doing that, /tmp/date gets overridden frequently. I'd recommend mkdir /tmp/CZ-18; PATH=/tmp/CZ-18:$PATH; And then you can figure it out :)
Yeah, I'm stuck on level 3 as well. I see the printf() bug in capitalize(), but I don't think it's any help. I don't see anything obviously wrong in truncate_and_copy() (the strncpy() call and friends look right). run() is the juicy target, and I know where it's at in memory. There's the obvious comparison bug in main(), and I can use that to call a function pointer other than in the array, but I can't seem to locate a pointer to run(). I thought there might be a way to overflow atoi(), but that doesn't seem useful either.
Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.
Did you really end up using buffer overflow? I've been trying to overflow a different quantity all this time, and I'm quite sure you can't buffer overflow..
Right--no buffer overflow. I did find a way to get my needed function pointer on the stack. Hint: we're lucky that the function pointer doesn't have any null bytes in it...
I'm entirely new to hacking, and as such I'm struggling with level 1. I looked up the system() exploit, and I've managed to compile my own date program, but when I try to read the password from level02, I'm told I don't have permission. Could you point me in the right direction?
level06@ctf6:/tmp/tmp.0fPRsmsetz$ /levels/level06 /home/the-flag/.password %%%%%%%%%
Welcome to the password checker!
........................
Wait, how did you know that the password was %%%%%%%%%?
Level 5 seemed too easy -- it seems like they forgot a much easier exploit. The code was carefully constructed in a way that suggested a pickle injection attack which required understanding the pickle stack machine, but you didn't need that.
Level 6 was interesting. Some people got it with a timing attack. I used a different, more elegant method with a hint from reddit.
It's nearly impossible to debug my should-be-reliable-but-doesn't-work-at-all-and-by-the-way-gdb-affects-memory-layout solution with all the brute forcing going on though. :(
I think the machine was actually hosed due to fork bomb. (I kept bumping the rlimits as more people logged in and ran up against nprocs, but the last time I clearly just bumped nprocs way too high. Live and learn....)
You certainly should be able to solve all of the levels without tons of brute force though.
Wow, I read in this very thread that NX was for sure disabled on level03 so I've been barking up the wrong tree completely. Your direction is brilliant! I never would have come up with that. Here's my attempt: http://pastebin.com/XVkfLaiB
Wait. wtf how is yours working with NX on?
Edit: OH! Yours doesn't actually manipulate the stack so it doesn't get caught? That makes sense. I should have noticed the __stack_chk_fail calls.
For level 06, I came up with a completely different solution. After hitting my head against the wall all day trying to fight with blocking/non-blocking IO, I resorted to a timing attack on the system call which worked really well. Check it out:
I did it a different way to both of you but similar to zx2c4's :) I found a way to block the child process from writing to stderr. I thought the way they were writing to stderr/stdout was too much of a coincidence. All stdout writes end with \n
I think people must be brute-forcing level03 instead of figuring out how to calculate the index they need?! That could work but you won't know how address math/pointer math actually works. This isn't really fair to yourself, you'll be skipping out on understanding what a word size is.
But, for those uninterested in the minutiae of how it actually works if you are going to brute force this please compile this application on your OWN 64-bit system (gcc -g -o level03 level03.c) and run your nasty for() loop there so you aren't hosing the processes on this system!
Update: they helped a brother out, and the stack is actually executable on those binaries. I found out after mailing the organizers in exasperation. I was under this impression because newly-compiled binaries had no-exec on the stack, and I was off by a little when I tried to exploit it the first time. Doh!
Ha! Last night I read your comment, assumed you were right, and then came up with a solution that did not assume an executable stack. ;P (I'm actually quite glad, as messing around with the stack would have been much harder.)
For both of you, were your solutions 100% reliable? I ended up with an exploit that required a little brute forcing (i.e., just run it a hundred times or whatever).
Neither of our solutions were "reliable", and also required being run in a loop. (I know this about a1k0n's solution, as he sent me an e-mail asking me about my solution).
I actually have a 100% reliable solution that exploits the executable stack on level 04. No need to guess the address of the stack using one side effect that I found in this specific case:
Awesome!! I totally saw that call instruction, and then went on a wild goose chase thinking about how to get the string into that register, totally missing the fact that some of my earlier attempts at using printf had established that the string already happened to be there to begin with. Now I just feel dumb. ;P
Looking forward to trying this! I bookmarked it for later and noticed the title was just "Stripe Blog". Could you put the title of your blog post in the title tag? Makes bookmarking and also sharing via bit.ly extension much easier :)
I need a tutor for level03! I am SO close but obviously so far. Anyone up for checking my current notes and homework and hinting at me as to my next move?
Can anyone give me a hint on level 02? I have absolutely no background in PHP, and only a little in HTML. If you wanna keep the message thread private you can email me too at billyman3 at gmail.
First play with the webpage after entering the correct credentials. Then read through the PHP script that generates that page and understand what's going on behind it. Do you see any vulnerabilities in it?
I'm getting a bunch of "bash: fork: retry: Resource temporarily unavailable" in my SSH session when running commands like `ls`, etc. Could be due to high traffic?
I'm stuck even at lvl1, but I think I know how to solve it. Could anyone help me? I want to learn, and I don't want to spoil anything here.
Jabber: .thing@jabber.ccc.de
ICQ: 366509265
Copy the source locally, compile it, and use printf("%p") and void* casting on various variables. That will help figure out the required pointer arithmetic.
You will likely encounter stack randomization but there is a way to do it without worrying about that.
Uh oh, remote host identification has changed... new host or MITM? As this is a cracker-centric event, I'm now very hesitant to reconnect... perhaps you could publish the correct fingerprint somewhere?
The whole point is that you're supposed to find vulnerabilities in what you have access to and exploit them to view contents of things you don't have permission to.
HINT: For the purpose of this hint we'll assume your script is a bash script. If you've exploited the setuid program to run your script, bash may execute with the elevated permissions, but any program bash runs will run with your permissions.
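An added example, not the CTF's own level01 source: the setuid-plus-system("date") pattern the setuid and PATH comments above describe, next to a hardened form that does what this bash hint describes, dropping back to the caller's ids before running anything. The function names and the fixed PATH value are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (hypothetical, modelled on the level01 discussion): system()
 * hands "date" to /bin/sh, which resolves it through the caller's PATH. In a
 * setuid binary, whichever "date" the caller put first in PATH runs with the
 * owner's effective uid. */
int run_date_vulnerable(void)
{
    return system("date");
}

/* Hardened form: absolute path only, a fixed environment instead of the caller's,
 * and privileges dropped in the child before exec (what bash does on its own when
 * euid != uid). Returns the child's exit status, or -1 on failure/rejection. */
int run_hardened(const char *abs_path)
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                       /* never let PATH lookup decide */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        const char *base = strrchr(abs_path, '/') + 1;
        char *const argv[] = { (char *)base, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        /* Group first, then user: once the uid is dropped the gid can no longer be
         * changed. If dropping fails, do not run anything at all. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        if (geteuid() != getuid() || getegid() != getgid())
            _exit(126);
        /* execve copies the (now unprivileged) euid into the saved set-user-ID,
         * so the new program cannot climb back. */
        execve(abs_path, argv, envp);
        _exit(127);                      /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("relative path rejected: %d\n", run_hardened("date"));
    printf("/bin/date exit status: %d\n", run_hardened("/bin/date"));
    return 0;
}
```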
Anyone else not at all surprised who it is?