We found a simple web application that robots made to serve tmp files for debugging purposes. SSH into the machine as firstname.lastname@example.org and exploit the web app to read their secret.
Title: Bunyan (200)
The challenge consists of a web server written in Go.
This challenge is a remote exploitation challenge in a text-based adventure game. The game binary is quite complicated for a C program, using a bunch of structs and unions to store the game data. The bug which can be exploited is not one of the standard memory corruption bugs, but is instead an error in the way the game logic deals with these structures.
Here’s how we found the bug, and how we exploited it.
Challenge #11 consists of two binaries, chal1 and chal2. As if exploiting one binary
wasn’t worth any points!
Chal1 is an NX-protected x86-64 binary with fixed addresses for libc and ASLR for the stack.
It suffers from a strcpy() vulnerability: a string is copied from argv to a fixed-size buffer.
Before we can reach it, though, we have to overcome the fact that the binary exits when there are *any* arguments
at all. Luckily, when there are 0 elements in argv, argv points to envp (argv[1] is the same slot as envp[0]).
While the convention for environment variables is “VARNAME=value”, the kernel does not
enforce it; it just copies NULL-terminated strings. This means we can put any binary data
on the top of the process’s stack, encoding the NULL bytes by just starting another string.
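The argv/envp layout described above, as an added example that is not part of the original writeup: a C sketch of the check a program can make so that an empty argv is rejected instead of being read through into the environment. The names `classify_arg1` and `validate_args` and the constructed pointer vector are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Where a read of argv[1] actually lands. */
enum arg1_source { ARG1_REAL, ARG1_ABSENT, ARG1_IS_ENVP0 };

/* On Linux the initial stack holds argv[0..argc-1], a NULL, then envp[0..],
 * then a NULL. With argc == 0 the slot argv[1] is therefore the same memory
 * as envp[0], so code that indexes argv without checking argc reads env data. */
enum arg1_source classify_arg1(int argc, char **argv, char **envp)
{
    if (argc >= 2)
        return ARG1_REAL;
    if (argc == 0 && &argv[1] == &envp[0] && envp[0] != NULL)
        return ARG1_IS_ENVP0;
    return ARG1_ABSENT;          /* argv[1] is only a NULL terminator */
}

/* Hardened entry check: refuse to run without a program name.
 * Returns 0 when argv is usable, -1 otherwise. */
int validate_args(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;
    return 0;
}

/* Constructed stand-in for the pointer vector a process sees when it is
 * started with an empty argv and one environment string. */
static char env0[] = "A=1";
static char *empty_argv_vec[] = { NULL, env0, NULL };
char **sample_argv(void) { return &empty_argv_vec[0]; }
char **sample_envp(void) { return &empty_argv_vec[1]; }

int main(int argc, char **argv, char **envp)
{
    if (validate_args(argc, argv) != 0) {
        fprintf(stderr, "refusing to run with empty argv\n");
        return 1;
    }
    printf("argv[1] source: %d\n", classify_arg1(argc, argv, envp));
    return 0;
}
```

Calling `validate_args` before any use of argv, and only indexing `argv[i]` for `i < argc`, keeps environment strings from being treated as arguments.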