The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it’s hard to appreciate just how exploitable they are until you’ve written a SQL injection of your own.
We built Stripe Capture the Flag, a security wargame inspired by SmashTheStack’s IO, to help the community (as well as our team!) practice identifying and exploiting common security problems.
After completing our CTF, you should have a greatly improved understanding of how attackers will try to break your code (and hopefully will have fun in the process!).
You can begin Stripe’s CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26YEb2.
Your goal is to read the contents of /home/level02/.password. In /levels/level01, you’ll find a setuid binary owned by level02 (as well as its source code) — you will probably find it useful.
Once you have the password, you can ssh in as level02. There are six levels in all; once you’ve logged in as level06 your goal is to read the password from /home/the-flag/.password.
⁕ ⁕ ⁕
If you’ve successfully captured the flag, let us know at ctf@stripe.com! We’ll send a special-edition Stripe CTF T-shirt to anyone who successfully captures the flag. Include the following information in your email:
The password to the-flag.
Code or a brief description of how you escalated through each level.
After reading the description… I give up.
eli7e h4x0r
I got up to level 3 so far. First 2 are pretty easy. First one is a sudo exploit and the second is a PHP Session/Cookie hack
Little more difficult than guessing a friend’s FB password =)
The box is getting hammered. Hard to do anything on it.
hmmm…how do you trick level03.c into executing the run() function?
I just got back from out of town. I will mess with this shortly
looks like level 3 requires messing with memory locations and the pointer they setup… it’s a bit over my head for sure.
^^ buffer overflows and null pointers =)
This is where my ssh connection kicked me. Will play more tonight.
I assume the box isn’t using address layout randomization so it’s just a simple buffer overflow that needs to be fuzzed? Control EIP and win?
Is the binary suid?
I’ll give this a shot later…
(Someone fork-bombed this and brought everything to a grinding halt… hah. http://www.reddit.com/r/programming/comments/q1qii/want_to_try_your_hand_at_writing_exploits_try/c3u09kc)
Actually, the /r/netsec guys said it is using randomization IIRC
yes, the binary is suid, so if you get it to call the run function and pass it something runnable, you’ll be able to get at the .password file.
I really have never researched or learned about buffer overflows.
Maybe you need to run it with a debugger like GDB?
Ok so now that I slept level 1 is easy…
Just export a new path and create a script to cat the password file.
yep, that was a good and easy lesson for script writers to learn why they should use full paths when calling executables in code.
And yeah, level3 will likely require debugging…gonna have to go back and learn/re-learn that stuff.
I need to figure out level2. I assume you fuck around with the cookie since it opens a file
I guess that or the user agent…
Work said I can spend tomorrow fucking around with it lol
I agree.
Know what? If they can get into my shit, they can have it. lol.
You’re welcome.
Level 2 was easier for me being a web app guy. Here is a hint, look at this line. The output is displaying a local file and passes in a string from a cookie without doing any checks. You need a tool for Chrome/Firefox that will let you edit a cookie that gets set.
$out = file_get_contents('/tmp/level02/'.$_COOKIE['user_details']);
There is another way to alter the cookie…I won’t hint at it though, since I cheated
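A hardened counterpart to the level 2 line quoted above, added here as an example and not part of the thread or of Stripe's CTF code. It assumes the stored file names are plain alphanumeric identifiers; `safe_read_user_details()` and the throwaway demo directory are hypothetical names.

```php
<?php
// Added example, not the CTF's code. BASE_DIR mirrors the directory in the
// quoted line; safe_read_user_details() is a hypothetical helper name.
const BASE_DIR = '/tmp/level02';

function safe_read_user_details(?string $cookieValue, string $baseDir = BASE_DIR): ?string
{
    // 1. Allow-list the identifier format (assumption: names are plain
    //    alphanumerics). Slashes, dots and NUL bytes never get through.
    if ($cookieValue === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $cookieValue)) {
        return null;
    }

    // 2. Resolve symlinks on both sides and confirm the result is still
    //    inside the base directory before touching the file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $cookieValue);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }

    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed demo in a throwaway directory (all values below are made up).
$dir = sys_get_temp_dir() . '/level02_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/data', 0700, true);
file_put_contents($dir . '/data/abc123', "ok\n");
file_put_contents($dir . '/outside', "secret\n");
symlink($dir . '/outside', $dir . '/data/link'); // symlink that leaves the base

foreach (['abc123', '../outside', 'link', ''] as $value) {
    $out = safe_read_user_details($value, $dir . '/data');
    printf("%-14s => %s\n", var_export($value, true), $out === null ? 'rejected' : 'served');
}
```

The format check alone does not cover the symlink case, which is why the containment check on the resolved path stays in even when the allow-list looks sufficient.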
fyi, this whole thing has got me looking at other capture the flags, which led to me needing to learn how buffer overflow attacks work…which led to my mind being blown
if anyone wants info on buffer overflows, I highly suggest fuzzynop’s channel on youtube, watch “buffer over tutorial 1-8”
also, get the livecd for the book “Art of Exploitation” here http://nostarch.com/hacking2.htm#toc
after watching and learning the above method, I was able to exploit a buffer overflow vuln :tup: