Semtex
Semtex Level 12
Posted March 5th, 2008 by arcanum
Authentication Daemon
There is an authentication daemon waiting on brebera port 24012. You connect to it, supply your password and get authenticated. The semtex 12 password will give you user access, the admin password will give you administrator access...
After authentication you connect to the remote file system reader on port 24013. Depending on your access level you can list files and show them. The semtex 13 password has been located in one of the files on this remote file system. Brebera is fast, can you be faster?
Thanks to bk for this level!
authd.c Source Code
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
Semtex Level 11
Posted February 28th, 2008 by arcanum
Deja vu
/rdx/vl1b is vortex level1 with a slight modification to make things a little bit harder.
Thanks to andrewg for inspiration.
Suggested reading: manpages: popen, dup2
Level 11 Source Code
#include <unistd.h>
#include <string.h>
#include <stdio.h>
// code by andrewg, modified by aton
#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }
void print(unsigned char *buf, int len)
{
int i;
printf("[ ");
for(i=0; i < len; i++) printf("%x ", buf[i]);
printf(" ]\n");
}
int main()
{
unsigned char buf[512];
unsigned char *ptr = buf + (sizeof(buf)/2);
unsigned int x;
while((x = getchar()) != EOF) {
switch(x) {
Semtex Level 10
Posted February 28th, 2008 by arcanum
Hacking scene
Thanks to zaphod and Mush for finding bugs in this level.
Do you know these hacking movies where they push some buttons, then the evil hacker script window turns up and a percentage bar is showing how far the password cracking has gone?
0%....10%....20%....30%....40%....50%....60%....70%....80%....90%....100% password cracked!
Ever wanted to do it yourself? Here is your chance.
This level implements a weakness in the authentication scheme used by M$ win95 and win98 for the netbios shares.
There is a TCP daemon on brebera port 24019. It authenticates your password. Once you send the correct password, it echoes it back. Well, let the source speak for itself. As far as brute force may take you, a little brain is never bad :P Perhaps you have heard of pqwak?
Level 10 Source Code
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
Semtex Level 9
Posted February 28th, 2008 by arcanum
Tunneling your firewall
How do you get data through a firewall that is blocking any tcp connection? You just don't use a tcp connection, but instead other packets that might not be filtered, for example network maintenance protocols like ICMP.
There is a raw socket open on a yet unknown host that listens for icmp packets and forwards them to a tcp server that you cannot reach. Your job is to create a client that communicates with this icmp "server". If everything works, you find yourself in a shell on an unknown system, and can search for the password.
The protocol and the server used by the ICMP tunnel are described in your home directory. If you manage to blackbox analyze it, then you can jump directly from semtex0 to semtex10 :)
You will have to use /rdx/rawwrapper.
rawwrapper.c source code
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <unistd.h>
#include <stdio.h>
Semtex Level 8
Posted February 28th, 2008 by arcanum
Non-sniffable data
This level is about some very simple covert channel, about transferring information that cannot possibly be sniffed.
There is a socket file in /rdx/nature. It is a local Unix socket.
Receive data from it until EOF and save it to a file. Watch the time between the received bytes. Certain delays mean certain bytes that have been left out (have not been sent).
0-1 s : no special data
1-2 s : 'Q'
2-3 s : 'L'
3-4 s : 'A'
4-5 s : 'V'
You have to take these "unsent" data into your output file too, exactly at the places where they occur.
Thus you are receiving data while not receiving anything.
The output file is a .jpg image :)
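The channel described above can be decoded offline once every received byte carries an arrival timestamp. The following decoder is an added example, not code from the level or the site: it turns the gap table above into a lookup, inserts the implied byte in front of the byte that arrived late, and includes a one-byte-at-a-time Unix socket reader that records a monotonic timestamp per byte. The sample event list is constructed; gaps of 5 s or more are not defined by the level and are treated as carrying nothing.

```python
"""Decoder for the timing covert channel described for Semtex level 8.

Added example, not part of the level or the site. The gap-to-byte table is
the one the level states; the sample event list below is constructed.
"""
import socket
import time
from typing import Iterable, List, Tuple

# Gap before a byte (whole seconds) -> byte that was deliberately not sent.
GAP_TO_BYTE = {1: b"Q", 2: b"L", 3: b"A", 4: b"V"}


def gap_byte(gap_seconds: float) -> bytes:
    """Return the silent byte implied by an inter-arrival gap.

    0-1 s carries no extra data; 1-2 s -> 'Q', 2-3 s -> 'L', 3-4 s -> 'A',
    4-5 s -> 'V'. Gaps of 5 s or more are not defined by the level, so they
    are treated as carrying nothing.
    """
    if gap_seconds < 0:
        raise ValueError("events must be in arrival order")
    return GAP_TO_BYTE.get(int(gap_seconds), b"")


def decode_timed_stream(events: Iterable[Tuple[float, int]]) -> bytes:
    """Rebuild the file from (arrival_time_seconds, byte_value) pairs.

    The silent byte implied by a gap is inserted immediately before the byte
    that arrived after that gap, i.e. exactly where it would have been sent.
    """
    out = bytearray()
    prev_t = None
    for t, value in events:
        if prev_t is not None:
            out += gap_byte(t - prev_t)
        out.append(value)
        prev_t = t
    return bytes(out)


def receive_with_timing(path: str) -> List[Tuple[float, int]]:
    """Read the Unix socket at `path` one byte at a time until EOF.

    Each byte is stamped with a monotonic clock as soon as recv() returns, so
    the recorded gaps reflect the sender's delays. Not exercised offline.
    """
    events: List[Tuple[float, int]] = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        while True:
            chunk = sock.recv(1)
            if not chunk:
                break
            events.append((time.monotonic(), chunk[0]))
    return events


# Constructed sample: five bytes with 0.2 s, 1.5 s, 2.4 s and 4.1 s gaps.
SAMPLE_EVENTS = [(0.0, 0x61), (0.2, 0x62), (1.7, 0x63), (4.1, 0x64), (8.2, 0x65)]


if __name__ == "__main__":
    print(decode_timed_stream(SAMPLE_EVENTS))  # b'abQcLdVe'
```

Reading one byte per recv() call matters: a larger read could return several bytes that arrived at different times under one timestamp, and the gaps between them would be lost. The same decoder works on a pcap-style list of (timestamp, byte) records, which is how a timing channel like this would be reconstructed from a capture rather than a live socket.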
Semtex Level 7
Posted February 28th, 2008 by arcanum
Multi-vitamin
Getting out of the restricted shell shouldn't take you more than five minutes. Then have a look at /rdx/multivitamin. Try to analyse the algorithm very carefully. There is a weakness that really speeds up your quest...
Multiplication is easy, and so is division...?
You might want to look at http://www.swox.com/gmp/ if you use C. Consider using Python for this, as it makes this level a lot easier.
Level 7 Source Code
/*
 * multivitamin.c 2006 by aton@packetdropped.org
*
* rules: no patching.
* compile: gcc multivitamin.c -o multivitamin -lgmp
*
* -> multiplication is simple, and so is division...?
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <gmp.h>
#define ADDVALUE 27137
int main(int argc, char *argv[])
{
mpz_t longjohn, mul, cmpval;
char userstr[512+1];
Semtex Level 6
Posted February 28th, 2008 by arcanum
ICMP forging
Send a special ICMP packet to an unknown host. Add the correct payload to it to make sure you can receive the password. Spoof your origin address and make semtex believe the packet is really coming from some government server (*.gov). Make sure this server you are sending from has a reverse DNS entry, otherwise you will not receive an answer.
You find more specific information in your home directory.
Reading Material
ICMP Request For Comment
Mixter's raw socket tutorial
Note:
You will have to use /rdx/rawwrapper. Take a look at the source
Semtex Level 5
Posted February 28th, 2008 by arcanum
Random Networking
Make 10 connections to port 24027 from different IPs. On each connection you will receive a string of 10 ASCII characters. XOR this string with the Semtex5 password, character by character. Then send back the 10 characters followed by another string of exactly 10 characters which identifies you (can be anything within A-Z, a-z, 0-9). The first 10 characters that you send are different on every connection; the last 10 have to be the same. If you do not send the correct string back within 5 seconds you are disconnected. Once connected with at least 10 different IPs, you will receive the password on one connection, chosen randomly.
Note: Your connections time out in 2 minutes and you cannot connect from an IP that is still connected.
May the sockets be with you.
Reading Material
Socks5 Request For Comment
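The exchange above is a challenge/response protocol with a few server-side rules (reply deadline, connection lifetime, one connection per IP, a fixed identifier, and a secret released only once enough distinct IPs are in). The model below is an added example, not the level's own daemon: it implements the server side of those rules with an injectable clock so the deadlines can be exercised, plus the client-side XOR step. The password, the IP addresses and the clock values are constructed; the level does not state the password length, so the XOR helper assumes the password is reused cyclically if it is shorter than the challenge.

```python
"""Server-side model of the Semtex level 5 challenge/response exchange.

Added example, not the level's own daemon. The rules (10-byte challenge,
XOR with the password, 10-byte identifier from A-Z a-z 0-9, 5 s reply
deadline, 2 min connection lifetime, one connection per IP at a time,
password released on a random connection once 10 distinct IPs are in) come
from the level text; the password, IPs and clock used below are constructed.
"""
import random
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CHALLENGE_LEN = 10
IDENT_LEN = 10
REPLY_DEADLINE = 5.0          # seconds allowed to answer the challenge
CONNECTION_LIFETIME = 120.0   # seconds before a connection times out
REQUIRED_IPS = 10
IDENT_ALPHABET = frozenset((string.ascii_letters + string.digits).encode())


def xor_with_password(challenge: bytes, password: bytes) -> bytes:
    """Client-side step: XOR the challenge with the password byte by byte.

    Assumption: if the password is shorter than the challenge it is reused
    cyclically; the level does not state the password length.
    """
    return bytes(c ^ password[i % len(password)] for i, c in enumerate(challenge))


@dataclass
class Conn:
    ip: str
    challenge: bytes
    opened_at: float
    answered: bool = False


class Level5Server:
    def __init__(self, password: bytes, now: Callable[[], float], rng: random.Random):
        self.password = password
        self.now = now            # injectable clock, so deadlines are testable
        self.rng = rng
        self.conns: Dict[str, Conn] = {}
        self.ident: Optional[bytes] = None  # fixed by the first accepted reply

    def _expire(self) -> None:
        """Drop connections older than CONNECTION_LIFETIME."""
        cutoff = self.now() - CONNECTION_LIFETIME
        for ip in [ip for ip, c in self.conns.items() if c.opened_at < cutoff]:
            del self.conns[ip]

    def connect(self, ip: str) -> Optional[bytes]:
        """Open a connection and return its challenge, or None if refused."""
        self._expire()
        if ip in self.conns:
            return None  # an IP that is still connected may not connect again
        letters = string.ascii_letters.encode()
        challenge = bytes(self.rng.choice(letters) for _ in range(CHALLENGE_LEN))
        self.conns[ip] = Conn(ip, challenge, self.now())
        return challenge

    def _drop(self, ip: str, reason: str) -> str:
        del self.conns[ip]
        return "disconnected: " + reason

    def reply(self, ip: str, data: bytes) -> str:
        """Validate a 20-byte reply and return a status string."""
        self._expire()
        conn = self.conns.get(ip)
        if conn is None or conn.answered:
            return "not connected"
        if self.now() - conn.opened_at > REPLY_DEADLINE:
            return self._drop(ip, "too slow")
        if len(data) != CHALLENGE_LEN + IDENT_LEN:
            return self._drop(ip, "bad length")
        answer, ident = data[:CHALLENGE_LEN], data[CHALLENGE_LEN:]
        if answer != xor_with_password(conn.challenge, self.password):
            return self._drop(ip, "bad answer")
        if any(b not in IDENT_ALPHABET for b in ident):
            return self._drop(ip, "bad identifier")
        if self.ident is None:
            self.ident = ident
        elif ident != self.ident:
            return self._drop(ip, "identifier changed")
        conn.answered = True
        answered: List[str] = [c.ip for c in self.conns.values() if c.answered]
        if len(answered) >= REQUIRED_IPS:
            return "password released to " + self.rng.choice(answered)
        return "ok"
```

The secret is tied to the set of simultaneously connected, correctly answered IPs rather than to any single reply, which is what makes the level a networking exercise (hence the SOCKS5 reading material) rather than a pure crypto one: knowing the password is necessary but not sufficient.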
Semtex Level 4
Posted February 28th, 2008 by arcanum
Ptrace your way
Pass prints the password for the level you are on. Try to make it print the next level's password.
This time it is not so easy:
pass: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, stripped
Tip:
- Pass uses geteuid() to get its information.
- Read man ptrace
Semtex3 Solutions
Look at the readme in your home directory to find cool and interesting solutions to semtex3.
Semtex Level 3
Posted February 28th, 2008 by arcanum
Number-Lock Action
You are almost on Semtex 4, there is just one big door before you. It is locked with a number lock.
Analyze and use the locks in /rdx/pointatme to adjust all the numbers in the correct way.
They will open your way to the next level.
Tip:
If you are not good at math, you should consider brute force. Rewrite the program and try all possible combinations of the locks. It won't take more than a few seconds ;)