
Level 0

Level0 is a remote format string level intended to get you started with blacksun. The service has a format string bug, you can see its reply, and address space randomisation is enabled. You'll need to use the direct parameter access method to analyse the stack and to manipulate it.

Once you have access to a shell, read /etc/motd for more information.

Binary information
Stack smashing protection (SSP): Enabled
Position Independent Executable (PIE): Enabled
Address space layout randomisation (ASLR): Enabled
Non-executable pages: None / disabled

Location:

Connect to blacksun.overthewire.org on port 79

Alternatively, there is a debug version on port 78 if you need help understanding what you're seeing

Code listing (level0.c)
 1 #include <stdlib.h>
 2 #include <unistd.h>
 3 #include <string.h>
 4 #include <stdio.h>
 5 #include <sys/types.h>
 6 #include <pwd.h>
 7 #include <fcntl.h>
 8 
 9 void query(char *username);	// forward declaration; defined after main(), looks the name up and prints the reply
10 
11 
/*
 * Entry point of the level 0 service.
 *
 * Prints a banner, then loops: read a request number into blah, read a
 * username into username, and hand the username to query(). The loop stops
 * after the first pass in which the request number parses as 0; query() is
 * still called on that last pass. Always returns 0.
 *
 * With DEBUG defined, the process first copies /proc/self/maps to fd 1 and,
 * on every pass, prints the addresses of blah, username and y0.
 *
 * Review notes (defects a hardened version would have to remove):
 *  - gets() on line 59 has no length limit, so a line longer than
 *    username[256] is written past the end of the array.
 *  - The DEBUG output discloses the memory map and stack addresses, which
 *    removes the benefit of the ASLR/PIE settings listed for this binary;
 *    a build with DEBUG belongs in a lab, not on an exposed port.
 *  - Return values of open(), read(), fgets() and gets() are not checked.
 */
12 int main()
13 {
14 	int y0;	 // special marker, you can use this for when you're doing exploitation analysis to find where main is on the stack etc.
   	// y0 is also reused below: as the file descriptor in the DEBUG block and as the parsed request number.
15 	int cont;
16 	char username[256];
17 	char blah[20];	// never initialised before the first fgets()
18 	
19 	//setvbuf(stdin, NULL, _IONBF, 0);
20 	//setvbuf(stdout, NULL, _IONBF, 0);
21 
22 #ifdef DEBUG
   	// NOTE(review): open() is not checked; if it fails, read() returns -1 and the copy loop is skipped.
23 	y0 = open("/proc/self/maps", O_RDONLY);
24 
   	// username doubles as the copy buffer here; cont holds the byte count of each read().
25 	while((cont = read(y0, username, sizeof(username))) > 0) {
26 		write(1, username, cont);
27 	}
28 	close(y0);
29 #endif
30 	
31 	printf("--> Blacksun level 0\r\n");
32 	printf("by Andrew Griffiths (andrewg@felinemenace.org)\r\n");
33 	printf("/-------------------------------------------------\\ \r\n");
34 	printf("|Use netcat as opposed to telnet -- telnet sends  |\r\n");
35 	printf("|certain control charachers and will fuck up your |\r\n");
36 	printf("|connection. This won't be a problem if you're    |\r\n"); 
37 	printf("|coding the program to connect.                   |\r\n");
38 	printf("\\-------------------------------------------------/\r\n\r\n");
39 
   	// Clear whatever the DEBUG copy loop left in the buffer.
40 	memset(username, 0, sizeof(username));
41 	cont = 1;
42 
43 	while(cont) {
44 		printf("Enter request number: ");
45 		fflush(stdout);	// prompt has no newline, so flush it explicitly
   		// Bounded read: at most sizeof(blah)-2 characters are stored; the rest of a longer
   		// line stays buffered and is consumed by the gets() below.
   		// NOTE(review): result ignored; at EOF blah keeps its previous contents.
46 		fgets(blah, sizeof(blah)-1, stdin);
   		// atoi() reports no errors: non-numeric input yields 0, which ends the loop after this pass.
47 		y0 = atoi(blah);
48 		
49 #ifdef DEBUG
50 		printf("blah: %p\n", blah);
51 		printf("username: %p\n", username);
52 		printf("y0: %p\n", &y0);
53 #endif
54 		
55 		cont = (y0 != 0);
56 		
57 		printf("Enter the username you'd like to query: ");
58 		fflush(stdout);
   		// gets() stops only at newline or EOF and knows nothing about sizeof(username),
   		// so a longer line overruns the 256-byte array. It was removed from the language
   		// in C11; fgets(username, sizeof(username), stdin) is the bounded replacement
   		// (it keeps the newline, which then has to be stripped).
59 		gets(username);
60 
   		// No effect: strlen() finds the existing terminator and this writes 0 over it.
61 		username[strlen(username)] = 0;
62 		
63 		
   		// The name is passed on as received; nothing here restricts its length or characters.
64 		query(username);
65 
66 	}
67 	
68 	return 0;
69 }
70 
71 
/*
 * Look up username with getpwnam() and print a one-line reply on stdout.
 *
 * If the account exists, the reply lists its name, uid, gid, gecos, home
 * directory and shell; otherwise it echoes the supplied name in a
 * "does not exist" message. With DEBUG defined the address of response is
 * printed first.
 *
 * username: NUL-terminated name from the caller; not validated here.
 *
 * Review notes (defects a hardened version would have to remove):
 *  - Line 89 passes response to printf() as the format string. response
 *    contains the caller's text (the username in the not-found branch, the
 *    passwd fields otherwise), so conversion specifiers in that text are
 *    interpreted by printf(). This is the format string bug the level
 *    description refers to; printf("%s", response) or
 *    fputs(response, stdout) prints the text as data instead.
 *  - Both sprintf() calls write without regard to sizeof(response);
 *    snprintf(response, sizeof(response), ...) with a check of its return
 *    value bounds the write.
 */
72 void query(char *username)
73 {
74 	struct passwd *pw;
75 	char response[4096];
76 	
   	// NULL means no matching entry (or a lookup error; the two are not distinguished here).
77 	pw = getpwnam(username);
78 
79 	if(pw) {
   		// NOTE(review): pw_uid/pw_gid are uid_t/gid_t; %d assumes they are int-sized and signed -- confirm for the target platform or cast explicitly.
80 		sprintf(response, "Username: %s, uid: %d, gid: %d, gecos: %s, dir: %s, shell: %s\n\n", pw->pw_name, pw->pw_uid, pw->pw_gid, pw->pw_gecos, pw->pw_dir, pw->pw_shell); 
81 	} else {
   		// The caller-supplied name is copied into response verbatim.
82 		sprintf(response, "%s does not exist on this system, according to getpwnam().\n\n", username);
83 	}
84 
85 #ifdef DEBUG
86 	printf("response: %p\n", response);
87 #endif
88 	
   	// response is used as the format argument, not as data for a "%s" conversion.
89 	printf(response);
90 }