item 3622559

Hack your way through Stripe's Capture the Flag

391 points | gdb | 14 years ago | stripe.com | reply

199 comments

[+] tzs|14 years ago|reply
The asshole who fork bombed it is boasting on Reddit: http://www.reddit.com/r/programming/comments/q1qii/want_to_t...

Anyone else not at all surprised who it is?

[+] bmohlenhoff|14 years ago|reply
This actually made me laugh a little bit as it brought me back to my college days. The first week of February every year was when the yearly OS class covered fork(), and as a result the compute clusters all over campus were basically unusable due to people trying to run their homework. Ahh, memories.
[+] lkozma|14 years ago|reply
I am surprised by the attitude against what he did, both on reddit and even more so here. After all, this is "hacker news" and the submission is called "hack your way...". Any definition of hacking that I know includes cleverly exploiting the limitations and boundary cases of a system. I see this attitude as part of a larger trend of "sandbox"-ification, "theme park"-ization of computing.
[+] mhartl|14 years ago|reply
Once they've run this for a while, I'd love to see a post and screencast on some of the techniques needed to solve it. I don't know much about this subject, and I'd enjoy having a chance to learn in a setting unlikely to get me arrested.
[+] david_xia|14 years ago|reply
I would also like to see a detailed explanation of how they prepared the box to safely allow people to play (i.e. logins, permissions, etc.). How to restrict privileges yet allow just enough to make it varied and fun.
[+] mirkules|14 years ago|reply
I'd love to see how people solved #2, and if they used any special tools like I did or if there's an easier way to do it. And I can't wait to delve deeper into #3 tomorrow :)
[+] saurik|14 years ago|reply
FYI: the worker process for level05 isn't working anymore (I'm pretty confident it was not me that broke it, btw ;P); even with the simple "hello friend" example (exactly as given in the MOTD on the account), the server always returns "job timed out" (it is now about 3am PST).

(edit:)

...and as of almost 3:30am PST, it is no longer possible to log in to the server. :( (...and while typing the next paragraph, I finally got in, but spawning processes is now taking forever, and the two-second job timeout has worked its way up to almost 5 seconds. Maybe another silly attack.)

(Regardless, overall this has been rather well put together, and quite fun. I taught a freshman class at UCSB/CSS today on "how absinthe, the iPhone 4S jailbreak works", and got a few of the students interested in trying out the CTF to see what they might learn by working on it.)

[+] mpetrov|14 years ago|reply
I'm also stuck at this point. Have the python exploit working on my localhost, now just need to run it live.
[+] nviennot|14 years ago|reply
Same here, I guess we are done. Not my fault ;)
[+] lurker17|14 years ago|reply
Bonus to anyone who gets the answer by intercepting another solver's email message.
[+] sdfjkl|14 years ago|reply
I just hope this machine is isolated from Stripe's network, in case someone makes it to secret level 99.
[+] phzbOx|14 years ago|reply
Just a word on level2, I don't think that's a hint, if you think so I'll remove this comment asap.

The login to get on the page is: level02 and the password is what you've found in level01. I.e., the challenge is not to crack that "Authorization required" dialog.

[+] spicyj|14 years ago|reply
The welcome message says:

> This one is a web-based vulnerability, so go ahead and point your browser to XXXXX. You'll need to provide the password for level02 using HTTP digest authentication.

so no, it's not the challenge. :)

[+] mjijackson|14 years ago|reply
Read this if you're stuck on level 3: http://destroy.net/machines/security/P49-14-Aleph-One
[+] dthunt|14 years ago|reply
<3

I read this back in college, ages ago. Still relevant - not quite up there with K&R as far as technical writing goes, but it does indeed do the job of making a theoretical problem into an understandable & exploitable one, and for that reason "Smashing the Stack For Fun And Profit" is a phrase that has a special place in my heart.

[+] mirkules|14 years ago|reply
Thanks for that link. Reading through one of the first sections about pushing parameters to the stack, I noticed the call:

    gcc -S -o example1.s example1.c

However, example1.s looks very different on Mac than on Linux, in particular, on Mac the parameters are pushed in reverse order:

    Leh_func_begin2: ...

            movl    $1, %eax
            movl    $2, %ecx
            movl    $3, %edx
            movl    %eax, %edi
            movl    %ecx, %esi
            callq   _function

Whereas on Linux, they are pushed in the order specified in that link:

            movl    $3, %edx
            movl    $2, %esi
            movl    $1, %edi
            call    function

What is the reason behind this? Is it that the stack on OS X is implemented to grow up instead of down?
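Editor's note on the two listings above: both are x86-64 System V code, the calling convention Linux and macOS share, which passes the first three integer arguments in %edi, %esi and %edx. The Mac listing merely stages the constants through %eax and %ecx before moving them into the argument registers; the order a compiler emits those moves is its own choice and says nothing about stack direction, which is toward lower addresses on both systems. The program below is an added example (not from the thread or the CTF) that checks this directly by comparing the address of a callee's buffer with a local in its caller's frame. The NOINLINE attribute and the volatile locals exist only to stop the compiler from collapsing the two frames.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: probe which way the stack grows and where a callee's
 * buffer sits relative to its caller's frame. Not part of the CTF. */

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Callee: writes the address of a local buffer in its own frame to *out. */
static NOINLINE void callee_buffer_addr(uintptr_t *out)
{
    volatile char buf[64];      /* the kind of buffer strcpy() would overrun */
    buf[0] = 'x';
    *out = (uintptr_t)&buf[0];
}

/* Caller: records the address of one of its own locals, then calls the callee. */
static NOINLINE void probe_frames(uintptr_t *caller_local, uintptr_t *callee_local)
{
    volatile char marker = 'm';
    *caller_local = (uintptr_t)&marker;
    callee_buffer_addr(callee_local);
    (void)marker;
}

/* 1 if the callee's buffer lies at a lower address than the caller's local,
 * i.e. the stack grows toward lower addresses. This holds on x86, x86-64 and
 * ARM, under Linux and macOS alike. */
int stack_grows_down(void)
{
    uintptr_t caller, callee;
    probe_frames(&caller, &callee);
    return callee < caller;
}

/* Bytes from the start of the callee's buffer up to the caller's local.
 * An overrun of that buffer writes toward higher addresses, i.e. through the
 * callee's saved return address and into exactly this region, which is why
 * the buffer itself is always at least 64 bytes below the caller's frame. */
long frame_gap_bytes(void)
{
    uintptr_t caller, callee;
    probe_frames(&caller, &callee);
    return (long)(caller - callee);
}

int main(void)
{
    printf("stack grows down: %d, gap between frames: %ld bytes\n",
           stack_grows_down(), frame_gap_bytes());
    return 0;
}
```

Build with `gcc -O2 example.c` on either platform; the first value is 1 on both, and the gap is the callee's buffer plus whatever the compiler saved between the two frames, which is the distance an overflow from that buffer has to cover.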
[+] mirkules|14 years ago|reply
Guys, I gotta say, this is SO much fun! I am actually learning a ton, and while I'm only up to level 3, I feel this is such an awesome learning experience! Plus, I feel totally "leet" for figuring out levels 2 and 3. The world definitely needs more of these.
[+] Rudisimo|14 years ago|reply
Same here, but I'm stuck on level 3 though...maybe my strategy is wrong. I am able to execute the function run from /levels/level03 with the following command:

  cat /home/level04/.password
But I'm still getting access denied. I thought that would have done it for sure. The program runs under the following credentials:

  uid=1003(level03) gid=1004(level03) groups=1001(chroot),1004(level03)
Which is kind of weird since /levels/level03 has a setuid of level04. It could be gdb...
[+] ianbishop|14 years ago|reply
Ah man, I couldn't agree more. I've learned a ton just messing around with the first few, though getting this was a real bummer:

    Run till exit from #0  run (str=0xffece7ec "cat /home/level04/.password") at level03.c:53
    cat: /home/level04/.password: Permission denied

Ah well, a sign to go to sleep. Tomorrow I'll have to learn more things to figure it out if it's still up.

[+] olalonde|14 years ago|reply
I'm getting the following (no source/binary file... is it part of the challenge or is there something wrong?):

    level01@ctf:~$ pwd;ls -al
    /home/level01
    total 24
    dr-x------ 2 level01 root    4096 2012-02-22 13:28 .
    drwxr-xr-x 9 root    root    4096 2012-02-22 13:28 ..
    -rw-r--r-- 1 level01 level01  220 2010-04-19 02:15 .bash_logout
    -rw-r--r-- 1 level01 level01 3103 2010-04-19 02:15 .bashrc
    -rw------- 1 level01 root      11 2012-02-22 13:28 .password
    -rw-r--r-- 1 level01 level01  675 2010-04-19 02:15 .profile
[+] farnsworth|14 years ago|reply
that's the home directory, i think you want /levels
[+] starnix17|14 years ago|reply
Anyone having trouble connecting to this?
[+] luckygerbils|14 years ago|reply
I think someone decided to forkbomb it. I'm still logged on and every external command I type gets me "bash: fork: retry: Resource temporarily unavailable".

This is why we can't have nice things.

[+] mirkules|14 years ago|reply
I was in there 5 minutes ago, did cat /levels/level02.c and then it stopped responding. I don't think cat could crash the server, but if it did, I'm sorry?
[+] jnorthrop|14 years ago|reply
I am. I think their server must be overloaded. I bookmarked the blog post announcing this and I'm going to try again tomorrow.
[+] sidolin|14 years ago|reply
Doesn't work for me either. I managed to log in and do one ls, but since then it's dead.

Can someone share the source and program of the first level so we can have a look?

[+] rottencupcakes|14 years ago|reply
Maybe they should just publish a VM image.
[+] heywire|14 years ago|reply
Yeah, my connection froze, and now I cannot connect, ssh or http...
[+] gqwo|14 years ago|reply
Am I just too stupid, or is there a problem with level2? I can open files like /etc/passwd but not /home/level03/.password.
[+] lftl|14 years ago|reply
Pretty sure it's broken right now. It was working earlier, but it returns nothing now, and the password that was in place doesn't work any more.
[+] jcr|14 years ago|reply
You should note that the SSH key has been changed.

  $ dsocks.sh ssh [email protected]
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  74:67:32:4a:04:b8:9f:05:b6:e8:29:43:26:12:75:11.
  Please contact your system administrator.
  Add correct host key in /home/jcr/.ssh/known_hosts to get rid of this message.
  Offending RSA key in /home/jcr/.ssh/known_hosts:8
  RSA host key for ctf.stri.pe has changed and you have requested strict checking.
  Host key verification failed.
  
It may be something harmless/simple like round-robin DNS combined with a failure to replicate the key, or more likely, someone has rooted the box.

EDIT: As confirmed by gdb and ab below, there's a good reason for the key change.

[+] jetsnoc|14 years ago|reply
It's fun to feel like a nefarious hacker. I'm at level2, see you at level 6 guys!
[+] farnsworth|14 years ago|reply
Any tips? I want to actually learn from this - I'm not just looking for the answers. But I've read wikipedia on setuid, googled around a bit, and am still not sure what to do.
[+] jetsnoc|14 years ago|reply
Stuck at level3 for a minute
[+] jessepollak|14 years ago|reply
anyone have any good resources for understanding the basics of all of this?
[+] olalonde|14 years ago|reply
For levels 1 to 3, Google these: system() exploit, never trust user input, buffer overflow.
[+] simon_weber|14 years ago|reply
The venerable CMU binary bomb assignment covers a lot of useful concepts.
[+] chubot|14 years ago|reply
4 days later:

    level06@ctf6:/tmp/tmp.0fPRsmsetz$ /levels/level06 /home/the-flag/.password %%%%%%%%%
    Welcome to the password checker!
    ........................
    Wait, how did you know that the password was %%%%%%%%%?

Level 5 seemed too easy -- it seems like they forgot a much easier exploit. The code was carefully constructed in a way that suggested a pickle injection attack which required understanding the pickle stack machine, but you didn't need that.

Level 6 was interesting. Some people got it with a timing attack. I used a different, more elegant method with a hint from reddit.

Very well done, stripe.
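The level 6 checker mentioned above is described only as a password checker that some people beat with a timing attack. The program below is an added example, not the CTF's level06 source and not the method chubot used: it shows a checker that returns at the first mismatching byte, the byte-at-a-time recovery such a checker allows (a step counter stands in for the wall-clock time an attacker would measure), and a comparison that walks every byte regardless. The secret string is a constructed placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the CTF's level06 code). The secret below is a
 * constructed placeholder, not anything from the challenge. */
static const char *const DEMO_SECRET = "s3cr3t-42";

/* Leaky checker: exits on the first mismatch. `steps` receives the number of
 * loop iterations taken and stands in for the elapsed time an attacker sees. */
int leaky_check(const char *guess, const char *secret, size_t *steps)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i < n; i++) {
        /* A shorter guess hits its own NUL here and mismatches, so no over-read. */
        if (guess[i] != secret[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n + 1;
    return guess[n] == '\0';
}

/* Checker that always walks the whole secret and folds every byte difference
 * into one accumulator, so `steps` no longer depends on where the guess went
 * wrong. The secret's length still leaks through the loop bound; comparing
 * fixed-length hashes of both sides instead removes that as well. */
int constant_time_check(const char *guess, const char *secret, size_t *steps)
{
    size_t glen = strlen(guess), slen = strlen(secret);
    unsigned char diff = (unsigned char)(glen != slen);
    for (size_t i = 0; i < slen; i++) {
        unsigned char g = (i < glen) ? (unsigned char)guess[i] : 0;
        diff |= g ^ (unsigned char)secret[i];
    }
    *steps = slen;
    return diff == 0;
}

/* Attack on leaky_check: for each position try every printable byte and keep
 * the one that makes the checker run one step further. Cost is linear in the
 * secret's length times the alphabet, not exponential. Returns the number of
 * secret bytes recovered into `out`; `queries` counts oracle calls. */
size_t recover_secret(const char *secret, char *out, size_t out_len, size_t *queries)
{
    size_t pos = 0;
    *queries = 0;
    memset(out, 0, out_len);
    while (pos + 1 < out_len) {
        int advanced = 0;
        for (int c = 0x20; c < 0x7f; c++) {      /* 95 printable ASCII bytes */
            size_t steps;
            out[pos] = (char)c;
            out[pos + 1] = '\0';
            (*queries)++;
            if (leaky_check(out, secret, &steps))
                return pos + 1;                  /* full match: done */
            if (steps > pos + 1) {               /* ran past this byte: it is right */
                advanced = 1;
                break;
            }
        }
        if (!advanced)
            break;                               /* no printable byte fits: give up */
        pos++;
    }
    return pos;
}

/* Wrappers exposing just the step counts and verdicts. */
size_t leaky_steps(const char *guess, const char *secret)
{ size_t s; leaky_check(guess, secret, &s); return s; }
size_t constant_steps(const char *guess, const char *secret)
{ size_t s; constant_time_check(guess, secret, &s); return s; }
int constant_eq(const char *guess, const char *secret)
{ size_t s; return constant_time_check(guess, secret, &s); }

/* Runs the attack against DEMO_SECRET; 1 if the whole secret was recovered. */
int demo_recovers_secret(void)
{
    char out[32];
    size_t queries;
    size_t got = recover_secret(DEMO_SECRET, out, sizeof out, &queries);
    return got == strlen(DEMO_SECRET) && strcmp(out, DEMO_SECRET) == 0;
}

/* Number of oracle calls the attack needed for DEMO_SECRET. */
size_t demo_query_count(void)
{
    char out[32];
    size_t queries;
    recover_secret(DEMO_SECRET, out, sizeof out, &queries);
    return queries;
}

int main(void)
{
    printf("recovered: %d, queries: %zu\n", demo_recovers_secret(), demo_query_count());
    printf("steps for wrong first byte: leaky=%zu constant-time=%zu\n",
           leaky_steps("x", DEMO_SECRET), constant_steps("x", DEMO_SECRET));
    return 0;
}
```

Against the nine-byte placeholder the attack needs 414 oracle calls, one per candidate tried, against 95^9 for blind guessing; against constant_time_check the step count is 9 for every guess, so the same loop learns nothing. Real timing attacks over a network need many repeated measurements per candidate to average out noise, but the structure of the leak is the one shown here.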

[+] chrisacky|14 years ago|reply
Lots of segfaults!

By the looks of things, level03 is the furthest anyone has got, based on the logs.

> [32041.680408] level03[17009]: segfault at ffdc50c4 ip 00000000080487b2 sp 00000000ffe0aee0 error 4 in level03[8048000+1000]

[+] tlb|14 years ago|reply
Damn Linux stack randomization. Some amount of brute force seems to be required.
[+] unknown|14 years ago|reply

[deleted]

[+] gdb|14 years ago|reply
I think the machine was actually hosed due to fork bomb. (I kept bumping the rlimits as more people logged in and ran up against nprocs, but the last time I clearly just bumped nprocs way too high. Live and learn....)

You certainly should be able to solve all of the levels without tons of brute force though.