64Base - Walkthrough
It's been a while since I've been able to work on a vulnhub image. I started looking at recent releases and came across 64base. This VM has a Star Wars theme which is always great. Plus, it was 3mrgnc3's first public VM so I had to check it out!
Protostar - stack4
This is my fifth post on the Protostar series hosted by Exploit Exercises
We start off with understanding what is being asked of us:
About
Stack4 takes a look at overwriting saved EIP and standard buffer overflows.
This level is at /opt/protostar/bin/stack4
Hints
- A variety of introductory papers into buffer overflows may help.
- gdb lets you do “run < input”
- EIP is not directly after the end of buffer, compiler padding can also increase the size.
Source code
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void win()
    {
      printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
      char buffer[64];

      gets(buffer);
    }
Nebula - level08
This is my ninth post on the Nebula series hosted by Exploit Exercises
We start off with understanding what is being asked of us:
About
World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.
Source code
There is no source code available for this level.
Protostar - stack3
This is my fourth post on the Protostar series hosted by Exploit Exercises
We start off with understanding what is being asked of us:
About
Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).
Hints
- Both gdb and objdump are your friends for determining where the win() function lies in memory.
Source code
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void win()
    {
      printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
      volatile int (*fp)();
      char buffer[64];

      fp = 0;

      gets(buffer);

      if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
      }
    }
Nebula - level07
This is my eighth post on the Nebula series hosted by Exploit Exercises
We start off with understanding what is being asked of us:
Level07
The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.
Source code
    #!/usr/bin/perl

    use CGI qw{param};

    print "Content-type: text/html\n\n";

    sub ping {
      $host = $_[0];

      print("<html><head><title>Ping results</title></head><body><pre>");

      @output = `ping -c 3 $host 2>&1`;
      foreach $line (@output) { print "$line"; }

      print("</pre></body></html>");
    }

    # check if Host set. if not, display normal page, etc

    ping(param("Host"));