Lab Instructions

Overview

In each lab (every week), you are asked to solve a set of challenges (typically 10, except for the first two weeks). For each challenge you submit three things via the scoreboard: the flag you obtained from the challenge, the exploit you wrote, and a write-up that summarizes how you formulated the exploit (see below).

A flag is an ASCII string that matches the regular expression CS519{[^}]+}, and you can find it either in the challenge program or in the challenge directory (usually as a file named 'flag'). Your job is to read this flag by exploiting the distributed challenges.

Taking actions #1 (Registration)

  1. Provide your own public key to us. You can use the key that you already use for connecting to other servers (if you have one); otherwise, generate a private/public key pair:
# In Linux (Ubuntu)
[host] $ sudo apt-get install openssh-client

# For both Linux and MacOS
[host] $ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.

# select your key location
Enter file in which to save the key (/home/YOUR_ID/.ssh/id_ecdsa):
=> type YOUR_LOCATION or use the default path

# type password
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

# check your key location
Your identification has been saved in YOUR_LOCATION.
Your public key has been saved in YOUR_LOCATION.

Do not forget where you stored your private key and the passphrase for it. Please send us your public key (id_rsa.pub or id_ecdsa.pub) via e-mail to cs519.cand@gmail.com, with the following information:

Name: Yeongjin Jang (your name please)
OSU-ID: 979797199
username: blue9057
Team name on the scoring site: blue9057

Please do not send your private key to us.
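A quick sanity check before attaching the key to the e-mail, added here as an example (it is not part of the course's setup scripts): the shell function below refuses any file that carries a private-key marker and accepts only a one-line OpenSSH public key of a known type. The file names and the key material in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the course material): make sure the file you are
# about to e-mail is an OpenSSH *public* key, never the private half.

# is_ssh_public_key FILE
# Returns 0 if FILE looks like a one-line OpenSSH public key, 1 otherwise.
is_ssh_public_key() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2
        return 1
    fi
    # Every private-key format OpenSSH writes carries a 'PRIVATE KEY' marker;
    # refuse such a file outright.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "REFUSING $f: this is a private key, keep it to yourself" >&2
        return 1
    fi
    # A public key is a single line: <key type> <base64 blob> [comment].
    keytype=$(awk 'NR==1 { print $1 }' "$f")
    fields=$(awk 'NR==1 { print NF }' "$f")
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            [ "${fields:-0}" -ge 2 ] && return 0
            ;;
    esac
    echo "REFUSING $f: not an OpenSSH public key" >&2
    return 1
}

# Demonstration on constructed files so the script runs offline; the key
# material below is a placeholder, not a real key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY= constructed@example' \
    > "$demo_dir/id_ecdsa.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-REAL-KEY' '-----END OPENSSH PRIVATE KEY-----' \
    > "$demo_dir/id_ecdsa"
for f in "$demo_dir/id_ecdsa.pub" "$demo_dir/id_ecdsa"; do
    if is_ssh_public_key "$f" 2>/dev/null; then
        echo "safe to send: $f"
    else
        echo "do not send:  $f"
    fi
done
rm -rf "$demo_dir"
```

Run it as `sh check_pubkey.sh` (any file name works), or source the file and call `is_ssh_public_key ~/.ssh/id_ecdsa.pub` on the key you intend to send; a non-zero exit status means the file must not leave your machine.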

  2. Register your account
  • Visit the submission site: here. You will use the registration menu.
  3. Connect to the course server
# make sure you are on the campus network.
# otherwise, please use OSU VPN
# http://oregonstate.edu/helpdocs/network-and-phone/virtual-private-network-vpn

# login to the course server
# Replace YOURID with the username that you sent to us in the e-mail message above...
[host] $ ssh YOURID@vm-ctf1.eecs.oregonstate.edu

# let's start lab01!
[CTF server] $ cd /home/labs/
[CTF server] $ cd week1
[CTF server] $ cat README
[CTF server] $ ./crackme0x00
  4. Submit your solution and flag
# Submit Flag
  1) Visit the scoring website
     https://ctf.unexploitable.systems

  2) Choose the challenge name from the correct week-X set

  3) Submit the flag!


# Submit Writeup
  (will be announced later)

# NOTE. you don't get a score until you submit a write-up
# NOTE. you can also submit your flag and write-up through the class website

Taking actions #2 (Building local environment)

Although you can solve all challenges on the remote server, it may be inconvenient because you may not be able to install your own tools there. In that case, you can build your own environment. However, you still have to read the flag on the course server (vm-ctf1.eecs.oregonstate.edu).

To build your own environment:

  1. Download and install VirtualBox/Vagrant

Note: Ubuntu users may want to use the following commands to install VirtualBox and Vagrant

[host] $ sudo apt-get install virtualbox
[host] $ sudo apt-get install vagrant
  2. Install and run a VM
# Windows
# create directory to store the repo and the VM
[host] C:\XXXX\YYYY> mkdir cs519
[host] C:\XXXX\YYYY> cd cs519

# clone VM-installing scripts
[host] C:\XXXX\YYYY\cs519> git clone https://github.com/cs519-osu/vagrant-script
[host] C:\XXXX\YYYY\cs519> cd vagrant-script

# install the VM
[host] C:\XXXX\YYYY\cs519\vagrant-script> install_vm.bat


# Linux / MacOS
# create a directory that stores the VM
[host] $ mkdir cs519 # you can change directory name;
[host] $ cd cs519

# Clone a setup script
[host] $ git clone https://github.com/cs519-osu/vagrant-script

# Get into the setup script directory
[host] $ cd vagrant-script

# run script to install a VM (Ubuntu 16.04.3 LTS 64-bit)
# This would take some time...
[host] $ ./install_vm.sh


# After installing the VM,
# Windows / Linux / MacOS
# Run the VM
[host] $ vagrant up

# After running the VM, you can get a shell from it by running:
[host] $ vagrant ssh

# If you need a terminal program for Windows, you can download one from
# here: https://hyper.is/
  3. Once you have the VM up and running, initialize it for this course:
# it's time for setting up your environment
#
[vm] $ fetch week1
...
[vm] $ cd week1
[vm] $ ls
README    ; general info
bin/      ; scripts
challenges/ ; binaries for week1
...

# initialize your working environment (need to be done once per lab, if required)
[vm] $ ./bin/init
  4. If you do not want to install a new VM and already have an Ubuntu VM, take the following route:
# clone vagrant script
[vm] $ git clone https://github.com/cs519-osu/vagrant-script
[vm] $ cd vagrant-script

# install apt packages
[vm] $ sudo ./ubuntu/pkg_install.sh

# install pip packages
# (run with sudo if you are using root-privileged pip repository)
[vm] $ ./ubuntu/pip_install.sh

# Install PEDA, bashrc, and vimrc
# (Please run at the top directory of the repository,
# i.e., run with ./ubuntu/ prefix)
[vm] $ ./ubuntu/others_setup.py

Write-up sample

In this problem, the ebp and ret values are protected by gsstack. While
debugging, you can see that all ebp and ret values are kept track of and
stored somewhere. However, when you make an input large enough, you
will see that a function pointer will be overwritten. And the
overwritten value will be stored in EAX and make it jump at
<main+96>. I put my shellcode as an env, got the address, and put it in. In
my case, the function pointer (0x08048b0a at 0xbffff654) was
overwritten. So we could learn that we could jump using the weak point even
though the stackshield is working.

  $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')