
A-Mahla/Security-Pentest-Part-III

Security - Pentest - Part III - Break the Box RainFall

This virtual machine is provided by school 42 to improve security skills.

🔧 System Requirements:


Usage

  • Download RainFall.iso:
    wget https://cdn.intra.42.fr/isos/RainFall.iso
  • Use a 64-bit virtual machine to run this ISO.
  • Configure a Host-only Adapter (or similar) so the VM is reachable on the local network.
  • SSH port: 4242
    ssh -p 4242 levelX@<ip>

Overview

Contrary to general practice in CTF challenges, a detailed walkthrough for solving each challenge in interactive mode is provided in each level directory. The goal is simple:

  • Get levelX's password from the .pass file located in the home directory of each corresponding user.
  • Log in to the next levelXX account.
  • To begin, the first user is level0 and its password is level0.
  • After user level9, there are four bonus users, from bonus0 to bonus3.
  • The last user is end.

level0@RainFall:~$ ./level0 $(exploit)
$ cat /home/user/level1/.pass
?????????????????????
$ exit
level0@RainFall:~$ su level1
Password:
level1@RainFall:~$ _

Summary

  • level0 : Reverse Engineering
  • level1 : Stack Buffer Overflow - Victory Function
  • level2 : Stack Buffer Overflow - Heap Exploit
  • level3 : Format String
  • level4 : Format String
  • level5 : Format String - GOT overwrite
  • level6 : Heap Buffer Overflow
  • level7 : Heap Buffer Overflow - GOT overwrite
  • level8 : Heap Exploit
  • level9 : Heap Exploit
  • bonus0 : Stack Buffer Overflow
  • bonus1 : Stack Buffer Overflow - Int Overflow
  • bonus2 : Stack Buffer Overflow - Environment Variable
  • bonus3 : Reverse Engineering

The password for userX is stored in the flag file of user<X - 1>, if you want to connect directly to a user.

About

The third in a series of four machines, each pen-tested and explained.
