Treasure hunt

At the moment I’m having a jolly good time playing the game Treasure hunt. My good friend Peter Terslรธv Forsberg (ptrf) gave an interesting talk about it at 2012.

The game was launched by the two computer science students br0ns and iDolf (nicknames) in May 2012 at DIKU. You’re welcome to try it out at Disguised as a game about being a pirate on the seven seas, the game gives you staged hacking challenges and rewards you with gold when you complete them. Your amount of gold dictates your placement on the game’s scoreboard. It’s all about fun and fame. If you know Project Euler and Capture the flag, look at Tresure hunt as a mixture of those two.

In the above screen shot of my terminal, I solve one of the challenges. Take a look at the lines in the terminal. Come on! Don’t be afraid ๐Ÿ˜› Click on the screen shot to view it in its original size. I’m logged in as the user root. No, root isn’t your usual root user. He has no special privileges at this system. I want to read the file win, since it contains gold and a pointer to the next challenge. The file win, however, can only be read by the users daemon and exploitme. It’s obvious that the user daemon is the administrative user of the system. Since daemon has the ability to e.g. crash the server, I’m guessing that the objective is to read the file win by becoming the user exploitme, not daemon. Of course, the name also hints it strongly ๐Ÿ™‚ The executable assignment3 has the group ID exploitme and has been given the setgid attribute. If I can exploit this executable, i.e. make it do what I want it to do, I can read the file win.

Since I don’t want to spoil the game for other players, I will not publish the details of my solution. I will only say this: My first argument to the assignment3 executable is a portion of homemade 32 bit x86 bytecode that executes /bin/sh by making a Linux sys_execve system call. My second argument overflows the stack of one of the functions in the executable, thereby tricking the executable into executing the first argument.

Now I deserve a beer ๐Ÿ˜€