Homework 5 is over! It was due at 12:00pm MST on Wednesday 9/26/18. At exactly 12:00pm, the homework server became inaccessible.
Homework 5 is a “make-up” homework for homeworks 3 and 4. The challenges are almost identical, and you will have walkthroughs for most of the levels.
In terms of submission and so forth, Homework 5 is based on the same high-level concept as the rest.
There is a /flag file, and you get to choose one binary on which the SUID flag will be set.
The binaries that you are allowed to choose are all under the
Each program takes user input on stdin and either contains at least one (intentional) vulnerability or performs a license key verification. If you exploit it, you can get it to read the flag and print it out to you.
The up-shot is this: to read the /flag for a binary, you will have to understand how to exploit it or reverse-engineer its license algorithm.
Homework 5 is intended as a make-up assignment. This is implemented as follows:
- For this assignment, each flag will earn three points. This means that you can get on the curve by making it through 24 challenges. After 70 points (23.33333333 flags), you will be graded on a curve.
- After the curve, your percent grade on this assignment will be set to:
hw5_percent = max(hw5_percent, (hw3_percent+hw4_percent)/2)
- After that, if hw5_percent <= (hw3_percent+hw4_percent)/2, you will be excluded from the curve. Your grade does not suffer, but other students are not penalized by the curve for no reason!
Read syllabus.html for the full details of the grading system.
Every student has a unique set of challenges, generated specifically for them. Thus, collaboration is tricky but also more controllable. The policy for this homework is this: you may help a fellow student on at most four of their challenges.
Accessing Homework 5
We have restored ssh access! Read all about it below.
To start up ssh, you first need to connect as normal, via netcat. The password has been emailed to the class mailing list, and you can check it in the archives.
You can access the HW3 submission and management interface using netcat, or a similar program:
nc cse466.pwn.college 23
When you use this interface to Solve Challenge, it will start an ssh server.
It will tell you something like:
[+++] Path to Binary: /pwn/babypwn/babypwn6_testing_14794979742557037701
d2d50525e808
88e473a341b6fa545cf1444f139858bb3e1903db867055e0e777ad48f8c15bc3
CONTAINER ID   IMAGE   COMMAND                    CREATED        STATUS                  PORTS                   NAMES
88e473a341b6   hw5     "/bin/sh -c \"/start\""   1 second ago   Up Less than a second   0.0.0.0:22214->22/tcp   hw5_zardus
This means that the container is running on port
You can now ssh in like so:
ssh firstname.lastname@example.org -p 22214
Your password is your asurite.
For scriptable interaction, look into pwn.remote to connect to the management interface and pwn.ssh to ssh in.
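An added example (not part of the original assignment page): a parser that pulls the binary path and the forwarded ssh port out of the interface output shown above, so a script can pass the port to pwn.ssh. The names Session, parse_session and open_ssh are hypothetical, and the ssh host defaulting to cse466.pwn.college is an assumption.

```python
import re
from typing import NamedTuple


class Session(NamedTuple):
    binary: str      # path of the challenge binary inside the container
    ssh_port: int    # host port forwarded to the container's sshd (22/tcp)
    container: str   # container name from the NAMES column


# Sample input modelled on the interface output shown above.
SAMPLE = """[+++] Path to Binary: /pwn/babypwn/babypwn6_testing_14794979742557037701
d2d50525e808
88e473a341b6fa545cf1444f139858bb3e1903db867055e0e777ad48f8c15bc3
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
88e473a341b6 hw5 "/bin/sh -c \\"/start\\"" 1 second ago Up Less than a second 0.0.0.0:22214->22/tcp hw5_zardus
"""

PATH_RE = re.compile(r"Path to Binary:\s*(\S+)")
# host_ip:host_port->22/tcp, followed by the container name
PORT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:(\d+)->22/tcp\s+(\S+)")


def parse_session(text: str) -> Session:
    """Extract the binary path and ssh port from the interface output."""
    path = PATH_RE.search(text)
    port = PORT_RE.search(text)
    if not path or not port:
        raise ValueError("output does not describe a running container")
    host_port = int(port.group(1))
    if not 0 < host_port < 65536:
        raise ValueError(f"implausible port {host_port}")
    return Session(path.group(1), host_port, port.group(2))


def open_ssh(session: Session, user: str, password: str,
             host: str = "cse466.pwn.college"):  # host is an assumption
    """Log in to the container with pwntools and return the ssh tube."""
    import pwn  # imported lazily so the parser works without pwntools
    return pwn.ssh(user=user, host=host, port=session.ssh_port,
                   password=password)
```

The regexes match across whitespace, so the parser works whether the output arrives line by line or run together on one line.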
Exfiltrating the challenges
Now that you have ssh access, you can simply scp the challenges out!
The port flag for scp is
What tools are useful?
The tools useful in this assignment are similar to the tools useful in homeworks 3 and 4.
Look through all of the resources for homeworks 3 and 4!