Homework 5 is over! It was due at 12:00pm MST on Wednesday 9/26/18. At exactly 12:00pm, the homework server became inaccessible.

Homework 5 is a “make-up” homework for homeworks 3 and 4. The challenges are almost identical, and you will have walkthroughs for most of the levels.

In terms of submission and so forth, Homework 5 is based on the same high-level concept as the rest. There is a /flag file, and you get to choose one binary on which the SUID flag will be set. The binaries that you are allowed to choose are all under the /pwn directory.

Each program takes user input on stdin and either contains at least one (intentional) vulnerability or performs a license key verification. If you exploit it, you can get it to read the flag and print it out to you.

The upshot is this: to read the /flag for a binary, you will have to understand how to exploit it or reverse-engineer its license algorithm.

Homework 5 is intended as a make-up assignment. This is implemented as such:

Read the syllabus.html for the full details of the grading system.

Collaboration Policy

Every student has a unique set of challenges, generated specifically for them. Thus, collaboration is tricky but also more controllable. The policy for this homework is this: you may help a fellow student on at most four of their challenges.

Accessing Homework 5

We have restored ssh access! Read all about it below.

To start up ssh, you first need to connect as normal, via netcat. The password has been emailed to the class mailing list, and you can check it in the archives.

You can access the HW3 submission and management interface using netcat, or a similar program:

nc 23

When you use this interface to Solve Challenge, it will start an ssh server. It will tell you something like:

[+++] Path to Binary: /pwn/babypwn/babypwn6_testing_14794979742557037701
CONTAINER ID        IMAGE               COMMAND                   CREATED             STATUS                  PORTS                   NAMES
88e473a341b6        hw5                 "/bin/sh -c \"/start\""   1 second ago        Up Less than a second>22/tcp   hw5_zardus

This means that the container is running on port 22214! You can now ssh in like so:

ssh -p 22214

Your password is your asurite.

For scriptable interaction, look into pwn.remote to connect to the management interface and pwn.ssh to ssh in.

Exfiltrating the challenges

Now that you have ssh access, you can simply scp the challenges out! The port flag for scp is -P, not -p.
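
The scripted flow described above, as an added example that is not part of the original course page: it pulls the binary path and the ssh port out of the management interface's output and builds the ssh and scp commands with the correct port flags. The sample banner is constructed (its PORTS column assumes docker's usual host:port->22/tcp form), and the user and host names are placeholders.

```python
import re
import shlex

# Constructed sample of the output shown after "Solve Challenge".
# The 0.0.0.0:22214 mapping is an assumption based on docker's usual PORTS format.
SAMPLE = r'''[+++] Path to Binary: /pwn/babypwn/babypwn6_testing_14794979742557037701
CONTAINER ID        IMAGE               COMMAND                   CREATED             STATUS                  PORTS                   NAMES
88e473a341b6        hw5                 "/bin/sh -c \"/start\""   1 second ago        Up Less than a second   0.0.0.0:22214->22/tcp   hw5_zardus
'''

PATH_RE = re.compile(r"^\[\+\+\+\] Path to Binary: (\S+)$", re.M)
# Host port that docker maps onto the container's sshd (22/tcp).
PORT_RE = re.compile(r":(\d{1,5})->22/tcp\b")


def parse_session(banner):
    """Return (binary_path, ssh_port) from the interface output, or raise ValueError."""
    path = PATH_RE.search(banner)
    port = PORT_RE.search(banner)
    if path is None or port is None:
        raise ValueError("no binary path or no host port mapped to 22/tcp")
    number = int(port.group(1))
    if not 1 <= number <= 65535:
        raise ValueError(f"port {number} out of range")
    return path.group(1), number


def commands(banner, user, host, dest="."):
    """Build argv lists for ssh and scp; ssh takes -p for the port, scp takes -P."""
    path, port = parse_session(banner)
    target = f"{user}@{host}"
    ssh = ["ssh", "-p", str(port), target]
    scp = ["scp", "-P", str(port), f"{target}:{path}", dest]
    return ssh, scp


if __name__ == "__main__":
    # "student" and "homework.example" are placeholders, not course values.
    for argv in commands(SAMPLE, "student", "homework.example"):
        print(shlex.join(argv))
```

In a pwntools script, the banner would be the text received over pwn.remote, and the parsed port would be passed to pwn.ssh.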

What tools are useful?

The tools useful in this assignment are similar to the tools useful in homeworks 3 and 4.

Other resources

Look through all of the resources for homeworks 3 and 4!