42-Course/override

Override - Binary Exploitation CTF

A collection of binary exploitation challenges focusing on various vulnerabilities and exploitation techniques. Each level contains a SUID binary that must be exploited to escalate privileges and retrieve the password for the next level.

Project Structure

Each level directory contains:

  • source.c: Reconstructed C code mimicking the binary's behavior
  • readme.md: Complete documentation including vulnerability analysis, exploitation steps, and prevention methods
  • Ressources/: Binary files and helper scripts for testing
  • flag: Password for the next level
  • Additional helper scripts (Python exploit scripts, C utilities, etc.)

How to Use

  1. Connect to the VM: ssh level00@localhost -p 4242
  2. Analyze the binary: Use tools like GDB, objdump, or Ghidra
  3. Develop exploit: Test locally using files in Ressources/
  4. Execute exploit: Gain access and retrieve the password from /home/users/levelXX/.pass

Level Overview

Level 0 - Hardcoded Password

  • Vulnerability: Hardcoded Credentials (CWE-798)
  • Technique: Reverse engineering to extract hardcoded password
  • Key Learning: Never embed credentials in binaries

Level 1 - Buffer Overflow

  • Vulnerability: Stack-Based Buffer Overflow (CWE-121)
  • Technique: Overwrite return address with shellcode
  • Key Learning: Proper bounds checking with buffer operations

Level 2 - Format String Vulnerability

  • Vulnerability: Improper Output Neutralization for Logs (CWE-134)
  • Technique: Format string exploitation to leak password from stack
  • Key Learning: Never pass user input directly to printf; use explicit format strings

Level 3 - Logic Vulnerability with XOR Decryption

  • Vulnerability: Insufficient Entropy (CWE-331)
  • Technique: Reverse-engineer XOR cipher to calculate correct input
  • Key Learning: Custom cryptography is weak; use proven cryptographic libraries

Level 4 - Buffer Overflow with Ptrace Protection

  • Vulnerability: Improper Restriction of Operations within Bounds (CWE-119)
  • Technique: Buffer overflow with custom shellcode bypassing syscall filtering
  • Key Learning: gets() is inherently unsafe; ptrace monitoring isn't foolproof protection

Level 5 - Format String with GOT Overwrite

  • Vulnerability: Improper Neutralization of Format String (CWE-134)
  • Technique: GOT overwrite using %n format specifier to redirect execution
  • Key Learning: Format strings enable arbitrary memory writes; RELRO prevents GOT overwrites

Level 6 - Anti-Debugging with Hash-Based Authentication

  • Vulnerability: Predictable Algorithm (CWE-330)
  • Technique: Bypass ptrace anti-debugging and reverse-engineer hash algorithm
  • Key Learning: Anti-debugging provides no real security; never implement custom cryptography

Level 7 - Integer Overflow to Arbitrary Write

  • Vulnerability: Integer Overflow to Buffer Overflow (CWE-190)
  • Technique: Integer overflow to bypass array bounds checks and overwrite return address
  • Key Learning: Always validate array indices; check for integer overflow before operations
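
The bounds-check failure described above, as an added example that is not code from the project's levels: the array size (16 four-byte slots) and the index values are constructed for this illustration. The flawed check derives a byte offset in 32-bit arithmetic, so a large index wraps the product back below the limit; the two fixed variants either compare the index itself against the element count or refuse to multiply when the product cannot fit.

```c
#include <stdint.h>

/* Constructed layout: 16 four-byte slots (64 bytes), standing in for the
 * level's array. These numbers are assumptions for the example only. */
#define SLOT_COUNT 16u
#define SLOT_BYTES 4u
#define ARRAY_BYTES (SLOT_COUNT * SLOT_BYTES)

/* Flawed check: the byte offset is computed in 32-bit unsigned arithmetic
 * and wraps modulo 2^32. idx = 0x40000000 gives 0x40000000 * 4, which
 * truncates to 0, so the comparison "passes" for an index far out of range. */
int flawed_index_ok(uint32_t idx) {
    uint32_t offset = idx * SLOT_BYTES;   /* may wrap */
    return offset < ARRAY_BYTES;
}

/* Fixed check, variant 1: compare the index against the element count and
 * never derive a byte offset, so there is no multiplication to wrap. */
int safe_index_ok(uint32_t idx) {
    return idx < SLOT_COUNT;
}

/* Fixed check, variant 2: when a byte offset is needed, reject any index
 * whose product would exceed the type's range before multiplying. */
int safe_offset_ok(uint32_t idx) {
    if (idx > UINT32_MAX / SLOT_BYTES)    /* idx * SLOT_BYTES would wrap */
        return 0;
    return idx * SLOT_BYTES < ARRAY_BYTES;
}

/* Self-check on constructed indices; returns the number of failed
 * expectations (0 means every check behaved as documented above). */
int selftest_index_checks(void) {
    int failures = 0;
    /* last valid index: accepted by all three */
    failures += !flawed_index_ok(15) || !safe_index_ok(15) || !safe_offset_ok(15);
    /* first out-of-range index: rejected by all three */
    failures += flawed_index_ok(16) || safe_index_ok(16) || safe_offset_ok(16);
    /* wrapping index: the flawed check accepts it, the fixed checks do not */
    failures += !flawed_index_ok(0x40000000u);
    failures += safe_index_ok(0x40000000u) || safe_offset_ok(0x40000000u);
    return failures;
}
```

Variant 1 is the one to prefer: validating the index against the number of elements leaves nothing to overflow, and a signed index type would additionally need an explicit `idx < 0` rejection.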

Level 8 - Path Traversal

  • Vulnerability: Path Traversal (CWE-22)
  • Technique: Exploit relative paths to access files outside intended directory
  • Key Learning: Use absolute paths in SUID binaries; validate and canonicalize file paths
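
The "validate and canonicalize" advice above, as an added example that is not code from the project: it assumes a privileged program that may only open files beneath a base directory (the sample base `/home/users/level08` and the sample paths are constructed for the test). `canonicalize_lexical` collapses `.` and `..` components without touching the filesystem, so it does not resolve symlinks; a real SUID program would additionally resolve the path with `realpath()` and open the result rather than the user's string.

```c
#include <stddef.h>
#include <string.h>

/* Collapse "." and ".." components of an absolute path lexically (no
 * filesystem access, so symlinks are not resolved).  Returns 0 on success,
 * -1 if the input is not absolute or the output buffer is too small. */
int canonicalize_lexical(const char *in, char *out, size_t outsz) {
    if (in[0] != '/' || outsz < 2) return -1;
    size_t len = 0;                 /* bytes of out in use, excluding the NUL */
    out[0] = '\0';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;      /* skip separators, which also handles "//" */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* pop the last component; ".." at the root stays at the root */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;     /* drop the '/' that preceded it */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > outsz) return -1;   /* '/', segment, NUL */
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }
    return 0;
}

/* Returns 1 if canonical `path` is `base` itself or lies beneath it.  The
 * separator test stops "/home/users/level080" from matching base
 * "/home/users/level08".  `base` is assumed canonical, without a trailing '/'. */
int path_within(const char *base, const char *path) {
    size_t blen = strlen(base);
    if (strncmp(path, base, blen) != 0) return 0;
    return path[blen] == '\0' || path[blen] == '/';
}

/* The check a privileged program would run before open(): reject relative
 * input outright, canonicalize, then confirm containment. */
int allowed_path(const char *base, const char *requested, char *resolved, size_t n) {
    if (canonicalize_lexical(requested, resolved, n) != 0) return 0;
    return path_within(base, resolved);
}

/* Self-check on constructed paths; returns the number of failed expectations. */
int selftest_paths(void) {
    const char *base = "/home/users/level08";
    char out[64];
    int failures = 0;
    /* ".." that leaves the level's directory: rejected */
    failures += allowed_path(base, "/home/users/level08/../level09/.pass", out, sizeof out) != 0;
    failures += strcmp(out, "/home/users/level09/.pass") != 0;
    /* "." and ".." that stay inside base: accepted */
    failures += allowed_path(base, "/home/users/level08/./backup/../notes", out, sizeof out) != 1;
    failures += strcmp(out, "/home/users/level08/notes") != 0;
    /* ".." above the root is clamped at "/", and the result is outside base */
    failures += allowed_path(base, "/../etc/hostname", out, sizeof out) != 0;
    failures += strcmp(out, "/etc/hostname") != 0;
    /* relative paths are rejected before any resolution */
    failures += allowed_path(base, "backup/notes", out, sizeof out) != 0;
    return failures;
}
```

The containment check runs on the canonical form, never on the raw request: a prefix test on `/home/users/level08/../level09/.pass` would pass, which is exactly the mistake the level exploits.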

Level 9 - Off-by-One Buffer Overflow

  • Vulnerability: Off-by-One Error (CWE-193)
  • Technique: Off-by-one overwrites length field, enabling buffer overflow to hidden function
  • Key Learning: Loop conditions matter (< vs <=); off-by-one errors are subtle but dangerous
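
The `<` versus `<=` point above, as an added example that is not the level's code: the record layout (an 8-byte name followed by a 1-byte length) is constructed so that the one extra iteration lands exactly on the length field. The record is a single flat 9-byte object, so the demonstration is fully defined C rather than relying on undefined out-of-bounds behaviour.

```c
#include <string.h>

/* Constructed record: bytes 0-7 hold the name, byte 8 holds its length.
 * This mirrors a "buffer followed by its length field" layout. */
#define NAME_CAP 8
#define LEN_OFF  NAME_CAP
typedef unsigned char record_t[NAME_CAP + 1];

/* Off-by-one copy: `i <= NAME_CAP` allows i == NAME_CAP, so rec[8] is
 * written, and rec[8] is the length byte that follows the buffer.  With a
 * 9-character input the stored length becomes the 9th character's value. */
static void copy_name_buggy(record_t rec, const char *src) {
    unsigned i;
    rec[LEN_OFF] = (unsigned char)strlen(src);
    for (i = 0; i <= NAME_CAP && src[i] != '\0'; i++)   /* BUG: <= instead of < */
        rec[i] = (unsigned char)src[i];
}

/* Fixed copy: `i < NAME_CAP` keeps every write inside the name bytes, and
 * the length records what was actually stored (no terminator is needed
 * because the length is kept separately). */
static void copy_name_fixed(record_t rec, const char *src) {
    unsigned i;
    for (i = 0; i < NAME_CAP && src[i] != '\0'; i++)
        rec[i] = (unsigned char)src[i];
    rec[LEN_OFF] = (unsigned char)i;
}

/* Length byte observed after each copy of `src` into a zeroed record. */
unsigned stored_len_buggy(const char *src) {
    record_t rec;
    memset(rec, 0, sizeof rec);
    copy_name_buggy(rec, src);
    return rec[LEN_OFF];
}

unsigned stored_len_fixed(const char *src) {
    record_t rec;
    memset(rec, 0, sizeof rec);
    copy_name_fixed(rec, src);
    return rec[LEN_OFF];
}
```

With an 8-character input both versions agree, which is why the bug survives casual testing; only a 9-character input reaches the extra iteration, and then the buggy version reports a length of 0x41 ('A') instead of 9.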

Common Themes

Memory Corruption

  • Buffer Overflows (Level 1, 4, 7, 9): Stack-based overflows from unbounded input
  • Format Strings (Level 2, 5): Arbitrary read/write through printf vulnerabilities
  • Off-by-One Errors (Level 9): Subtle boundary mistakes with major impact

Exploitation Techniques

  • Return Address Overwrite: Redirect execution flow to shellcode or functions
  • GOT Overwrites: Hijack function pointers in Global Offset Table
  • Shellcode Injection: Custom assembly payloads in stack or environment
  • Integer Overflow: Bypass bounds checks through arithmetic wraparound

Protection Bypass

  • Anti-Debugging (Level 3, 4, 6): Ptrace detection and syscall filtering
  • Input Validation (Level 3, 6, 7): Logic flaws in security checks
  • Custom Cryptography (Level 3, 6): Weak algorithms vulnerable to analysis

Reverse Engineering

  • GDB Analysis: Disassembly, breakpoints, register inspection
  • Stack Layout: Understanding function prologue/epilogue, local variables
  • Assembly Patterns: Recognizing loops, conditionals, function calls
  • Algorithm Recovery: Reconstructing logic from machine code

Security Best Practices

Based on vulnerabilities exploited in this project:

  1. Input Validation: Never trust user input; validate length, format, and content
  2. Safe Functions: Use bounds-checked alternatives (fgets vs gets, snprintf vs sprintf)
  3. Format Strings: Always use explicit format specifiers: printf("%s", input)
  4. Memory Protection: Enable stack canaries, NX, ASLR, RELRO, PIE
  5. Cryptography: Use proven libraries (libsodium, OpenSSL) not custom algorithms
  6. Path Handling: Use absolute paths and canonicalization in privileged programs
  7. Integer Safety: Check for overflow before arithmetic operations
  8. Compiler Flags: Enable warnings and FORTIFY_SOURCE protections
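
Items 1 to 3 of this list, as they apply to the unbounded reads of Levels 1 and 4 and the format strings of Levels 2 and 5, as an added example that is not code from the project: `read_line` replaces `gets` with a bounded `fgets` and handles the case practitioners usually forget (a line longer than the buffer, whose remainder would otherwise be read as the next input), and `format_log_line` passes user text as a `%s` argument so it is never interpreted as a format string. The self-test's input lines are constructed; `tmpfile()` is used only to feed them through a real `FILE *`.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (capacity n) with fgets instead of gets.
 * Returns 1 for a complete line, 2 if the line was longer than the buffer
 * (the excess is consumed and discarded so the next call starts on a fresh
 * line), 0 on EOF or error.  The trailing newline is stripped. */
int read_line(char *buf, size_t n, FILE *in) {
    if (n == 0 || fgets(buf, (int)n, in) == NULL) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline: the line filled the buffer, or it was the last line of the
     * stream.  Drain to end of line so leftover bytes are not replayed later. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated ? 2 : 1;
}

/* Build a log line with an explicit "%s" so the user's text is data, never a
 * format string, and snprintf bounds the write.  Returns snprintf's result. */
int format_log_line(char *out, size_t n, const char *user_text) {
    return snprintf(out, n, "input: %s", user_text);
}

/* Self-check on constructed input; returns the number of failed expectations. */
int selftest_safe_io(void) {
    int failures = 0;
    char buf[8], line[32];
    FILE *in = tmpfile();
    if (in == NULL) return 99;
    fputs("AAAAAAAAAAAA\nok\n", in);   /* one over-long line, then a short one */
    rewind(in);
    /* 12 A's into an 8-byte buffer: 7 kept, rest discarded, reported as truncated */
    failures += read_line(buf, sizeof buf, in) != 2 || strcmp(buf, "AAAAAAA") != 0;
    /* the next read starts on the following line, not on the leftover A's */
    failures += read_line(buf, sizeof buf, in) != 1 || strcmp(buf, "ok") != 0;
    failures += read_line(buf, sizeof buf, in) != 0;
    fclose(in);
    /* directives in user text stay literal instead of being interpreted */
    failures += format_log_line(line, sizeof line, "%x%x%n") < 0
             || strcmp(line, "input: %x%x%n") != 0;
    return failures;
}
```

Items 4 and 8 are build settings rather than code: compiling with `-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now` turns on canaries, fortified libc calls, PIE and full RELRO; the `-z,now` part is what makes the GOT read-only after loading and so blocks the overwrite used in Level 5.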

Resources

VM Access

  • SSH Port: 4242
  • Users: level00-level09
  • Password Location: /home/users/levelXX/.pass

Project Completion

This project covers 10 levels of progressively challenging binary exploitation scenarios, from simple hardcoded passwords to complex off-by-one vulnerabilities with PIE bypasses. Each level includes detailed documentation, source code reconstruction, and exploit scripts for educational purposes.

About

Cybersecurity project, ctf III
