For far too long, I have known about buffer overflows, insecure coding, SQL injections and much more, without actually getting a real grip on things. So, three days ago, I started to play around with the wargames at http://www.overthewire.org/wargames/. I figured that the wargames were listed by difficulty, so I started with Vortex.
I solved level 0, 1 and 2. Level 0 was quite easy, even though I don't usually program in C. Level 1 was the trickiest of them, since it's pretty easy to understand what's going on, but very hard to make the program behave as you want it to (hint: http://www.pixelbeat.org/programming/stdio_buffering/). Level 2 was rather easy, if you think a bit outside the box.
But level 3 is where things escalated quickly(TM)! Level 2 was about creating a "special" tar file. In level 3, you have to craft your own shellcode, which for me seems to be a very steep learning curve! So I figured I'd try one of the other wargames, maybe I could learn something useful and then return to Vortex 3.
I went on to try my luck on the Semtex wargame. Level 0 was easily solved. Level 1 took some time, and a bit of paper and pencil, but was a rather fun level. Level 2 annoyed the hell out of me, since I know exactly what to do, but can't get it to work (something along the lines of this, I believe).
Sooo, I decided to try yet another wargame. I figured that I would browse the different wargames to read a bit about them (what a great idea).
I found the Bandit wargame - for the complete beginner. Basic Linux commands and such. I figured that I'd try it. If I can't beat a wargame with basic Linux commands, I'm fscked! I actually cheated a bit on level 8, using AWK to find a unique line. (When somebody asked for help about this level, I re-read the manual page for uniq and found a solution.) But other than that, it was a pretty fun wargame. I even forwarded the link to a couple of Linux-using friends, so they can learn a bit more about the command line. :-)
Now, I'm going to try the Leviathan wargame, which I will write about later on.
Written by Jannich Brendle, Fri 22 March 2013, in Security