bronies Web (800 pts) ------------------- We are trying to break into eXtreme Secure Solutions, where The Plague works as a system adminstrator. We have found that their internal company login page is at http://portal.essolutions.largestctf.com/. Recon has also revealed that The Plague likes to browse this site during work hours: http://22.214.171.124/ using the username ponyboy2004. Remember, our main target is to break into the company portal, *not* the pony site.
ezhp Pwnables (200 pts) ------------------- Luckily when you travel back in time, you still get to use all your knowledge from the present. With that knowledge in hand, breaking into this service (at 126.96.36.199:9174) owned by The Plague shouldn't be hard at all.
To set the picture, let’s identify the binary
:::bash izsh@box:~$ file ezhp ezhp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x5fa5bd76db306497b549ea3b0466cd9e9afa2705, stripped izsh@box:~$ readelf -l ezhp | grep STACK GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
__nightmares__ Pwning (375 pts) ------------------- The Plague is building an army of evil hackers, and they are starting off by teaching them python with this simple service. Maybe if you could get full access to this system, at 188.8.131.52:9990, you would be able to find out more about The Plague's evil plans.
This server simply evaluates any Python expression provided - with an attempt at sandboxing it.