10 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex2.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 |
6 | int main(int argc, char **argv) /* Replaces this process with /bin/tar in create mode ("cf"), archiving up to three caller-supplied paths. */
7 | {
8 | char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] }; /* NOTE(review): argc is never checked, so argv[1..3] may be NULL or lie past the end of argv. The array has no terminating NULL, which execv() requires. No shell is involved, so "$$" reaches tar literally and the archive path under /tmp is fixed and predictable. */
9 | execv(args[0], args); /* Return value ignored: if execv() fails, main falls off the end without reporting the error. */
10 | }
11 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit27.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 27
5 | ---
6 | Level Goal
7 | ----------
8 | Good job getting a shell! Now hurry and grab the password for bandit27!
9 |
10 | Commands you may need to solve this level
11 | -----------------------------------------
12 | ls
13 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex12.server.h:
--------------------------------------------------------------------------------
1 | struct auth { /* Element type of the list array in struct sharea; the meaning of the fields is not shown in this header. */
2 | unsigned int token;
3 | unsigned int perms; /* presumably a permission mask or level; confirm against the server source */
4 | unsigned int timestamp;
5 | };
6 |
7 |
8 | struct sharea { /* Aggregate holding a table of 32 struct auth entries plus two bookkeeping fields. */
9 | int sem; /* presumably a semaphore identifier or counter guarding this area; TODO confirm */
10 | unsigned int bitmap; /* NOTE(review): 32 list slots and a (typically 32-bit) unsigned int suggest one bit per slot; confirm */
11 | struct auth list[32];
12 | };
13 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit33.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 33
5 | ---
6 |
7 | Level Goal
8 | ----------
9 | After all this `git` stuff, it's time for another escape. Good luck!
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | sh, man
14 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex7.c:
--------------------------------------------------------------------------------
1 | int main(int argc, char **argv) /* Computes a checksum over argv[1]; if it equals a fixed constant the argument is copied into a stack buffer, otherwise the checksum is printed. */
2 | {
3 | char buf[58]; /* fixed-size destination for the strcpy() below */
4 | u_int32_t hi; /* value returned by crc32() */
5 | if((hi = crc32(0, argv[1], strlen(argv[1]))) == 0xe1ca95ee) { /* NOTE(review): argc is not checked, so argv[1] may be NULL here; crc32() is defined outside this listing */
6 | strcpy(buf, argv[1]); /* NOTE(review): unbounded copy; the checksum test does not constrain length, so input longer than 57 bytes overruns buf. A length check or a bounded copy is the usual remedy. */
7 | } else {
8 | printf("0x%08x\n", hi); /* non-matching input: print the checksum as 8 hex digits */
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex9.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 9
5 | ---
6 | BlackBox
7 | --------
8 | There is no information available for this level. Login to
9 | [vortex.labs.overthewire.org][] and check it out.
10 |
11 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
12 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 5
5 | ---
6 | Level Info
7 | ----------
8 |
9 | Frequency analysis (FA) can break a known key length as well. Let's try one last
10 | polyalphabetic cipher, but this time the key length is unknown.
11 | Note: the text is written in American English.
12 |
13 | Enjoy.
14 |
15 |
16 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 2
5 | ---
6 | Level Goal
7 | ----------
8 | Create a special tar file
9 |
10 | Helpful Reading Material
11 | ------------------------
12 | [GNU tar manual][]
13 |
14 | {% include showFile.html path="vortex2.c" %}
15 |
16 | [GNU tar manual]: http://linux.die.net/man/1/tar
17 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 1
5 | ---
6 | Simple encryption
7 | -----------------
8 | A password has been encrypted using the /semtex/semtex1 tool.
9 | The encrypted password is HRXDZNWEAWWCP.
10 | You have to reverse engineer the algorithm and decrypt the password.
11 | You might try the -v switch for encrypt.
12 |
13 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex13.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 13
5 | ---
6 | Inconveniences
7 | --------------
8 | How big is your shellcode? This level has a non-executable stack.
9 | You must login to [vortex.labs.overthewire.org][] to complete this
10 | level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 7
5 | ---
6 | Gentlemen, start your disassemblers
7 |
8 | **Material:**
9 |
10 | [IDA Pro Freeware][]
11 |
12 | [IDA Pro Demo][]
13 |
14 | [IDA Pro Freeware]: http://www.hex-rays.com/idapro/idadownfreeware.htm
15 | [IDA Pro Demo]: http://www.hex-rays.com/idapro/idadowndemo.htm
16 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex16.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 16
5 | ---
6 | The BOFH
7 | --------
8 | This level requires finding 100 bits out of a 128 bit randomly
9 | generated hashed key. You must login to
10 | [vortex.labs.overthewire.org][] to complete this level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 5
5 | ---
6 | Level 5 is a series of relatively simple logic/math games.
7 |
8 | The game 3 is always solvable - if you are stuck on it you may wish to
9 | reverse engineer the applicable part of the binary ;) Granted, the
10 | coding for that was horrible, but it'd give you a way to solve it.
11 |
--------------------------------------------------------------------------------
/wargames/vortex/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | title: Vortex
5 | ---
6 |
7 | Vortex
8 | ======
9 |
10 | The Vortex wargame is currently composed of 27 levels. Most files you
11 | need are in /vortex/. Special thanks to the many people who have helped
12 | set up and maintain this wargame.
13 |
14 | Many thanks to those who have made sure all levels can be played
15 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex17.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 17
5 | ---
6 | Working Backwards
7 | -----------------
8 | This level requires you to work backwards to find out what's
9 | happening then exploit it. You must login to
10 | [vortex.labs.overthewire.org][] to complete this level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex20.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 20
5 | ---
6 | Remote Integer Fun
7 | ------------------
8 | The source code for the exploitable application can be found in
9 | "/home/vortex20". You must login to [vortex.labs.overthewire.org][]
10 | to complete this level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex11.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 11
5 | ---
6 | Deja vue
7 | --------
8 | /rdx/vl1b is vortex semtex1 with a slight modification to make
9 | things a little bit harder.
10 |
11 | Thanks to andrewg for inspiration.
12 |
13 | Suggested reading
14 | -----------------
15 | manpages: popen, dup2
16 |
17 | {% include showFile.html path="semtex11.c" %}
18 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex12.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 12
5 | ---
6 | We don't want no executable stack
7 | ---------------------------------
8 | Exploit this level knowing that the stack is not executable. You
9 | must login to [vortex.labs.overthewire.org][] to complete this
10 | level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex23.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 23
5 | ---
6 | The Properties of a Mirror
7 | --------------------------
8 | It's time for some independent research, the title of this level
9 | serves as quite a hint. You must login to
10 | [vortex.labs.overthewire.org][] to complete this level.
11 |
12 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
13 |
--------------------------------------------------------------------------------
/information/website.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: Edit Website
5 | ---
6 |
7 | Editing this website
8 | ====================
9 |
10 | If you spot an error on this webpage, you may correct it yourself
11 | by cloning this website from
12 | and submitting a pull request.
13 |
14 | Thank you very much for your help!!
15 |
16 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex10.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 10
5 | ---
6 | Random?
7 | -------
8 | Read in 20 integers and write the seed used to generate those
9 | numbers in unsigned little endian format. You have a time limit of
10 | 30 seconds to do this. You must login to
11 | [vortex.labs.overthewire.org][]
12 |
13 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
14 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 2
5 | ---
6 | Dynamic tricks
7 | --------------
8 | This program checks your user ID.
9 |
10 | Perhaps you can trick it, so that it thinks you have a different one.
11 |
12 | Think dynamically.
13 |
14 | Reading Material
15 | ----------------
16 | - [Link][]
17 |
18 | [Link]: http://www.google.com/search?q=linux+function+interception
19 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit19.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 19
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a file **readme** in
9 | the home directory. Unfortunately, someone has modified **.bashrc**
10 | to log you out when you log in with SSH.
11 |
12 | Commands you may need to solve this level
13 | -----------------------------------------
14 | ssh, ls, cat
15 |
16 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex8.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 8
5 | ---
6 | Some simple reverse engineering
7 | -------------------------------
8 | Disassemble this dynamically linked executable.
9 |
10 | Reading Material
11 | ----------------
12 | - [Reverse Engineering][]
13 |
14 | [Reverse Engineering]: https://web.archive.org/web/20160315083251/http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/
15 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit10.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 10
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the file **data.txt**
9 | in one of the few human-readable strings, preceded by several '='
10 | characters.
11 |
12 | Commands you may need to solve this level
13 | -----------------------------------------
14 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
15 |
16 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 3
5 | ---
6 | Level 3 is a remote heap corruption issue. Source code can be found in
7 | /drifter/drifter3_src/. It is linked against an ancient malloc
8 | implementation so it should be easily exploitable :)
9 |
10 | [Once upon a free()...][] - suitable reading material, amongst others.
11 |
12 | [Once upon a free()...]: http://phrack.org/archives/issues/57/9.txt
13 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 0
5 | ---
6 | Level Info
7 | ----------
8 | Welcome to Krypton! The first level is easy. The following string
9 | encodes the password using Base64:
10 |
11 | S1JZUFRPTklTR1JFQVQ=
12 |
13 | Use this password to log in to krypton.labs.overthewire.org with
14 | username krypton1 using SSH on port 2231. You can find the files for other levels in
15 | /krypton/
16 |
17 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit8.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 8
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the file **data.txt**
9 | next to the word **millionth**
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | [man](https://manpages.ubuntu.com/manpages/noble/man1/man.1.html),
14 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
15 |
--------------------------------------------------------------------------------
/js/updatedmarkers.js:
--------------------------------------------------------------------------------
1 | // These numbers indicate to the browser since which timestamp there is new
2 | // content for a certain pathname. If the value listed here is higher
3 | // than the value the browser has stored in localStorage, an "updated" text balloon
4 | // is shown over the link of the menu item.
5 | //
6 | // make sure these numbers only go up...
7 | // format: YYYYMMDDHHMM
8 |
9 | updatedmarkers = { // no var/let/const here: in a non-strict script this assigns a global
10 | "/information/donate.html": 201901072331, // 2019-01-07 23:31 in the YYYYMMDDHHMM format described above
11 | };
12 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit25.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 25
5 | ---
6 | Level Goal
7 | ----------
8 | A daemon is listening on port 30002 and will give you the password for
9 | bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode.
10 | There is no way to retrieve the pincode except by going through all of the 10000
11 | combinations, called brute-forcing.
12 | You do not need to create new connections each time.
13 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter14.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 14
5 | ---
6 | This level utilises code from several places. The main vulnerable code
7 | lies in a 3rd party library. The other code present may allow you to
8 | more easily gain code execution.
9 |
10 | The library code can be found in /drifter/drifter14_src/
11 |
12 | If you're feeling kind hearted, you may wish to tell the developer of
13 | the bugs you found in the library code :-)
14 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex15.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 15
5 | ---
6 | Weak Encryption
7 | ---------------
8 | You have found an encrypted file, decrypt it (some reversing, crypt
9 | and general analysis needed, and if you're lazy, the password is
10 | 8-bytes long and contains values between A and Z). You must login to
11 | [vortex.labs.overthewire.org][] to complete this level.
12 |
13 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
14 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit22.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 22
5 | ---
6 | Level Goal
7 | ----------
8 | A program is running automatically at regular intervals from
9 | **cron**, the time-based job scheduler. Look in **/etc/cron.d/** for
10 | the configuration and see what command is being executed.
11 |
12 | Commands you may need to solve this level
13 | -----------------------------------------
14 | cron, crontab, crontab(5) (use "man 5 crontab" to access this)
15 |
16 |
--------------------------------------------------------------------------------
/information/staff.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: Staff
5 | ---
6 |
7 | Staff
8 | =====
9 |
10 | The OverTheWire staff consists of volunteers that spend their spare time and
11 | money maintaining the infrastructure and creating new games.
12 |
13 | - Kylir
14 | - semchapeu
15 | - Steven "Steven" Van Acker
16 | - Wrennnnnnn
17 | - ypsehlig
18 |
19 | If you need to, you may [contact us through chat].
20 |
21 | [contact us through chat]: /information/chat.html
22 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 5
5 | ---
6 | MD5 Brute Force
7 | ---------------
8 | A password is required for the next level. vortex5.c and md5.h.
9 | a-z,A-Z,0-9 is the search space. The password length is 5 chars
10 | long, it was originally 7 chars long.
11 |
12 | Collision(s) tested : 489265082 in 217 second(s), 361 millisec, 101 microsec.
13 | Average of 2250932.1 hashes/sec.
14 |
15 | {% include showFile.html path="vortex5.c" %}
16 |
17 |
--------------------------------------------------------------------------------
/information/alumni.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: Alumni
5 | ---
6 |
7 | OverTheWire Alumni
8 | ==================
9 |
10 | OverTheWire (formerly known as PullThePlug.org) has been staffed
11 | by many volunteers over the years. We appreciate all of them and their efforts.
12 |
13 | - Andrew "andrewg" Griffiths
14 | - Daniel "arcanum" Alvarez
15 | - "aton"
16 | - Bob "bk" Krouse
17 | - Brian "dies" G.
18 | - Samy "Samy" Al Bahra
19 | - Ken "misery" D.
20 | - morla
21 |
22 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 4
5 | ---
6 | Ptrace your way
7 | ---------------
8 |
9 | Pass prints the password for the level you are on. Try to make it print
10 | the next level's password.
11 | This time it is not so easy:
12 |
13 | /semtex/semtex4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.15, stripped
14 |
15 | Tip :
16 | - Pass uses geteuid() to get its information.
17 | - Read man ptrace
18 |
19 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit28.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 28
5 | ---
6 | Level Goal
7 | ----------
8 | There is a git repository at `ssh://bandit27-git@bandit.labs.overthewire.org/home/bandit27-git/repo` via the port `2220`. The password for the user `bandit27-git` is the same as for the user `bandit27`.
9 |
10 | Clone the repository and find the password for the next level.
11 |
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | git
16 |
17 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit29.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 29
5 | ---
6 | Level Goal
7 | ----------
8 | There is a git repository at `ssh://bandit28-git@bandit.labs.overthewire.org/home/bandit28-git/repo` via the port `2220`. The password for the user `bandit28-git` is the same as for the user `bandit28`.
9 |
10 | Clone the repository and find the password for the next level.
11 |
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | git
16 |
17 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit30.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 30
5 | ---
6 | Level Goal
7 | ----------
8 | There is a git repository at `ssh://bandit29-git@bandit.labs.overthewire.org/home/bandit29-git/repo` via the port `2220`. The password for the user `bandit29-git` is the same as for the user `bandit29`.
9 |
10 | Clone the repository and find the password for the next level.
11 |
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | git
16 |
17 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit31.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 31
5 | ---
6 | Level Goal
7 | ----------
8 | There is a git repository at `ssh://bandit30-git@bandit.labs.overthewire.org/home/bandit30-git/repo` via the port `2220`. The password for the user `bandit30-git` is the same as for the user `bandit30`.
9 |
10 | Clone the repository and find the password for the next level.
11 |
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | git
16 |
17 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit32.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 32
5 | ---
6 | Level Goal
7 | ----------
8 | There is a git repository at `ssh://bandit31-git@bandit.labs.overthewire.org/home/bandit31-git/repo` via the port `2220`. The password for the user `bandit31-git` is the same as for the user `bandit31`.
9 |
10 | Clone the repository and find the password for the next level.
11 |
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | git
16 |
17 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex26.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 26
5 | ---
6 | Create your own challenges
7 | --------------------------
8 | {% include beginNote.html title="Vortex is complete" %}
9 | This description is kept for historical reasons, but should not be followed.
10 | We are no longer expanding Vortex with new levels.
11 | {% include endNote.html %}
12 |
13 | Due to the overwhelming flood of new levels, vortex26 shall be to
14 | make a level, along with exploit, and email it to andrewg.
15 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex11.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 |
5 | int main(int argc, char **argv) { /* Allocates four heap blocks, copies argv[1] and argv[2] into two of them, then exits. */
6 | char *p;
7 | char *q;
8 | char *r;
9 | char *s;
10 | if (argc < 3) /* both argv[1] and argv[2] are required */
11 | {
12 | exit(0);
13 | }
14 | p = (char *) malloc(0x800); /* 2048 bytes; never written, read or freed in this listing */
15 | q = (char *) malloc(0x10); /* 16 bytes; likewise unused */
16 | r = (char *) malloc(0x800); /* NOTE(review): none of the malloc() results is checked for NULL */
17 | strcpy(r , argv[1]); /* NOTE(review): unbounded copy into a 2048-byte block; an argv[1] of 2048 bytes or more writes past the allocation */
18 | s = (char *) malloc(0x10); /* 16 bytes */
19 | strncpy(s , argv[2], 0xf); /* copies at most 15 bytes into 16; strncpy() never writes s[15], so s is not guaranteed to be NUL-terminated */
20 | exit(0);
21 | }
22 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit11.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 11
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the file **data.txt**,
9 | which contains base64 encoded data
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
14 |
15 | Helpful Reading Material
16 | ------------------------
17 | - [Base64 on Wikipedia][]
18 |
19 | [Base64 on Wikipedia]: https://en.wikipedia.org/wiki/Base64
20 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 1
5 | ---
6 | Level Info
7 | ----------
8 | The password for level 2 is in the file 'krypton2'. It is
9 | 'encrypted' using a simple rotation. It is also in non-standard
10 | ciphertext format. When using alpha characters for cipher text it is
11 | normal to group the letters into 5 letter clusters, regardless of
12 | word boundaries. This helps obfuscate any patterns. This file has
13 | kept the plain text word boundaries and carried them to the cipher
14 | text. Enjoy!
15 |
16 |
--------------------------------------------------------------------------------
/css/wechall.css:
--------------------------------------------------------------------------------
1 | #wechallform { /* Styles the element with id "wechallform" as a fixed-width panel positioned near the top-right of its containing block. */
2 | position: absolute;
3 | background: #122639;
4 | color: white;
5 | padding: 10px;
6 | padding-left: 70px; /* overrides the shorthand above; presumably leaves room for the background image on the left */
7 | padding-right: 0px;
8 | width: 200px;
9 |
10 | right: 30px; /* offsets from the right and top edges */
11 | top: 80px;
12 |
13 | border-radius: 15px;
14 | box-shadow: 0 3px 0.7px 1px #777777, 0 -7px rgba(0, 0, 0, 0.4) inset; /* outer drop shadow plus an inset shadow along the bottom edge */
15 |
16 | background-image:url('/img/wechall.gif'); /* image drawn 30px high, left-aligned and vertically centred, not tiled */
17 | background-size: auto 30px;
18 | background-position: left center;
19 | background-repeat:no-repeat;
20 | }
21 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit20.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 20
5 | ---
6 | Level Goal
7 | ----------
8 | To gain access to the next level, you should use the setuid binary
9 | in the home directory. Execute it without arguments to find out how
10 | to use it. The password for this level can be found in the usual
11 | place (/etc/bandit\_pass), after you have used the setuid binary.
12 |
13 | Helpful Reading Material
14 | ------------------------
15 | - [setuid on Wikipedia][]
16 |
17 | [setuid on Wikipedia]: https://en.wikipedia.org/wiki/Setuid
18 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit9.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 9
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the file **data.txt**
9 | and is the only line of text that occurs only once
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
14 |
15 | Helpful Reading Material
16 | ------------------------
17 | - [Piping and Redirection][]
18 |
19 | [Piping and Redirection]: https://ryanstutorials.net/linuxtutorial/piping.php
20 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 7
5 | ---
6 | Multi-vitamin
7 | -------------
8 | Getting out of the restricted shell shouldn't take you more than
9 | five minutes. Then have a look at /rdx/multivitamin. Try to analyse
10 | the algorithm very carefully. There is a weakness that really speeds
11 | up your quest...\
12 |
13 | **Multiplication is easy, and so is division...?**
14 | You might want to look at [http://gmplib.org/][] if you use c.
15 |
16 | {% include showFile.html path="semtex7.c" %}
17 |
18 | [http://gmplib.org/]: http://gmplib.org/
19 |
--------------------------------------------------------------------------------
/_includes/information.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | {% include menu_item.html link="/information/donate.html" name="Donate!" %}
4 | {% include menu_item.html link="/information/chat.html" name="Contact via Chat" %}
5 | {% include menu_item.html link="/information/website.html" name="Edit website" %}
6 | {% include menu_item.html link="/information/wechall.html" name="WeChall Scoreboard" %}
7 |
8 | {% include menu_item.html link="/information/staff.html" name="Staff" %}
9 | {% include menu_item.html link="/information/alumni.html" name="Alumni" %}
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 3
5 | ---
6 | Number-Lock Action
7 | ------------------
8 | You are almost on Semtex 3, there is just one big door before you.
9 | It is locked with a number lock.
10 | **Analyze** and use the locks in /semtex/semtex3 to adjust all the
11 | numbers in the correct way.
12 | They will open your way to the next level.
13 |
14 | Tip :
15 | **If you are not good at math, you should consider brute force.
16 | Rewrite the program and try all possible combinations of the locks.
17 | It won't take more than a few seconds ;)**
18 |
19 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit12.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 12
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the file **data.txt**,
9 | where all lowercase (a-z) and uppercase (A-Z) letters have been
10 | rotated by 13 positions
11 |
12 | Commands you may need to solve this level
13 | -----------------------------------------
14 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
15 |
16 | Helpful Reading Material
17 | ------------------------
18 | - [Rot13 on Wikipedia][]
19 |
20 | [Rot13 on Wikipedia]: https://en.wikipedia.org/wiki/ROT13
21 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 1
5 | ---
6 | Canary Values
7 | -------------
8 | We are looking for a specific value in ptr. You may need to consider
9 | how bash handles EOF..
10 |
11 | Reading Material
12 | ----------------
13 | - [Smashing the Stack for Fun and Profit][]
14 | - [Smashing The Modern Stack For Fun And Profit][]
15 |
16 | {% include showFile.html path="vortex1.c" %}
17 |
18 | [Smashing the Stack for Fun and Profit]: http://www.phrack.com/issues/49/14.html#article
19 | [Smashing The Modern Stack For Fun And Profit]: https://www.exploit-db.com/papers/13162/
20 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 6
5 | ---
6 | Generic Binary Exploitation
7 | ---------------------------
8 | You must disassemble this level's exploitable application in order
9 | to find the hole.
10 |
11 | Reading Material
12 | ----------------
13 | - [Reconstructing Binaries to C For Beginners][]
14 | - [Reverse Engineering - Functions... functions! functions!? sheesh][]
15 |
16 | [Reconstructing Binaries to C For Beginners]: http://www.exploit-db.com/papers/13216/
17 | [Reverse Engineering - Functions... functions! functions!? sheesh]: http://www.exploit-db.com/papers/13215/
18 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 7
5 | ---
6 | Checksum Fun
7 | ------------
8 | This level requires CRC\_32(argv[1], strlen(argv[1])) to be
9 | 0xe1ca95ee. You might need to extract the crc tables from the
10 | program.
11 |
12 | Reading Material
13 | ----------------
14 | - [CRC and How to Reverse It][]
15 | - [CRC and How to Reverse It (mirror)][]
16 |
17 | {% include showFile.html path="vortex7.c" %}
18 |
19 | [CRC and How to Reverse It]: http://www.woodmann.com/fravia/crctut1.htm
20 | [CRC and How to Reverse It (mirror)]: http://taz.newffr.com/TAZ/Reverse_Engineering/CRC.html
21 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit18.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 18
5 | ---
6 | Level Goal
7 | ----------
8 | There are 2 files in the homedirectory: **passwords.old and
9 | passwords.new**. The password for the next level is in
10 | **passwords.new** and is the only line that has been changed between
11 | **passwords.old and passwords.new**
12 |
13 | **NOTE: if you have solved this level and see 'Byebye!' when trying
14 | to log into bandit18, this is related to the next level, bandit19**
15 |
16 | Commands you may need to solve this level
17 | -----------------------------------------
18 | cat, grep, ls, diff
19 |
20 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun4.function.c:
--------------------------------------------------------------------------------
/*
 * dovuln(str, len): PHP extension function shown for blacksun level 4.
 * It allocates `len` bytes with emalloc() and then copies the entire string
 * argument into that allocation. The allocation size and the copy length come
 * from two different arguments and are never compared with each other.
 * The function neither returns nor frees the allocation.
 */
PHP_FUNCTION(dovuln)
{
    zval **p_str, **p_len;
    char *str, *smashme;
    /* NOTE(review): the local named `strlen` shadows the C library function of the same name. */
    int argc = ZEND_NUM_ARGS(), len = 42, strlen;

    /* NOTE(review): an argc of 3 is accepted although only two out-pointers are passed; confirm against the Zend API. */
    if (argc < 2 || argc > 3 || zend_get_parameters_ex(argc, &p_str, &p_len) == FAILURE) {
        WRONG_PARAM_COUNT;
    }

    convert_to_string_ex(p_str);
    convert_to_long_ex(p_len);
    len = Z_LVAL_PP(p_len);      /* taken from the second argument; replaces the initial 42, no range check */
    str = Z_STRVAL_PP(p_str);
    strlen = Z_STRLEN_PP(p_str); /* length of the first argument */
    smashme = emalloc(len);
    /*
     * Unsafe: the copy is sized by the string's length, not by the allocation,
     * so a string longer than `len` is written past the end of the heap block.
     * `len` is also never checked for zero or negative values. A safe version
     * would reject the call unless 0 < len and strlen <= len before copying.
     */
    memcpy(smashme, str, strlen); //xxx
}
19 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex12.daemon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #define _GNU_SOURCE
8 | #include
9 |
10 |
11 | #define TARGET_UID 1998
12 |
/*
 * Detach the process with daemon(0, 0), then set the real, effective and
 * saved group IDs and user IDs to TARGET_UID.
 *
 * Returns 0 when all three calls succeed, -1 as soon as one of them fails.
 *
 * NOTE(review): supplementary groups are not changed in this function. If the
 * process starts with extra groups, they stay in place unless a caller clears
 * them (e.g. with setgroups()) before this point.
 */
int daemonize()
{
    if (daemon(0, 0) == -1) {
        return -1;
    }

    /*
     * Groups first, then users: after the user IDs are dropped the process
     * may no longer be allowed to change its group IDs.
     */
    if (setresgid(TARGET_UID, TARGET_UID, TARGET_UID) == -1) {
        return -1;
    }
    if (setresuid(TARGET_UID, TARGET_UID, TARGET_UID) == -1) {
        return -1;
    }

    return 0;
}
30 |
--------------------------------------------------------------------------------
/wargames/formulaone/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: formulaone
4 | title: FormulaOne
5 | ---
6 |
7 | FormulaOne
8 | ====
9 |
10 | FormulaOne is a wargame that has been rescued from the demise of
11 | **intruded.net**, previously hosted on formulaone.intruded.net.
12 |
13 |
14 | FormulaOne's levels are called **formulaone0, formulaone1, ... etc.** and can be accessed
15 | on **formulaone.labs.overthewire.org** through SSH on port 2232.
16 |
17 | Data for the levels can be found in **/formulaone/**.
18 |
19 | *The source code for the first level can be accessed by logging in to a wargame hosted on the same server.
20 | Your first task is figuring out which wargame that is.*
21 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit26.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 26
5 | ---
6 | Level Goal
7 | ----------
8 | Logging in to bandit26 from bandit25 should be fairly easy...
9 | The shell for user bandit26 is not **/bin/bash**, but something else.
10 | Find out what it is, how it works and how to break out of it.
11 |
12 | > NOTE: if you're a Windows user and typically use Powershell to
13 | > `ssh` into bandit: Powershell is known to cause issues with the
14 | > intended solution to this level. You should use command prompt
15 | > instead.
16 |
17 | Commands you may need to solve this level
18 | -----------------------------------------
19 | ssh, cat, more, vi, ls, id, pwd
20 |
21 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | level: 1
5 | ---
6 | Level1 is a trivial stack buffer overflow. Note that you'll probably
7 | find it easier to use the compiled version than compiling it from
8 | source.
9 |
10 | ### Binary information
11 |
12 | | Stack smashing protection (SSP): | Disabled |
13 | | Position Independent Executable (PIE): | Disabled |
14 | | Address space layout randomisation (ASLR): | Enabled - No PIE|
15 | | Non-executable pages: | None / disabled |
16 | |--------------------------------------------:+:----------------|
17 | | Location: | /levels/level1 |
18 |
19 | {% include showFile.html path="blacksun1.c" %}
20 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex25.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 25
5 | ---
6 | Crackploit
7 | ----------
8 | {% include beginNote.html title="Vortex 25 → 26 is missing" %}
9 | This level seems to have been lost, but we leave its description
10 | here for historical reasons.
11 | {% include endNote.html %}
12 |
13 | There are two challenges for this level. One is to work out the
14 | password for the binary (a dictionary search should get it), and
15 | then work out how you can exploit the level. A world readable binary is
16 | in /levels/decode. You must login to [vortex.labs.overthewire.org][]
17 | to complete this level.
18 |
19 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
20 |
--------------------------------------------------------------------------------
/information/donate.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: Donating
5 | ---
6 |
7 | Donating
8 | ========
9 |
10 | We gladly accept donations to keep our infrastructure running!
11 | We prefer receiving monthly donations via Patreon, since this allows us to give perks to sponsors.
12 | However, PayPal donations are also an option.
13 |
14 |
22 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit23.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 23
5 | ---
6 | Level Goal
7 | ----------
8 | A program is running automatically at regular intervals from
9 | **cron**, the time-based job scheduler. Look in **/etc/cron.d/** for
10 | the configuration and see what command is being executed.
11 |
12 | **NOTE:** Looking at shell scripts written by other people is a
13 | very useful skill. The script for this level is intentionally made
14 | easy to read. If you are having problems understanding what it does,
15 | try executing it to see the debug information it prints.
16 |
17 | Commands you may need to solve this level
18 | -----------------------------------------
19 | cron, crontab, crontab(5) (use "man 5 crontab" to access this)
20 |
21 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 4
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a hidden file in the
9 | **inhere** directory.
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
14 | ,
15 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
16 | ,
17 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
18 | ,
19 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
20 | ,
21 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
22 | ,
23 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
24 |
25 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 0
5 | ---
6 | Level Goal
7 | ----------
8 | Your goal is to connect to port 5842 on vortex.labs.overthewire.org
9 | and read in 4 unsigned integers in host byte order. Add these
10 | integers together and send back the results to get a username and
11 | password for vortex1. This information can be used to log in using
12 | SSH.
13 |
14 | **Note:** vortex is on a 32bit x86 machine (meaning, a little endian
15 | architecture)
16 |
17 | Helpful Reading Material
18 | ------------------------
19 | - [C Programming Introduction][]
20 | - [Network Programming Tutorial][]
21 |
22 | [C Programming Introduction]: http://beej.us/guide/bgc/
23 | [Network Programming Tutorial]: http://beej.us/guide/bgnet/
24 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | level: 3
5 | ---
6 | Level3 is a blast from the past, with not many details and a stripped
7 | binary!
8 |
9 | Experiment around / partially disassemble level3, work out what it
10 | wants, and how to exploit it. Some bruteforcing may be required ;)
11 |
12 | ### Binary information
13 |
14 | | Stack smashing protection (SSP): | Enabled |
15 | | Position Independent Executable (PIE): | Disabled |
16 | | Address space layout randomisation (ASLR): | Enabled |
17 | | Non-executable pages: | None / disabled |
18 | |--------------------------------------------:+:----------------|
19 | | Location: | /levels/level3 |
20 |
21 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex12.sem.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 |
4 | /* Get the semaphore and busy wait if held already */
5 |
/*
 * Take the lock stored at *sem, waiting for as long as it is held.
 *
 * While *sem is non-zero the caller sleeps in 5-second steps. It then
 * increments the counter and re-reads it; a value above 1 is treated as a
 * collision, the increment is undone and the wait starts over.
 *
 * NOTE(review): the read, the increment and the re-check are separate,
 * non-atomic operations on a plain int. If *sem is shared between concurrent
 * callers (presumably the case; not visible here), they can interleave
 * between these steps. A kernel-backed primitive such as a POSIX semaphore
 * gives real mutual exclusion.
 */
void down(int *sem)
{
    for (;;) {
        while (*sem != 0) {
            sleep(5);
        }

        (*sem)++;
        if (*sem <= 1) {
            return;
        }

        /* Counter went above 1: back out and wait again. */
        (*sem)--;
    }
}
18 |
19 | /* Try and get the semaphore, but return 0 if held */
20 |
/*
 * Non-blocking variant of down(): returns 0 at once when *sem is non-zero.
 * Otherwise it increments the counter and returns its new value, unless the
 * value read back is above 1, in which case the increment is undone and 0 is
 * returned.
 *
 * NOTE(review): check, increment and re-check are not atomic; see the same
 * caveat on down() if *sem can be touched by more than one caller at a time.
 */
int try_down(int *sem)
{
    if (*sem != 0) {
        return 0;
    }

    (*sem)++;
    if (*sem <= 1) {
        return *sem;
    }

    (*sem)--;
    return 0;
}
32 |
33 | /* Release the semaphore */
34 |
/*
 * Release the lock by resetting the counter to zero.
 * The reset is unconditional: nothing here checks that the caller is the
 * one who took the lock.
 */
void up(int *sem)
{
    sem[0] = 0;
}
39 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit21.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 21
5 | ---
6 | Level Goal
7 | ----------
8 | There is a setuid binary in the homedirectory that does the
9 | following: it makes a connection to localhost on the port you
10 | specify as a commandline argument. It then reads a line of text from
11 | the connection and compares it to the password in the previous level
12 | (bandit20). If the password is correct, it will transmit the
13 | password for the next level (bandit21).
14 |
15 | **NOTE:** Try connecting to your own network daemon to see if it
16 | works as you think
17 |
18 | Commands you may need to solve this level
19 | -----------------------------------------
20 | ssh, nc, cat, bash, screen, tmux, Unix 'job control' (bg, fg, jobs, &, CTRL-Z, ...)
21 |
22 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit24.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 24
5 | ---
6 | Level Goal
7 | ----------
8 | A program is running automatically at regular intervals from
9 | **cron**, the time-based job scheduler. Look in **/etc/cron.d/** for
10 | the configuration and see what command is being executed.
11 |
12 | **NOTE:** This level requires you to create your own first
13 | shell-script. This is a very big step and you should be proud of
14 | yourself when you beat this level!
15 |
16 | **NOTE 2:** Keep in mind that your shell script is removed once
17 | executed, so you may want to keep a copy around...
18 |
19 | Commands you may need to solve this level
20 | -----------------------------------------
21 | chmod, cron, crontab, crontab(5) (use "man 5 crontab" to access this)
22 |
23 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex3.c:
--------------------------------------------------------------------------------
1 | /*
2 | * 0xbadc0ded.org Challenge #02 (2003-07-08)
3 | *
4 | * Joel Eriksson
5 | */
6 |
7 | #include
8 | #include
9 | #include
10 |
/* val is a writable global; lp is a global pointer that initially refers to val. */
unsigned long val = 31337;
unsigned long *lp = &val;
13 |
/*
 * Takes exactly one argument, copies it into a 128-byte stack buffer, then
 * stores the buffer's address through the double pointer lpp.
 *
 * Exit status: 1 for a wrong argument count, 2 when lpp fails the address
 * check, 0 otherwise.
 */
int main(int argc, char **argv)
{
    unsigned long **lpp = &lp, *tmp;
    char buf[128];

    if (argc != 2)
        exit(1);

    /*
     * Unsafe: strcpy() copies up to the terminating NUL without regard to
     * sizeof buf, so an argument of 128 bytes or more writes past the array
     * and may overwrite other stack data, depending on how the compiler lays
     * out the frame. A bounded copy that rejects or truncates long input,
     * e.g. snprintf(buf, sizeof buf, "%s", argv[1]), removes the overflow.
     */
    strcpy(buf, argv[1]);

    /* Continue only when the upper 16 bits of lpp's value are 0x0804. */
    if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
        exit(2);

    tmp = *lpp;                    /* saved, but never written back: the restore below is commented out */
    **lpp = (unsigned long) &buf;  /* stores buf's address in the object that *lpp points to */
    // *lpp = tmp; // Fix suggested by Michael Weissbacher @mweissbacher 2013-06-30

    exit(0);
}
33 |
34 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 6
5 | ---
6 | Level 6 is a simple remote daemon with a particular vulnerability. In
7 | what I intended for this level, it is running in a vulnerable state :P
8 |
9 | **Reading material:**
10 |
11 | [Advances in format string exploitation][]
12 |
13 | [Format String Technique][]
14 |
15 | [Exploiting Format String Vulnerabilities][]
16 |
17 | As usual when I grab random code and look over it, someone might want to
18 | tell the developer :P
19 |
20 | [Advances in format string exploitation]: http://www.phrack.org/archives/59/p59-0x07.txt
21 | [Format String Technique]: http://julianor.tripod.com/bc/NN-formats.txt
22 | [Exploiting Format String Vulnerabilities]: http://doc.bughunter.net/format-string/exploit-fs.html
23 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit14.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 14
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in
9 | **/etc/bandit\_pass/bandit14 and can only be read by user
10 | bandit14**. For this level, you don't get the next password, but you
11 | get a private SSH key that can be used to log into the next level.
12 | Look at the commands that logged you into previous bandit levels,
13 | and find out how to use the key for this level.
14 |
15 | Commands you may need to solve this level
16 | -----------------------------------------
17 | ssh, scp, umask, chmod, cat, nc, install
18 |
19 | Helpful Reading Material
20 | ------------------------
21 | - [SSH/OpenSSH/Keys][]
22 |
23 | [SSH/OpenSSH/Keys]: https://help.ubuntu.com/community/SSH/OpenSSH/Keys
24 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex14.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 14
5 | ---
6 | Bad Encryption
7 | --------------
8 | Based on something seen in the "real world", it has weak encryption
9 | usage, used over a TCP/IP connection. This level requires you to
10 | apply some logic to the challenge at hand. You must login to
11 | [vortex.labs.overthewire.org][] to complete this level.
12 |
13 | The \> indicates traffic "from the server, to the client", and the <
14 | indicates traffic "from the client, to the server".
15 |
16 | If you need some hints, consider how you can divide and conquer the
17 | problem. For example, does it look like symmetric encryption, or
18 | asymmetric encryption? How can you further classify them?
19 |
20 | [vortex.labs.overthewire.org]: ssh://vortex.labs.overthewire.org:2228
21 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit13.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 13
5 | ---
6 |
7 | ## Level Goal
8 |
9 | The password for the next level is stored in the file **data.txt**,
10 | which is a hexdump of a file that has been repeatedly compressed.
11 | For this level it may be useful to create a directory under /tmp in
12 | which you can work. Use mkdir with a hard to guess directory name.
13 | Or better, use the command "mktemp -d".
14 | Then copy the datafile using cp, and rename it using mv (read the
15 | manpages!)
16 |
17 | ## Commands you may need to solve this level
18 |
19 | grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir,
20 | cp, mv, file
21 |
22 | ## Helpful Reading Material
23 |
24 | - [Hex dump on Wikipedia][]
25 |
26 | [Hex dump on Wikipedia]: https://en.wikipedia.org/wiki/Hex_dump
27 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 4
5 | ---
6 | To exec or not to exec
7 | ----------------------
8 | This is the common format string bug, exploit it with care though as
9 | a check is made with argc. What is the layout of a process's memory?
10 | How are programs executed?
11 |
12 | Reading Material
13 | ----------------
14 | - [Format String Technique][]
15 | - [Exploiting Format String Vulnerabilities][]
16 | - [Bypassing StackGuard and StackShield][]
17 |
18 | {% include showFile.html path="vortex4.c" %}
19 |
20 | [Format String Technique]: http://julianor.tripod.com/bc/NN-formats.txt
21 | [Exploiting Format String Vulnerabilities]: http://julianor.tripod.com/bc/formatstring-1.2.pdf
22 | [Bypassing StackGuard and StackShield]: http://www.phrack.org/issues.html?issue=56&id=5#article
23 |
--------------------------------------------------------------------------------
/_includes/otwuserdir.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | export OTWUSERDIR=""
4 |
5 |
6 |
7 |
8 |
27 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 5
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in the only human-readable
9 | file in the **inhere** directory. Tip: if your terminal is messed
10 | up, try the "reset" command.
11 |
12 | Commands you may need to solve this level
13 | -----------------------------------------
14 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
15 | ,
16 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
17 | ,
18 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
19 | ,
20 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
21 | ,
22 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
23 | ,
24 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
25 |
26 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 1
5 | ---
6 | Level 1 is a file parsing / heap corruption bug, with C++ classes.
7 |
8 | There is no need to mess around with heap exploitation, and C++ lends
9 | itself to relatively straight forward exploitation.
10 |
11 | [SMASHING C++ VPTRS][] - Although keep in mind that compiler changes can
12 | influence how things are laid out.
13 |
14 | When looking over the below code, keep in mind what needs to be done to
15 | enable debugging, and what SetBuffer does.
16 |
17 | One last hint: In order to correctly overflow the objects / pointers,
18 | the allocation size will have to be similar to the class size ;) Even
19 | blindly messing around will lead to code execution sooner or later
20 |
21 | [SMASHING C++ VPTRS]: http://www.phrack.org/issues.html?issue=56&id=8
22 |
--------------------------------------------------------------------------------
/patreon/patreon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import sys, json, csv, pprint
4 |
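# Build the public patron list from a Patreon CSV export whose path is given
# as the first command-line argument. One "* name" line is printed per active
# patron with a pledge of at least 5 and a positive lifetime total.
patrons = []

with open(sys.argv[1]) as csvfile:
    for row in csv.DictReader(csvfile):
        name = row["Name"]
        # Amounts carry a "$" sign in the export; strip it before parsing.
        pledge = float(row["Pledge $"].replace("$", ""))
        lifetime = float(row["Lifetime $"].replace("$", ""))
        status = row["Patron Status"]
        details = row["Additional Details"]
        since = row["Patronage Since Date"]

        # A non-empty "Additional Details" field replaces the account name.
        if details != "":
            name = details

        if status == "Active patron" and lifetime > 0 and pledge >= 5:
            patrons.append((name, lifetime, since))

# NOTE(review): the date column is sorted as text; confirm the export uses a
# format that sorts chronologically.
patreons = sorted(patrons, key=lambda x: x[2])

# NOTE(review): names come straight from the CSV and are printed unescaped.
# If this output is pasted into a rendered page, presumably as a Markdown
# list, escape or review the names first.
for (name, lifetime, since) in patreons:
    # print() with a single argument gives the same output on Python 2 and 3;
    # the bare print statement used before was Python-2-only syntax.
    print("* {}".format(name))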
28 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 0
5 | ---
6 | Get a shell
7 | -----------
8 | semtex.labs.overthewire.org
9 |
10 | | x86/elf: | Connect to port 24000 |
11 | | amd64/elf: | Connect to port 24001 |
12 | | ppc/mach-O: | Connect to port 24002 |
13 |
14 |
15 | Receive data until the port is closed.
16 |
17 | Every second byte you receive is trash, ignore it.
18 | The other bytes are an executable that shows you the password.
19 |
20 | Then login to [semtex1@semtex.labs.overthewire.org][] on port 2229
21 |
22 | **Thanks to mrx for the amd64 and ppc binaries!**
23 |
24 | Reading Material
25 | ----------------
26 | - [Beej's guide to network programming][]
27 |
28 | [semtex1@semtex.labs.overthewire.org]: ssh://semtex1@semtex.labs.overthewire.org:2229
29 | [Beej's guide to network programming]: http://beej.us/guide/bgnet/
30 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex8.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 8
5 | ---
6 | Non-sniffable data
7 | ------------------
8 | This level is about some very simple covert channel, about
9 | transferring information that cannot possibly be sniffed.
10 | There is a socket file in /rdx/nature. It is a local Unix socket.
11 | Receive data from it until EOF and save it to a file.
12 |
13 | Watch the time between the received bytes. Certain delays mean
14 | certain bytes that have been left out (have not been sent).
15 |
16 | 0-1 s : no special data
17 | 1-2 s : 'Q'
18 | 2-3 s : 'L'
19 | 3-4 s : 'A'
20 | 4-5 s : 'V'
21 |
22 | you have to take these "unsent" data into your output file too,
23 | exactly at the places where they occur.
24 |
25 | Thus you are receiving data while not receiving anything.
26 |
27 | The output file is a .jpg image :)
28 |
29 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 6
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a file somewhere under
9 | the **inhere** directory and has all of the following properties:
10 | - human-readable
11 | - 1033 bytes in size
12 | - not executable
13 |
14 | Commands you may need to solve this level
15 | -----------------------------------------
16 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
17 | ,
18 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
19 | ,
20 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
21 | ,
22 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
23 | ,
24 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
25 | ,
26 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
27 |
28 |
--------------------------------------------------------------------------------
/wargames/abraxas/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listgames: true
4 | title: [RELEASED] Abraxas (HES2011)
5 | ---
6 |
7 | [RELEASED] Abraxas (HES2011)
8 | ============================
9 |
10 | This wargame was introduced at the [Hackito Ergo Sum (HES)][HES] 2011 conference in Paris and is centered around
11 | the **fictitious company dildosfromspace.com**
12 |
13 | The wargame has its own website with the entire backstory. You can find it [here][backstory].
14 |
15 | As of September 2011, the Abraxas game has been released to the public and can be downloaded [here][DownloadAbraxas].
16 |
17 | The following instructions are also included on the diskimage:
18 |
19 | {% include showFile.html path="instructions.txt" %}
20 |
21 | [HES]: http://hackitoergosum.org/
22 | [DownloadAbraxas]: http://images.overthewire.org/Abraxas%20-%20OverTheWire%20Wargame.ova
23 | [backstory]: http://agent7a69.blogspot.com
24 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 3
5 | ---
6 | Level Info
7 | ----------
8 | Well done. You've moved past an easy substitution cipher.
9 |
10 | The main weakness of a simple substitution cipher is repeated use of
11 | a simple key. In the previous exercise you were able to introduce
12 | arbitrary plaintext to expose the key. In this example, the cipher
13 | mechanism is not available to you, the attacker.
14 |
15 | However, you have been lucky. You have intercepted more than one
16 | message. The password to the next level is found in the file
17 | 'krypton4'. You have also found 3 other files. (found1, found2,
18 | found3)
19 |
20 | You know the following important details:
21 |
22 | - The message plaintexts are in American English (\*\*\* very important)
23 | - They were produced from the same key (\*\*\* even better!)
24 |
25 | Enjoy.
26 |
27 |
28 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex1.c:
--------------------------------------------------------------------------------
1 | #define _GNU_SOURCE
2 | #include
3 | #include
4 | #include
5 | #include
6 |
/*
 * e(): expands to an empty statement followed by a check on the local `ptr`
 * of the calling function. When the top byte of ptr's value is 0xca, it sets
 * the real, effective and saved user IDs to the effective UID and replaces
 * the process with /bin/sh; the printf() runs only if execlp() returns.
 * NOTE(review): the cast to unsigned int keeps the whole pointer only where
 * pointers are 32 bits wide.
 */
#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", NULL); printf("%p %p\n", &ptr,ptr); }
8 |
/*
 * Dump the first `len` bytes of `buf` to stdout as space-separated hex
 * values (no zero padding), enclosed in "[ " and " ]".
 */
void print(unsigned char *buf, int len)
{
    int pos = 0;

    fputs("[ ", stdout);
    while (pos < len) {
        printf("%x ", buf[pos]);
        pos++;
    }
    fputs(" ]\n", stdout);
}
17 |
/*
 * Reads stdin one character at a time and edits a 512-byte stack buffer
 * through `ptr`, which starts at the middle of the buffer:
 *   '\n'   dumps the whole buffer as hex,
 *   '\\'   moves ptr back by one byte,
 *   other  runs the e() check, then stores the byte at ptr and advances it.
 * Prints "All done" and returns 0 at end of input.
 */
int main()
{
    unsigned char buf[512];
    unsigned char *ptr = buf + (sizeof(buf)/2);
    /* NOTE(review): x is unsigned, so the loop test compares it with EOF converted to unsigned int. */
    unsigned int x;

    while((x = getchar()) != EOF) {
        switch(x) {
            case '\n': print(buf, sizeof(buf)); continue; break;
            /* Unsafe: no lower-bound check, so ptr can be moved below the start of buf. */
            case '\\': ptr--; break;
            /*
             * The only range check is the upper one and it uses '>', so
             * ptr == buf + sizeof(buf) passes and the store lands one byte
             * past the array. A bounds-safe version would skip the store
             * unless buf <= ptr && ptr < buf + sizeof(buf).
             */
            default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break;
        }
    }
    printf("All done\n");
    return 0;
}
34 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex11.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 11
5 | ---
6 | Chunk Corruption
7 | ----------------
8 | You must corrupt the heap in order to gain arbitrary control of this
9 | program. Do recall, the application is using phkmalloc.
10 |
11 | Reading Material
12 | ----------------
13 | - [BSD Heap Smashing][]
14 | - [Once upon a free()][]
15 | - [Advanced Doug Lea's malloc exploits][]
16 | - [Exploiting the Wilderness][]
17 |
18 | {% include showFile.html path="vortex11.c" %}
19 | {% include showFile.html path="phkmalloc.c" %}
20 |
21 | [BSD Heap Smashing]: http://www.ouah.org/BSD-heap-smashing.txt
22 | [Once upon a free()]: http://www.phrack.org/issues.html?issue=57&id=9#article
23 | [Advanced Doug Lea's malloc exploits]: http://www.phrack.org/issues.html?issue=61&id=6#article
24 | [Exploiting the Wilderness]: http://archive.cert.uni-stuttgart.de/vuln-dev/2004/02/msg00025.html
25 |
--------------------------------------------------------------------------------
/wargames/hes2010/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listgames: true
4 | title: [RELEASED] HES2010
5 | ---
6 |
7 | [RELEASED] HES2010
8 | ==================
9 |
10 | This wargame was introduced at the [Hackito Ergo Sum (HES)][HES] 2010 conference in Paris and is centered around
11 | the **fictitious company dirty-underwear.com**
12 |
13 | The winners of this wargame at HES2010 were **CCCP and morla**.
14 |
15 | As of January 2012, the HES2010 game has been released to the public and can be downloaded [here][DownloadHES2010].
16 |
17 | The wargame has its own local website on the virtual machine. Once the VM is running, you can find it at http://192.168.66.66
18 |
19 | The following instructions are also included on the diskimage:
20 |
21 | {% include showFile.html path="instructions.txt" %}
22 |
23 | [HES]: http://hackitoergosum.org/
24 | [DownloadHES2010]: http://images.overthewire.org/HES2010 - OverTheWire Wargame.ova
25 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 7
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored **somewhere on the
9 | server** and has all of the following properties:
10 | - owned by user bandit7
11 | - owned by group bandit6
12 | - 33 bytes in size
13 |
14 | Commands you may need to solve this level
15 | -----------------------------------------
16 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
17 | ,
18 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
19 | ,
20 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
21 | ,
22 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
23 | ,
24 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
25 | ,
26 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
27 | ,
28 | [grep](https://manpages.ubuntu.com/manpages/noble/man1/grep.1.html)
29 |
30 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 6
5 | ---
6 | ICMP forging
7 | ------------
8 | Send a special ICMP packet to an unknown host. Add the correct
9 | payload to it, to make sure you can receive the password. Spoof your
10 | origin address and make semtex believe the packet is really coming
11 | from some government server (\*.gov). Make sure the server you are
12 | sending from has a reverse DNS entry, otherwise you will not receive
13 | an answer.
14 |
15 | You find more specific information in your home directory.
16 | **Note: You will have to use /semtex/semtexraw. Take a look at the source.**
17 |
18 | Reading Material
19 | ----------------
20 | - [ICMP Request For Comment][]
21 | - [Mixter's raw socket tutorial][]
22 |
23 | {% include showFile.html path="semtex6.rawwrapper.c" %}
24 |
25 | [ICMP Request For Comment]: http://www.faqs.org/rfcs/rfc792.html
26 | [Mixter's raw socket tutorial]: http://mixter.void.ru/rawip.html
27 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 3
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a file called `--spaces
9 | in this filename--` located in the home directory
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
14 | ,
15 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
16 | ,
17 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
18 | ,
19 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
20 | ,
21 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
22 | ,
23 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
24 |
25 | Helpful Reading Material
26 | ------------------------
27 | - [Google Search for "spaces in filename"][]
28 |
29 | [Google Search for "spaces in filename"]: https://www.google.com/search?q=spaces+in+filename
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Wargames
2 |
3 | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
4 |
5 | If you have a problem, a question or a suggestion, you can join us via [chat](http://overthewire.org/information/chat.html).
6 |
7 | **!!! Do not file issues for game-related questions. This repository is for the website only !!!**
8 |
9 | ## Contributing to this website
10 |
11 | You can clone the repository and make changes to the website by issuing pull requests.
12 | To verify that your edits are looking like they should, you can host a local copy of this
13 | website using [jekyll][].
14 |
15 | After installing jekyll, use the following command in the same directory as this README file,
16 | to start a local webserver:
17 |
18 | ```
19 | jekyll serve
20 | ```
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 | [jekyll]: https://jekyllrb.com/
47 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit16.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 16
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level can be retrieved by submitting the
9 | password of the current level to **port 30001 on localhost** using
10 | SSL/TLS encryption.
11 |
12 | **Helpful note: Getting "DONE", "RENEGOTIATING" or "KEYUPDATE"? Read the
13 | "CONNECTED COMMANDS" section in the manpage.**
14 |
15 | Commands you may need to solve this level
16 | -----------------------------------------
17 | ssh, telnet, nc, ncat, socat, openssl, s\_client, nmap, netstat, ss
18 |
19 | Helpful Reading Material
20 | ------------------------
21 | - [Secure Socket Layer/Transport Layer Security on Wikipedia][]
22 | - [OpenSSL Cookbook - Testing with OpenSSL][]
23 |
24 | [Secure Socket Layer/Transport Layer Security on Wikipedia]: https://en.wikipedia.org/wiki/Transport_Layer_Security
25 | [OpenSSL Cookbook - Testing with OpenSSL]: https://www.feistyduck.com/library/openssl-cookbook/online/testing-with-openssl/index.html
26 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit17.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 17
5 | ---
6 | Level Goal
7 | ----------
8 | The credentials for the next level can be retrieved by submitting the
9 | password of the current level to **a port on localhost in the range
10 | 31000 to 32000**. First find out which of these ports have a server
11 | listening on them. Then find out which of those speak SSL/TLS and which
12 | don't. There is only 1 server that will give the next credentials, the
13 | others will simply send back to you whatever you send to it.
14 |
15 | **Helpful note: Getting "DONE", "RENEGOTIATING" or "KEYUPDATE"? Read the
16 | "CONNECTED COMMANDS" section in the manpage.**
17 |
18 | Commands you may need to solve this level
19 | -----------------------------------------
20 | ssh, telnet, nc, ncat, socat, openssl, s\_client, nmap, netstat, ss
21 |
22 | Helpful Reading Material
23 | ------------------------
24 | - [Port scanner on Wikipedia][]
25 |
26 | [Port scanner on Wikipedia]: https://en.wikipedia.org/wiki/Port_scanner
27 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex9.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 9
5 | ---
6 | Tunneling your firewall
7 | -----------------------
8 | How do you get data through a firewall that is blocking any tcp
9 | connection? You just don't use a tcp connection, but instead other
10 | packets, that might not be filtered. For example network maintenance
11 | protocols like ICMP.
12 |
13 | There is a raw socket open on a yet unknown host that listens for
14 | icmp packets and forwards them to a tcp server that you cannot
15 | reach. Your job is to create a client that communicates with this
16 | icmp "server". If everything works, you find yourself in a shell on
17 | an unknown system, and can search for the password.
18 |
19 | The protocol and the server used by the ICMP tunnel are
20 | described in your home directory. If you manage to blackbox analyze
21 | it, then you can jump directly from semtex0 to semtex10 :)
22 |
23 | You will have to use /rdx/rawwrapper.
24 |
25 | {% include showFile.html path="semtex9.rawwrapper.c" %}
26 |
27 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex10.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 10
5 | ---
6 | Hacking szene
7 | -------------
8 | **Thanks to zaphod and Mush for finding bugs in this level**
9 |
10 | Do you know these hacking movies where they push some buttons, then
11 | the evil hacker script window turns up and a percentage bar is
12 | showing how far the password cracking has gone?
13 |
14 |
15 | 0%....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
16 | password cracked!
17 |
18 | Ever wanted to do it yourself? Here is your chance.\
19 |
20 | This level implements a weakness in the authentication scheme used
21 | by M$ win95 and win98 for the netbios shares.
22 |
23 | There is a TCP daemon on brebera port 24019. It authenticates your
24 | password. Once you send the correct password, it echoes it back.
25 | Well, let the source speak for itself. As far as brute force may
26 | take you, a little brain is never bad :P Perhaps you have heard of
27 | pqwak?
28 |
29 | {% include showFile.html path="semtex10.c" %}
30 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex11.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 |
7 | // code by andrewg, modified by aton
8 |
9 | #define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }
10 |
// Hex-dump helper: prints "[ ", then each of the len bytes at buf as
// lowercase hex followed by a space (no zero padding), then " ]" and a
// newline. The length is trusted as given; it is the caller's job to pass a
// value that matches the buffer.
void print(unsigned char *buf, int len)
{
    int left;

    printf("[ ");
    for (left = len; left > 0; left--) {
        printf("%x ", *buf);
        buf++;
    }
    printf(" ]\n");
}
19 |
// Level source for a wargame: reads stdin one byte at a time and moves a
// cursor (ptr) around a 512-byte stack buffer.
//
//   '\n'  dumps the whole buffer with print()
//   '\\'  moves the cursor back by one byte
//   other runs e() and then advances the cursor by one byte
//
// Nothing in this function stores into buf: the default branch only moves
// ptr. The e() macro defined above in this file tests the top byte of ptr's
// value and, when it equals 0xca, sets the real, effective and saved uid to
// the effective uid and execs an interactive /bin/sh.
//
// Review notes (defensive reading of the code as written):
//  - buf has no initialiser and is never written here, so every '\n' dump
//    prints whatever the stack happened to hold: an information leak in
//    anything other than a training binary.
//  - The '\\' branch decrements ptr with no lower bound, so the cursor can
//    leave the buffer on the low side; the upper check uses '>' and so still
//    lets ptr reach one past the end before it stops advancing.
//  - NOTE(review): given the file's location these gaps look deliberate for
//    the level; confirm before changing them.
int main()
{
    unsigned char buf[512];
    // the cursor starts in the middle of the buffer
    unsigned char *ptr = buf + (sizeof(buf)/2);
    // unsigned, so the EOF comparison below happens after EOF is converted to unsigned int
    unsigned int x;

    while((x = getchar()) != EOF) {
        switch(x) {
            // the break after continue is never reached
            case '\n': print(buf, sizeof(buf)); continue; break;
            // no check that ptr is still inside buf
            case '\\': ptr--; break;
            // e() needs a local named ptr; its (unsigned int) cast presumably assumes a 32-bit build -- TODO confirm
            default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++; break;
        }
    }
    printf("All done\n");
    // no return statement: main falls off the end
}
35 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex12.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 12
5 | ---
6 | Authentication Daemon
7 | ---------------------
8 | There is an authentication daemon waiting on brebera port 24012. You
9 | connect to it, supply your password and get authenticated. The
10 | semtex 12 password will give you user access, the admin password
11 | will give you administrator access...
12 |
13 | After authentication you connect to the remote file system reader
14 | on port 24013. Depending on your access level you can list files and
15 | show them. The semtex 13 password has been located in one of the
16 | files on this remote file system. Brebera is fast, can you be
17 | faster?
18 |
19 | Thanks to bk for this level!
20 |
21 | {% include showFile.html path="semtex12.authd.c" %}
22 | {% include showFile.html path="semtex12.daemon.c" %}
23 | {% include showFile.html path="semtex12.reader.c" %}
24 | {% include showFile.html path="semtex12.sem.c" %}
25 | {% include showFile.html path="semtex12.sem.h" %}
26 | {% include showFile.html path="semtex12.server.h" %}
27 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: vortex
4 | level: 3
5 | ---
6 | A Stack Overflow with a Difference
7 | ----------------------------------
8 | This level is pretty straight forward. Just sit down and understand
9 | what the code is doing. Your shellcode will require a
10 | setuid(LEVEL4\_UID) since bash drops effective privileges. You could
11 | alternatively write a quick setuid(geteuid()) wrapper around bash.
12 |
13 | **NOTE:** ctors/dtors might no longer be writable, although this
14 | level is compiled with *-Wl,-z,norelro*. Lookup some information
15 | about this e.g. [here][]
16 |
17 | Reading Material
18 | ----------------
19 | - [Smashing the Stack for Fun and Profit][]
20 | - [Bypassing StackGuard and StackShield][]
21 |
22 | {% include showFile.html path="vortex3.c" %}
23 |
24 | [here]: http://unix.stackexchange.com/questions/8062/dtors-looks-writable-but-attempts-to-write-segfault
25 | [Smashing the Stack for Fun and Profit]: http://phrack.org/issues/49/14.html#article
26 | [Bypassing StackGuard and StackShield]: http://www.phrack.org/issues.html?issue=56&id=5#article
27 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | level: 5
5 | ---
6 | Random Networking
7 | -----------------
8 | Make 10 connections to port 24027 from different IP's. On each
9 | connection you will receive a string of 10 ASCII characters. XOR
10 | this string with the Semtex5 password, character by character. Then
11 | send back the 10 characters followed by another string of exactly 10
12 | characters which identifies you (can be anything within A-Z, a-z,
13 | 0-9). The first 10 characters that you send, are different on every
14 | connection, the last 10 have to be the same. If you do not send the
15 | correct string back within 5 seconds you are disconnected. Once
16 | connected with at least 10 different IP's, you will receive the
17 | password on one connection, chosen randomly.
18 |
19 | **Note: Your connections time out in 2 minutes and you cannot connect from an IP that is still connected. May the sockets be with you.**
20 |
21 | Reading Material
22 | ----------------
23 | - [Socks5 Request For Comment][]
24 |
25 | [Socks5 Request For Comment]: http://www.faqs.org/rfcs/rfc1928.html
26 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 0
5 | ---
6 | Level Goal
7 | ----------
8 | The goal of this level is for you to log into the game using SSH.
9 | The host to which you need to connect is
10 | **bandit.labs.overthewire.org**, on port 2220.
11 | The username is **bandit0** and the password is **bandit0**. Once
12 | logged in, go to the [Level 1][] page to find out how to beat Level
13 | 1.
14 |
15 | Commands you may need to solve this level
16 | -----------------------------------------
17 | [ssh](https://manpages.ubuntu.com/manpages/noble/man1/ssh.1.html)
18 |
19 | Helpful Reading Material
20 | ------------------------
21 | - [Secure Shell (SSH) on Wikipedia][]
22 | - [How to use SSH with a non-standard port on It's FOSS][]
23 | - [How to use SSH with ssh-keys on wikiHow][]
24 |
25 | [Level 1]: /wargames/bandit/bandit1.html
26 | [Secure Shell (SSH) on Wikipedia]: https://en.wikipedia.org/wiki/Secure_Shell
27 | [How to use SSH with a non-standard port on It's FOSS]: https://itsfoss.com/ssh-to-port/
28 | [How to use SSH with ssh-keys on wikiHow]: https://www.wikihow.com/Use-SSH
29 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 OverTheWire.org
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 2
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a file called **-**
9 | located in the home directory
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
14 | ,
15 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
16 | ,
17 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
18 | ,
19 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
20 | ,
21 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
22 | ,
23 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
24 |
25 | Helpful Reading Material
26 | ------------------------
27 | - [Google Search for "dashed filename"][]
28 | - [Advanced Bash-scripting Guide - Chapter 3 - Special Characters][]
29 |
30 | [Google Search for "dashed filename"]: https://www.google.com/search?q=dashed+filename
31 | [Advanced Bash-scripting Guide - Chapter 3 - Special Characters]: https://linux.die.net/abs-guide/special-chars.html
32 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex6.rawwrapper.c:
--------------------------------------------------------------------------------
1 | #ifndef _GNU_SOURCE
2 | #define _GNU_SOURCE
3 | #endif
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | #define DROPUID 1009
11 | #define DROPGID 1009
12 |
13 | // rawwrapper, aton 2004
14 |
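/*
 * rawwrapper: open a raw ICMP socket while still privileged, drop to
 * DROPUID/DROPGID, then exec the program named by argv[1].
 *
 * The child is started with an empty environment and with this argv:
 *   argv[0]   the program path (the original argv[1])
 *   argv[1]   the raw socket's descriptor number as a decimal string
 *   argv[2..] whatever the caller passed after the program path
 * The socket is created without close-on-exec, so it stays open in the child
 * under that number.
 *
 * Returns EXIT_FAILURE when the arguments are missing, the socket cannot be
 * opened, the privilege drop fails, memory runs out or the exec fails. On a
 * successful exec this function never returns.
 */
int main(int argc, char *argv[])
{
    int rfd;
    char *prog;
    char fdstr[16];                 /* large enough for any int in decimal plus NUL */
    char *empty_env[] = { NULL };   /* same effect as the NULL envp Linux accepts, but portable */

    if (argc < 2)
    {
        printf("usage: rawwrapper \n");
        printf("argv[1] will be the raw socket\n");
        exit(EXIT_FAILURE);
    }

    /* open the raw socket; this is the only step that needs privileges */
    if ((rfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
    {
        perror("socket");
        return EXIT_FAILURE;
    }

    /*
     * Drop privileges, group first: once the uid is gone the gid can no
     * longer be changed. Both calls can fail, and carrying on after a failure
     * would exec a caller-chosen program with the original privileges, so
     * fail closed.
     * NOTE(review): supplementary groups are not reset here; confirm whether
     * setgroups() is needed for the way this binary is installed.
     */
    if (setresgid(DROPGID, DROPGID, DROPGID) != 0)
    {
        perror("setresgid");
        return EXIT_FAILURE;
    }
    if (setresuid(DROPUID, DROPUID, DROPUID) != 0)
    {
        perror("setresuid");
        return EXIT_FAILURE;
    }

    /* keep a private copy of the program path before argv is rewritten */
    prog = malloc(strlen(argv[1]) + 1);
    if (prog == NULL)
    {
        perror("malloc");
        return EXIT_FAILURE;
    }
    strcpy(prog, argv[1]);

    /*
     * Format the descriptor into our own buffer. Writing it over the old
     * argv[1] string in place could run past the end of that string whenever
     * the number needs more characters than the path had.
     */
    snprintf(fdstr, sizeof fdstr, "%d", rfd);

    /* fill in new argv */
    argv[0] = prog;
    argv[1] = fdstr;

    /* execute the client program; execve only returns on failure */
    execve(argv[0], argv, empty_env);
    perror("execve");
    return EXIT_FAILURE;
}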
51 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | level: 4
5 | ---
6 | level4 is an installation of Apache and PHP with an introduced heap
7 | vulnerability.
8 |
9 | The introduced vulnerability is as follows:
10 |
11 | {% include showFile.html path="blacksun4.function.c" %}
12 |
13 | Thanks to orix for the introduced code snippet
14 |
15 | The document root is in /levels/level4/htdocs, you'll need to put your
16 | php code there and call it via the webserver on port 55555.
17 |
18 | **Note:** that if you're executing a shell, it can't be /bin/sh or
19 | /bin/bash, oh, and the apache process can't access the /etc/pass
20 | directory :P
21 |
22 | ### Binary information
23 |
24 | | Stack smashing protection (SSP): | Enabled |
25 | | Position Independent Executable (PIE): | Enabled |
26 | | Address space layout randomisation (ASLR): | Enabled |
27 | | Non-executable pages: | None / disabled |
28 | |--------------------------------------------:+:----------------|
29 | | Location: | 127.0.0.1:55555 |
30 |
31 | {% include showFile.html path="blacksun4.basic_functions.c" %}
32 |
33 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | level: 0
5 | ---
6 | Level0 is a remote format string intended to get you started with
7 | blacksun. It is a remote format string bug with you being able to see
8 | the reply, with address space randomisation enabled. You'll need to use
9 | the direct parameter access method to analyse the stack and to
10 | manipulate it.
11 |
12 | Once getting access to a shell, read /etc/motd for more information
13 |
14 | ### Binary information
15 |
16 | | Stack smashing protection (SSP): | Enabled |
17 | | Position Independent Executable (PIE): | Enabled |
18 | | Address space layout randomisation (ASLR): | Enabled |
19 | | Non-executable pages: | None / disabled |
20 | |--------------------------------------------:+:------------------------------------------------|
21 | | Location: | Connect to blacksun.overthewire.org on port 79 |
22 |
23 | Alternatively, there is a debug version on port 78 if you need help
24 | understanding what you're seeing
25 |
26 | {% include showFile.html path="blacksun0.c" %}
27 |
--------------------------------------------------------------------------------
/wargames/bandit/bandit15.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 15
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level can be retrieved by submitting the
9 | password of the current level to **port 30000 on localhost**.
10 |
11 | Commands you may need to solve this level
12 | -----------------------------------------
13 | ssh, telnet, nc, openssl, s\_client, nmap
14 |
15 | Helpful Reading Material
16 | ------------------------
17 | - [How the Internet works in 5 minutes (YouTube)][] (Not completely
18 | accurate, but good enough for beginners)
19 | - [IP Addresses][]
20 | - [IP Address on Wikipedia][]
21 | - [Localhost on Wikipedia][]
22 | - [Ports][]
23 | - [Port (computer networking) on Wikipedia][]
24 |
25 | [How the Internet works in 5 minutes (YouTube)]: https://www.youtube.com/watch?v=7_LPdttKXPc
26 | [IP Addresses]: https://computer.howstuffworks.com/web-server5.htm
27 | [IP Address on Wikipedia]: https://en.wikipedia.org/wiki/IP_address
28 | [Localhost on Wikipedia]: https://en.wikipedia.org/wiki/Localhost
29 | [Ports]: https://computer.howstuffworks.com/web-server8.htm
30 | [Port (computer networking) on Wikipedia]: https://en.wikipedia.org/wiki/Port_(computer_networking)
31 |
--------------------------------------------------------------------------------
/js/wechall.js:
--------------------------------------------------------------------------------
1 | function displayWechallBox(data) {
2 | console.log("Displaying box "+data);
3 | // create a div, draggable, with form inside
4 | var $div = $('').appendTo('#content');
5 | $div.attr('id', 'wechallform');
6 |
7 | $("#wechallform").hide();
8 | $("#wechallform").html(
9 | ""
14 | );
15 | $("#wechallform").draggable({zIndex: 2500});
16 | $("#wechallform").show();
17 | }
18 |
19 |
// Once the DOM is ready, fetch /js/wechall-data.json and, when it has an
// entry keyed by the current path, hand that entry to displayWechallBox().
// The JSON is same-origin site data; its entry is passed on unchanged.
$(document).ready(function() {
    function onWechallData(data) {
        console.log("[wechall] JSON data loaded");
        var path = window.location.pathname;
        if (!(path in data)) {
            return;
        }
        console.log("[wechall] JSON contains data for this page, rendering...");
        displayWechallBox(data[path]);
    }

    $.ajax({
        dataType: "json",
        url: "/js/wechall-data.json",
        success: onWechallData
    });
});
33 |
34 |
--------------------------------------------------------------------------------
/js/updatedmarkers-logic.js:
--------------------------------------------------------------------------------
// Look up the "last seen" value stored for a page link in localStorage.
// Yields undefined when nothing has been stored under "seen-" + link.
function getSeenTimestamp(link) {
    var storageKey = "seen-" + link;
    var stored = window.localStorage[storageKey];
    return stored;
}
4 |
// Record value as the "last seen" marker for a page link, stored in
// localStorage under the key "seen-" + link.
function setSeenTimestamp(link, value) {
    var storageKey = "seen-" + link;
    window.localStorage[storageKey] = value;
}
8 |
9 |
// Decide whether an "updated" marker should be shown.
//   - no update timestamp (undefined or null): never show
//   - update timestamp but no "seen" value:   always show
//   - both present: show only when the update is newer than the seen value
// The comparison is a plain ">", so the usual JavaScript coercion applies
// when the two arguments have different types.
function shouldDisplay(updatedts, lastseents) {
    var hasUpdate = updatedts != undefined;
    var hasSeen = lastseents != undefined;

    if (!hasUpdate) {
        return false;
    }
    return !hasSeen || updatedts > lastseents;
}
15 |
16 |
// Highlight every ".updatedmarker" element whose linked page has an update
// the visitor has not seen yet, then record the current page as seen.
// Relies on the global `updatedmarkers` map (link -> update timestamp), which
// is defined outside this file.
function renderUpdatedMarkers() {
    $(".updatedmarker").each(function(index, element) {
        var $marker = $(element);
        var link = $marker.data()["link"];

        if (shouldDisplay(updatedmarkers[link], getSeenTimestamp(link))) {
            $marker.addClass("updatedmarker-active");
        }
    });

    // Walk the updatedmarkers entries; when one of them is the page being
    // viewed, store its update timestamp as the new "seen" value.
    var here = window.location.pathname;
    for (var page in updatedmarkers) {
        if (page != here) {
            continue;
        }
        setSeenTimestamp(here, updatedmarkers[page]);
    }
}

// Run once as soon as the script is loaded.
renderUpdatedMarkers();
42 |
43 |
--------------------------------------------------------------------------------
/wargames/manpage/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: manpage
4 | title: Manpage
5 | ---
6 |
7 | Manpage
8 | =======
9 |
10 | ### Can you RTFM?
11 |
12 | Manpage is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on manpage.intruded.net. **Big
14 | thanks to adc, morla and reth** for their help in resurrecting this
15 | game!
16 |
17 | What follows below is the original description of manpage, copied from
18 | intruded.net:
19 |
20 | Summary:
21 | Difficulty: x/10
22 | Levels: 7
23 | Platform: Linux/x86
24 |
25 | Author:
26 | adc
27 |
28 | Special Thanks:
29 |
30 | Description:
31 | This game is about breaking some common linux c-programming misconceptions. A good
32 | tactic when beginning to audit code for the first time is to read the manpages for pitfalls and
33 | unusual behavior. Many of these levels were inspired by the famous work of Ilja.
34 |
35 | Manpage's levels are called **manpage0, manpage1, ... etc.** and can be
36 | accessed on **manpage.labs.overthewire.org** through SSH on port 2224.
37 |
38 | To login to the first level use:
39 |
40 | Username: manpage0
41 | Password: manpage0
42 |
43 | Data for the levels can be found in **/manpage/**.
44 |
--------------------------------------------------------------------------------
/information/chat.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: Contact via chat
5 | ---
6 |
7 | Need help?
8 | ==========
9 |
10 | It's normal to get stuck on a level from time to time, don't despair!
11 | Before reaching out for help, make sure you have read the level's description and hints carefully.
12 | If you are still stuck, you can ask for help in the chatrooms, but remember to follow the [rules].
13 |
14 | You might want to read this [article] before asking for help.
15 |
16 | Discord
17 | -------
18 |
19 | You can find our Discord server at
20 |
21 | Channels:
22 | #wargames (for talk related to the games)
23 | #social (for general talk)
24 |
25 | Please be aware of our rules! When you first connect, you will be reminded of them.
26 |
27 | IRC
28 | ---
29 |
30 | If you don't know [how to use IRC][], use google to find out.
31 |
32 | Encrypted IRC:
33 | Host: ircs.overthewire.org
34 | Port: 6697 (with SSL)
35 |
36 | Non-encrypted IRC:
37 | Host: irc.overthewire.org
38 | Port: 6667
39 |
40 | The channels used on IRC are the same as on Discord.
41 |
42 | [how to use IRC]: https://en.wikipedia.org/wiki/Wikipedia:IRC/Tutorial
43 | [article]: http://catb.org/~esr/faqs/smart-questions.html
44 | [rules]: /rules
--------------------------------------------------------------------------------
/wargames/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listgames: true
4 | title: Wargames
5 | ---
6 |
7 | Wargames
8 | ========
9 |
10 | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
11 | To find out more about a certain wargame, just visit its page linked from the menu on the left.
12 |
13 | If you have a problem, a question or a suggestion, you can [join us via chat][contactus].
14 |
15 | Suggested order to play the games in
16 | ------------------------------------
17 |
18 | 1. Bandit - Unix/Linux basics
19 | 2. Pick one:
20 | * Natas - web security
21 | * Krypton - cryptography
22 | * Leviathan - reverse engineering
23 | 3. Narnia - Start into binary exploitation (and reverse engineering)
24 | 4. Behemoth - binary exploitation (and reverse engineering)
25 | 5. Utumno - binary exploitation (and reverse engineering)
26 | 6. Maze - binary exploitation (and reverse engineering)
27 | 7. ...
28 |
29 | Each shell game has its own SSH port
30 | ------------------------------------
31 |
32 | Information about how to connect to each game using SSH, is provided in the top left corner of the page.
33 | Keep in mind that every game uses a different SSH port.
34 |
35 | [contactus]: /information/chat.html
36 |
--------------------------------------------------------------------------------
/wargames/maze/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: maze
4 | title: Maze
5 | ---
6 |
7 | Maze
8 | ====
9 |
10 | ### Can you find the way out?
11 |
12 | Maze is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on maze.intruded.net. **Big thanks
14 | to adc, morla and reth** for their help in resurrecting this game!
15 |
16 | What follows below is the original description of maze, copied from
17 | intruded.net:
18 |
19 | Summary:
20 | Difficulty: 5/10
21 | Levels: 9
22 | Platform: Linux/x86
23 |
24 | Author:
25 | beng and capsyl
26 |
27 | Special Thanks:
28 | je for doing the primary beta-testing.
29 | kuba for beta-testing and ideas.
30 | psi for level9
31 |
32 | Description:
33 | You'll need knowledge of exploitation-techniques, programming (of course) and reverse-
34 | engineering. We've tried to make the levels tricky and some of them strange, so get ready
35 | to use gdb.
36 |
37 | Maze's levels are called **maze0, maze1, ... etc.** and can be accessed
38 | on **maze.labs.overthewire.org** through SSH on port 2225.
39 |
40 | To login to the first level use:
41 |
42 | Username: maze0
43 | Password: maze0
44 |
45 | Data for the levels can be found in **/maze/**.
46 |
--------------------------------------------------------------------------------
/wargames/utumno/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: utumno
4 | title: Utumno
5 | ---
6 |
7 | Utumno
8 | ======
9 |
10 | ### Are you adequate?
11 |
12 | Utumno is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on utumno.intruded.net. **Big thanks
14 | to adc, morla and reth** for their help in resurrecting this game!
15 |
16 | What follows below is the original description of utumno, copied from
17 | intruded.net:
18 |
19 | Summary:
20 | Difficulty: 4/10
21 | Levels: 10
22 | Platform: Linux/x86
23 |
24 | Author:
25 | Kuba and psi
26 |
27 | Special Thanks:
28 |
29 | Description:
30 | This is a regular wargame composed of 10 different levels. It's slightly harder than the
31 | previous wargames in the same genre. Actually, it's a lot harder than Leviathan and a bit
32 | harder than Behemoth so if you haven't beaten those two you will probably want to do that
33 | first.
34 |
35 | Utumno's levels are called **utumno0, utumno1, ... etc.** and can be
36 | accessed on **utumno.labs.overthewire.org** through SSH on port 2227.
37 |
38 | To login to the first level use:
39 |
40 | Username: utumno0
41 | Password: utumno0
42 |
43 | Data for the levels can be found in **/utumno/**.
44 |
--------------------------------------------------------------------------------
/wargames/natas/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: natas
4 | title: Natas
5 | ---
6 |
7 | Natas
8 | =====
9 |
10 | Natas teaches the basics of serverside web-security.
11 |
12 | Each level of natas consists of its own website located at
13 | **http://natasX.natas.labs.overthewire.org**, where X is the level
14 | number. There is **no SSH login**. To access a level, enter the username
15 | for that level (e.g. natas0 for level 0) and its password.
16 |
17 | Each level has access to the password of the next level. Your job is to
18 | somehow obtain that next password and level up. **All passwords are also
19 | stored in /etc/natas\_webpass/**. E.g. the password for natas5 is stored
20 | in the file /etc/natas\_webpass/natas5 and only readable by natas4 and
21 | natas5.
22 |
23 | Start here:
24 |
25 | Username: natas0
26 | Password: natas0
27 | URL: http://natas0.natas.labs.overthewire.org
28 |
29 |
30 | Tools you may find useful to solve this wargame
31 | -----------------------------------------------
32 |
33 | A webbrowser, curl, ZAP proxy
34 |
35 |
36 |
37 | developed in association with
38 | the NESSoS FP7 project
39 |
40 |
41 |
--------------------------------------------------------------------------------
/wargames/drifter/rc4.c:
--------------------------------------------------------------------------------
1 |
2 | #include "rc4.h"
3 |
/*
 * RC4 key schedule: fill key->state with the identity permutation, reset
 * the stream indices key->x / key->y, then mix the key bytes into the
 * permutation with 256 swaps.
 *
 * key_data_ptr  key material; read cyclically, key_data_len bytes per cycle
 * key_data_len  number of key bytes; must be > 0 because it is used as a
 *               modulus. The key position is kept in an unsigned char, so
 *               only the first 256 key bytes can ever be read.
 * key           RC4 context to initialise
 */
void prepare_key(unsigned char *key_data_ptr, int key_data_len, rc4_key *key)
{
    unsigned char *sbox = &key->state[0];
    unsigned char key_pos = 0;   /* position inside the key material */
    unsigned char j = 0;         /* running swap target */
    int i;

    /* Start from the identity permutation 0..255. */
    for (i = 0; i < 256; i++) {
        sbox[i] = (unsigned char)i;
    }

    key->x = 0;
    key->y = 0;

    /* Key-dependent shuffle of the permutation. */
    for (i = 0; i < 256; i++) {
        j = (unsigned char)((key_data_ptr[key_pos] + sbox[i] + j) % 256);
        swap_byte(&sbox[i], &sbox[j]);
        key_pos = (unsigned char)((key_pos + 1) % key_data_len);
    }
}
28 |
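/*
 * XOR buffer_ptr[0 .. buffer_len-1] in place with the RC4 keystream
 * generated from *key. The same call encrypts and decrypts.
 *
 * The stream position (key->x, key->y) and the permutation in key->state
 * are updated, so consecutive calls continue the same keystream.
 * A buffer_len <= 0 processes nothing.
 *
 * The loop counter is an int, matching buffer_len. The previous short
 * counter could not represent lengths above SHRT_MAX: incrementing past
 * it turns the index negative, which writes before the start of the
 * buffer and never reaches the loop bound.
 *
 * RC4 has well-documented keystream biases; this routine is kept for the
 * game it ships with and is not a suitable choice for protecting data.
 */
void rc4(unsigned char *buffer_ptr, int buffer_len, rc4_key *key)
{
    unsigned char x;
    unsigned char y;
    unsigned char *state;
    unsigned char xorIndex;
    int counter;

    x = key->x;
    y = key->y;
    state = &key->state[0];

    for (counter = 0; counter < buffer_len; counter++) {
        x = (x + 1) % 256;
        y = (state[x] + y) % 256;
        swap_byte(&state[x], &state[y]);
        xorIndex = (state[x] + state[y]) % 256;
        buffer_ptr[counter] ^= state[xorIndex];
    }

    /* Save the stream position for the next call. */
    key->x = x;
    key->y = y;
}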
52 |
53 |
--------------------------------------------------------------------------------
/wargames/behemoth/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: behemoth
4 | title: Behemoth
5 | ---
6 |
7 | Behemoth
8 | ========
9 |
10 | ### Don't let behemoth get the better of you.
11 |
12 | Behemoth is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on behemoth.intruded.net. **Big
14 | thanks to adc, morla and reth** for their help in resurrecting this
15 | game!
16 |
17 | What follows below is the original description of behemoth, copied from
18 | intruded.net:
19 |
20 | Summary:
21 | Difficulty: 3/10
22 | Levels: 9
23 | Platform: Linux/x86
24 |
25 | Author:
26 | Anders Tonfeldt
27 |
28 | Special Thanks:
29 |
30 | Description:
31 | This wargame deals with a lot of regular vulnerabilities found commonly 'out
32 | in the wild'. While the game makes no attempts at emulating a real environment
33 | it will teach you how to exploit several of the most common coding mistakes
34 | including buffer overflows, race conditions and privilege escalation.
35 |
36 | Behemoth's levels are called **behemoth0, behemoth1, ... etc.** and can
37 | be accessed on **behemoth.labs.overthewire.org** through SSH on port 2221.
38 |
39 | To login to the first level use:
40 |
41 | Username: behemoth0
42 | Password: behemoth0
43 |
44 | Data for the levels can be found in **/behemoth/**.
45 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex9.rawwrapper.c:
--------------------------------------------------------------------------------
1 | #ifndef _GNU_SOURCE
2 | #define _GNU_SOURCE
3 | #endif
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 |
11 | #define DROPUID 1009
12 | #define DROPGID 1009
13 |
14 | // rawwrapper, aton 2004
15 |
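/*
 * rawwrapper: open a raw ICMP socket while still privileged, drop to
 * DROPUID/DROPGID, then execute the program named in argv[1].
 *
 * The client is started with argv[0] = its own path, argv[1] = the
 * decimal file descriptor of the raw socket, and any further arguments
 * passed through unchanged. The environment is empty (NULL envp).
 *
 * Returns EXIT_FAILURE if the socket cannot be opened, if either
 * privilege drop fails, or if the client cannot be executed.
 */
int main(int argc, char *argv[])
{
    int rfd;
    char *client;
    char fdstr[16];   /* large enough for any int printed with "%d" */

    if (argc < 2) {
        printf("usage: rawwrapper \n");
        printf("argv[1] will be the raw socket\n");
        exit(EXIT_FAILURE);
    }

    /* open the raw socket before giving up privileges */
    if ((rfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) {
        perror("socket");
        return EXIT_FAILURE;
    }

    /*
     * Drop privileges, group first: once the uid is changed the process
     * may no longer be allowed to change its gid. Both calls are checked;
     * continuing after a failed drop would run the client with the
     * wrapper's privileges.
     */
    if (setresgid(DROPGID, DROPGID, DROPGID) != 0) {
        perror("setresgid");
        return EXIT_FAILURE;
    }
    if (setresuid(DROPUID, DROPUID, DROPUID) != 0) {
        perror("setresuid");
        return EXIT_FAILURE;
    }

    /*
     * Build the new argv. The descriptor number goes into its own buffer
     * rather than being printed over the caller's argv[1] string, whose
     * length is controlled by the caller and may be shorter than the
     * number.
     */
    client = argv[1];
    snprintf(fdstr, sizeof fdstr, "%d", rfd);
    argv[0] = client;
    argv[1] = fdstr;

    /* execute the client program; execve only returns on failure */
    execve(argv[0], argv, NULL);
    perror("execve");
    return EXIT_FAILURE;
}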
52 |
--------------------------------------------------------------------------------
/patreon/patrons.json:
--------------------------------------------------------------------------------
1 | {"\"Fancy\" Support Level": [{"name": "Fionnbharr Davies"}, {"name": "Max G"}, {"name": "H"}, {"name": "hpmv"}, {"name": "Christopher Greene"}, {"name": "AdamM"}, {"name": "mari0d"}, {"name": "Matt Lewin"}, {"name": "kripthor"}, {"name": "The Tarquin"}, {"name": "Eric the Red"}, {"name": "Emelie Widegren"}, {"name": "Rob Verseijden"}, {"name": "Kitten Kat"}, {"name": "wasamasa"}, {"name": "Eric Hogue"}, {"name": "King Buttrang"}, {"name": "Eric"}, {"name": "Thomas Lynch"}, {"name": "Jesse Martinez"}, {"name": "Crunchy"}], "\"Angel\" Support Level": [{"name": "Intercept Security", "url": "https://intercept.sh/", "logo": "/img/patreon/interceptsecurity.png", "text": "Intercept Security is a security company with a single goal: bringing simplicity to Security. We build Fast Intercept \u2013 a security automation product that helps bring the technology to organizations what would otherwise not be able to afford or support such a solution. We also provide consulting services and engineering to help teams lower their costs, improve their security posture, and reduce mean time to resolution (MTTR) of security incident response. We love (Love-love) overthewire as a training tool and its spirit in the community as a whole and are happy to support.\n\nVisit our website and take advantage of the free Community IP Threatlist we offer from our global honeypot network, or reach out and see if we can't make a connection. We're always looking to make new friends. :)"}]}
--------------------------------------------------------------------------------
/wargames/bandit/bandit1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: bandit
4 | level: 1
5 | ---
6 | Level Goal
7 | ----------
8 | The password for the next level is stored in a file called
9 | **readme** located in the home directory. Use this password to log
10 | into bandit1 using SSH. Whenever you find a password for a level,
11 | use SSH (on port 2220) to log into that level and continue the game.
12 |
13 | Commands you may need to solve this level
14 | -----------------------------------------
15 | [ls](https://manpages.ubuntu.com/manpages/noble/man1/ls.1.html)
16 | ,
17 | [cd](https://manpages.ubuntu.com/manpages/noble/man1/cd.1posix.html)
18 | ,
19 | [cat](https://manpages.ubuntu.com/manpages/noble/man1/cat.1.html)
20 | ,
21 | [file](https://manpages.ubuntu.com/manpages/noble/man1/file.1.html)
22 | ,
23 | [du](https://manpages.ubuntu.com/manpages/noble/man1/du.1.html)
24 | ,
25 | [find](https://manpages.ubuntu.com/manpages/noble/man1/find.1.html)
26 |
27 | **TIP:** Create a file for notes and passwords on your local machine!
28 |
29 | Passwords for levels are *not* saved automatically.
30 | If you do not save them yourself, you will need to start over from bandit0.
31 |
32 | Passwords also occasionally change. It is recommended to take notes on how to solve each challenge.
33 | As levels get more challenging, detailed notes are useful to return to where you left off, reference for later problems, or help others after you've completed the challenge.
34 |
--------------------------------------------------------------------------------
/_includes/games.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
Online
4 | {% include menu_item.html link="/wargames/bandit" name="Bandit" %}
5 | {% include menu_item.html link="/wargames/natas" name="Natas" %}
6 | {% include menu_item.html link="/wargames/leviathan" name="Leviathan" %}
7 | {% include menu_item.html link="/wargames/krypton" name="Krypton" %}
8 | {% include menu_item.html link="/wargames/narnia" name="Narnia" %}
9 | {% include menu_item.html link="/wargames/behemoth" name="Behemoth" %}
10 | {% include menu_item.html link="/wargames/utumno" name="Utumno" %}
11 | {% include menu_item.html link="/wargames/maze" name="Maze" %}
12 | {% include menu_item.html link="/wargames/vortex" name="Vortex" %}
13 | {% include menu_item.html link="/wargames/manpage" name="Manpage" %}
14 | {% include menu_item.html link="/wargames/drifter" name="Drifter" %}
15 | {% include menu_item.html link="/wargames/formulaone" name="FormulaOne" %}
16 |
17 |
18 |
19 |
Offline
20 | {% include menu_item.html link="/wargames/semtex" name="Semtex" %}
21 |
22 |
23 |
24 |
Released
25 | {% include menu_item.html link="/wargames/hes2010" name="HES2010" %}
26 | {% include menu_item.html link="/wargames/abraxas" name="Abraxas" %}
27 | {% include menu_item.html link="/wargames/monxla" name="Monxla" %}
28 | {% include menu_item.html link="/wargames/kishi" name="Kishi" %}
29 |
30 |
31 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | level: 2
5 | ---
6 | Level2 is a test application from a [pop3 library][] that's pretty
7 | buggy. The idea is to write a pop3 server to trigger a vulnerability
8 | (pick any you like :p) in the code and get a shell.
9 |
10 | **Notes**
11 |
12 | - -fpic -fPIC was added to the compile options to remove DT\_TEXTREL's
13 | :p
14 | - If you're feeling generous, perhaps drop the author a note about any
15 | bugs you find so that future versions of the library can be fixed.
16 | - ASLR remote fun!
17 |
18 | Binary information
19 |
20 | ### Binary information
21 |
22 | | Stack smashing protection (SSP): | Disabled |
23 | | Position Independent Executable (PIE): | Disabled |
24 | | Address space layout randomisation (ASLR): | Enabled |
25 | | Non-executable pages: | None / disabled |
26 | |--------------------------------------------:+:------------------------------------------------------------------------|
27 | | Code Location: | /levels/2/libspopc-0.7, using poptest1.c, and associated library code |
28 | |---------------------------------------------+-------------------------------------------------------------------------|
29 | | Location: | /levels/level2 |
30 |
31 | [pop3 library]: http://brouits.free.fr/libspopc/
32 |
--------------------------------------------------------------------------------
/wargames/semtex/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: semtex
4 | title: Semtex
5 | ---
6 |
7 | Semtex
8 | ======
9 |
10 | {% include beginNote.html title="2022-08-16 - semtex offline" %}
11 | Semtex is offline.
12 | {% include endNote.html %}
13 |
14 | Wargame?
15 | --------
16 | This network is a legal environment where you can learn
17 | coding/hacking techniques without destroying anything. You have to
18 | solve Semtex 0 to get a username/password for login. Once logged in,
19 | you have to make your way from one level to the next, each one
20 | containing a small security hole/feature that has been installed for
21 | you. Your mission is to find out how to exploit the weakness and to
22 | cause interesting behavior :)
23 |
24 | Rules?
25 | ------
26 | Well you can do anything you want on this box, code, hack, learn,
27 | ... it's all there for gaining knowledge. Please refrain from DoS
28 | attacks of any kind; they ruin the fun for you and for others. As long
29 | as you behave, everything is possible.
30 |
31 | Contribute?
32 | -----------
33 | This wargame is from the community for the community. If you want to
34 | contribute, send a level plus exploit to aton at packetdropped dot
35 | org.
36 |
37 | **Network programming, reverse engineering, buffer overflows and
38 | combinatorial analysis.**
39 |
40 | **Contact : [aton at packetdropped dot org][]**
41 |
42 | [contact us via chat]: /information/chat.html
43 | [aton at packetdropped dot org]: mailto:aton@packetdropped.org
44 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex7.c:
--------------------------------------------------------------------------------
1 | /*
2 | * multivitamin.c 2006 by aton@packetdropped.org
3 | *
4 | * rules: no patching.
5 | * compile: gcc multivitamin.c -o multivitamin -lgmp
6 | *
7 | * -> multiplication is simple, and so is division...?
8 | */
9 |
10 |
11 | #define _GNU_SOURCE
12 | #include
13 | #include
14 | #include
15 | #include
16 |
17 | #define ADDVALUE 27137
18 |
19 | int main(int argc, char *argv[])
20 | {
21 | mpz_t longjohn, mul, cmpval;
22 | char userstr[512+1];
23 | int n=0;
24 |
25 | mpz_init(longjohn);
26 | mpz_set_ui(longjohn, 1);
27 | mpz_init(mul);
28 | mpz_init(cmpval);
29 | mpz_set_str(cmpval, "insert-here-the-password-hash-from-your-home-directory-on-semtex-7", 10);
30 |
31 | if (argc<2)
32 | {
33 | printf("%s \n", argv[0]);
34 | return -1;
35 | }
36 |
37 | strncpy(userstr, argv[1], 512);
38 |
39 | for (n=0;n
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 |
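/*
 * SIGALRM handler: print the timeout message and end the process with
 * EXIT_SUCCESS.
 *
 * Only async-signal-safe calls are used. printf() and exit() are not
 * safe inside a handler that can interrupt stdio in the main program,
 * so the message is written with write() and the process ends with
 * _exit(). Unlike exit(), _exit() does not flush stdio buffers.
 */
void alrm(int signo)
{
    static const char msg[] = "Operation timed out\n";

    (void)signo;   /* the handler is only installed for SIGALRM */

    if (write(STDOUT_FILENO, msg, sizeof msg - 1) < 0) {
        /* nothing useful can be done about a failed write here */
    }
    _exit(EXIT_SUCCESS);
}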
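/*
 * Seed-guessing game: for 20 rounds, read a fresh seed from /dev/urandom,
 * seed rand() with it, print the first 29 rand() outputs (five per line)
 * and read a guess from stdin. Any wrong or unparsable guess ends the
 * program with EXIT_FAILURE. After 20 correct guesses the real ids are
 * set to the effective ids and /bin/sh is executed.
 *
 * The whole exchange is limited to 60 seconds by SIGALRM.
 */
int main()
{
    int fd, i, j;
    int seed, guess;

    fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) {
        perror("/dev/urandom");
        exit(EXIT_FAILURE);
    }

    /* Install the handler before arming the timer. */
    signal(SIGALRM, alrm);
    alarm(60);

    for (j = 0; j < 20; j++) {
        if (read(fd, &seed, sizeof seed) != (ssize_t)sizeof seed) {
            perror("read /dev/urandom");
            exit(EXIT_FAILURE);
        }

        srand(seed);

        for (i = 0; i < 29; i++) {
            printf(" %d", rand());
            if ((i % 5) == 4) {
                printf("\n");
            }
        }
        printf("\n");
        fflush(stdout);

        /*
         * A failed conversion leaves guess unset, so it must count as a
         * wrong answer instead of being compared with the seed.
         */
        if (scanf("%d", &guess) != 1 || guess != seed) {
            exit(EXIT_FAILURE);
        }
    }

    /* The shell has no use for the /dev/urandom descriptor. */
    close(fd);

    /* Make the effective ids the real and saved ids; stop if that fails. */
    if (setresgid(getegid(), getegid(), getegid()) != 0) {
        perror("setresgid");
        exit(EXIT_FAILURE);
    }
    if (setresuid(geteuid(), geteuid(), geteuid()) != 0) {
        perror("setresuid");
        exit(EXIT_FAILURE);
    }

    /* The variadic sentinel must be a null pointer of pointer type. */
    execlp("/bin/sh", "sh", (char *)NULL);

    /* Only reached when the exec failed. */
    perror("execlp");
    return EXIT_FAILURE;
}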
59 |
--------------------------------------------------------------------------------
/css/patreon.css:
--------------------------------------------------------------------------------
/* Container for one Patreon support tier. */
.patreon-tier {
    margin: 10px;
    padding: 10px 10px 10px 50px;
}

/* Tier heading, shifted up and to the left of the tier content. */
.patreon-tier h1 {
    position: relative;
    top: -10px;
    left: -25px;
}

/* ---------- */

/* Orange box shared by "Fancy" name badges and "Angel" patron cards. */
.patreon-tier-fancy span,
.patreon-tier-angel .patron-angel {
    border-radius: 5px;
    margin: 3px;
    padding: 8px;

    border: 1px solid #ff8040;
    background-color: #ffc080;
    color: black;
}

/* "Fancy" tier: inline name badges in bold. */
.patreon-tier-fancy span {
    display: inline-block;
    font-weight: bold;
}

/* ---------- */

/* "Angel" tier: logo column floated to the left of the text. */
.patreon-tier-angel .patron-angel .logo {
    float: left;
    display: flex;
    width: 100px;
    min-height: 100px;
}

.patreon-tier-angel .patron-angel .logo img {
    flex: 1;
    margin: auto;
    max-width: 100px;
}

.patreon-tier-angel .patron-angel .content {
    position: relative;
    left: 10px;
    min-height: 100px;
    padding: 8px;
}

/* Links inside a card: black, lightening on hover and when active. */
.patreon-tier-angel .patron-angel a {
    color: #000 !important;
}

.patreon-tier-angel .patron-angel a:hover {
    color: #333 !important;
}

.patreon-tier-angel .patron-angel a:active {
    color: #666 !important;
}

.patreon-tier-angel .patron-angel .content .name {
    font-weight: bold;
    font-size: 20pt;
}

/* Keep the line breaks of the patron text. */
.patreon-tier-angel .patron-angel .content .text {
    white-space: pre-wrap;
}
80 |
--------------------------------------------------------------------------------
/wargames/narnia/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: narnia
4 | title: Narnia
5 | ---
6 |
7 | Narnia
8 | ======
9 |
10 | ### We all have to start somewhere.
11 |
12 | Narnia is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on narnia.intruded.net. **Big thanks
14 | to adc, morla and reth** for their help in resurrecting this game!
15 |
16 | What follows below is the original description of narnia, copied from
17 | intruded.net:
18 |
19 | Summary:
20 | Difficulty: 2/10
21 | Levels: 10
22 | Platform: Linux/x86
23 |
24 | Author:
25 | nite
26 |
27 | Special Thanks:
28 | lx_jakal for pointing out a bug that made a level easier =)
29 |
30 | Description:
31 | This wargame is for the ones that want to learn basic exploitation. You can see the most
32 | common bugs in this game and we've tried to make them easy to exploit. You'll get the
33 | source code of each level to make it easier for you to spot the vuln and abuse it. The
34 | difficulty of the game is somewhere between Leviathan and Behemoth, but some of the
35 | levels could be quite tricky.
36 |
37 | Narnia's levels are called **narnia0, narnia1, ... etc.** and can be
38 | accessed on **narnia.labs.overthewire.org** through SSH on port 2226.
39 |
40 | To login to the first level use:
41 |
42 | Username: narnia0
43 | Password: narnia0
44 |
45 | Data for the levels can be found in **/narnia/**.
46 |
47 | Tools you may find useful to solve this wargame
48 | -----------------------------------------------
49 |
50 | objdump, ghidra, pwntools, gcc, gdb
51 |
--------------------------------------------------------------------------------
/wargames/kishi/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listgames: true
4 | title: [RELEASED] Kishi (HES2013 and NSC2013)
5 | ---
6 |
7 | [RELEASED] Kishi (HES2013 and NSC2013)
8 | ======================================
9 |
10 | This wargame was introduced at the [Hackito Ergo Sum (HES)][HES] 2013 and [No Such Con (NSC)][NSC] 2013 conferences in Paris and is centered around
11 | the **fictitious North-Korean cyberops training facility Kishi**.
12 |
13 | As of December 2014, the Kishi game has been released to the public and can be
14 | downloaded through [Vagrant] for VirtualBox by typing:
15 |
16 | vagrant init StevenVanAcker/kishi
17 | vagrant up
18 |
19 | Kishi listens on ports 22, 80 and 2222, which are forwarded from the VM host
20 | through ports 6622, 6680 and 3322 respectively.
21 | Kishi uses several LXC containers internally, you can access them from the host
22 | VM through
23 |
24 | virsh -c lxc://
25 |
26 | The SSH server running on port 2222 can be used to login to kishi itself with
27 | username/password vagrant/vagrant. All containers run an SSH server with an
28 | admin account with username/password otw/otw. These admin accounts are not
29 | part of the game and should only be used for setting up or debugging. Change
30 | their passwords if you connect the VM to a public network.
31 |
32 | To start the game, visit Kishi's web server on port 80 (or port 6680 of the
33 | host).
34 |
35 | [HES]: http://hackitoergosum.org/
36 | [NSC]: http://nosuchcon.org
37 | [Kishi]: http://kishi.labs.overthewire.org
38 | [Vagrant]: https://www.vagrantup.com/
39 | [vagrantcloud]: https://atlas.hashicorp.com/StevenVanAcker/boxes/kishi
40 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 4
5 | ---
6 | Level Info
7 | ----------
8 | Good job!
9 |
10 | You more than likely used some form of FA and some common sense to
11 | solve that one.
12 |
13 | So far we have worked with simple substitution ciphers. They have
14 | also been 'monoalphabetic', meaning using a fixed key, and giving a
15 | one to one mapping of plaintext (P) to ciphertext (C). Another type
16 | of substitution cipher is referred to as 'polyalphabetic', where one
17 | character of P may map to many, or all, possible ciphertext
18 | characters.
19 |
20 | An example of a polyalphabetic cipher is called a Vigenère Cipher. It
21 | works like this:
22 |
23 | If we use the key (K) 'GOLD' and P = PROCEED MEETING AS AGREED, and then
24 | "add" P to K, we get C. When adding, if we exceed 25, then we roll
25 | to 0 (modulo 26).
26 |
27 | P P R O C E E D M E E T I N G A S A G R E E D\
28 | K G O L D G O L D G O L D G O L D G O L D G O\
29 |
30 | becomes:
31 |
32 | P 15 17 14 2 4 4 3 12 4 4 19 8 13 6 0 18 0 6 17 4 4 3\
33 | K 6 14 11 3 6 14 11 3 6 14 11 3 6 14 11 3 6 14 11 3 6 14\
34 | C 21 5 25 5 10 18 14 15 10 18 4 11 19 20 11 21 6 20 2 7 10 17\
35 |
36 | So, we get a ciphertext of:
37 |
38 | VFZFK SOPKS ELTUL VGUCH KR
39 |
40 | This level is a Vigenère Cipher. You have intercepted two longer,
41 | English-language messages (American English). You also have a key piece of information.
42 | You know the key length!
43 |
44 | For this exercise, the key length is 6. The password to level five
45 | is in the usual place, encrypted with the 6 letter key.
46 |
47 | Have fun!
48 |
49 |
50 |
--------------------------------------------------------------------------------
/wargames/leviathan/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: leviathan
4 | title: Leviathan
5 | ---
6 |
7 | Leviathan
8 | =========
9 |
10 | ### Dare you face the lord of the oceans?
11 |
12 | Leviathan is a wargame that has been rescued from the demise of
13 | **intruded.net**, previously hosted on leviathan.intruded.net. **Big
14 | thanks to adc, morla and reth** for their help in resurrecting this
15 | game!
16 |
17 | What follows below is the original description of leviathan, copied from
18 | intruded.net:
19 |
20 | Summary:
21 | Difficulty: 1/10
22 | Levels: 8
23 | Platform: Linux/x86
24 |
25 | Author:
26 | Anders Tonfeldt
27 |
28 | Special Thanks:
29 | We would like to thank AstroMonk for coming up with a replacement idea for the last level,
30 | deadfood for finding a leveljump and Coi for finding a non-planned vulnerability.
31 |
32 | Description:
33 | This wargame doesn't require any knowledge about programming - just a bit of common
34 | sense and some knowledge about basic *nix commands. We had no idea that it'd be this
35 | hard to make an interesting wargame that wouldn't require programming abilities from
36 | the players. Hopefully we made an interesting challenge for the new ones.
37 |
38 | Leviathan's levels are called **leviathan0, leviathan1, ... etc.** and
39 | can be accessed on **leviathan.labs.overthewire.org** through SSH on port 2223.
40 |
41 | To login to the first level use:
42 |
43 | Username: leviathan0
44 | Password: leviathan0
45 |
46 | Data for the levels can be found in **the home directories**. You can look
47 | at **/etc/leviathan_pass** for the various level passwords.
48 |
49 | Tools you may find useful to solve this wargame
50 | -----------------------------------------------
51 |
52 | strings, hexdump, objdump, ghidra
53 |
--------------------------------------------------------------------------------
/games.json:
--------------------------------------------------------------------------------
1 | {
2 | "vortex": {
3 | "host": "vortex.labs.overthewire.org",
4 | "port": 2228,
5 | "lastlevel": 26,
6 | "specialNumbering": true
7 | },
8 | "semtex": {
9 | "lastlevel": 12,
10 | "host": "semtex.labs.overthewire.org",
11 | "port": 2229
12 | },
13 | "krypton": {
14 | "host": "krypton.labs.overthewire.org",
15 | "port": 2231,
16 | "lastlevel": 6,
17 | "specialNumbering": true
18 | },
19 | "bandit": {
20 | "lastlevel": 34,
21 | "host": "bandit.labs.overthewire.org",
22 | "port": 2220
23 | },
24 | "leviathan": {
25 | "lastlevel": 7,
26 | "host": "leviathan.labs.overthewire.org",
27 | "port": 2223
28 | },
29 | "narnia": {
30 | "lastlevel": 9,
31 | "host": "narnia.labs.overthewire.org",
32 | "port": 2226
33 | },
34 | "behemoth": {
35 | "lastlevel": 8,
36 | "host": "behemoth.labs.overthewire.org",
37 | "port": 2221
38 | },
39 | "utumno": {
40 | "lastlevel": 8,
41 | "host": "utumno.labs.overthewire.org",
42 | "port": 2227
43 | },
44 | "maze": {
45 | "lastlevel": 9,
46 | "host": "maze.labs.overthewire.org",
47 | "port": 2225
48 | },
49 | "manpage": {
50 | "lastlevel": 7,
51 | "host": "manpage.labs.overthewire.org",
52 | "port": 2224
53 | },
54 | "natas": {
55 | "lastlevel": 34
56 | },
57 | "blacksun": {
58 | "lastlevel": 4
59 | },
60 | "drifter": {
61 | "lastlevel": 15,
62 | "host": "drifter.labs.overthewire.org",
63 | "port": 2230
64 | },
65 | "formulaone": {
66 | "lastlevel": 6,
67 | "host": "formulaone.labs.overthewire.org",
68 | "port": 2232
69 | }
70 | }
--------------------------------------------------------------------------------
/_includes/patreonlist.md:
--------------------------------------------------------------------------------
1 | {% raw %}
2 |
3 |
4 |
5 |
6 |
"Angel" Support Level
7 |
8 |
9 |
10 |
"Fancy" Support Level
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
31 |
32 |
35 |
36 |
37 |
65 |
66 | {% endraw %}
67 |
--------------------------------------------------------------------------------
/information/userdata.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: User data
5 | ---
6 |
7 | User data
8 | =========
9 |
10 | As described [before], all ssh-based games on OverTheWire run in [Docker] containers,
11 | which means that the containers are destroyed when you log out from SSH.
12 |
13 | You are free to store data anywhere you like, such as /tmp or even the home directories.
14 | Keep in mind that all of these directories will be wiped when you log out, which can get annoying
15 | if you just created that superfancy exploit and your SSH connection unexpectedly disconnects.
16 |
17 | That is why we are offering persistent storage on the shell-games.
18 | To make use of persistent storage, put the following in your SSH config:
19 |
20 |
21 |
22 | Assuming you are using the correct operating system and shell, edit your
23 | ~/.bashrc file and add:
24 |
25 | {% include otwuserdir.html %}
26 |
27 | You may need to logout and login again for these changes to take
28 | effect. To test whether the environment variables are registered,
29 | type "echo $OTWUSERDIR", which should show that environment
30 | variable.
31 |
32 |
33 | Next, edit ~/.ssh/config (or create it if it doesn't exist) and
34 | add:
35 |
39 | This configures your SSH client to transmit the environment variable
40 | to your remote session, so it can be used there.
41 |
42 |
43 |
44 |
45 | Upon the next login to one of the games, your persistent user directory will be created.
46 | Don't lose the name of the directory, because you will not be able to recover it easily.
47 | Also, be careful about sharing the name of your directory. Anyone with that knowledge can read and modify your files in there.
48 |
49 |
50 | Also see the help page about [SSH and infrastructure].
51 |
52 | [Docker]: https://www.docker.com/
53 | [before]: sshinfra.html
54 | [SSH and infrastructure]: sshinfra.html
55 |
--------------------------------------------------------------------------------
/wargames/hes2010/instructions.txt:
--------------------------------------------------------------------------------
1 | --- OverTheWire's HES2010 wargame, released January 2012 ---
2 |
3 | 1. Introduction
4 |
5 | This wargame revolves around a company called Dirty-Underwear.com which buys and sells dirty
6 | underwear. Your job, very simply, is to break into the server and beat all levels.
7 | Hint: the credentials for the first level can be found by going through the local
8 | website. Think like Google!
9 |
10 | 2. How to play ?
11 |
12 | First, download the diskimage because it is intended to run locally.
13 | Import the diskimage into your favorite virtualization software. The game is based on Ubuntu,
14 | so any virtual hardware supported by Ubuntu should be fine in your virtualization environment.
15 |
16 | When booted, the VM configures its network interface with:
17 | IP 192.168.66.66/24
18 | gateway 192.168.66.254
19 | DNS server 8.8.8.8 (Google)
20 | There is no need to give access to the internet to get this VM working.
21 |
22 | You can use SSH to login to the VM. For maintenance reasons, there is an account 'otw' with
23 | password 'otw' with sudo rights to get a root account. This maintenance account is not part of
24 | the wargame and should not be used when playing the wargame fairly.
25 |
26 | 3. Contact information
27 |
28 | For information regarding this wargame, find us at http://www.overthewire.org or through
29 | IRC on irc.overthewire.org, channel #social
30 | The OverTheWire community offers more wargames and resources for you to explore.
31 |
32 | 4. History of this wargame
33 |
34 | This wargame was reachable on hes2010.labs.overthewire.org.
35 | With the release of this diskimage, the DNS record has been updated to
36 | point to 192.168.66.66, which is the local IP address of this offline version of the game.
37 |
38 | Originally, this wargame was created for the Hackito Ergo Sum 2010 conference in Paris,
39 | which was held in April of 2010. Afterwards, the wargame was opened up to any player.
40 |
41 | 5. References
42 |
43 | http://www.overthewire.org/
44 | http://hackitoergosum.org/
45 |
--------------------------------------------------------------------------------
/wargames/vortex/vortex18.c:
--------------------------------------------------------------------------------
1 | /*
2 | * vortex18 challenge
3 | *
4 | * written by Tim Newsham
5 | * contributions by Joshua J. Drake
6 | */
7 |
8 |
9 | #include
10 |
/* Size in bytes of the seed buffers (buf in seedrand(), seed in main()), terminating NUL included. */
#define RANDLEN 16
/* Size in bytes of the input buffer in guess(), terminating NUL included. */
#define BUFLEN 20

/*
 * Bytes that end a guess in guess(). seedrand() replaces any of them in the
 * random seed with ' ', so the seed never contains a byte that guess() would
 * stop reading at.
 */
#define TERMINATE1 'n'
#define TERMINATE2 's'
#define TERMINATE3 '$'
#define TERMINATE4 'S'
18 |
/*
 * Fill `seed` with a NUL-terminated string of RANDLEN - 1 bytes taken from
 * /dev/urandom.
 *
 * seed: destination buffer. strcpy() below copies RANDLEN bytes (terminator
 *       included) with no length check, so the caller must supply at least
 *       RANDLEN bytes; main() passes char seed[RANDLEN].
 *
 * Exits with status 1 if /dev/urandom cannot be opened and with status 2 if
 * fewer than RANDLEN bytes are read.
 */
void
seedrand(char *seed)
{
    char buf[RANDLEN];
    int fd, i;

    /* read in a seed */
    fd = open("/dev/urandom", 0);    /* flags 0: O_RDONLY on Linux */
    if(fd == -1)
        exit(1);
    if(read(fd, buf, sizeof buf) != sizeof buf)
        exit(2);
    close(fd);

    /*
     * make sure it doesn't use the terminator: guess() stops reading at a
     * TERMINATE* byte and strcmp()/strcpy() stop at NUL, so each of those
     * values is replaced with a space
     */
    for(i = 0; i < RANDLEN - 1; i++) {
        if(buf[i] == TERMINATE1
           || buf[i] == TERMINATE2
           || buf[i] == TERMINATE3
           || buf[i] == TERMINATE4
           || buf[i] == '\0')
            buf[i] = ' ';
    }
    buf[i] = 0;    /* i == RANDLEN - 1 here: the last random byte is overwritten by the terminator */

    /* return it */
    strcpy(seed, buf);
}
47 |
/*
 * Read one guess from stdin (fd 0) and compare it with `seed`.
 *
 * Input is read one byte at a time until a TERMINATE* byte arrives or
 * BUFLEN - 1 bytes have been stored; a terminator byte, if one was read, is
 * overwritten with NUL.
 *
 * Returns 1 when the guess equals seed. Otherwise echoes the guess followed
 * by a newline and returns 0. Exits with status 1 when read() does not
 * deliver exactly one byte (error or end of input).
 */
int
guess(char *seed)
{
    char buf[BUFLEN];
    int i;

    for(i = 0; i < BUFLEN - 1; i++) {
        if(read(0, buf + i, 1) != 1)
            exit(1);
        if(buf[i] == TERMINATE1
           || buf[i] == TERMINATE2
           || buf[i] == TERMINATE3
           || buf[i] == TERMINATE4)
            break;
    }
    buf[i] = 0;    /* i <= BUFLEN - 1, so this write stays inside buf */

    if(strcmp(buf, seed) == 0)
        return 1;
    /*
     * NOTE(review): buf holds the user's input and is passed as the printf
     * format string (CWE-134, uncontrolled format string) -- presumably the
     * deliberate flaw of this challenge. The TERMINATE* bytes appear to act
     * as a denylist of conversion characters; a denylist is not a substitute
     * for a constant format. Code outside a challenge would echo the input
     * with printf("%s", buf) or fputs(buf, stdout).
     */
    printf(buf);
    printf("\n");
    fflush(stdout);
    return 0;
}
72 |
/*
 * Generate a random seed and give the user up to 10 calls to guess(). On a
 * correct guess, set the real, effective and saved user IDs to the current
 * effective UID, print "YAY!" and replace the process with /bin/sh.
 * Prints "sorry." and returns 0 when all 10 guesses fail.
 */
int
main(int argc, char **argv)
{
    char seed[RANDLEN];
    int i;

    seedrand(seed);
    for(i = 0; i < 10; i++) {
        if(guess(seed)) {
            i = geteuid();    /* loop counter reused to hold the effective UID */
            setresuid(i, i, i);    /* return value is not checked */
            write(1, "YAY!\n", 5);
            /* the variadic terminator is a plain 0; portable code passes (char *)NULL */
            execlp("/bin/sh", "sh", 0);
            exit(0);    /* reached only if execlp() fails */
        }
    }

    printf("sorry.\n");
    return 0;
}
93 |
--------------------------------------------------------------------------------
/information/wechall.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: WeChall Scoreboard
5 | ---
6 |
7 | WeChall Scoreboard
8 | ==================
9 |
10 | OverTheWire makes use of a scoreboard provided by [WeChall][] to allow
11 | players to track their own progress and promote some healthy competition
12 | between players. To make use of this scoreboard for OverTheWire games,
13 | you need to follow these steps:
14 |
15 | 1. First, go to [WeChall][] and register for an account.
16 | 2. Next, log in and retrieve your WeChall token and username. Your
17 | WeChall username is what you registered with, while your WeChall
18 | token can be found on the WeChall website under ["Account" ->
19 | "WarBoxes"][warboxlink]. The token looks something like
20 | "EDD76-1FC9F-7388B-DC6EB-E3F71-FC4CB".
21 | 3. Next, assuming you are using the correct operating system, edit your
22 | ~/.bashrc file and add:
23 |
24 | export WECHALLUSER="YourUserName"
25 | export WECHALLTOKEN="YOUR-WECHALL-TOKEN-HERE"
26 |
27 | For `fish` users, you may run:
28 |
29 | set -Ux WECHALLUSER "YourUserName"
30 |
31 | You may need to logout and login again for these changes to take
32 | effect. To test whether the environment variables are registered,
33 | type "echo $WECHALLUSER", which should show that environment
34 | variable.
35 |
36 | 4. Next, edit ~/.ssh/config (or create it if it doesn't exist) and
37 | add:
38 |
39 | Host *.labs.overthewire.org
40 | SendEnv WECHALLTOKEN
41 | SendEnv WECHALLUSER
42 |
43 | This configures your SSH client to transmit both username and token
44 | to your remote session, so it can be used there.
45 |
46 | 5. Finally, you are able to easily register which levels you have
47 | beaten on OverTheWire by logging in through SSH the normal way, and
48 | invoking the "wechall" command. This command will use your WeChall
49 | username and WeChall token to register the level you have beaten
50 | with WeChall.
51 |
52 | [WeChall]: https://www.wechall.net
53 | [warboxlink]: https://www.wechall.net/warboxes
54 |
--------------------------------------------------------------------------------
/wargames/blacksun/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: blacksun
4 | ---
5 | {% include beginNote.html title="2012-04-17 - blacksun is temporarily down" %}
6 | The blacksun wargame is temporarily down because we have lost the backup
7 | (shame on us). We are currently collecting the levels from third parties
8 | to bring the game back.
9 | {% include endNote.html %}
10 |
11 | ### About
12 |
13 | Blacksun is a PullThePlug / OverTheWire wargame that is meant to help
14 | people learn more advanced exploitation techniques against hardened
15 | hosts and environments. It is implemented by PaX patches, and the
16 | Hardened Gentoo project. **It is a work in progress.** If you have any
17 | questions you can contact [andrewg][] via email.
18 |
19 | Blacksun is not an exploit novice's game / toolset, as it assumes a
20 | bunch of previous knowledge, such as programming, format string
21 | exploitation, heap exploitation, shellcoding, and out of the box
22 | thinking, amongst other things. However, PullThePlug / OverTheWire does
23 | have another wargame that's a lot easier, but still quite challenging
24 | available [here][].
25 |
26 | **Also, it is not meant to discredit any of the work that has been done
27 | towards PaX (hi pipacs!), as it is quite awesome. Perhaps even it will
28 | lead to better defensive, and maybe better offensive techniques. And
29 | most likely greater understanding with the issues involved.**
30 |
31 | ### Aims
32 |
33 | Blacksun is aimed towards demonstrating and helping people better
34 | understand:
35 |
36 | - Address space randomisation
37 | - Non executable memory and things that affect it
38 | - Stack smashing prevention
39 | - Information leaks
40 | - Code auditing and identifying code paths and vulnerable constructs
41 | - Being able to construct the exploitation environment
42 | - Binary auditing, and differencing
43 | - Access control list systems
44 |
45 | ### Reading material
46 |
47 | A list of suggested reading material can be found [here][readingmaterial]
48 |
49 | [andrewg]: mailto:andrewg@felinemenace.org
50 | [here]: /wargames/vortex/
51 | [readingmaterial]: reading_material.html
52 |
--------------------------------------------------------------------------------
/wargames/krypton/krypton2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: krypton
4 | level: 2
5 | ---
6 | Level Info
7 | ----------
8 | ROT13 is a simple substitution cipher.
9 |
10 | Substitution ciphers are a simple replacement algorithm. In this
11 | example of a substitution cipher, we will explore a 'monoalphabetic'
12 | cipher. Monoalphabetic means, literally, "one alphabet" and you will
13 | see why.
14 |
15 | This level contains an old form of cipher called a 'Caesar Cipher'.
16 | A Caesar cipher shifts the alphabet by a set number. For example:
17 |
18 | plain: a b c d e f g h i j k ...
19 | cipher: G H I J K L M N O P Q ...
20 |
21 | In this example, the letter 'a' in plaintext is replaced by a 'G' in
22 | the ciphertext so, for example, the plaintext 'bad' becomes 'HGJ' in
23 | ciphertext.
24 |
25 | The password for level 3 is in the file krypton3. It is in 5 letter
26 | group ciphertext. It is encrypted with a Caesar Cipher. Without any
27 | further information, this cipher text may be difficult to break. You
28 | do not have direct access to the key, however you do have access to
29 | a program that will encrypt anything you wish to give it using the
30 | key. If you think logically, this is completely easy.
31 |
32 | One shot can solve it!
33 |
34 | Have fun.
35 |
36 | Additional Information:
37 |
38 | The `encrypt` binary will look for the keyfile in your current working
39 | directory. Therefore, it might be best to create a working directory in /tmp
40 | and in there a link to the keyfile. As the `encrypt` binary runs setuid
41 | `krypton3`, you also need to give `krypton3` access to your working directory.
42 |
43 | Here is an example:
44 |
45 | krypton2@melinda:~$ mktemp -d
46 | /tmp/tmp.Wf2OnCpCDQ
47 | krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
48 | krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
49 | krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
50 | keyfile.dat
51 | krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
52 | krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
53 | krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
54 | ciphertext keyfile.dat
55 |
56 |
--------------------------------------------------------------------------------
/wargames/blacksun/blacksun0.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | void query(char *username);
10 |
11 |
// Entry point: prints a banner, then repeatedly reads a request number and a
// username from stdin and passes the username to query(). A request number
// that atoi() parses as 0 ends the loop, but only after that iteration's
// username has been read and queried.
int main()
{
    int y0; // special marker, you can use this for when you're doing exploitation analysis to find where main is on the stack etc.
    int cont;
    char username[256];
    char blah[20];

    //setvbuf(stdin, NULL, _IONBF, 0);
    //setvbuf(stdout, NULL, _IONBF, 0);

#ifdef DEBUG
    // DEBUG builds copy /proc/self/maps to fd 1 (and print stack addresses
    // further down), which discloses the process's address-space layout.
    y0 = open("/proc/self/maps", O_RDONLY);

    while((cont = read(y0, username, sizeof(username))) > 0) {
        write(1, username, cont);
    }
    close(y0);
#endif

    printf("--> Blacksun level 0\r\n");
    printf("by Andrew Griffiths (andrewg@felinemenace.org)\r\n");
    printf("/-------------------------------------------------\\ \r\n");
    printf("|Use netcat as opposed to telnet -- telnet sends |\r\n");
    printf("|certain control charachers and will fuck up your |\r\n");
    printf("|connection. This won't be a problem if you're |\r\n");
    printf("|coding the program to connect. |\r\n");
    printf("\\-------------------------------------------------/\r\n\r\n");

    memset(username, 0, sizeof(username));
    cont = 1;

    while(cont) {
        printf("Enter request number: ");
        fflush(stdout);
        // fgets() already leaves room for the NUL, so the -1 only shortens the
        // read by one byte; its return value is not checked.
        fgets(blah, sizeof(blah)-1, stdin);
        y0 = atoi(blah); // atoi() reports no errors: non-numeric input yields 0

#ifdef DEBUG
        printf("blah: %p\n", blah);
        printf("username: %p\n", username);
        printf("y0: %p\n", &y0);
#endif

        cont = (y0 != 0);

        printf("Enter the username you'd like to query: ");
        fflush(stdout);
        // NOTE(review): gets() has no length limit, so a line longer than 255
        // bytes is written past the end of username[256] (CWE-242 / CWE-120);
        // gets() was removed from the language in C11. Presumably the
        // deliberate flaw of this level. Code outside a challenge would use
        // fgets(username, sizeof(username), stdin).
        gets(username);

        // no-op: stores NUL over the terminator that strlen() just found
        username[strlen(username)] = 0;


        query(username);

    }

    return 0;
}
70 |
71 |
// Look up `username` with getpwnam() and print either the account's passwd
// fields or a "does not exist" message to stdout.
//
// username: NUL-terminated name to look up; main() passes the buffer it
//           filled with gets().
void query(char *username)
{
    struct passwd *pw;
    char response[4096];

    pw = getpwnam(username);

    // NOTE(review): neither sprintf() call bounds the write to
    // response[4096]; snprintf(response, sizeof(response), ...) would.
    if(pw) {
        sprintf(response, "Username: %s, uid: %d, gid: %d, gecos: %s, dir: %s, shell: %s\n\n", pw->pw_name, pw->pw_uid, pw->pw_gid, pw->pw_gecos, pw->pw_dir, pw->pw_shell);
    } else {
        // the caller's input is copied into response verbatim here
        sprintf(response, "%s does not exist on this system, according to getpwnam().\n\n", username);
    }

#ifdef DEBUG
    printf("response: %p\n", response);
#endif

    // NOTE(review): response is passed as the printf format string, and in the
    // else branch it contains the caller's input (CWE-134, uncontrolled format
    // string) -- presumably the deliberate flaw of this level. Code outside a
    // challenge would print it with fputs(response, stdout) or
    // printf("%s", response).
    printf(response);
}
91 |
92 |
--------------------------------------------------------------------------------
/rules/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Rules
4 | ---
5 |
6 | Rules
7 | =====
8 |
9 | The goal of the OverTheWire games is to provide educational resources to people willing to learn
10 | topics on cybersecurity. The OverTheWire community hosts these resources free of charge for players
11 | to use and learn from. However, usage of these resources comes with a few simple rules.
12 |
13 | In general
14 | ----------
15 | 1. **Treat everyone with respect**. We will not tolerate any form of harassment or discrimination.
16 | 2. **We do not allow unsolicited spam or self-promotion** in the chatrooms or private messages.
17 | 3. **Do not spoil the game** for others in the chatrooms. If you need help, specify the game and
18 | level and someone will help you in private messages. Do not rely on Discord's `/spoiler`
19 | functionality as the chatrooms are connected to IRC where this functionality is not available.
20 | 4. Do not use easy to guess file or directory names and **clean up after yourself**. If you have
21 | created files or directories, please remove them when you are done.
22 |
23 | For educators and content-creators
24 | ----------------------------------
25 | 1. **Do not publish credentials** to any of the games. We understand the need to create writeups,
26 | walkthroughs, and tutorials, but do not publish any credentials.
27 | 2. If you are profiting from the content you create and you are able to afford it,
28 | **please [consider donating][]** a portion of your earnings to the OverTheWire community.
29 | We are a community of volunteers which relies on donations to keep the lights on.
30 | 3. Please **give credit where credit is due**. If you are using content from the OverTheWire games,
31 | please mention the OverTheWire community and provide a link to our website.
32 |
33 |
34 |
35 |
36 |
37 |
38 | ✓
39 | Thank you for accepting the rules. Have fun playing the games!
40 |
41 |
42 |
59 |
60 |
61 |
62 | [consider donating]: /information/donate.html
63 |
--------------------------------------------------------------------------------
/js/wechall-data.json:
--------------------------------------------------------------------------------
1 | {
2 | "/wargames/natas/natas0.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 1 },
3 | "/wargames/natas/natas1.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 2 },
4 | "/wargames/natas/natas2.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 3 },
5 | "/wargames/natas/natas3.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 4 },
6 | "/wargames/natas/natas4.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 5 },
7 | "/wargames/natas/natas5.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 6 },
8 | "/wargames/natas/natas6.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 7 },
9 | "/wargames/natas/natas7.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 8 },
10 | "/wargames/natas/natas8.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 15 },
11 | "/wargames/natas/natas9.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 14 },
12 | "/wargames/natas/natas10.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 13 },
13 | "/wargames/natas/natas11.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 12 },
14 | "/wargames/natas/natas12.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 11 },
15 | "/wargames/natas/natas13.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 10 },
16 | "/wargames/natas/natas14.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 9 },
17 | "/wargames/natas/natas15.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 16 },
18 | "/wargames/natas/natas16.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 17 },
19 | "/wargames/natas/natas17.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 18 },
20 | "/wargames/natas/natas18.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 137 },
21 | "/wargames/natas/natas19.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 138 },
22 | "/wargames/natas/natas20.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 139 },
23 | "/wargames/natas/natas21.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 140 },
24 | "/wargames/natas/natas22.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 141 },
25 | "/wargames/natas/natas23.html": { "form": "https://www.wechall.net/10-levels-on-Natas.html", "wfid": 142 }
26 | }
27 |
--------------------------------------------------------------------------------
/wargames/monxla/instructions.txt:
--------------------------------------------------------------------------------
1 | --- OverTheWire's Monxla wargame, released November 2012 ---
2 |
3 | 1. Introduction
4 |
5 | The story around this wargame is centered around the fictitious Russian
6 | crime family Nasenko. You play the role of agent Hipnkewl who received
7 | the following letter:
8 |
9 | Hello agent Hipnkewl,
10 |
11 | As head of the cybercrime-fighting unit of the best three-letter agency
12 | in the world, I welcome you to the team.
13 |
14 | To demonstrate your skills to the rest of the team, we have prepared your
15 | first assignment.
16 |
17 | The Russian Nasenko family has decided to become a crime family. Being
18 | hip and trendy, they have figured out that an online presence is a must
19 | in today's world. They have set up a server where they are testing and
20 | developing the best and latest cybercrime tools. What they don't know,
21 | is that we have already infiltrated their business and have a mole
22 | inside their organisation.
23 |
24 | Your job is to locate the information hidden by the mole and use it to
25 | take down the Nasenko server. Details about the location of this server
26 | will be transmitted once the mission is a go.
27 |
28 | God speed, make us proud!
29 |
30 | Signed,
31 | Director A.F.
32 |
33 | 2. How to play ?
34 |
35 | First, download the wargame live CD because it is intended to run locally.
36 | Create a new virtual machine and boot from the live CD. The game is based on Ubuntu,
37 | so any virtual hardware supported by Ubuntu should be fine in your virtualization environment.
38 |
39 | Once booted, you can use SSH to login to monxla. For maintenance reasons, there is an account
40 | 'otw' with password 'otw' with sudo rights to get a root account. This maintenance account is
41 | not part of the wargame and should not be used when playing the wargame fairly.
42 |
43 | Monxla's network settings are configured through DHCP. Log in as user otw and use sudo to
44 | find out monxla's assigned IP address to start the game. Alternatively, you may wish to
45 | configure your local DHCP server so that monxla receives a fixed IP address.
46 |
47 | To start the game, visit monxla with your webbrowser. Hint: how big is the page you are looking at?
48 |
49 | 3. Contact information
50 |
51 | For information regarding this wargame, find us at http://www.overthewire.org or through
52 | IRC on irc.overthewire.org, channel #social
53 | The OverTheWire community offers more wargames and resources for you to explore.
54 |
55 | 4. History of this wargame
56 |
57 | This wargame was reachable on monxla.labs.overthewire.org.
58 |
59 | Originally, this wargame was created for the Hackito Ergo Sum 2012 conference in Paris,
60 | which was held from April 12th to April 14th 2012. Afterwards, the wargame was opened up
61 | to any player.
62 |
63 | 5. References
64 |
65 | http://www.overthewire.org/
66 |
--------------------------------------------------------------------------------
/wargames/abraxas/instructions.txt:
--------------------------------------------------------------------------------
1 | --- OverTheWire's Abraxas wargame, released September 2011 ---
2 |
3 | 1. Introduction
4 |
5 | The story around this wargame revolves around a secret agent called Agent 7a69.
6 | This agent was recruited to steal a prototype from the factory of a company called
7 | Dildo's From Space (DFS). The task, codenamed Job 331, was to be an undercover
8 | operation and Agent 7a69 was to act alone. After several months, Agent 7a69
9 | disappeared under mysterious circumstances. All he left was his journal on Job 331.
10 |
11 | You are a newly-appointed talented secret agent recruited to continue Agent 7a69's
12 | mission. Your mission is the same. It is best that you start with Agent 7a69's logbook
13 | which is located at http://agent7a69.blogspot.com/. God speed!
14 |
15 | Note: a full copy of the logbook can also be found in /BackgroundStory.pdf of this diskimage.
16 |
17 | 2. How to play ?
18 |
19 | First, download the diskimage because it is intended to run locally.
20 | Import the diskimage into your favorite virtualization software. The game is based on Ubuntu,
21 | so any virtual hardware supported by Ubuntu should be fine in your virtualization environment.
22 |
23 | When booted, abraxas configures its network interface with:
24 | IP 192.168.66.66/24
25 | gateway 192.168.66.254
26 | DNS server 8.8.8.8 (Google)
27 | There is no need to give access to the internet to get abraxas working.
28 |
29 | You can use SSH to login to abraxas. For maintenance reasons, there is an account 'otw' with
30 | password 'otw' with sudo rights to get a root account. This maintenance account is not part of
31 | the wargame and should not be used when playing the wargame fairly.
32 |
33 | Once the game is running, find the logbook mentioned earlier and read it. Instructions on how
34 | to start playing are in there.
35 |
36 | 3. Contact information
37 |
38 | For information regarding this wargame, find us at http://www.overthewire.org or through
39 | IRC on irc.overthewire.org, channel #social
40 | The OverTheWire community offers more wargames and resources for you to explore.
41 |
42 | 4. History of this wargame
43 |
44 | This wargame was reachable on abraxas.labs.overthewire.org and
45 | abraxas.dildosfromspace.com, which both resolved to the same IP address.
46 | With the release of this diskimage, both DNS records have been updated to
47 | point to 192.168.66.66, which is the local IP address of this offline version of the game.
48 | The dildosfromspace.com domainname might no longer exist when you read this.
49 |
50 | Originally, this wargame was created for the Hackito Ergo Sum 2011 conference in Paris,
51 | which was held from April 7th to April 9th 2011. Afterwards, the wargame was opened up
52 | to any player.
53 |
54 | 5. References
55 |
56 | http://www.overthewire.org/
57 | http://agent7a69.blogspot.com/
58 | http://hackitoergosum.org/
59 |
--------------------------------------------------------------------------------
/_layouts/default.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 | {% if page.title != nil %}
17 | OverTheWire: {{page.title}}
18 | {% else %}
19 | OverTheWire
20 | {% endif %}
21 |
22 |
23 |
24 |
";
85 |
86 | // also set the webpage title
87 | document.title += ": " + title.replace('→', '\u2192');
88 | };
89 | oReq.open("GET", "/games.json", true);
90 | oReq.send();
91 | }
92 |
/**
 * Pop up an alert that says whether an ad blocker seems to be active.
 * The check is whether the global `fuckAdBlock` is undefined; when it is,
 * the "running adblock" message is shown.
 */
function checkAdBlock() {
    var detectorMissing = (typeof fuckAdBlock === 'undefined');
    var message = detectorMissing
        ? "congrats on running adblock"
        : "not running adblock";
    alert(message);
}
100 |
--------------------------------------------------------------------------------
/wargames/drifter/drifter0.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | gamename: drifter
4 | level: 0
5 | ---
6 | Drifter can be accessed on drifter.labs.overthewire.org via SSH on port 2230. Level 0 listens
7 | on port 1111.
8 |
9 | Level0 is an extremely trivial, encrypted, remote syscall proxy. Your
10 | aim is to read the contents of a file called "drifter0.password" to get the
11 | password for user drifter0.
12 |
13 | Upon connection, it sets up an encrypted rc4 key (based on the
14 | connecting IP address / port), read()'s in 9 integers, and then decrypts
15 | them, and hands them off to syscall(). This allows the network client
16 | to execute arbitrary syscalls in a safe way.
17 |
18 | To give you an idea of what's needed:
19 |
20 | **You'll need to**
21 |
22 | 1. If you are behind a NAT/PAT, you might want to do vortex level0, and
23 | complete this level from vortex, as otherwise your known IP address
24 | and port information changes.
25 | 2. Examine how the RC4 keys are generated, and how they are applied
26 | 3. [mmap2()][] some memory. You will get the address where the memory
27 | was allocated in the response from the server. mmap2() takes its
28 | arguments from registers, not the stack.
29 | 4. [read()][] into that allocated buffer to get the file name. The
30 | source fd that you need will be 4. (0-2 = stdin/stdout/stderr, 3
31 | will be network socket, so 4 is next in line.) You will want to read
32 | in enough data for the filename "instructions".
33 | 5. Write the filename ("instructions" sans quotes) to the allocated
34 | memory location to your client socket
35 | 6. [open()][] the "instructions" file. You will get the fd it was
36 | allocated to in response
37 | 7. [read()][] from the allocated file descriptor to your allocated
38 | memory
39 | 8. [write()][] from the allocated buffer to the socket on the server
40 | (fd 4)
41 |
42 | Once all that is done, you will have the contents of the instructions
43 | file printed to your screen.
44 |
45 | Of course - this does not prevent you from using other mechanisms to
46 | access the server, such as using "shelldemo" from metasploit 2.x to
47 | examine the environment. In fact, using shelldemo is probably a good
48 | exercise as well.
49 |
50 | In order to get the values for the parameters you need, you can use
51 | cross-references of linux code on the net, for example, to look up the
52 | value for \_\_NR\_read (linux read syscall()), we can use [this][] which
53 | will lead us to [http://lxr.linux.no][]. From there we can use the
54 | search facility to find the values we need, [such as:][]
55 |
56 | \#define \_\_NR\_read 3
57 |
58 | If this level is too complicated / involved, please leave a comment.
59 | While it's more complicated than adding several little endian integers
60 | together, I don't want the initial level to be overkill.
61 |
62 | The following sourcecode is located in /drifter/drifter0_src/ :
63 |
64 | {% include showFile.html path="drifter0.c" %}
65 | {% include showFile.html path="rc4.c" %}
66 | {% include showFile.html path="rc4.h" %}
67 |
68 | [mmap2()]: http://www.linuxinfor.com/english/man2/mmap2.html
69 | [read()]: http://www.linuxinfor.com/english/man2/read.html
70 | [open()]: http://www.linuxinfor.com/english/man2/open.html
71 | [write()]: http://www.linuxinfor.com/english/man2/write.html
72 | [this]: http://www.google.com.au/search?q=linux+lxr+__NR_read&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
73 | [http://lxr.linux.no]: http://lxr.linux.no
74 | [such as:]: http://lxr.linux.no/linux/include/asm-i386/unistd.h#L11
75 |
--------------------------------------------------------------------------------
/information/sshinfra.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | listinformation: true
4 | title: SSH/infrastructure
5 | ---
6 |
7 | SSH and the infrastructure
8 | ==========================
9 |
10 | All ssh-based games on OverTheWire run in [Docker] containers.
11 | When you login with SSH to one of the games, a fresh Docker container is created just for you.
12 | No one else is logged into your container, nor are there any files from other players lying around.
13 | We opted for this setup to provide each player with a clean environment to experiment and learn in,
14 | which is automatically cleaned up when you log out.
15 |
16 | Because of this setup, things are not as straightforward as one would think.
17 | Take SSH for example. Each SSH connection creates a new environment to work in.
18 | Most of the time, this works nicely. However, there are cases where this is a problem.
19 |
20 | Consider for instance a level where you must log in twice to the same container.
21 | Because of the way things are set up, logging in twice will give you access to different containers,
22 | each with a clean working environment and not able to affect each other. This is not what you want.
23 |
24 | Luckily, there are ways around this.
25 | One way is to use SSH with port forwarding.
26 | For instance:
27 |
28 | ssh -l bandit0 -p 2220 -L 1234:localhost:22 bandit.labs.overthewire.org
29 |
30 | With this command, you connect to the [bandit] game on port 2220 with username bandit0,
31 | and instruct your SSH client to set up port forwarding from port 1234 on your local computer,
32 | to port 22 on "localhost" as seen from the bandit container.
33 | What this means is that port 1234 on your local computer is forwarded to the SSH server inside the one bandit container
34 | that was created for you.
35 | If you connect several times to "localhost" port 1234 on your own computer, you end up each time in
36 | the same container.
37 |
38 | As long as you keep the initial SSH connection, which forwards the port, open, you will be able to login to the same container.
39 | Remember that the container will be inaccessible as soon as you close this connection!
40 |
41 | Also see the help page about persisting [User data].
42 |
43 | SSH keys
44 | --------
45 |
46 | You may experience an SSH warning about new SSH keys for the shell-based games,
47 | such as this one:
48 |
49 | The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established.
50 | ECDSA key fingerprint is SHA256:SCySwNrZFEHArEX1cAlnnaJ5gz2O8VEigY9X80nFWUU.
51 | Are you sure you want to continue connecting (yes/no)?
52 |
53 | Here is the expected output from ssh-keyscan for bandit.labs.overthewire.org. These keys are the same for all shell-based games,
54 | not just bandit. If you see another key, then you are most likely being man-in-the-middled.
55 |
56 | $ ssh-keyscan -p 2220 -T 10 bandit.labs.overthewire.org
57 |
58 | # bandit.labs.overthewire.org:2220 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
59 | [bandit.labs.overthewire.org]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDy5O/3KJT8z1aAC/hAuphG3gha/xVowSwc/066SVrSewHY4ETsCr3EdiClK+uw1OQYSBxHa6jPjEpKIeIMili5p6E4aEiiC3uYFkRCOQUN0bfYKgbHs5n1vEpua0UztLSf3AFGF2Lw2VEYd2Fuv1bPj2bYobpLTfLqjVhu8PWtQbgWBbECZBE7I7hSwvQzAnuaxJg/c2VtjD5vl3EOX6VlrnuDvYtM0q8dMrftBC9nTOzWc1RP8POVkcFdva+DETcQCeuG0rUPRZCzRpIhvxNf6BNkxeEHjkaIeedBPvDLdc9DLvdouzvw6H8EoU0pDJXsHraPWnuUEgwIAuD4auIP
60 | # bandit.labs.overthewire.org:2220 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
61 | [bandit.labs.overthewire.org]:2220 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjKNpXfKljXFVLM9p/6qZqUg8BzGs5wFFQWktFD5H9xXXcnH5yzQqtp7MpTPxBVk+1TRxmb0s5Ej3VewH5GK+E=
62 | # bandit.labs.overthewire.org:2220 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
63 | [bandit.labs.overthewire.org]:2220 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK+bRnQZW9014ZUy5kubl5hwpgb+2r6Xsyx0xP018o
64 |
65 |
66 | [Docker]: https://www.docker.com/
67 | [bandit]: /wargames/bandit
68 | [User data]: userdata.html
69 |
--------------------------------------------------------------------------------
/wargames/semtex/semtex10.c:
--------------------------------------------------------------------------------
1 | #define _GNU_SOURCE
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 |
15 |
16 | #define LISTENPORT 24019
17 | #define REALPWD "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
18 | #define OLDPWD "XXXXXXXXXXXXXXXX"
19 | #define DROPUID 1998
20 | #define DROPGID 1998
21 |
22 | struct query /* Request record; main() fills the global qry with one recv() of sizeof(struct query) raw bytes, so layout and byte order are those of the host. */
23 | {
24 | unsigned char oldpass[20+1]; /* gate value; main() compares its first strlen(OLDPWD) bytes with OLDPWD */
25 | unsigned char pass[100+1]; /* candidate password checked against REALPWD */
26 | unsigned int len; /* client-supplied length used when checking pass; arrives from the network, so treat it as untrusted */
27 | } qry;
28 |
29 | struct response /* Reply record; main() zeroes the global rsp per request and send()s it as sizeof(struct response) raw bytes. */
30 | {
31 | unsigned int result; /* stays 0 unless the password check in main() succeeds, then 1 */
32 | unsigned char pass[100+1]; /* REALPWD is copied here only on a successful full-length check; otherwise left zeroed */
33 | } rsp;
34 |
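/*
 * Check the password submitted in *q against REALPWD.
 *
 * The comparison length is fixed by the server.  It must never come from the
 * client: a client-chosen length turns the check into a prefix match, and a
 * length of 0 matches anything.  The claimed length is therefore only
 * accepted when it equals strlen(REALPWD).
 *
 * The byte comparison accumulates differences instead of stopping at the
 * first mismatch, so the time taken does not depend on how many leading
 * bytes are correct.  (The early return on a wrong length reveals only the
 * length.)
 *
 * Returns 1 on an exact match, 0 otherwise.
 */
static int password_matches(const struct query *q)
{
    const unsigned char *expected = (const unsigned char *)REALPWD;
    const size_t expected_len = strlen(REALPWD);
    unsigned char diff = 0;
    size_t i;

    /* The first test keeps the loop inside q->pass even if REALPWD is
     * ever made longer than the wire field. */
    if (expected_len >= sizeof q->pass || q->len != expected_len)
    {
        return 0;
    }

    for (i = 0; i < expected_len; i++)
    {
        diff |= (unsigned char)(q->pass[i] ^ expected[i]);
    }

    return diff == 0;
}

/*
 * Serve one client connection in the forked child; never returns.
 *
 * Each round reads exactly one struct query, checks it and sends back one
 * struct response.  Any short read, failed gate check or short write closes
 * the connection and exits the child with EXIT_FAILURE.
 */
static void serve_client(int connfd)
{
    for (;;)
    {
        /* Clear both records, padding included, so nothing from a previous
         * round is compared or sent back. */
        memset(&qry, 0, sizeof qry);
        memset(&rsp, 0, sizeof rsp);

        /* TCP is a byte stream: MSG_WAITALL keeps a query that arrives in
         * several segments from being rejected as a short read. */
        if (recv(connfd, &qry, sizeof qry, MSG_WAITALL) != (ssize_t)sizeof qry)
        {
            perror("recv");
            close(connfd);
            exit(EXIT_FAILURE);
        }

        /* Client data is not guaranteed to be NUL-terminated. */
        qry.oldpass[sizeof qry.oldpass - 1] = '\0';
        qry.pass[sizeof qry.pass - 1] = '\0';

        /* Gate: the first strlen(OLDPWD) bytes of oldpass must equal OLDPWD. */
        if (strncmp((const char *)qry.oldpass, OLDPWD, strlen(OLDPWD)) != 0)
        {
            close(connfd);
            exit(EXIT_FAILURE);
        }

        if (password_matches(&qry))
        {
            rsp.result = 1;
            /* Bounded copy: cannot overrun rsp.pass whatever REALPWD is. */
            snprintf((char *)rsp.pass, sizeof rsp.pass, "%s", REALPWD);
        }

        if (send(connfd, &rsp, sizeof rsp, 0) != (ssize_t)sizeof rsp)
        {
            perror("send");
            close(connfd);
            exit(EXIT_FAILURE);
        }
    }
}

/*
 * Password-check server: drops privileges, daemonizes, listens on
 * LISTENPORT and forks one child per accepted connection.
 *
 * Exits with EXIT_FAILURE when privileges cannot be dropped or the
 * listening socket cannot be set up; otherwise loops forever.
 */
int main(int argc, char *argv[])
{
    int listenfd, connfd;
    struct sockaddr_in localaddr;
    struct sockaddr_in remoteaddr;
    socklen_t sin_size;     /* accept() takes a socklen_t *, not an int * */
    int port = LISTENPORT;
    pid_t pid;

    (void)argc;
    (void)argv;

    /* Fail closed: if either call fails the process would keep serving
     * untrusted clients with the privileges it was started with.
     * Group first, while we may still be allowed to change it.
     * NOTE(review): supplementary groups are not cleared here; consider
     * setgroups() before setresgid() if this is started as root. */
    if (setresgid(DROPGID, DROPGID, DROPGID) == -1)
    {
        perror("setresgid");
        exit(EXIT_FAILURE);
    }
    if (setresuid(DROPUID, DROPUID, DROPUID) == -1)
    {
        perror("setresuid");
        exit(EXIT_FAILURE);
    }

    /* A client that disconnects mid-send must not kill the process. */
    signal(SIGPIPE, SIG_IGN);

    /* daemon(0,0) points stdio at /dev/null, so perror() output after this
     * line is discarded. */
    if (daemon(0, 0) == -1)
    {
        perror("daemon");
        exit(EXIT_FAILURE);
    }

    if ((listenfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    memset(&localaddr, 0, sizeof localaddr);
    localaddr.sin_family = AF_INET;
    localaddr.sin_port = htons(port);
    localaddr.sin_addr.s_addr = INADDR_ANY;

    if (bind(listenfd, (struct sockaddr *)&localaddr, sizeof localaddr) == -1)
    {
        perror("bind");
        exit(EXIT_FAILURE);
    }

    if (listen(listenfd, 20) == -1)
    {
        perror("listen");
        exit(EXIT_FAILURE);
    }

    for (;;)
    {
        sin_size = sizeof remoteaddr;
        connfd = accept(listenfd, (struct sockaddr *)&remoteaddr, &sin_size);
        if (connfd == -1)
        {
            perror("accept");
            continue;
        }

        pid = fork();
        if (pid == 0)
        {
            /* Child: the listening socket belongs to the parent. */
            close(listenfd);
            serve_client(connfd);
        }
        if (pid == -1)
        {
            perror("fork");
        }

        /* Parent: reap children that have already exited, without blocking. */
        while (waitpid(-1, NULL, WNOHANG) > 0)
        {
        }

        /* The child holds its own copy of the descriptor. */
        close(connfd);
    }
}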
127 |
--------------------------------------------------------------------------------