Program Interaction
level 1
- the challenge checks for a specific parent process : bash
hacker@program-interaction~level1:/$ /bin/bash
hacker@program-interaction~level1:/$ /challenge/embryoio_level1
level 2
- the challenge checks for a specific parent process : bash
- the challenge will check for a hardcoded password over stdin : ohlxdzwk
hacker@program-interaction~level2:/$ /bin/bash
hacker@program-interaction~level2:/$ /challenge/embryoio_level2
level 3
- the challenge checks for a specific parent process : bash
- the challenge will check that argv[NUM] holds value VALUE (listed to the right as NUM:VALUE) : 1:zjknqbgpym
hacker@program-interaction~level3:/$ /bin/bash
hacker@program-interaction~level3:/$ /challenge/embryoio_level3 zjknqbgpym
level 4
- the challenge checks for a specific parent process : bash
- the challenge will check that env[KEY] holds value VALUE (listed to the right as KEY:VALUE) : eoenyp:erxmsdihin
hacker@program-interaction~level4:/$ /bin/bash
hacker@program-interaction~level4:/$ export eoenyp=erxmsdihin
hacker@program-interaction~level4:/$ /challenge/embryoio_level4
level 5
- the challenge checks for a specific parent process : bash
- the challenge will check that input is redirected from a specific file path : /tmp/etgyzz
- the challenge will check for a hardcoded password over stdin : fzgfqswr
hacker@program-interaction~level5:/$ /bin/bash
hacker@program-interaction~level5:/$ echo "fzgfqswr" > /tmp/etgyzz
hacker@program-interaction~level5:/$ /challenge/embryoio_level5 < /tmp/etgyzz
level 6
- the challenge checks for a specific parent process : bash
- the challenge will check that output is redirected to a specific file path : /tmp/mriavb
hacker@program-interaction~level6:/$ /bin/bash
hacker@program-interaction~level6:/$ /challenge/embryoio_level6 > /tmp/mriavb
hacker@program-interaction~level6:/$ cat /tmp/mriavb
level 7
- the challenge checks for a specific parent process : bash
- the challenge will check that the environment is empty (except LC_CTYPE, which is impossible to get rid of in some cases)
hacker@program-interaction~level7:/$ /bin/bash
hacker@program-interaction~level7:/$ env -i /challenge/embryoio_level7
level 8
- the challenge checks for a specific parent process : shellscript
#!/bin/bash
/challenge/embroio_level8
hacker@program-interaction~level8:~$ bash embryoio8.sh
level 9
- the challenge checks for a specific parent process : shellscript
- the challenge will check for a hardcoded password over stdin : arstshwf
#!/bin/bash
/challenge/embryoio_level9
hacker@program-interaction~level9:~$ bash embryoio9.sh
level 10
- the challenge checks for a specific parent process : shellscript
- the challenge will check that argv[NUM] holds value VALUE (listed to the right as NUM:VALUE) : 1:asbiaaphyn
embryoio10.sh
#!/bin/bash
/challenge/embryoio_level10 asbiaaphyn
hacker@program-interaction~level10:~$ bash embryoio10.sh
level 11
- the challenge checks for a specific parent process : shellscript
- the challenge will check that env[KEY] holds value VALUE (listed to the right as KEY:VALUE) : xwzejc:oniobeaqfb
embryoio11.sh
#!/bin/bash
export xwzejc=oniobeaqfb
/challenge/embryoio_level11
hacker@program-interaction~level11:~$ bash embryoio11.sh
level 12
- the challenge checks for a specific parent process : shellscript
- the challenge will check that input is redirected from a specific file path : /tmp/kzgaox
- the challenge will check for a hardcoded password over stdin : bczijbap
embryoio12.sh
#!/bin/bash
echo "bczijbap" > /tmp/kzgaox
/challenge/embryoio_level12 < /tmp/kzgaox
hacker@program-interaction~level12:~$ bash embryoio12.sh
level 13
- the challenge checks for a specific parent process : shellscript
- the challenge will check that output is redirected to a specific file path : /tmp/umcqpn
embryoio13.sh
#!/bin/bash
/challenge/embryoio_level13 > /tmp/umcqpn
hacker@program-interaction~level13:~$ nano embryoio13.sh
hacker@program-interaction~level13:~$ cat /tmp/umcqpn
level 14
- the challenge checks for a specific parent process : shellscript
- the challenge will check that the environment is empty (except LC_CTYPE, which is impossible to get rid of in some cases)
embryoio14.sh
#!/bin/bash
env -i /challenge/embryoio_level14
hacker@program-interaction~level14:~$ bash embryoio14.sh
level 15
- the challenge checks for a specific parent process : ipython
hacker@program-interaction~level15:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level15"])
p.interactive()
import subprocess
p = subprocess.Popen(["/challenge/embryoio_level15"]);
p.communicate()
import subprocess
subprocess.call(["/challenge/embryoio_level15"]);
level 16
- the challenge checks for a specific parent process : ipython
- the challenge will check for a hardcoded password over stdin : dwlvbdjr
hacker@program-interaction~level15:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level16"])
p.interactive()
import subprocess
p = subprocess.Popen(["/challenge/embryoio_level15"]);
p.communicate()
import subprocess
subprocess.call(["/challenge/embryoio_level16"]);
level 17
- the challenge checks for a specific parent process : ipython
- the challenge will check that argv[NUM] holds value VALUE (listed to the right as NUM:VALUE) : 1:fkfxeulkjy
hacker@program-interaction~level17:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level17", "fkfxeulkjy"])
p.interactive()
import subprocess
p = subprocess.Popen(["/challenge/embryoio_level17", "fkfxeulkjy"]);
p.communicate()
import subprocess
subprocess.call(["/challenge/embryoio_level17", "fkfxeulkjy"]);
level 18
- the challenge checks for a specific parent process : ipython
- the challenge will check that env[KEY] holds value VALUE (listed to the right as KEY:VALUE) : cnsysl:idndqtahuc
hacker@program-interaction~level18:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level18"], env={"cnsysl":"idndqtahuc"})
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level18"], env={"cnsysl":"idndqtahuc"});
p.communicate()
import subprocess
subprocess.call(["/challenge/embryoio_level18"], env={"cnsysl":"idndqtahuc"});
level 19
- the challenge checks for a specific parent process : ipython
- the challenge will check that input is redirected from a specific file path : /tmp/etksmq
- the challenge will check for a hardcoded password over stdin : tbbefvop
hacker@program-interaction~level19:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
import os
with open("/tmp/etksmq", 'w') as file:
file.write("tbbefvop")
fd = os.open("/tmp/etksmq", os.O_RDONLY)
p = process(["/challenge/embryoio_level19"], stdin=fd)
p.interactive()
We have to open the /tmp/etksmq file and write tbbefvop to it.
Then we open the file again in O_RDONLY mode and save it as fd file descriptor.
We then pass this fd as STDIN.
import subprocess as sp
import os
with open("/tmp/etksmq", "w") as file:
file.write("tbbefvop")
fd = os.open("/tmp/etksmq", os.O_RDONLY)
p = sp.Popen(["/challenge/embryoio_level19"], stdin=fd);
p.communicate()
import subprocess
import os
with open("/tmp/etksmq", "w") as file:
file.write("tbbefvop")
fd = os.open("/tmp/etksmq", os.O_RDONLY)
p = subprocess.call(["/challenge/embryoio_level19"], stdin=fd);
level 20
- the challenge checks for a specific parent process : ipython
- the challenge will check that output is redirected to a specific file path : /tmp/wxngwq
hacker@program-interaction~level20:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
import os
fd = os.open("/tmp/wxngwq", os.O_WRONLY | os.O_CREAT)
p = process(["/challenge/embryoio_level20"], stdout=fd)
with open("/tmp/wxngwq", "r") as file:
print(file.read())
p.interactive()
This time we open the /tmp/wxngwq with the O_WRONLY option. We also specify the O_CREAT option so that the file will be created if it doesn't already exist.
We then pass this fd file descriptor as STDOUT so the program can write to it.
Lastly we just open it file with r permissions and print the contents.
import subprocess as sp
import os
fd = os.open("/tmp/wxngwq", os.O_WRONLY | os.O_CREAT)
p = sp.Popen(["/challenge/embryoio_level20"], stdout=fd);
with open("/tmp/wxngwq", "r") as file:
print(file.read())
p.communicate()
import subprocess
import os
fd = os.open("/tmp/wxngwq", os.O_WRONLY | os.O_CREAT)
p = subprocess.call(["/challenge/embryoio_level20"], stdout=fd);
with open("/tmp/wxngwq", "r") as file:
print(file.read())
level 21
- the challenge checks for a specific parent process : ipython
- the challenge will check that the environment is empty (except LC_CTYPE, which is impossible to get rid of in some cases)
hacker@program-interaction~level21:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
WARNING: your terminal doesn't support cursor position requests (CPR).
In [1]:
from pwn import *
import os
p = process(["/challenge/embryoio_level21"], env={})
p.interactive()
The env parameter is a list. If we keep this list as blank it will we considered as empty.
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level21"], env={});
p.communicate()
import subprocess
subprocess.call(["/challenge/embryoio_level21"], env={});
level 22
- the challenge checks for a specific parent process : python
from pwn import *
p = process(["/challenge/embryoio_level22"])
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level22"]);
p.communicate()
import subprocess
p = subprocess.call(["/challenge/embryoio_level22"]);
hacker@program-interaction~level22:~$ python embryoio22.py
level 23
- the challenge checks for a specific parent process : python
- the challenge will check for a hardcoded password over stdin : ulelosql
embryoio23.py
from pwn import *
p = process(["/challenge/embryoio_level23"])
p.interactive()
embryoio23.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level23"]);
p.communicate()
embryoio23.py
import subprocess
p = subprocess.call(["/challenge/embryoio_level23"]);
hacker@program-interaction~level23:~$ python embryoio23.py
level 24
- the challenge checks for a specific parent process : python
- the challenge will check that argv[NUM] holds value VALUE (listed to the right as NUM:VALUE) : 1:ebyhyvaqeu
embryoio24.py
from pwn import *
p = process(["/challenge/embryoio_level24", "ebyhyvaqeu"])
p.interactive()
embryoio24.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level24", "ebyhyvaqeu"]);
p.communicate()
embryoio24.py
import subprocess
subprocess.call(["/challenge/embryoio_level24", "ebyhyvaqeu"]);
hacker@program-interaction~level24:~$ python embryoio24.py
level 25
- the challenge checks for a specific parent process : python
- the challenge will check that env[KEY] holds value VALUE (listed to the right as KEY:VALUE) : zxkabi:nuscpaudrt
embryoio25.py
from pwn import *
p = process(["/challenge/embryoio_level25"], env={"zxkabi":"nuscpaudrt"})
p.interactive()
embryoio25.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level25"], env={"zxkabi":"nuscpaudrt"});
p.communicate()
embryoio25.py
import subprocess
p = subprocess.call(["/challenge/embryoio_level25"], env={"zxkabi":"nuscpaudrt"});
hacker@program-interaction~level25:~$ python embryoio25.py
level 26
- the challenge checks for a specific parent process : python
- the challenge will check that input is redirected from a specific file path : /tmp/touekf
- the challenge will check for a hardcoded password over stdin : fnzkutbe
embryoio26.py
from pwn import *
import os
with open("/tmp/touekf", "w") as file:
file.write("fnzkutbe")
fd = os.open("/tmp/touekf", os.O_RDONLY)
p = process(["/challenge/embryoio_level26"], stdin=fd)
p.interactive()
embryoio26.py
import subprocess as sp
import os
with open("/tmp/touekf", "w") as file:
file.write("fnzkutbe")
fd = os.open("/tmp/touekf", os.O_RDONLY)
p = sp.Popen(["/challenge/embryoio_level26"], stdin=fd);
p.communicate()
embryoio26.py
import subprocess
import os
with open("/tmp/touekf", "w") as file:
file.write("fnzkutbe")
fd = os.open("/tmp/touekf", os.O_RDONLY)
p = subprocess.call(["/challenge/embryoio_level26"], stdin=fd);
hacker@program-interaction~level26:~$ python embryoio26.py
level 27
- the challenge checks for a specific parent process : python
- the challenge will check that output is redirected to a specific file path : /tmp/btxtnc
embryoio27.py
from pwn import *
import os
fd = os.open("/tmp/btxtnc", os.O_WRONLY | os.O_CREAT)
p = process(["/challenge/embryoio_level27"], stdout=fd)
with open("/tmp/btxtnc", "r") as file:
print(file.read())
p.interactive()
embryoio27.py
import subprocess as sp
import os
fd = os.open("/tmp/btxtnc", os.O_WRONLY | os.O_CREAT)
p = sp.Popen(["/challenge/embryoio_level27"], stdout=fd);
with open("/tmp/btxtnc", "r") as file:
print(file.read())
p.communicate()
embryoio27.py
import subprocess
import os
fd = os.open("/tmp/btxtnc", os.O_WRONLY | os.O_CREAT)
p = subprocess.call(["/challenge/embryoio_level27"], stdout=fd);
with open("/tmp/btxtnc", "r") as file:
print(file.read())
hacker@program-interaction~level27:~$ python embryoio27.py
level 28
- the challenge checks for a specific parent process : python
- the challenge will check that the environment is empty (except LC_CTYPE, which is impossible to get rid of in some cases)
embryoio28.py
from pwn import *
import os
p = process(["/challenge/embryoio_level28"], env={})
p.interactive()
embryoio28.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level28"], env={});
p.communicate()
embryoio28.py
import subprocess
p = subprocess.call(["/challenge/embryoio_level28"], env={});
hacker@program-interaction~level28:~$ python embryoio28.py
level 29
- the challenge checks for a specific parent process : binary
embryoio29.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
execve("/challenge/embryoio_level29", NULL, NULL);
exit(0);
}
int main (int argc, char argv[]) {
pid_t cpid;
if (fork() == 0) {
pwncollege();
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio29.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
switch(pid = fork()) {
case -1:
printf("Error\n");
break;
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
execl("/challenge/embryoio_level29", (char *)NULL);
}
hacker@program-interaction~level29:~$ gcc embryoio29.c -o embryoio29
embryoio29.c: In function ‘main’:
embryoio29.c:12:6: warning: implicit declaration of function ‘fork’ [-Wimplicit-function-declaration]
12 | if (fork() == 0) {
| ^~~~
embryoio29.c:13:3: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
13 | execve(filename, NULL, NULL);
| ^~~~~~
embryoio29.c:17:10: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
17 | cpid = wait(NULL);
| ^~~~
hacker@program-interaction~level29:~$ ./embryoio29
level 30
- the challenge checks for a specific parent process : binary
- the challenge will check for a hardcoded password over stdin : apyhlmya
embryoio30.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
execve("/challenge/embryoio_level30", NULL, NULL);
exit(0);
}
int main (int argc, char argv[]) {
pid_t cpid;
if (fork() == 0) {
pwncollege();
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio30.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
switch(pid = fork()) {
case -1:
printf("Error\n");
break;
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
execl("/challenge/embryoio_level30", (char *)NULL);
}
hacker@program-interaction~level30:~$ gcc embryoio30.c -o embryoio30
embryoio30.c: In function ‘main’:
embryoio30.c:12:6: warning: implicit declaration of function ‘fork’ [-Wimplicit-function-declaration]
12 | if (fork() == 0) {
| ^~~~
embryoio30.c:13:3: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
13 | execve(filename, NULL, NULL);
| ^~~~~~
embryoio30.c:17:10: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
17 | cpid = wait(NULL);
| ^~~~
hacker@program-interaction~level30:~$ ./embryoio30
level 31
- the challenge checks for a specific parent process : binary
- the challenge will check that argv[NUM] holds value VALUE (listed to the right as NUM:VALUE) : 1:chapeafvrb
embryoio31.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
execve(filename, argv, NULL);
exit(0);
}
int main (int argc, char argv[]) {
const char filename[100] = "/challenge/embryoio_level31";
pid_t cpid;
char *argv[] = {filename, "chapeafvrb", NULL};
int newfd;
dup2(0, newfd);
if (fork() == 0) {
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio31.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
switch(pid = fork()) {
case -1:
printf("Error\n");
break;
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
execl("/challenge/embryoio_level31", "chapeafvrb", (char *)NULL);
}
hacker@program-interaction~level31:~$ gcc embryoio31.c -o embryoio31
embryoio31.c: In function ‘main’:
embryoio31.c:12:21: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
12 | char *argv[] = {filename, "chapeafvrb", NULL};
| ^~~~~~~~
embryoio31.c:15:5: warning: implicit declaration of function ‘dup2’ [-Wimplicit-function-declaration]
15 | dup2(0, newfd);
| ^~~~
embryoio31.c:17:9: warning: implicit declaration of function ‘fork’ [-Wimplicit-function-declaration]
17 | if (fork() == 0) {
| ^~~~
embryoio31.c:18:6: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
18 | execve(filename, argv, NULL);
| ^~~~~~
embryoio31.c:22:16: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
22 | cpid = wait(NULL);
| ^~~~
hacker@program-interaction~level31:~$ ./embryoio31
level 32
- the challenge checks for a specific parent process : binary
- the challenge will check that env[KEY] holds value VALUE (listed to the right as KEY:VALUE) : mrsqev:oaxcmkzbmf
embryoio32.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
}
int main () {
const char filename[100] = "/challenge/embryoio_level32";
pid_t cpid;
char *envp[] = {"mrsqev=oaxcmkzbmf", NULL};
int newfd;
dup2(0, newfd);
if (fork() == 0) {
execve(filename, NULL, envp);
exit(0);
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio32.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
switch(pid = fork()) {
case -1:
printf("Error\n");
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
setenv("mrsqev", "oaxcmkzbmf", 1);
execl("/challenge/embryoio_level32", (char *)NULL);
}
hacker@program-interaction~level32:~$ gcc embryoio32.c -o embryoio32
embryoio32.c: In function ‘main’:
embryoio32.c:15:5: warning: implicit declaration of function ‘dup2’ [-Wimplicit-function-declaration]
15 | dup2(0, newfd);
| ^~~~
embryoio32.c:17:9: warning: implicit declaration of function ‘fork’ [-Wimplicit-function-declaration]
17 | if (fork() == 0) {
| ^~~~
embryoio32.c:18:6: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
18 | execve(filename, NULL, envp);
| ^~~~~~
embryoio32.c:22:16: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
22 | cpid = wait(NULL);
| ^~~~
hacker@program-interaction~level32:~$ ./embryoio32
level 33
- the challenge checks for a specific parent process : binary
- the challenge will check that input is redirected from a specific file path : /tmp/brxhzr
- the challenge will check for a hardcoded password over stdin : trimcsgm
embryoio33.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
execve("/challenge/embryoio_level33", NULL, NULL);
exit(0);
}
int main (int argc, char argv[]) {
pid_t cpid;
FILE *fptr;
fptr = fopen("/tmp/brxhzr", "w");
fprintf(fptr, "trimcsgm");
fclose(fptr);
freopen("/tmp/brxhzr", "r", stdin);
if (fork() == 0) {
pwncollege();
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio33.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
int fd;
FILE *fptr;
fptr = fopen("/tmp/brxhzr", "w");
fprintf(fptr, "trimcsgm");
fclose(fptr);
freopen("/tmp/brxhzr", "r", stdin);
switch(pid = fork()) {
case -1:
printf("Error\n");
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
execl("/challenge/embryoio_level33", (char *)NULL);
}
hacker@program-interaction~level34:~$ gcc embryoio33.c -o embryoio33
hacker@program-interaction~level34:~$ ./embryoio33
level 34
- the challenge checks for a specific parent process : binary
- the challenge will check that output is redirected to a specific file path : /tmp/cigexf
embryoio34.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
execve("/challenge/embryoio_level34", NULL, NULL);
exit(0);
}
int main (int argc, char argv[]) {
pid_t cpid;
freopen("/tmp/cigexf", "w", stdout);
if (fork() == 0) {
pwncollege();
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio34.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
int fd;
freopen("/tmp/cigexf", "w", stdout);
switch(pid = fork()) {
case -1:
printf("Error\n");
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
execl("/challenge/embryoio_level34", (char *)NULL);
}
hacker@program-interaction~level34:~$ gcc embryoio34.c -o embryoio34
hacker@program-interaction~level34:~$ ./embryoio34
hacker@program-interaction~level34:~$ cat /tmp/cigexf
level 35
- the challenge checks for a specific parent process : binary
- the challenge will check that the environment is empty (except LC_CTYPE, which is impossible to get rid of in some cases)
embryoio35.c
#include <stdio.h>
#include <stdlib.h>
void pwncollege () {
}
int main () {
const char filename[100] = "/challenge/embryoio_level35";
pid_t cpid;
char *envp[] = {"mrsqev=oaxcmkzbmf", NULL};
int newfd;
dup2(0, newfd);
if (fork() == 0) {
execve(filename, NULL, envp);
exit(0);
}
else {
cpid = wait(NULL);
}
return 0;
}
embryoio35.c
#include <stdio.h>
#include <unistd.h>
int main (int argc, char argv[]) {
int pid;
int pstat;
switch(pid = fork()) {
case -1:
printf("Error\n");
break;
case 0:
pwncollege();
}
waitpid(pid, (int *)&pstat, 0);
return 0;
}
void pwncollege () {
char *empty_env[] = { NULL };
execle("/challenge/embryoio_level35", "/challenge/embryoio_level35", (char *)NULL, empty_env);
}
hacker@program-interaction~level35:~$ gcc embryoio35.c -o embryoio35
hacker@program-interaction~level35:~$ ./embryoio35
level 36
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdout : cat
hacker@program-interaction~level36:/$ /bin/bash
hacker@program-interaction~level36:/$ /challenge/embryoio_level36 | cat
level 37
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdout : grep
hacker@program-interaction~level37:/$ /bin/bash
hacker@program-interaction~level37:/$ /challenge/embryoio_level37 | grep "pwn.college"
&nsbsp;
level 38
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdout : sed
acker@program-interaction~level38:/$ /bin/bash
hacker@program-interaction~level38:/$ /challenge/embryoio_level38 | sed 's/ / /'
level 39
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdout : rev
hacker@program-interaction~level39:/$ /bin/bash
hacker@program-interaction~level39:/$ /challenge/embryoio_level39 | rev | rev
level 40
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdin : cat
- the challenge will check for a hardcoded password over stdin : ltpwrbhw
hacker@program-interaction~level40:/$ /bin/bash
hacker@program-interaction~level40:/$ cat | /challenge/embryoio_level40
level 41
- the challenge checks for a specific parent process : bash
- the challenge checks for a specific process at the other end of stdin : rev
- the challenge will check for a hardcoded password over stdin : vnyeyriu
hacker@program-interaction~level41:/$ /bin/bash
hacker@program-interaction~level41:/$ rev | rev | /challenge/embryoio_level41
level 42
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdout : cat
embryoio42.sh
#!/bin/bash
/challenge/embryoio_level42 | cat
hacker@program-interaction~level42:~$ bash embryoio42.sh
level 43
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdout : grep
embryoio43.sh
#!/bin/sh
/challenge/embryoio_level43 | grep "pwn"
hacker@program-interaction~level43:~$ bash embryoio43.sh
level 44
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdout : sed
embryoio44.sh
#!/bin/sh
/challenge/embryoio_level44 | sed -n "/pwn/p"
hacker@program-interaction~level44:~$ bash embryoio44.sh
level 45
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdout : rev
embryoio45.sh
#!/bin/sh
/challenge/embryoio_level45 | rev | rev
hacker@program-interaction~level45:~$ bash embryoio45.sh
level 46
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdin : cat
- the challenge will check for a hardcoded password over stdin : hukyaqik
embryoio46.sh
#!/bin/bash
cat | /challenge/embryoio_level42
hacker@program-interaction~level46:~$ bash embryoio46.sh
level 47
- the challenge checks for a specific parent process : shellscript
- the challenge checks for a specific process at the other end of stdin : rev
- the challenge will check for a hardcoded password over stdin : xpiyvdor
embryoio47.sh
#!/bin/bash
rev | rev | /challenge/embryoio_level47
hacker@program-interaction~level47:~$ bash embryoio47.sh
level 48
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdout : cat
hacker@program-interaction~level48:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level48"], stdout=PIPE);
p2 = process(["/usr/bin/cat"], stdout=p.stdout);
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level48"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/cat"], stdin=p.stdout);
p2.communicate()
level 49
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdout : grep
hacker@program-interaction~level49:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level49"], stdout=PIPE);
p2 = process(["/usr/bin/grep", "pwn"], stdout=p.stdout);
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level49"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/grep", "pwn"], stdin=p.stdout);
p2.communicate()
level 50
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdout : sed
hacker@program-interaction~level50:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level50"], stdout=PIPE);
p2 = process(["/usr/bin/sed", "-n", "/pwn/p"], stdout=p.stdout);
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level50"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/sed", "-n", "/pwn/p"], stdin=p.stdout);
p2.communicate()
level 51
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdout : rev
hacker@program-interaction~level51:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/challenge/embryoio_level51"], stdout=PIPE);
p2 = process(["/usr/bin/rev"], stdout=p.stdout);
p.interactive()
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level51"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/rev"], stdin=p.stdout, stdout=sp.PIPE);
p3 = sp.Popen(["/usr/bin/rev"], stdin=p2.stdout);
p3.communicate()
level 52
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdin : cat
- the challenge will check for a hardcoded password over stdin : nlcncamf
hacker@program-interaction~level52:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/usr/bin/cat"], stdout=PIPE);
p2 = process(["/challenge/embryoio_level52"], stdout=p.stdout);
p2.interactive()
import subprocess as sp
p = sp.Popen(["/usr/bin/cat"], stdout=sp.PIPE);
p2 = sp.Popen(["/challenge/embryoio_level52"], stdin=p.stdout);
p2.communicate()
level 53
- the challenge checks for a specific parent process : ipython
- the challenge checks for a specific process at the other end of stdin : rev
- the challenge will check for a hardcoded password over stdin : piamnajl
hacker@program-interaction~level53:/$ ipython
Python 3.8.10 (default, Nov 22 2023, 10:22:35)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.12.3 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
from pwn import *
p = process(["/usr/bin/rev"], stdout=PIPE);
p2 = process(["/challenge/embryoio_level53"], stdout=p.stdout);
p2.interactive()
import subprocess as sp
p = sp.Popen(["/usr/bin/rev"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/rev"], stdin=p.stdout, stdout=sp.PIPE);
p3 = sp.Popen(["/challenge/embryoio_level53"], stdin=p2.stdout);
p3.communicate()
level 54
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdout : cat
embryoio54.py
from pwn import *
p = process(["/challenge/embryoio_level54"], stdout=PIPE);
p2 = process(["/usr/bin/cat"], stdout=p.stdout);
p.interactive()
embryoio54.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level54"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/cat"], stdin=p.stdout);
p2.communicate()
hacker@program-interaction~level54:~$ python embryoio54.py
level 55
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdout : grep
embryoio55.py
from pwn import *
p = process(["/challenge/embryoio_level55"], stdout=PIPE);
p2 = process(["/usr/bin/grep", "pwn.college"], stdout=p.stdout);
p.interactive()
embryoio55.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level55"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/grep", "pwn.college"], stdin=p.stdout);
p2.communicate()
hacker@program-interaction~level55:~$ python embryoio55.py
level 56
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdout : sed
embryoio56.py
from pwn import *
p = process(["/challenge/embryoio_level56"], stdout=PIPE);
p2 = process(["/usr/bin/sed", "-n", "/pwn/p"], stdout=p.stdout);
p.interactive()
embryoio56.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level56"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/sed", "-n", "/pwn/p"], stdin=p.stdout);
p2.communicate()
hacker@program-interaction~level56:/$ python embryoio56.py
level 57
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdout : rev
embryoio57.py
from pwn import *
p = process(["/challenge/embryoio_level57"], stdout=PIPE);
p2 = process(["/usr/bin/rev"], stdout=p.stdout);
p.interactive()
embryoio57.py
import subprocess as sp
p = sp.Popen(["/challenge/embryoio_level57"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/rev"], stdin=p.stdout, stdout=sp.PIPE);
p3 = sp.Popen(["/usr/bin/rev"], stdin=p2.stdout);
p3.communicate()
hacker@program-interaction~level57:/$ python embryoio57.py
level 58
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdin : cat
- the challenge will check for a hardcoded password over stdin : yhjdoqbb
embryoio58.py
from pwn import *
p = process(["/usr/bin/cat"], stdout=PIPE);
p2 = process(["/challenge/embryoio_level58"], stdout=p.stdout);
p2.interactive()
embryoio58.py
import subprocess as sp
p = sp.Popen(["/usr/bin/cat"], stdout=sp.PIPE);
p2 = sp.Popen(["/challenge/embryoio_level58"], stdin=p.stdout);
p2.communicate()
hacker@program-interaction~level58:/$ python embryoio58.py
level 59
- the challenge checks for a specific parent process : python
- the challenge checks for a specific process at the other end of stdin : rev
- the challenge will check for a hardcoded password over stdin : qxfrhkpq
embryoio59.py
from pwn import *
p = process(["/usr/bin/rev"], stdout=PIPE);
p2 = process(["/challenge/embryoio_level59"], stdout=p.stdout);
p2.interactive()
embryoio59.py
import subprocess as sp
p = sp.Popen(["/usr/bin/rev"], stdout=sp.PIPE);
p2 = sp.Popen(["/usr/bin/rev"], stdin=p.stdout, stdout=sp.PIPE);
p3 = sp.Popen(["/challenge/embryoio_level59"], stdin=p2.stdout);
p.communicate()
hacker@program-interaction~level59:~$ python embryoio59.py