Exploit Exercises — Protostar — Final Levels

Peter Kacherginsky
25 min readJun 8, 2014

Exploit Exercises — Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. The final portion of the wargame combines Stack, Format String, Heap, and Network exploitation techniques into three excellent challenges to help solidify knowledge gained from previous exercises.

Just like in previous writeups, my goal is not to simply present you with a solution, but to share the reasoning, challenges, and failures I have encountered while solving these exercises. In order to make the learning experience as complete as possible, I have also tried to concentrate on the assembled versions of the binaries instead of the provided source code. The reasoning for this is that we are exploiting compiled binaries which often contain interesting quirks obfuscated by the source code.

Spoiler Warning: I would highly recommend you to go over the exercises yourself and come back to this article to find possibly different solutions or in case you get stuck.

Final 0

The first level offers a refresher on basic stack overflow vulnerabilities with an added element of network based exploitation.


Let’s attempt to connect and interact with the service first:

$ nc localhost 2995
No such user AAAA

Looking for the error message in the main() function, it appears no such user is displayed for any username:

<main+65>:   call   0x804975a <get_username>
<main+70>: mov DWORD PTR [esp+0x1c],eax
<main+74>: mov eax,0x8049c7b ; "No such user %s\n"
<main+79>: mov edx,DWORD PTR [esp+0x1c]
<main+83>: mov DWORD PTR [esp+0x4],edx
<main+87>: mov DWORD PTR [esp],eax
<main+90>: call 0x8048bac <printf@plt>

Let’s explore what happens in the get_username() function:

<get_username+10>:   mov    DWORD PTR [esp+0x8],0x200 
; buffer size (512)
<get_username+18>: mov DWORD PTR [esp+0x4],0x0
; value to set
<get_username+26>: lea eax,[ebp-0x210]
; buffer
<get_username+32>: mov DWORD PTR [esp],eax
<get_username+35>: call 0x8048aec <memset@plt>
; zero out the buffer
Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net