First of all, it’s really hard for me to turn down a challenge. So when a buddy of mine sent me a link to the stripe.com CTF / war game last Thursday, I was pretty intrigued. You can find it here: https://stripe.com/blog/capture-the-flag. It’s been a couple of years since I was able to complete a decent amount of the STS IO challenge (http://io.smashthestack.org:84/). I always seem to underestimate how addicting these things are.
After a couple of hours working on it I am now on level 4. It took me a bit to get back in the groove, having to re-learn all the gdb commands. I think the thing that is the biggest time waste for me on the first couple was not looking at the obvious. I spent a bit of time trying to jump in and look for a printf() implementation vuln or something, when all you really need to do is step back and look at the obvious. I don’t want to give anything away for those who want to join in on the addicting fun. I hope to be able to finish the rest of it this weekend. Taking a quick look at 4, I think we are looking at a buffer overflow. If you haven’t already, you should give it a try. But make sure you have a couple hours to burn.