Commit 93b616c

@@ -1,17 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
 About
 Source code
 There is a vulnerability in the below program that allows arbitrary programs to

@@ -1,225 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
 About
 Source code
 The setuid binary at /home/flag10/flag10 binary will upload any file given,

@@ -1,307 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
-About
-Source code
-The setuid binary at /home/flag10/flag10 binary will upload any file given,
-as long as it meets the requirements of the access() system call.
-To do this level, log in as the level10 account with the password
-level10. Files for this level can be found in /home/flag10.
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
-  char *file;
-  char *host;
-
-  if(argc < 3) {
-      printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
-      exit(1);
-  }
-
-  file = argv[1];
-  host = argv[2];
-
-  if(access(argv[1], R_OK) == 0) {
-      int fd;
-      int ffd;
-      int rc;
-      struct sockaddr_in sin;
-      char buffer[4096];
-
-      printf("Connecting to %s:18211 .. ", host); fflush(stdout);
-
-      fd = socket(AF_INET, SOCK_STREAM, 0);
-
-      memset(&sin, 0, sizeof(struct sockaddr_in));
-      sin.sin_family = AF_INET;
-      sin.sin_addr.s_addr = inet_addr(host);
-      sin.sin_port = htons(18211);
-
-      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
-          printf("Unable to connect to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-
-#define HITHERE ".oO Oo.\n"
-      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
-          printf("Unable to write banner to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-#undef HITHERE
-
-      printf("Connected!\nSending file .. "); fflush(stdout);
-
-      ffd = open(file, O_RDONLY);
-      if(ffd == -1) {
-          printf("Damn. Unable to open file\n");
-          exit(EXIT_FAILURE);
-      }
-
-      rc = read(ffd, buffer, sizeof(buffer));
-      if(rc == -1) {
-          printf("Unable to read from file: %s\n", strerror(errno));
-          exit(EXIT_FAILURE);
-      }
-
-      write(fd, buffer, rc);
-
-      printf("wrote file!\n");
-
-  } else {
-      printf("You don't have access to %s\n", file);
-  }
-}
-
-----------------------------------------------
-
 About
 Source code
 The /home/flag11/flag11 binary processes standard input and executes a

@@ -1,419 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
-About
-Source code
-The setuid binary at /home/flag10/flag10 binary will upload any file given,
-as long as it meets the requirements of the access() system call.
-To do this level, log in as the level10 account with the password
-level10. Files for this level can be found in /home/flag10.
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
-  char *file;
-  char *host;
-
-  if(argc < 3) {
-      printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
-      exit(1);
-  }
-
-  file = argv[1];
-  host = argv[2];
-
-  if(access(argv[1], R_OK) == 0) {
-      int fd;
-      int ffd;
-      int rc;
-      struct sockaddr_in sin;
-      char buffer[4096];
-
-      printf("Connecting to %s:18211 .. ", host); fflush(stdout);
-
-      fd = socket(AF_INET, SOCK_STREAM, 0);
-
-      memset(&sin, 0, sizeof(struct sockaddr_in));
-      sin.sin_family = AF_INET;
-      sin.sin_addr.s_addr = inet_addr(host);
-      sin.sin_port = htons(18211);
-
-      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
-          printf("Unable to connect to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-
-#define HITHERE ".oO Oo.\n"
-      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
-          printf("Unable to write banner to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-#undef HITHERE
-
-      printf("Connected!\nSending file .. "); fflush(stdout);
-
-      ffd = open(file, O_RDONLY);
-      if(ffd == -1) {
-          printf("Damn. Unable to open file\n");
-          exit(EXIT_FAILURE);
-      }
-
-      rc = read(ffd, buffer, sizeof(buffer));
-      if(rc == -1) {
-          printf("Unable to read from file: %s\n", strerror(errno));
-          exit(EXIT_FAILURE);
-      }
-
-      write(fd, buffer, rc);
-
-      printf("wrote file!\n");
-
-  } else {
-      printf("You don't have access to %s\n", file);
-  }
-}
-
-----------------------------------------------
-
-About
-Source code
-The /home/flag11/flag11 binary processes standard input and executes a
-shell command.
-There are two ways of completing this level, you may wish to do both :-)
-To do this level, log in as the level11 account with the password
-level11. Files for this level can be found in /home/flag11.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <sys/mman.h>
-
-/*
- * Return a random, non predictable file, and return the file descriptor for it.
- */
-
-int getrand(char **path)
-{
-  char *tmp;
-  int pid;
-  int fd;
-
-  srandom(time(NULL));
-
-  tmp = getenv("TEMP");
-  pid = getpid();
-  
-  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
-      'A' + (random() % 26), '0' + (random() % 10),
-      'a' + (random() % 26), 'A' + (random() % 26),
-      '0' + (random() % 10), 'a' + (random() % 26));
-
-  fd = open(*path, O_CREAT|O_RDWR, 0600);
-  unlink(*path);
-  return fd;
-}
-
-void process(char *buffer, int length)
-{
-  unsigned int key;
-  int i;
-
-  key = length & 0xff;
-
-  for(i = 0; i < length; i++) {
-      buffer[i] ^= key;
-      key -= buffer[i];
-  }
-
-  system(buffer);
-}
-
-#define CL "Content-Length: "
-
-int main(int argc, char **argv)
-{
-  char line[256];
-  char buf[1024];
-  char *mem;
-  int length;
-  int fd;
-  char *path;
-
-  if(fgets(line, sizeof(line), stdin) == NULL) {
-      errx(1, "reading from stdin");
-  }
-
-  if(strncmp(line, CL, strlen(CL)) != 0) {
-      errx(1, "invalid header");
-  }
-
-  length = atoi(line + strlen(CL));
-  
-  if(length < sizeof(buf)) {
-      if(fread(buf, length, 1, stdin) != length) {
-          err(1, "fread length");
-      }
-      process(buf, length);
-  } else {
-      int blue = length;
-      int pink;
-
-      fd = getrand(&path);
-
-      while(blue > 0) {
-          printf("blue = %d, length = %d, ", blue, length);
-
-          pink = fread(buf, 1, sizeof(buf), stdin);
-          printf("pink = %d\n", pink);
-
-          if(pink <= 0) {
-              err(1, "fread fail(blue = %d, length = %d)", blue, length);
-          }
-          write(fd, buf, pink);
-
-          blue -= pink;
-      }    
-
-      mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-      if(mem == MAP_FAILED) {
-          err(1, "mmap");
-      }
-      process(mem, length);
-  }
-
-}
-
-----------------------------------------------
-
 About
 Source code
 There is a backdoor process listening on port 50001.

@@ -1,460 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
-About
-Source code
-The setuid binary at /home/flag10/flag10 binary will upload any file given,
-as long as it meets the requirements of the access() system call.
-To do this level, log in as the level10 account with the password
-level10. Files for this level can be found in /home/flag10.
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
-  char *file;
-  char *host;
-
-  if(argc < 3) {
-      printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
-      exit(1);
-  }
-
-  file = argv[1];
-  host = argv[2];
-
-  if(access(argv[1], R_OK) == 0) {
-      int fd;
-      int ffd;
-      int rc;
-      struct sockaddr_in sin;
-      char buffer[4096];
-
-      printf("Connecting to %s:18211 .. ", host); fflush(stdout);
-
-      fd = socket(AF_INET, SOCK_STREAM, 0);
-
-      memset(&sin, 0, sizeof(struct sockaddr_in));
-      sin.sin_family = AF_INET;
-      sin.sin_addr.s_addr = inet_addr(host);
-      sin.sin_port = htons(18211);
-
-      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
-          printf("Unable to connect to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-
-#define HITHERE ".oO Oo.\n"
-      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
-          printf("Unable to write banner to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-#undef HITHERE
-
-      printf("Connected!\nSending file .. "); fflush(stdout);
-
-      ffd = open(file, O_RDONLY);
-      if(ffd == -1) {
-          printf("Damn. Unable to open file\n");
-          exit(EXIT_FAILURE);
-      }
-
-      rc = read(ffd, buffer, sizeof(buffer));
-      if(rc == -1) {
-          printf("Unable to read from file: %s\n", strerror(errno));
-          exit(EXIT_FAILURE);
-      }
-
-      write(fd, buffer, rc);
-
-      printf("wrote file!\n");
-
-  } else {
-      printf("You don't have access to %s\n", file);
-  }
-}
-
-----------------------------------------------
-
-About
-Source code
-The /home/flag11/flag11 binary processes standard input and executes a
-shell command.
-There are two ways of completing this level, you may wish to do both :-)
-To do this level, log in as the level11 account with the password
-level11. Files for this level can be found in /home/flag11.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <sys/mman.h>
-
-/*
- * Return a random, non predictable file, and return the file descriptor for it.
- */
-
-int getrand(char **path)
-{
-  char *tmp;
-  int pid;
-  int fd;
-
-  srandom(time(NULL));
-
-  tmp = getenv("TEMP");
-  pid = getpid();
-  
-  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
-      'A' + (random() % 26), '0' + (random() % 10),
-      'a' + (random() % 26), 'A' + (random() % 26),
-      '0' + (random() % 10), 'a' + (random() % 26));
-
-  fd = open(*path, O_CREAT|O_RDWR, 0600);
-  unlink(*path);
-  return fd;
-}
-
-void process(char *buffer, int length)
-{
-  unsigned int key;
-  int i;
-
-  key = length & 0xff;
-
-  for(i = 0; i < length; i++) {
-      buffer[i] ^= key;
-      key -= buffer[i];
-  }
-
-  system(buffer);
-}
-
-#define CL "Content-Length: "
-
-int main(int argc, char **argv)
-{
-  char line[256];
-  char buf[1024];
-  char *mem;
-  int length;
-  int fd;
-  char *path;
-
-  if(fgets(line, sizeof(line), stdin) == NULL) {
-      errx(1, "reading from stdin");
-  }
-
-  if(strncmp(line, CL, strlen(CL)) != 0) {
-      errx(1, "invalid header");
-  }
-
-  length = atoi(line + strlen(CL));
-  
-  if(length < sizeof(buf)) {
-      if(fread(buf, length, 1, stdin) != length) {
-          err(1, "fread length");
-      }
-      process(buf, length);
-  } else {
-      int blue = length;
-      int pink;
-
-      fd = getrand(&path);
-
-      while(blue > 0) {
-          printf("blue = %d, length = %d, ", blue, length);
-
-          pink = fread(buf, 1, sizeof(buf), stdin);
-          printf("pink = %d\n", pink);
-
-          if(pink <= 0) {
-              err(1, "fread fail(blue = %d, length = %d)", blue, length);
-          }
-          write(fd, buf, pink);
-
-          blue -= pink;
-      }    
-
-      mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-      if(mem == MAP_FAILED) {
-          err(1, "mmap");
-      }
-      process(mem, length);
-  }
-
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a backdoor process listening on port 50001.
-To do this level, log in as the level12 account with the password
-level12. Files for this level can be found in /home/flag12.
-local socket = require("socket")
-local server = assert(socket.bind("127.0.0.1", 50001))
-
-function hash(password)
-  prog = io.popen("echo "..password.." | sha1sum", "r")
-  data = prog:read("*all")
-  prog:close()
-
-  data = string.sub(data, 1, 40)
-
-  return data
-end
-
-
-while 1 do
-  local client = server:accept()
-  client:send("Password: ")
-  client:settimeout(60)
-  local line, err = client:receive()
-  if not err then
-      print("trying " .. line) -- log from where ;\
-      local h = hash(line)
-
-      if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
-          client:send("Better luck next time\n");
-      else
-          client:send("Congrats, your token is 413**CARRIER LOST**\n")
-      end
-
-  end
-
-  client:close()
-end
-
-----------------------------------------------
-
 About
 Source code
 There is a security check that prevents the program from continuing execution

@@ -1,493 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
-About
-Source code
-The setuid binary at /home/flag10/flag10 binary will upload any file given,
-as long as it meets the requirements of the access() system call.
-To do this level, log in as the level10 account with the password
-level10. Files for this level can be found in /home/flag10.
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
-  char *file;
-  char *host;
-
-  if(argc < 3) {
-      printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
-      exit(1);
-  }
-
-  file = argv[1];
-  host = argv[2];
-
-  if(access(argv[1], R_OK) == 0) {
-      int fd;
-      int ffd;
-      int rc;
-      struct sockaddr_in sin;
-      char buffer[4096];
-
-      printf("Connecting to %s:18211 .. ", host); fflush(stdout);
-
-      fd = socket(AF_INET, SOCK_STREAM, 0);
-
-      memset(&sin, 0, sizeof(struct sockaddr_in));
-      sin.sin_family = AF_INET;
-      sin.sin_addr.s_addr = inet_addr(host);
-      sin.sin_port = htons(18211);
-
-      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
-          printf("Unable to connect to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-
-#define HITHERE ".oO Oo.\n"
-      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
-          printf("Unable to write banner to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-#undef HITHERE
-
-      printf("Connected!\nSending file .. "); fflush(stdout);
-
-      ffd = open(file, O_RDONLY);
-      if(ffd == -1) {
-          printf("Damn. Unable to open file\n");
-          exit(EXIT_FAILURE);
-      }
-
-      rc = read(ffd, buffer, sizeof(buffer));
-      if(rc == -1) {
-          printf("Unable to read from file: %s\n", strerror(errno));
-          exit(EXIT_FAILURE);
-      }
-
-      write(fd, buffer, rc);
-
-      printf("wrote file!\n");
-
-  } else {
-      printf("You don't have access to %s\n", file);
-  }
-}
-
-----------------------------------------------
-
-About
-Source code
-The /home/flag11/flag11 binary processes standard input and executes a
-shell command.
-There are two ways of completing this level, you may wish to do both :-)
-To do this level, log in as the level11 account with the password
-level11. Files for this level can be found in /home/flag11.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <sys/mman.h>
-
-/*
- * Return a random, non predictable file, and return the file descriptor for it.
- */
-
-int getrand(char **path)
-{
-  char *tmp;
-  int pid;
-  int fd;
-
-  srandom(time(NULL));
-
-  tmp = getenv("TEMP");
-  pid = getpid();
-  
-  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
-      'A' + (random() % 26), '0' + (random() % 10),
-      'a' + (random() % 26), 'A' + (random() % 26),
-      '0' + (random() % 10), 'a' + (random() % 26));
-
-  fd = open(*path, O_CREAT|O_RDWR, 0600);
-  unlink(*path);
-  return fd;
-}
-
-void process(char *buffer, int length)
-{
-  unsigned int key;
-  int i;
-
-  key = length & 0xff;
-
-  for(i = 0; i < length; i++) {
-      buffer[i] ^= key;
-      key -= buffer[i];
-  }
-
-  system(buffer);
-}
-
-#define CL "Content-Length: "
-
-int main(int argc, char **argv)
-{
-  char line[256];
-  char buf[1024];
-  char *mem;
-  int length;
-  int fd;
-  char *path;
-
-  if(fgets(line, sizeof(line), stdin) == NULL) {
-      errx(1, "reading from stdin");
-  }
-
-  if(strncmp(line, CL, strlen(CL)) != 0) {
-      errx(1, "invalid header");
-  }
-
-  length = atoi(line + strlen(CL));
-  
-  if(length < sizeof(buf)) {
-      if(fread(buf, length, 1, stdin) != length) {
-          err(1, "fread length");
-      }
-      process(buf, length);
-  } else {
-      int blue = length;
-      int pink;
-
-      fd = getrand(&path);
-
-      while(blue > 0) {
-          printf("blue = %d, length = %d, ", blue, length);
-
-          pink = fread(buf, 1, sizeof(buf), stdin);
-          printf("pink = %d\n", pink);
-
-          if(pink <= 0) {
-              err(1, "fread fail(blue = %d, length = %d)", blue, length);
-          }
-          write(fd, buf, pink);
-
-          blue -= pink;
-      }    
-
-      mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-      if(mem == MAP_FAILED) {
-          err(1, "mmap");
-      }
-      process(mem, length);
-  }
-
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a backdoor process listening on port 50001.
-To do this level, log in as the level12 account with the password
-level12. Files for this level can be found in /home/flag12.
-local socket = require("socket")
-local server = assert(socket.bind("127.0.0.1", 50001))
-
-function hash(password)
-  prog = io.popen("echo "..password.." | sha1sum", "r")
-  data = prog:read("*all")
-  prog:close()
-
-  data = string.sub(data, 1, 40)
-
-  return data
-end
-
-
-while 1 do
-  local client = server:accept()
-  client:send("Password: ")
-  client:settimeout(60)
-  local line, err = client:receive()
-  if not err then
-      print("trying " .. line) -- log from where ;\
-      local h = hash(line)
-
-      if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
-          client:send("Better luck next time\n");
-      else
-          client:send("Congrats, your token is 413**CARRIER LOST**\n")
-      end
-
-  end
-
-  client:close()
-end
-
-----------------------------------------------
-
-About
-Source code
-There is a security check that prevents the program from continuing execution
-if the user invoking it does not match a specific user id.
-To do this level, log in as the level13 account with the password
-level13. Files for this level can be found in /home/flag13.
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-
-#define FAKEUID 1000
-
-int main(int argc, char **argv, char **envp)
-{
-  int c;
-  char token[256];
-
-  if(getuid() != FAKEUID) {
-      printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
-      printf("The system administrators will be notified of this violation\n");
-      exit(EXIT_FAILURE);
-  }
-
-  // snip, sorry :)
-
-  printf("your token is %s\n", token);
-  
-}
-
-----------------------------------------------
-
 About
 Source code
 This program resides in /home/flag14/flag14. It encrypts input and writes

@@ -1,504 +1,6 @@
 
 ----------------------------------------------
 
-About
-Source code
-This level requires you to find a Set User ID program that will run as the
-“flag00” account. You could also find this by carefully looking in top level
-directories in / for suspicious looking directories.
-Alternatively, look at the find man page.
-To access this level, log in as level00 with the password of level00.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs to
-be executed, can you find it?
-To do this level, log in as the level01 account with the password
-level01. Files for this level can be found in /home/flag01.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  gid_t gid;
-  uid_t uid;
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  system("/usr/bin/env echo and now what?");
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a vulnerability in the below program that allows arbitrary programs
-to be executed, can you find it?
-To do this level, log in as the level02 account with the password
-level02. Files for this level can be found in /home/flag02.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char *buffer;
-
-  gid_t gid;
-  uid_t uid;
-
-  gid = getegid();
-  uid = geteuid();
-
-  setresgid(gid, gid, gid);
-  setresuid(uid, uid, uid);
-
-  buffer = NULL;
-
-  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
-  printf("about to call system(\"%s\")\n", buffer);
-  
-  system(buffer);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the home directory of flag03 and take note of the files there.
-There is a crontab that is called every couple of minutes.
-To do this level, log in as the level03 account with the password
-level03. Files for this level can be found in /home/flag03.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-This level requires you to read the token file, but the code restricts the
-files that can be read. Find a way to bypass it :)
-To do this level, log in as the level04 account with the password
-level04. Files for this level can be found in /home/flag04.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv, char **envp)
-{
-  char buf[1024];
-  int fd, rc;
-
-  if(argc == 1) {
-      printf("%s [file to read]\n", argv[0]);
-      exit(EXIT_FAILURE);
-  }
-
-  if(strstr(argv[1], "token") != NULL) {
-      printf("You may not access '%s'\n", argv[1]);
-      exit(EXIT_FAILURE);
-  }
-
-  fd = open(argv[1], O_RDONLY);
-  if(fd == -1) {
-      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
-  }
-
-  rc = read(fd, buf, sizeof(buf));
-  
-  if(rc == -1) {
-      err(EXIT_FAILURE, "Unable to read fd %d", fd);
-  }
-
-  write(1, buf, rc);
-}
-
-----------------------------------------------
-
-About
-Source code
-Check the flag05 home directory. You are looking for weak directory
-permissions
-To do this level, log in as the level05 account with the password
-level05. Files for this level can be found in /home/flag05.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-The flag06 account credentials came from a legacy unix system.
-To do this level, log in as the level06 account with the password
-level06. Files for this level can be found in /home/flag06.
-There is no source code available for this level
-
-----------------------------------------------
-
-Source code
-The flag07 user was writing their very first perl program that allowed them
-to ping hosts to see if they were reachable from the web server.
-To do this level, log in as the level07 account with the password
-level07. Files for this level can be found in /home/flag07.
-#!/usr/bin/perl
-
-use CGI qw{param};
-
-print "Content-type: text/html\n\n";
-
-sub ping {
-  $host = $_[0];
-
-  print("<html><head><title>Ping results</title></head><body><pre>");
-
-  @output = `ping -c 3 $host 2>&1`;
-  foreach $line (@output) { print "$line"; }
-
-  print("</pre></body></html>");
-  
-}
-
-# check if Host set. if not, display normal page, etc
-
-ping(param("Host"));
-
-----------------------------------------------
-
-About
-Source code
-World readable files strike again. Check what that user was up to, and use it
-to log into flag08 account.
-To do this level, log in as the level08 account with the password
-level08. Files for this level can be found in /home/flag08.
-There is no source code available for this level
-
-----------------------------------------------
-
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
-<?php
-
-function spam($email)
-{
-  $email = preg_replace("/\./", " dot ", $email);
-  $email = preg_replace("/@/", " AT ", $email);
-  
-  return $email;
-}
-
-function markup($filename, $use_me)
-{
-  $contents = file_get_contents($filename);
-
-  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
-  $contents = preg_replace("/\[/", "<", $contents);
-  $contents = preg_replace("/\]/", ">", $contents);
-
-  return $contents;
-}
-
-$output = markup($argv[1], $argv[2]);
-
-print $output;
-
-?>
-
-----------------------------------------------
-
-About
-Source code
-The setuid binary at /home/flag10/flag10 binary will upload any file given,
-as long as it meets the requirements of the access() system call.
-To do this level, log in as the level10 account with the password
-level10. Files for this level can be found in /home/flag10.
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
-  char *file;
-  char *host;
-
-  if(argc < 3) {
-      printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
-      exit(1);
-  }
-
-  file = argv[1];
-  host = argv[2];
-
-  if(access(argv[1], R_OK) == 0) {
-      int fd;
-      int ffd;
-      int rc;
-      struct sockaddr_in sin;
-      char buffer[4096];
-
-      printf("Connecting to %s:18211 .. ", host); fflush(stdout);
-
-      fd = socket(AF_INET, SOCK_STREAM, 0);
-
-      memset(&sin, 0, sizeof(struct sockaddr_in));
-      sin.sin_family = AF_INET;
-      sin.sin_addr.s_addr = inet_addr(host);
-      sin.sin_port = htons(18211);
-
-      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
-          printf("Unable to connect to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-
-#define HITHERE ".oO Oo.\n"
-      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
-          printf("Unable to write banner to host %s\n", host);
-          exit(EXIT_FAILURE);
-      }
-#undef HITHERE
-
-      printf("Connected!\nSending file .. "); fflush(stdout);
-
-      ffd = open(file, O_RDONLY);
-      if(ffd == -1) {
-          printf("Damn. Unable to open file\n");
-          exit(EXIT_FAILURE);
-      }
-
-      rc = read(ffd, buffer, sizeof(buffer));
-      if(rc == -1) {
-          printf("Unable to read from file: %s\n", strerror(errno));
-          exit(EXIT_FAILURE);
-      }
-
-      write(fd, buffer, rc);
-
-      printf("wrote file!\n");
-
-  } else {
-      printf("You don't have access to %s\n", file);
-  }
-}
-
-----------------------------------------------
-
-About
-Source code
-The /home/flag11/flag11 binary processes standard input and executes a
-shell command.
-There are two ways of completing this level, you may wish to do both :-)
-To do this level, log in as the level11 account with the password
-level11. Files for this level can be found in /home/flag11.
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <sys/mman.h>
-
-/*
- * Return a random, non predictable file, and return the file descriptor for it.
- */
-
-int getrand(char **path)
-{
-  char *tmp;
-  int pid;
-  int fd;
-
-  srandom(time(NULL));
-
-  tmp = getenv("TEMP");
-  pid = getpid();
-  
-  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
-      'A' + (random() % 26), '0' + (random() % 10),
-      'a' + (random() % 26), 'A' + (random() % 26),
-      '0' + (random() % 10), 'a' + (random() % 26));
-
-  fd = open(*path, O_CREAT|O_RDWR, 0600);
-  unlink(*path);
-  return fd;
-}
-
-void process(char *buffer, int length)
-{
-  unsigned int key;
-  int i;
-
-  key = length & 0xff;
-
-  for(i = 0; i < length; i++) {
-      buffer[i] ^= key;
-      key -= buffer[i];
-  }
-
-  system(buffer);
-}
-
-#define CL "Content-Length: "
-
-int main(int argc, char **argv)
-{
-  char line[256];
-  char buf[1024];
-  char *mem;
-  int length;
-  int fd;
-  char *path;
-
-  if(fgets(line, sizeof(line), stdin) == NULL) {
-      errx(1, "reading from stdin");
-  }
-
-  if(strncmp(line, CL, strlen(CL)) != 0) {
-      errx(1, "invalid header");
-  }
-
-  length = atoi(line + strlen(CL));
-  
-  if(length < sizeof(buf)) {
-      if(fread(buf, length, 1, stdin) != length) {
-          err(1, "fread length");
-      }
-      process(buf, length);
-  } else {
-      int blue = length;
-      int pink;
-
-      fd = getrand(&path);
-
-      while(blue > 0) {
-          printf("blue = %d, length = %d, ", blue, length);
-
-          pink = fread(buf, 1, sizeof(buf), stdin);
-          printf("pink = %d\n", pink);
-
-          if(pink <= 0) {
-              err(1, "fread fail(blue = %d, length = %d)", blue, length);
-          }
-          write(fd, buf, pink);
-
-          blue -= pink;
-      }    
-
-      mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-      if(mem == MAP_FAILED) {
-          err(1, "mmap");
-      }
-      process(mem, length);
-  }
-
-}
-
-----------------------------------------------
-
-About
-Source code
-There is a backdoor process listening on port 50001.
-To do this level, log in as the level12 account with the password
-level12. Files for this level can be found in /home/flag12.
-local socket = require("socket")
-local server = assert(socket.bind("127.0.0.1", 50001))
-
-function hash(password)
-  prog = io.popen("echo "..password.." | sha1sum", "r")
-  data = prog:read("*all")
-  prog:close()
-
-  data = string.sub(data, 1, 40)
-
-  return data
-end
-
-
-while 1 do
-  local client = server:accept()
-  client:send("Password: ")
-  client:settimeout(60)
-  local line, err = client:receive()
-  if not err then
-      print("trying " .. line) -- log from where ;\
-      local h = hash(line)
-
-      if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
-          client:send("Better luck next time\n");
-      else
-          client:send("Congrats, your token is 413**CARRIER LOST**\n")
-      end
-
-  end
-
-  client:close()
-end
-
-----------------------------------------------
-
-About
-Source code
-There is a security check that prevents the program from continuing execution
-if the user invoking it does not match a specific user id.
-To do this level, log in as the level13 account with the password
-level13. Files for this level can be found in /home/flag13.
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-
-#define FAKEUID 1000
-
-int main(int argc, char **argv, char **envp)
-{
-  int c;
-  char token[256];
-
-  if(getuid() != FAKEUID) {
-      printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
-      printf("The system administrators will be notified of this violation\n");
-      exit(EXIT_FAILURE);
-  }
-
-  // snip, sorry :)
-
-  printf("your token is %s\n", token);
-  
-}
-
-----------------------------------------------
-
-About
-Source code
-This program resides in /home/flag14/flag14. It encrypts input and writes
-it to standard output.  An encrypted token file is also in that home directory,
-decrypt it :)
-To do this level, log in as the level14 account with the password
-level14. Files for this level can be found in /home/flag14.
-There is no source code available for this level
-
-----------------------------------------------
-
 About
 Source code
 strace the binary at /home/flag15/flag15 and see if you spot anything out