Aussie exploit challenges for noob to leet

Powered by SC Magazine
 

Learn to beat Linux non-executable memory, ASLR, and stack smashing protection.

Linux security boffin Andrew Griffiths has launched series of educational hacking challenges that hone skills in privilege escalation, vulnerability analysis, exploit development, debugging and reverse engineering.

Griffiths is a veteran designer of capture the flag competitions: he ran the recent comp at Melbourne’s Ruxcon event, and popular OverTheWire Linux exploit challenges Vortex, Drifter and Blacksun.

He said the free exploit-exercises virtual machine challenges were developed bit by bit over the last few months.

The Nebula virtual machine was run at Ruxcon and designed to suit a wide infosec pallete.

“There were a variety of challenges available for people, from basic Linux commands, world readable files, shell tricks, scripting language vulnerabilities, password cracking, reconstructing a tcpdump packet capture, and basic reverse engineering / experimenting with program input / output,” Griffiths said.

Protostar, the second machine, had 19 levels and was a “very basic” introduction to memory corruption in Linux.

Griffiths said it covered stack and heap overflows, format string vulnerabilities, and basic program analysis and modification of program execution without modern protection mechanisms like non-executable memory or Address Space Layout Randomisation (ASLR).

But the recently added virtual machine dubbed Fusion stepped up the game. Through 28 levels it examined the player’s ability to exploit and bypass modern Linux protection mechanisms including non-executable memory, ASLR, position independent executables, stack smashing protection, and heap allocator improvements.

Those who succeeded would have a better understanding of exploit prevention, cryptographic weaknesses and heap implementations.

Blacksun, part of OvertheWire formerly known as PullThePlug, was also designed for advanced exploitation against hardened hosts and environments. Those challenges were being moved to a new site and only Vortex was yet playable in a beta form.

Copyright © SC Magazine, Australia


Aussie exploit challenges for noob to leet
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1801

Vote
Do you support the abolition of the Office of the Information Commissioner?