“From timing leaks to shell access: a complete walkthrough of Fusion’s hardest web challenge.”
This repository contains a fully automated, step-by-step solution for the Fusion ➜ level04 challenge provided by Exploit Education. Our python3 scripts reproduce every phase: bypassing the HTTP Basic authentication, leaking the stack canary and, finally, building a Return-Oriented Programming (ROP) chain that spawns a root shell despite the modern mitigations in place (PIE, NX stack/heap, ASLR, Fortify Source).
- ⚔️ Timing-Attack Password Cracker – Recovers the 16-byte dynamic password byte by byte using a precise latency side channel.
- 🛡️ Stack-Canary Leak – Brute-forces the 3 random bytes of the stack canary one byte at a time (the low byte of a 32-bit glibc canary is always 0x00), so at most 3 × 256 = 768 requests are needed.
- 🔍 Libc Auto-Detection – Finds the exact libc version with libc-database and extracts gadget offsets via radare2.
- 🔗 One-Shot ROP Builder – Crafts a reliable payload that executes `system("/bin/bash")` while bypassing all the stack protections.
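The two side channels behind the first two bullets, as an added example for this README (it is not the project's `brute_force.py` or `capture_canary.py` and never touches the Fusion VM): an in-process mock of the service, assumed to leak the length of the matching password prefix through its response time and, because a forking server reuses one canary in every child, to answer only when the overwritten canary bytes are correct. The alphabet, latency step and jitter bound are assumptions for the mock only.

```python
"""Simulated timing attack and canary brute force against a mock level04.

Added example, not the project's exploit code. The target is a constructed
in-process model of the two behaviours the real scripts rely on:
  * the password check takes longer the more leading bytes are correct;
  * a forking server keeps one stack canary across all children, and a
    child that sees a wrong canary aborts (no reply) while a correct one
    answers, so the canary can be recovered one byte at a time.
"""
import random
import statistics
import string

PASSWORD_LEN = 16                                 # level04 uses a 16-byte dynamic password
ALPHABET = string.ascii_letters + string.digits   # assumed alphabet, for the mock only
STEP_US = 100.0                                   # assumed extra latency per matching byte (us)
JITTER_US = 40.0                                  # assumed bounded network jitter (us)


class MockLevel04:
    """Constructed stand-in for the service; not the real level04 binary."""

    def __init__(self, seed=1337):
        self._rng = random.Random(seed)
        self.password = "".join(self._rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))
        # 32-bit glibc canary: the low byte is always 0x00, the other three are random
        self.canary = bytes([0]) + bytes(self._rng.randrange(256) for _ in range(3))

    def check_password(self, guess: str) -> float:
        """Simulated response latency in microseconds; leaks the matched prefix length."""
        matched = 0
        for expected, got in zip(self.password, guess):
            if expected != got:
                break
            matched += 1
        return matched * STEP_US + self._rng.uniform(0, JITTER_US)

    def smash_stack(self, canary_guess: bytes) -> bool:
        """Overflow that overwrites the first len(canary_guess) bytes of the canary.

        True  -> the child answered (the bytes written so far match the canary)
        False -> the child died with "stack smashing detected" (connection dropped)
        """
        return self.canary[: len(canary_guess)] == canary_guess


def measure(target: MockLevel04, guess: str, samples: int = 5) -> float:
    """Median of several timings so one jittery sample cannot pick the wrong byte."""
    return statistics.median(target.check_password(guess) for _ in range(samples))


def recover_password(target: MockLevel04) -> str:
    """Byte-by-byte timing attack: keep the candidate with the largest latency."""
    known = ""
    for _ in range(PASSWORD_LEN):
        # pad every probe to the full length so all candidates are compared alike
        best = max(ALPHABET, key=lambda c: measure(target, (known + c).ljust(PASSWORD_LEN, "A")))
        known += best
    return known


def recover_canary(target: MockLevel04):
    """Brute-force the 3 unknown canary bytes one at a time: at most 3 * 256 requests."""
    found = bytes([0])        # the NUL low byte is known, start from it
    requests = 0
    while len(found) < 4:
        for candidate in range(256):
            requests += 1
            if target.smash_stack(found + bytes([candidate])):
                found += bytes([candidate])
                break
        else:
            raise RuntimeError("no byte survived: is the canary really constant across forks?")
    return found, requests


if __name__ == "__main__":
    target = MockLevel04()
    print("password recovered:", recover_password(target) == target.password)
    canary, used = recover_canary(target)
    print("canary:", canary.hex(), "requests:", used, "correct:", canary == target.canary)
```

The mock bounds the jitter below one latency step so a handful of samples is always enough; against the real service the jitter is larger and unbounded, which is why the project's cracker repeats measurements and why a wrong byte should be detected (latency not increasing) and retried rather than trusted.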
```shell
# From your host machine, download the ISO file from https://exploit.education/downloads/
# (checksum b89abcdda58edf68465f36b4f7a94fe34f0050f1)
# Create a new VM (VirtualBox/VMware) and attach the ISO.
# Set the network mode to *Host-Only Adapter* so the guest is reachable.
```

Default guest credentials:
| User | Password |
|---|---|
| fusion | godmode |
| root | godmode |

The level04 service listens on http://<IP_FUSION>:20004 inside the VM.
```shell
git clone https://github.com/Endless077/Fusion_CTF.git
cd Fusion_CTF
python3 -m venv venv
source venv/bin/activate
pip install pwntools            # pwntools
sudo apt install radare2        # Debian/Ubuntu package
# (Optional, but recommended)
git clone https://github.com/niklasb/libc-database.git
cd libc-database
./get Ubuntu
```

```shell
# 1 - Find the VM's IP inside the guest
ip addr show | grep 'inet '
# 2 - Crack the HTTP password
python3 brute_force.py
# 3 - Smash the stack to obtain an information leak
python3 stack_smashing.py
# 4 - Leak the stack canary
python3 capture_canary.py
# 5 - Find the offset at which the saved return address (EIP) is overwritten
python3 stack_eip_overwrite.py
# 6 - Identify libc & build the final payload
bash libc-database-exploit.sh <libc_base> <__fortify_fail_offset>
python3 rop_chain_attack.py
# 7 - Profit!
id
```

Note: all scripts must be configured with the appropriate global variable values (target IP, port, leaked addresses).
Note: you can test the scripts and the connection with test_connection.py; just modify the payload.

```
Fusion_CTF/
├── LICENSE
├── README.md
├── exploit/
│   ├── libc-database/*
│   ├── libc-database-exploit.sh
│   ├── libc-database-src.url
│   └── libc-database.url
└── source/
    ├── brute_force.py
    ├── capture_canary.py
    ├── rop_chain_attack.py
    ├── stack_eip_overwrite.py
    ├── stack_smashing.py
    ├── test_connection.py
    ├── report/
    │   ├── mitigations/*
    │   └── crash_dump.log
    ├── server/
    │   └── level04.c
    ├── notes.md
    └── notes.txt
```

| Tool / Resource | Role in this project |
|---|---|
| Exploit Education – Fusion | The vulnerable target environment. |
| libc‑database | Automatic libc identification. |
| pwntools | Networking, pattern generation, interactive shell. |
| radare2 | Disassembly and symbol extraction. |
This project is licensed under the GNU General Public License v3.0.
Contributors:
Project Manager:
For support, email antonio.garofalo125@gmail.com or contact the project contributors.
See the documentation project here.