Rainfall is a progressive binary exploitation wargame designed to teach fundamental and advanced security concepts through hands-on practice. The project consists of 10 main levels plus 4 bonus challenges, each introducing different vulnerability classes and exploitation techniques.
Rainfall runs in a controlled Linux x86 virtual machine and provides setuid binaries that must be exploited to escalate privileges and retrieve the password for the next level. Each challenge builds on the previous concepts while introducing new attack vectors and defensive mechanisms.
- Master assembly language reading and debugging techniques
- Understand memory layout and stack/heap organization
- Identify and exploit common binary vulnerabilities
- Develop practical exploitation payloads
- Learn to bypass security mechanisms
- Build foundational skills for advanced binary exploitation
| Level | Vulnerability Type | Key Concepts |
|---|---|---|
| Level 0 | Logic bypass | Hardcoded authentication, reverse engineering basics |
| Level 1 | Stack corruption | Buffer overflow, return-to-text, gets() vulnerability |
| Level 2 | Protected stack | Heap exploitation, return address protection bypass |
| Level 3 | Format string | Arbitrary memory write, %n format specifier |
| Level 4 | Heap overflow | Buffer overflow on heap, memory corruption |
| Level 5 | Heap overflow | Direct function pointer hijacking |
| Level 6 | Heap overflow | Heap-based function pointer corruption |
| Level 7 | Heap overflow | Multi-stage heap corruption, indirect GOT hijacking |
| Level 8 | Heap positioning | Authentication logic bypass through heap manipulation |
| Level 9 | Heap positioning | vtable pointer corruption, C++ object exploitation |
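To make two of the classes in the table above concrete, here is an added C example that is my own and not part of the Rainfall project or any of its level binaries. It places the unbounded-copy pattern behind Level 1 next to a bounded copy, and shows the safe way to print user-controlled text (the Level 3 class) alongside a small check that flags format directives in untrusted strings. `BUF_SIZE`, the function names and the sample strings are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed size for the stack buffer below */

/* Vulnerable pattern (Level 1 in the table, "stack corruption"):
 * strcpy() copies until the source's NUL with no regard for the
 * destination size, so input of BUF_SIZE bytes or more overwrites what
 * follows buf on the stack (saved frame pointer, return address).
 * Kept only as the "before" of the fix; nothing below calls it. */
void copy_unbounded(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);   /* overflow when strlen(src) >= BUF_SIZE */
    puts(buf);
}

/* Hardened form: bound the copy by the destination size, always leave a
 * terminator, and report truncation so the caller can reject oversized
 * input rather than silently process a cut-off string.
 * Returns 0 on a full copy, 1 if truncated, -1 if dst has no room. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dstlen == 0)
        return -1;
    n = strlen(src);
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the NUL */
    return 0;
}

/* Vulnerable pattern (Level 3, "format string"): printf(user) hands the
 * caller's input over as the format string, so "%x" leaks stack words
 * and "%n" writes to memory. It is shown as a comment because a hardened
 * toolchain (gcc with -Werror=format-security, which several
 * distributions enable by default) refuses to compile it; that compiler
 * check is itself a mitigation worth keeping on.
 *
 *     void echo_unsafe(const char *user) { printf(user); }
 *
 * Hardened form: the format is a constant and user data is only ever an
 * argument, so '%' characters in it are printed literally. Returns the
 * number of characters snprintf() would have written. */
int echo_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Detection helper: count conversion directives in an untrusted string.
 * "%%" is an escaped literal and is not counted. A "%n" in a username or
 * log field has no legitimate use, so a non-zero count is a good reason
 * to reject the input or raise an alert. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char out[BUF_SIZE];
    const char *probe = "%x%x%n";   /* constructed sample input */
    copy_bounded(out, sizeof out, probe);
    printf("directives in \"%s\": %d\n", out, count_directives(out));
    return 0;
}
```

The bounded copy returns a truncation flag on purpose: silently cutting input is what turns a length bug into a logic bug elsewhere, so the caller should treat `1` as a rejection, not a success.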
| Level | Vulnerability Type | Key Concepts |
|---|---|---|
| Bonus 0 | String operations | String operation chain exploitation, precise input crafting |
| Bonus 1 | Integer overflow | Signed/unsigned conversion, arithmetic overflow, type confusion |
| Bonus 2 | Environment variable exploitation | Locale-dependent buffer overflow, environment code injection, multi-vector attack |
| Bonus 3 | Null byte injection | String truncation attack, authentication bypass, file-based exploitation |
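Two of the bonus classes above have small, testable hardened counterparts. The following C example is added here and is mine, not code from the Rainfall project or its bonus binaries: it shows a signed count slipping past an upper-bound-only check and becoming a huge unsigned length (the Bonus 1 class), and a `strcmp()`-based secret comparison that an early NUL defeats (the Bonus 3 class), each beside its fixed form. `MAX_ITEMS`, the function names and the sample secret are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 64   /* constructed limit on the number of 4-byte items */

/* Vulnerable pattern (Bonus 1, "integer overflow"): the count arrives as
 * a signed int and only its upper bound is checked. A negative count
 * passes, then is converted to size_t for the copy, where it becomes an
 * enormous length. Returns the byte length the check would hand to
 * memcpy(), or 0 if the count was rejected. Nothing here copies with it;
 * the function only exposes the number that would reach memcpy(). */
size_t copy_len_unsafe(int count)
{
    if (count > MAX_ITEMS)
        return 0;                               /* -1 is not > 64, so it passes */
    return (size_t)count * sizeof(uint32_t);    /* -1 -> SIZE_MAX - 3 */
}

/* Hardened form: reject negatives explicitly, bound-check in the unsigned
 * domain, and guard the multiplication before it can wrap. */
size_t copy_len_safe(int count)
{
    size_t n;
    if (count < 0 || count > MAX_ITEMS)
        return 0;
    n = (size_t)count;
    if (n > SIZE_MAX / sizeof(uint32_t))        /* unreachable after the bound
                                                   check; kept as the general
                                                   overflow guard */
        return 0;
    return n * sizeof(uint32_t);
}

/* Vulnerable pattern (Bonus 3, "null byte injection"): strcmp() stops at
 * the first NUL, so if the stored secret's first byte has been zeroed
 * (or the secret is empty) an empty input "matches". */
int auth_unsafe(const char *stored, const char *input)
{
    return strcmp(stored, input) == 0;
}

/* Hardened form: carry explicit lengths instead of trusting the first
 * NUL, refuse an empty secret, require equal lengths, and compare every
 * byte without early exit so timing does not leak the match position. */
int auth_safe(const char *stored, size_t stored_len,
              const char *input, size_t input_len)
{
    unsigned char diff = 0;
    size_t i;
    if (stored_len == 0 || stored_len != input_len)
        return 0;
    for (i = 0; i < stored_len; i++)
        diff |= (unsigned char)(stored[i] ^ input[i]);
    return diff == 0;
}

int main(void)
{
    char secret[8] = "s3cret";        /* constructed secret */
    secret[0] = '\0';                 /* simulate a NUL landing on byte 0 */
    printf("unsafe empty-input auth: %d\n", auth_unsafe(secret, ""));
    printf("safe   empty-input auth: %d\n", auth_safe(secret, 6, "", 0));
    printf("unsafe copy len for -1: %zu\n", copy_len_unsafe(-1));
    printf("safe   copy len for -1: %zu\n", copy_len_safe(-1));
    return 0;
}
```

The two fixes share one idea: never let a value's meaning depend on an implicit conversion (signed to unsigned, or "string ends at the first zero byte"); carry the bound or the length explicitly and check it in the domain where the value is actually used.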
- x86 assembly language comprehension
- GDB (GNU Debugger) proficiency
- Dynamic and static binary analysis
- Memory examination and manipulation
- Buffer overflow exploitation (stack and heap)
- Return-oriented programming (ROP) basics
- Format string vulnerabilities
- Shellcode development and injection
- Return-to-libc attacks
- Heap exploitation techniques
- Function pointer hijacking
- GOT/PLT manipulation
- Memory layout (stack, heap, .bss, .data, .text)
- Calling conventions and ABI
- Security mechanisms (ASLR, NX, stack canaries)
- Privilege escalation via setuid binaries
- Protection bypass techniques
- Oracle Linker and Libraries Guide - Understanding ELF format, dynamic linking, and PLT/GOT
- OWASP Format String Attacks - Comprehensive format string vulnerability guide
- Return-to-libc (ret2libc) - Detailed ret2libc attack methodology
- Shellcode Fundamentals - Understanding and crafting shellcode
- De Bruijn Sequences - Pattern generation for offset discovery in buffer overflows
- x86 Assembly Guide - Essential x86 assembly reference for binary exploitation
- ROP Emporium - Interactive tutorials for Return-Oriented Programming (ROP)
- pwntools Documentation - Python exploitation framework for CTF challenges
- GDB PEDA - Python Exploit Development Assistance for GDB
- ROPgadget - Tool for finding ROP gadgets in binaries
- Shellcode Database - Collection of shellcodes for various architectures
- Stack Canaries Explained - Understanding stack protection mechanisms
- ASLR and DEP Bypass Techniques - Modern protection circumvention methods
- Integer Overflow Vulnerabilities - CWE guide to integer overflow attacks
- Format String Exploitation - Academic paper on format string vulnerabilities
- "Hacking: The Art of Exploitation" by Jon Erickson - Excellent introduction to binary exploitation
- "The Shellcoder's Handbook" - Advanced exploitation techniques
- "Practical Binary Analysis" - Modern binary analysis methods
- LiveOverflow Binary Exploitation YouTube Series - Visual explanations of exploitation concepts
- Exploit Education (exploit.education) - Similar progressive challenges
- pwnable.kr - Additional practice with varied difficulty levels
- ROP Emporium - Focused ROP technique practice
- GDB Tutorial - Essential debugging skills
- pwntools Documentation - Python exploitation framework
- x86 Assembly Reference - Instruction set documentation
- Linux Syscall Table - System call reference for shellcode
- Basic C programming knowledge
- Linux command line familiarity
- Understanding of computer architecture concepts
- Patience and persistence
- Import the Rainfall ISO into your VM software
- Boot the virtual machine
- SSH into level0: `ssh level0@<IP_ADDRESS> -p 4242`
- Default credentials: `level0:level0`
- Analyze the binary using GDB and other tools
- Identify the vulnerability through static/dynamic analysis
- Develop an exploitation payload
- Test the exploit in a controlled environment
- Document your findings (source code, walkthrough, exploit)
- Retrieve the password for the next level
- Escalate to the next user and repeat
```
rainfall/
├── README.md
├── level0/
│   ├── flag
│   ├── source
│   └── walkthrough.md
├── level1/
│   ├── flag
│   ├── source
│   └── walkthrough.md
├── level2/
│   ├── flag
│   ├── source
│   └── walkthrough.md
[...]
├── bonus0/
│   ├── flag
│   ├── source
│   └── walkthrough.md
[...]
```
- flag: Contains the password/flag for the level
- source: Reconstructed source code of the level binary (C or any other language)
- walkthrough.md: Step-by-step solution process
- zait-che
- fchanane
Remember: The goal is not just to complete the challenges, but to deeply understand the concepts. Take your time, experiment, and enjoy the learning journey!
"In learning you will teach, and in teaching you will learn." - Phil Collins
