This repository was archived by the owner on Jul 31, 2025. It is now read-only.

Endless077/Exploit-Education-Fusion04

Exploit Solution - Fusion (level04) 🚩

“From timing leaks to shell access: a complete walkthrough of Fusion’s hardest web challenge.”

This repository contains a fully‑automated, step‑by‑step solution for the Fusion ➜ level04 challenge provided by Exploit Education. Our python3 scripts reproduce every phase — from bypassing the HTTP Basic authentication to leaking the stack canary and, finally, constructing a Return‑Oriented‑Programming (ROP) chain that spawns a root shell despite modern mitigations (PIE, NX Stack/Heap, ASLR, Fortify Source).

🔑 Key Features

  • ⚔️ Timing‑Attack Password Cracker – Recovers the 16‑byte dynamic password byte‑by‑byte using a precise latency side‑channel.
  • 🛡️ Stack‑Canary Leak – Brute‑forces the 3 random bytes of the stack canary in ≤ 768 requests.
  • 🔍 Libc Auto‑Detection – Finds the exact libc version with libc‑database and extracts gadget offsets via radare2.
  • 🔗 One‑Shot ROP Builder – Crafts a reliable payload that executes system("/bin/bash") while bypassing the stack protections.
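The first feature works because the level's password check stops at the first wrong byte, so response latency grows with the length of the correct prefix. The following is an added example, not code from the Fusion_CTF repository or from the level04 server: it places that early-exit comparison beside a constant-time one and counts how many bytes each examines per guess, which is the quantity a latency side channel measures. DEMO_SECRET, leaky_compare, consttime_compare and bytes_examined are names constructed for this illustration.

```c
/* Added example, not part of the Fusion_CTF repository: why a byte-by-byte
 * password check leaks timing, and the constant-time check that does not.
 * DEMO_SECRET, leaky_compare, consttime_compare and bytes_examined are
 * names invented for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PASSWORD_LEN 16

/* Constructed 16-byte secret standing in for the level's dynamic password. */
static const uint8_t DEMO_SECRET[PASSWORD_LEN] = "0123456789abcdef";

/* How many bytes the most recent comparison looked at. Exposed so the
 * difference in work between the two checks is visible without a stopwatch;
 * in a real service that work shows up as request latency. */
static size_t g_bytes_examined;

size_t bytes_examined(void)
{
    return g_bytes_examined;
}

/* Early-exit check (the leaky pattern): returns at the first mismatch, so
 * the number of bytes it touches equals the length of the correct prefix
 * plus one. That is exactly the side channel a timing attack measures. */
int leaky_compare(const uint8_t *guess, const uint8_t *secret, size_t len)
{
    g_bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        g_bytes_examined++;
        if (guess[i] != secret[i])
            return 0;
    }
    return 1;
}

/* Constant-time check: touches every byte and accumulates mismatches with
 * OR, so the work done is independent of where (or whether) the guess
 * differs. The final fold to 0/1 avoids a data-dependent branch as well. */
int consttime_compare(const uint8_t *guess, const uint8_t *secret, size_t len)
{
    uint8_t diff = 0;
    g_bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        g_bytes_examined++;
        diff |= (uint8_t)(guess[i] ^ secret[i]);
    }
    /* diff == 0 : 0u - 1u wraps to 0xFFFFFFFF, top bit set, result 1
       diff != 0 : small positive value, top bit clear, result 0 */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Stand-alone demo: for guesses with a growing correct prefix, print how
 * much work each check performs. */
int main(void)
{
    const char *guesses[] = {
        "X123456789abcdef",   /* 0 correct leading bytes */
        "012X456789abcdef",   /* 3 correct leading bytes */
        "0123456789abcdeX",   /* 15 correct leading bytes */
        "0123456789abcdef",   /* full match */
    };
    printf("%-18s %-6s %-6s\n", "guess", "leaky", "const");
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        const uint8_t *g = (const uint8_t *)guesses[i];
        leaky_compare(g, DEMO_SECRET, PASSWORD_LEN);
        size_t leaky_work = bytes_examined();
        consttime_compare(g, DEMO_SECRET, PASSWORD_LEN);
        size_t const_work = bytes_examined();
        printf("%-18s %-6zu %-6zu\n", guesses[i], leaky_work, const_work);
    }
    return 0;
}
```

The leaky column climbs from 1 to 16 as the correct prefix grows, while the constant-time column stays at 16 for every guess; a service that compares credentials the second way gives a remote observer nothing to correlate latency against.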

🛠️ Installation

1️⃣ Prepare the Fusion VM

# From your host machine, download the ISO file from https://exploit.education/downloads/
# (checksum b89abcdda58edf68465f36b4f7a94fe34f0050f1)
# Create a new VM (VirtualBox/VMware) and attach the ISO.
# Set the network mode to *Host‑Only Adapter* so the guest is reachable.

Default guest credentials

User     Password
fusion   godmode

The level04 service listens on http://<IP_FUSION>:20004 inside the VM. Other credentials: root / godmode.

2️⃣ Clone this Repository

git clone https://github.com/Endless077/Fusion_CTF.git
cd Fusion_CTF

3️⃣ Set‑up the Local Environment

python3 -m venv venv
source venv/bin/activate

pip install pwntools          # pwntools
sudo apt install radare2      # Debian/Ubuntu package

# (Optional, but recommended)
git clone https://github.com/niklasb/libc-database.git
cd libc-database
./get Ubuntu

4️⃣ Quick Start

# 1 - Find the VM’s IP inside the guest
ip addr show | grep 'inet '

# 2 - Crack the HTTP password
python3 brute_force.py

# 3 - Smash the stack to get information leakage
python3 stack_smashing.py

# 4 - Leak the stack canary
python3 capture_canary.py

# 5 - Get the EIP address
python3 stack_eip_overwrite.py

# 6 - Identify libc & build the final payload
bash libc-database-exploit.sh <libc_base> <__fortify_fail_offset>
python3 rop_chain_attack.py

# 7 - Profit!
$ id

Note: all scripts must be configured with the appropriate global variable values.
Note: you can test the scripts and the connection with test_connection.py; just modify the payload.

📂 Repository Structure

Fusion_CTF/
├── LICENSE
├── README.md
├── exploit/
│   ├── libc-database/*
│   ├── libc-database-exploit.sh
│   ├── libc-database-src.url
│   └── libc-database.url
└── source/
    ├── brute_force.py
    ├── capture_canary.py
    ├── rop_chain_attack.py
    ├── stack_eip_overwrite.py
    ├── stack_smashing.py
    ├── test_connection.py
    ├── report/
    │   ├── mitigations/*
    │   └── crash_dump.log
    └── server/
        ├── level04.c
        ├── notes.md
        └── notes.txt

🙏 Acknowledgements

Tool / Resource              Role in this project
Exploit Education – Fusion   The vulnerable target environment.
libc‑database                Automatic libc identification.
pwntools                     Networking, pattern generation, interactive shell.
radare2                      Disassembly and symbol extraction.

💾 License

This project is licensed under the GNU General Public License v3.0.

🖐 Authors

Contributors:

Project Manager:

🔔 Support

For support, email antonio.garofalo125@gmail.com or contact the project contributors.

📝 Documentation

See the documentation project here.
