SecuVPS was another pwning challenge (though it was marked as misc).
You had a website where you could download a patched ssh client including the sources and luckily they even told you the original source repo of the code they used. That made finding the diff easy: git clone the original repo, replace the code with the patched files and take a look at git diff. There were two changes:
- a function in the packet handling that checks for packet type 94 and gives you an arbitrary write
- the banner was changed to include two info leaks, a pointer from the binary and a pointer from the stack
Since we don't want to reimplement the ssh protocol, let's reuse the ssh code that we got. Compile your own sshd, run it in verbose mode and connect to it with the vulnerable ssh binary. You'll see some messages about key exchange packets and one that prints "no match: $BANNER". So we can find these messages in the source and put our exploit code there: where it says "no match" we parse the info leak, and in the key exchange code we send our type 94 exploit packets. The exploit is then pretty straightforward, since we know the stack and binary addresses and the binary has system in its PLT. Just overwrite the stack return address with pop rdi + system@plt and execute arbitrary commands. Now deploy this in the cloud somewhere (you had to listen on port 22) and trigger the exploit from their website, which will make their ssh client try to connect to you.
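The leak in this challenge rode on the SSH identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF"), which a server or network sensor sees in the clear before any crypto is set up. As an added example that is not part of this write-up, here is a small checker that parses that string and flags oversized banners and pointer-looking tokens; the sample banners and the addresses in them are constructed.

```python
import re

# Constructed sample identification strings. The second mimics a client whose
# banner was patched to leak a binary pointer and a stack pointer (made-up values).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    b"SSH-2.0-OpenSSH_7.9 0x55e3a4c2f1d0 0x7ffd2c4b9e58\r\n",
    b"SSH-2.0-" + b"A" * 300 + b"\r\n",
]

# protoversion and softwareversion may not contain space or '-' (proto) / space (soft);
# an optional comment field follows a single space.
ID_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n$"
)
# Heuristic: 12-nibble hex tokens starting 0x5.. (PIE binary/heap) or 0x7f.. (stack,
# shared libraries) look like leaked x86-64 user-space addresses. Not proof, a flag.
PTR_RE = re.compile(rb"0x(?:5[0-9a-f]{11}|7f[0-9a-f]{10})\b")


def check_identification(line: bytes) -> dict:
    """Return a verdict for one raw identification line including its CR LF."""
    findings = []
    if len(line) > 255:  # RFC 4253: max 255 bytes including CR and LF
        findings.append("identification string exceeds 255 bytes (RFC 4253)")
    m = ID_RE.match(line)
    if not m:
        findings.append("does not match SSH-protoversion-softwareversion format")
        return {"ok": False, "findings": findings, "pointers": [], "software": None}
    pointers = [p.decode() for p in PTR_RE.findall(line)]
    if pointers:
        findings.append("banner carries %d pointer-like token(s)" % len(pointers))
    return {
        "ok": not findings,
        "findings": findings,
        "pointers": pointers,
        "software": m["soft"].decode(errors="replace"),
    }


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(check_identification(banner))
```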