docs(lvl14): adding the English readme

Raphael 2026-01-29 12:54:24 +01:00
parent 63b373efde
commit 9e3d9cd2be


@ -1,10 +1,10 @@
Le repertoire de level14 est vide et aucun flag restant apparent... il ne reste plus qu'a regarder directement dans getflag :eyes: The directory of level14 is empty and no remaining flag apparent... there is only one thing left which is to look directly into getflag :eyes:
(Pour etre honnete je souhaiter faire ca pour tous les flags mais j'ai ete spoiler que c'etait le dernier niveau) (To be honest I wanted to do this for all the flags but I was spoiled that it was the last level)
En regardant le code ca ressemble a une foret de if else if By looking at the code it looks like a forest of if else if.
En passant par le main j'obtiens ce message By passing through the main I obtain this message.
```asm ```asm
(gdb) b main (gdb) b main
Breakpoint 1 at 0x804894a Breakpoint 1 at 0x804894a
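Review bot: The three translated sentences at the top of this hunk still read as word-for-word French; suggest "The level14 directory is empty and no remaining flag can be found", "someone spoiled to me that it was the last level" instead of "I was spoiled that", and "Breaking on main I get this message" instead of "By passing through the main I obtain this message". The sentence introducing the `(gdb) b main` session could also say up front that the program refuses to run under a debugger, since that is what the session that follows demonstrates.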
@ -18,13 +18,13 @@ You should not reverse this
[Inferior 1 (process 2506) exited with code 01] [Inferior 1 (process 2506) exited with code 01]
``` ```
c'est ptrace qui nous empeche de faire ce que nous souhaitons It is ptrace which prevents us from doing what we want.
```asm ```asm
8048989: e8 b2 fb ff ff call 8048540 <ptrace@plt> 8048989: e8 b2 fb ff ff call 8048540 <ptrace@plt>
804898e: 85 c0 test eax,eax 804898e: 85 c0 test eax,eax
``` ```
J'ai donc pu le bypass il suffit d'aller a ptrace puis de mettre eax a 0 (afin qu'il pense que c'est une execution classique) I therefore could bypass it, it is enough to go to ptrace then to set eax to 0 (so that it thinks that it is a classic execution).
```asm ```asm
gdb /bin/getflag gdb /bin/getflag
(gdb) b ptrace (gdb) b ptrace
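Review bot: "It is ptrace which prevents us from doing what we want" does not tell the reader what the check is; the disassembly right below shows `call 8048540 <ptrace@plt>` followed by `test eax,eax`, so the sentence should state that the binary calls ptrace on itself and branches on the return value, and that a normal (untraced) run yields 0, which is exactly why forcing eax to 0 after the call makes the anti-debug branch believe it is a classic execution. The next sentence is also a comma splice; suggest "I could therefore bypass it: break on ptrace, finish the call and set eax to 0 (so that it believes this is a normal execution)".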
@ -45,7 +45,7 @@ Check flag.Here is your token :
Nope there is no token here for you sorry. Try again :) Nope there is no token here for you sorry. Try again :)
``` ```
Voici l'exploit complet avec le changement de la return value de getuid pour 3014 (soit d'apres /etc/passwd l'uid de flag14) Here is the complete exploit with the change of the return value of getuid to 3014 (that is according to /etc/passwd the uid of flag14).
```asm ```asm
gdb /bin/getflag gdb /bin/getflag
(gdb) b ptrace (gdb) b ptrace
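Review bot: "with the change of the return value of getuid to 3014 (that is according to /etc/passwd the uid of flag14)" is hard to parse; suggest "which also changes getuid's return value to 3014, the uid /etc/passwd gives for flag14". It is worth adding one sentence saying why this second change is needed: the previous session ends with "Nope there is no token here for you sorry", which shows that defeating the ptrace check alone is not enough because getflag still verifies the caller's uid.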
@ -75,5 +75,4 @@ which has no line number information.
Single stepping until exit from function main, Single stepping until exit from function main,
which has no line number information. which has no line number information.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
``` ```
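Review bot: The last context line of this hunk keeps the real token ("Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ") in the README in clear. The write-up does not need the value to make its point, and flags or credentials should not be stored in the repository; suggest replacing it with a placeholder such as `<token>` in the gdb transcript.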