diff --git a/level14/README.md b/level14/README.md new file mode 100644 index 0000000..9c98293 --- /dev/null +++ b/level14/README.md 
@@ -0,0 +1,79 @@ +Le repertoire de level14 est vide et aucun flag restant apparent... il ne reste plus qu'a regarder directement dans getflag :eyes: + +(Pour etre honnete je souhaiter faire ca pour tous les flags mais j'ai ete spoiler que c'etait le dernier niveau) + +En regardant le code ca ressemble a une foret de if else if + +En passant par le main j'obtiens ce message +```asm +(gdb) b main +Breakpoint 1 at 0x804894a +(gdb) r +Starting program: /bin/getflag + +Breakpoint 1, 0x0804894a in main () +(gdb) c +Continuing. +You should not reverse this +[Inferior 1 (process 2506) exited with code 01] +``` + +c'est ptrace qui nous empeche de faire ce que nous souhaitons +```asm + 8048989: e8 b2 fb ff ff call 8048540 + 804898e: 85 c0 test eax,eax +``` + +J'ai donc pu le bypass il suffit d'aller a ptrace puis de mettre eax a 0 (afin qu'il pense que c'est une execution classique) +```asm +gdb /bin/getflag +(gdb) b ptrace +Breakpoint 1 at 0x8048540 +(gdb) r +Starting program: /bin/getflag + +Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6 +(gdb) n +Single stepping until exit from function ptrace, +which has no line number information. +0x0804898e in main () +(gdb) set $eax=0 +(gdb) n +Single stepping until exit from function main, +which has no line number information. +Check flag.Here is your token : +Nope there is no token here for you sorry. Try again :) +``` + +Voici l'exploit complet avec le changement de la return value de getuid pour 3014 (soit d'apres /etc/passwd l'uid de flag14) +```asm +gdb /bin/getflag +(gdb) b ptrace +Breakpoint 1 at 0x8048540 +(gdb) b getuid +Breakpoint 2 at 0x80484b0 +(gdb) r +Starting program: /bin/getflag + +Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6 +(gdb) n +Single stepping until exit from function ptrace, +which has no line number information. +0x0804898e in main () +(gdb) set $eax=0 +(gdb) n +Single stepping until exit from function main, +which has no line number information. 
+ +Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6 +(gdb) n +Single stepping until exit from function getuid, +which has no line number information. +0x08048b02 in main () +(gdb) set $eax=0xBC6 +(gdb) n +Single stepping until exit from function main, +which has no line number information. +Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ + +```
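Review bot: the README never states why `set $eax=0` at 0x0804898e defeats the anti-debug check; the disassembly excerpt shows only `call 8048540` followed by `test eax,eax`, with no symbol on the call target, so add a line saying that 8048540 is the ptrace PLT stub (the `b ptrace` output `Breakpoint 1 at 0x8048540` already confirms it) and that the branch after `test eax,eax` treats any non-zero return value as "being traced", which is what forcing eax to 0 hides. The same applies to the getuid part: the text says the uid of flag14 is 3014 per /etc/passwd, but the session does `set $eax=0xBC6`; spell out that 0xBC6 is 3014 so the two values are visibly the same. Two smaller points: the gdb transcripts are fenced as ```asm although they are interactive gdb sessions, so an untagged fence or ```gdb would be more accurate, and stepping out of a libc function with `n` ("Single stepping until exit from function ptrace, which has no line number information") works here but `finish` is the reliable way to land on the return address before patching `$eax`. Finally, consider whether the last transcript should carry the literal token after `Here is your token :`; if the write-up is meant to document the method, the token itself can be elided.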