docs(level14): adding the readme
parent cab46cc093
commit f45c37f00e
1 changed file with 79 additions and 0 deletions
level14/README.md (normal file, 79 additions)
@ -0,0 +1,79 @@
Le repertoire de level14 est vide et aucun flag restant apparent... il ne reste plus qu'a regarder directement dans getflag :eyes:
(Pour etre honnete je souhaiter faire ca pour tous les flags mais j'ai ete spoiler que c'etait le dernier niveau)
En regardant le code ca ressemble a une foret de if else if
En passant par le main j'obtiens ce message
```asm
(gdb) b main
Breakpoint 1 at 0x804894a
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0x0804894a in main ()
(gdb) c
Continuing.
You should not reverse this
[Inferior 1 (process 2506) exited with code 01]
```
c'est ptrace qui nous empeche de faire ce que nous souhaitons
```asm
8048989: e8 b2 fb ff ff call 8048540 <ptrace@plt>
804898e: 85 c0 test eax,eax
```
J'ai donc pu le bypass il suffit d'aller a ptrace puis de mettre eax a 0 (afin qu'il pense que c'est une execution classique)
```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token :
Nope there is no token here for you sorry. Try again :)
```
Voici l'exploit complet avec le changement de la return value de getuid pour 3014 (soit d'apres /etc/passwd l'uid de flag14)
```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) b getuid
Breakpoint 2 at 0x80484b0
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function getuid,
which has no line number information.
0x08048b02 in main ()
(gdb) set $eax=0xBC6
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
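Review bot: the objdump excerpt (`call 8048540 <ptrace@plt>` followed by `test eax,eax`) stops before the conditional jump that consumes the test, so the reader cannot see which branch the `set $eax=0` at 0x0804898e is meant to select; add the jump line that follows `test eax,eax` and state in one sentence that 0 is the success return of ptrace, i.e. the value the program sees when no debugger is attached, which is why forcing it makes the check pass. Two smaller points: the gdb transcripts are fenced as ```asm although they are console sessions, so ```console (or ```text) would be the accurate tag, and the last block has a stray empty line before its closing fence. The 0xBC6 in `set $eax=0xBC6` is 3014 decimal, matching the flag14 uid quoted from /etc/passwd; writing `set $eax=3014` would spare the reader the conversion.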