# Level 13

## how to login

username: level13
password: g1qKMiRpXf53AWhDaU7FEkczr

## Goal

run `getflag` as user `flag13`

## Actually doing something

```bash
level13@SnowCrash:~$ ll
total 20
dr-x------ 1 level13 level13  120 Mar  5  2016 ./
d--x--x--x 1 root    users    340 Aug 30  2015 ../
-r-x------ 1 level13 level13  220 Apr  3  2012 .bash_logout*
-r-x------ 1 level13 level13 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x 1 flag13  level13 7303 Aug 30  2015 level13*
-r-x------ 1 level13 level13  675 Apr  3  2012 .profile*
level13@SnowCrash:~$ file level13
level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped
```

A real binary! It is setuid `flag13`, and the decompiler gives us this:

```c
int main(int argc, const char **argv, const char **envp)
{
  __uid_t uid; // eax
  char *tok;   // eax

  // the only thing between us and the token: a hard-coded check on the real uid
  if ( getuid() != 4242 )
  {
    uid = getuid();
    printf("UID %d started us but we we expect %d\n", uid, 4242);
    exit(1);
  }
  tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
  return printf("your token is %s\n", tok);
}

// decodes a strdup'd copy of s; 134514368 is 0x80486c0, a six-byte table in
// .rodata that gives the number of shift rounds for position i % 6
char *__cdecl ft_des(char *s)
{
  unsigned int i; // [esp+2Ch] [ebp-1Ch]
  int n;          // [esp+30h] [ebp-18h]
  int j;          // [esp+34h] [ebp-14h]
  int k;          // [esp+38h] [ebp-10h]
  char *str;      // [esp+3Ch] [ebp-Ch]

  str = strdup(s);
  n = 0;
  for ( i = 0; strlen(str) > i; ++i )
  {
    if ( n == 6 )
      n = 0;
    if ( (i & 1) != 0 )
    {
      // odd position: increment table[n] times, 127 wraps back to 32
      for ( j = 0; *(char *)(n + 134514368) > j; ++j )
      {
        if ( ++str[i] == 127 )
          str[i] = 32;
      }
    }
    else
    {
      // even position: decrement table[n] times, 31 wraps back to 126
      for ( k = 0; *(char *)(n + 134514368) > k; ++k )
      {
        if ( --str[i] == 31 )
          str[i] = 126;
      }
    }
    ++n;
  }
  return str;
}
```

This looks complicated, but running the executable as level13 just throws us into the UID mismatch branch and the process exits before `ft_des` is ever called. Note that the check is on `getuid()`, the *real* uid, which the setuid bit does not change, so the fact that the binary runs as flag13 does not help us at all here.
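The decode routine is less scary than it looks once the shift table is known. Below is an added example, not code from this writeup: a portable C reimplementation of `ft_des`. The six bytes at 0x80486c0 are not shown on the page; the values used here, `"012345"`, are an inference obtained by solving the per-position shift between the embedded string and the token the patched binary prints, and they reproduce the token at all 25 positions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed contents of the six-byte table at 0x80486c0 (134514368).
 * Inferred from the input/output pair on this page, not read from the
 * binary: '0'..'5' == 48..53 rounds for positions 0..5 (mod 6). */
static const char SHIFT_TABLE[6] = { '0', '1', '2', '3', '4', '5' };

/* Reimplementation of ft_des: returns a malloc'd decoded copy of s.
 * Position i uses SHIFT_TABLE[i % 6] rounds; odd positions are incremented
 * (127 wraps to 32), even positions decremented (31 wraps to 126), so every
 * byte stays inside printable ASCII 32..126. Caller frees the result. */
char *ft_des(const char *s)
{
    size_t len = strlen(s);
    char *str = malloc(len + 1);
    if (str == NULL)
        return NULL;
    memcpy(str, s, len + 1);

    int n = 0;                          /* index into the shift table, cycles 0..5 */
    for (size_t i = 0; i < len; ++i) {
        if (n == 6)
            n = 0;
        int rounds = SHIFT_TABLE[n];    /* '0' is 48 rounds, '5' is 53 */
        if (i & 1) {
            for (int j = 0; j < rounds; ++j)
                if (++str[i] == 127)
                    str[i] = 32;
        } else {
            for (int k = 0; k < rounds; ++k)
                if (--str[i] == 31)
                    str[i] = 126;
        }
        ++n;
    }
    return str;
}

int main(void)
{
    /* the constant that main() in the binary hands to ft_des */
    char *tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
    if (tok == NULL)
        return 1;
    printf("your token is %s\n", tok);   /* same line the binary would print */
    free(tok);
    return 0;
}
```

Compile with `gcc -o des13 des13.c && ./des13`; no uid check, no setuid binary involved, the token falls out of the constant alone.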
Either we reverse `ft_des` (reimplement it, compile it ourselves and run it), or we patch the binary so that it wants to NOT have the given uid. The latter should be easy, and it turns out to be a single byte:

```bash
level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
90c90
< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074  ..........=....t
---
> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075  ..........=....t
level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
level13@SnowCrash:/tmp/l13$ ./level13.patched
your token is 2A31L79asukciNyi8uppkEuSx
```

The bytes on that line are the check itself: `e8 e6fd ffff` is the `call getuid`, `3d 92100000` is `cmp eax, 0x1092` (0x1092 is 4242), and `74` is the short `je` that skips the error path when the uids match. Changing `74` to `75` turns the `je` into a `jne`, aka an `!=`, meaning we now fail ONLY if we have a uid of 4242 instead of failing if we have a uid that isn't 4242. (The ASCII column of the patched line still shows `t` because only the hex was edited; `xxd -r` ignores the ASCII column, so that is what counts.)

Two things worth noting. The copy in `/tmp` is ours, so it carries no setuid bit and runs as plain level13; that is fine here because the token does not depend on the uid at all, it is just `ft_des` applied to a constant. And patching a copy is the only option anyway: the original is `-rwsr-sr-x` owned by flag13 and not writable by us.
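Hand-editing an xxd dump works, but it relies on picking the right byte by eye at a fixed offset. As an added example (not from this writeup), here is the same patch done in C: it locates the check by its instruction bytes rather than by offset, insists that the pattern occurs exactly once before touching anything, and only then flips the opcode. The sample buffer is constructed from the xxd line above; `patch_file` (read one path, write another) is this example's own helper and not part of the binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPC_JE  0x74
#define OPC_JNE 0x75
#define JE_POS  5   /* index of the je opcode inside NEEDLE */

/* cmp eax, 0x1092 (4242) immediately followed by the je rel8 opcode */
static const unsigned char NEEDLE[6] = { 0x3d, 0x92, 0x10, 0x00, 0x00, OPC_JE };

/* Offset of the je opcode if NEEDLE occurs exactly once in buf,
 * -1 if it never occurs, -2 if it occurs more than once. */
long find_uid_check(const unsigned char *buf, size_t len)
{
    long found = -1;
    for (size_t i = 0; i + sizeof NEEDLE <= len; ++i) {
        if (memcmp(buf + i, NEEDLE, sizeof NEEDLE) != 0)
            continue;
        if (found != -1)
            return -2;              /* ambiguous: refuse rather than guess */
        found = (long)(i + JE_POS);
    }
    return found;
}

/* Flip the located je to jne in place. Returns the patched offset or the
 * negative code from find_uid_check(). */
long patch_je_to_jne(unsigned char *buf, size_t len)
{
    long off = find_uid_check(buf, len);
    if (off >= 0)
        buf[off] = OPC_JNE;
    return off;
}

/* Hypothetical helper: read in_path, patch, write out_path. */
int patch_file(const char *in_path, const char *out_path)
{
    FILE *f = fopen(in_path, "rb");
    if (f == NULL) { perror(in_path); return 1; }
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 1; }
    long len = ftell(f);
    rewind(f);
    unsigned char *buf = (len > 0) ? malloc((size_t)len) : NULL;
    if (buf == NULL || fread(buf, 1, (size_t)len, f) != (size_t)len) {
        fclose(f); free(buf); return 1;
    }
    fclose(f);

    long off = patch_je_to_jne(buf, (size_t)len);
    if (off < 0) {
        fprintf(stderr, "uid check %s\n", off == -1 ? "not found" : "ambiguous");
        free(buf); return 1;
    }
    f = fopen(out_path, "wb");
    if (f == NULL || fwrite(buf, 1, (size_t)len, f) != (size_t)len) {
        perror(out_path); if (f) fclose(f); free(buf); return 1;
    }
    fclose(f); free(buf);
    printf("je -> jne at file offset 0x%lx, written to %s (chmod +x it)\n", off, out_path);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc == 3)
        return patch_file(argv[1], argv[2]);

    /* Constructed sample: the 16 bytes xxd shows at file offset 0x590. */
    unsigned char sample[16] = {
        0xe4, 0xf0, 0x83, 0xec, 0x10, 0xe8, 0xe6, 0xfd,
        0xff, 0xff, 0x3d, 0x92, 0x10, 0x00, 0x00, 0x74
    };
    long off = patch_je_to_jne(sample, sizeof sample);
    if (off < 0)
        return 1;
    printf("sample: je at index %ld -> 0x%02x (file offset 0x%lx)\n",
           off, sample[off], 0x590 + off);
    return 0;
}
```

Usage: `./patch13 level13 level13.patched && chmod +x level13.patched && ./level13.patched`. Running it on an already patched copy fails with "not found", since the `je` byte is gone, which is a cheap way to make sure you never double-patch or patch the wrong file.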