The level14 directory is empty and there is no remaining flag in sight... all that is left is to look directly inside getflag 👀
(To be honest, I wanted to do this for every flag, but I had been spoiled that this was the last level.)
Looking at the code, it looks like a forest of if / else if.
Running it through main, I get this message:
```
(gdb) b main
Breakpoint 1 at 0x804894a
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0x0804894a in main ()
(gdb) c
Continuing.
You should not reverse this
[Inferior 1 (process 2506) exited with code 01]
```
It is ptrace that prevents us from doing what we want: the return value of the call is tested right after it.
```
8048989: e8 b2 fb ff ff call 8048540 <ptrace@plt>
804898e: 85 c0 test eax,eax
```
So I was able to bypass it: break on ptrace, step out of it, then set eax to 0 (so the program believes this is a normal, untraced execution).
```
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token :
Nope there is no token here for you sorry. Try again :)
```
Here is the full exploit, which also changes the return value of getuid to 3014 (the uid of flag14 according to /etc/passwd):
```
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) b getuid
Breakpoint 2 at 0x80484b0
(gdb) r
Starting program: /bin/getflag
Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function getuid,
which has no line number information.
0x08048b02 in main ()
(gdb) set $eax=0xBC6
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
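To make it clear why forcing eax at those two addresses works, here is an added C reconstruction of the two checks the session above defeats. It is not the real getflag source (which is not on the page); the structure is inferred from the `call ptrace; test eax,eax` disassembly and the messages seen in gdb, and the function names, the single-entry token table and the `-1`/`0` ptrace convention are assumptions.

```c
/* Added example, hypothetical reconstruction of getflag's two checks.
 * Decision logic is kept in pure functions so the register value that
 * flips each branch is explicit. Build on Linux: gcc -o demo demo.c */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/ptrace.h>
#endif

/* uid of flag14 according to /etc/passwd on the target (from the writeup) */
#define FLAG14_UID 3014 /* 0xBC6, the value written into eax after getuid */

/* Constructed token table: only the level14 token is known from the page. */
static const char *TOKEN_LEVEL14 = "7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ";

/* Anti-debug branch: ptrace(PTRACE_TRACEME) returns -1 when the process
 * already has a tracer (gdb), 0 otherwise. This is the value in eax at
 * 0x804898e; setting it to 0 takes the "not traced" path. */
int debugger_detected(long ptrace_ret) {
    return ptrace_ret == -1;
}

/* uid dispatch: the token printed depends on the caller's uid. Forcing eax
 * to 0xBC6 after getuid() makes the program believe it runs as flag14. */
const char *token_for_uid(uid_t uid) {
    if (uid == FLAG14_UID)
        return TOKEN_LEVEL14;
    return NULL; /* "Nope there is no token here for you sorry" */
}

int main(void) {
    long traced = 0;
#ifdef __linux__
    traced = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
#endif
    if (debugger_detected(traced)) {
        puts("You should not reverse this");
        return 1;
    }
    const char *tok = token_for_uid(getuid());
    printf("Check flag.Here is your token : %s\n",
           tok ? tok : "\nNope there is no token here for you sorry. Try again :)");
    return 0;
}
```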