79 lines
2.3 KiB
Markdown
The level14 directory is empty and there is no remaining flag in sight... all that is left is to look directly inside getflag itself :eyes:

(To be honest I wanted to do this for every flag, but I was spoiled that this was the last level.)
Looking at the code, it looks like a forest of if / else if.

Running it through main, I get this message:

```asm
(gdb) b main
Breakpoint 1 at 0x804894a
(gdb) r
Starting program: /bin/getflag

Breakpoint 1, 0x0804894a in main ()
(gdb) c
Continuing.
You should not reverse this
[Inferior 1 (process 2506) exited with code 01]
```
It is ptrace that stops us from doing what we want: the binary calls ptrace(PTRACE_TRACEME) on itself, which succeeds (returns 0) when nobody is tracing the process and fails with -1 when a debugger such as gdb is already attached. The result is then tested and the "You should not reverse this" branch is taken on failure.

```asm
8048989: e8 b2 fb ff ff    call   8048540 <ptrace@plt>
804898e: 85 c0             test   eax,eax
```
So I was able to bypass it: it is enough to break on ptrace, let it return, and set eax to 0 so the program believes this is a normal execution. (Since libc's ptrace has no line number information, `n` single-steps until the function returns to main; `finish` would do the same thing.)

```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) r
Starting program: /bin/getflag

Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token :
Nope there is no token here for you sorry. Try again :)
```

The anti-debugging check is gone, but getflag then compares the real uid against the flag users, and mine is not one of them.
Here is the complete exploit, with the return value of getuid also changed to 3014 (0xBC6, which according to /etc/passwd is the uid of flag14). A second breakpoint on getuid lets me patch eax right after it returns, exactly as for ptrace:

```asm
gdb /bin/getflag
(gdb) b ptrace
Breakpoint 1 at 0x8048540
(gdb) b getuid
Breakpoint 2 at 0x80484b0
(gdb) r
Starting program: /bin/getflag

Breakpoint 1, 0xb7f146d0 in ptrace () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function ptrace,
which has no line number information.
0x0804898e in main ()
(gdb) set $eax=0
(gdb) n
Single stepping until exit from function main,
which has no line number information.

Breakpoint 2, 0xb7ee4cc0 in getuid () from /lib/i386-linux-gnu/libc.so.6
(gdb) n
Single stepping until exit from function getuid,
which has no line number information.
0x08048b02 in main ()
(gdb) set $eax=0xBC6
(gdb) n
Single stepping until exit from function main,
which has no line number information.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
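To practise both bypasses (the ptrace anti-debugging check and the getuid spoof) on a binary you can compile yourself, here is an added example: a small practice target I wrote for this writeup, not the source of /bin/getflag, which reproduces the two checks described above. The uid 3014, the build flags and the placeholder token are assumptions; the decision logic sits in its own functions so the point is explicit: the only thing each check sees is the value left in eax after the call.

```c
/* Practice target reproducing the two checks bypassed in this writeup.
 * Added example, not the source of /bin/getflag.
 * Build (assumed, 32-bit to match the $eax used above):
 *   gcc -m32 -O0 -o practice_getflag practice_getflag.c
 * Bypass under gdb, mirroring the session above (finish == n here,
 * since libc has no line number information):
 *   (gdb) b ptrace            (gdb) b getuid         (gdb) r
 *   (gdb) finish              (gdb) set $eax=0       (gdb) c
 *   (gdb) finish              (gdb) set $eax=0xBC6   (gdb) c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <unistd.h>

/* 0xBC6 == 3014: uid of flag14 from /etc/passwd in the writeup.
 * Assumption for this example; adjust to your own box. */
#define FLAG14_UID 3014

/* The "call ptrace; test eax,eax" check: PTRACE_TRACEME returns 0 when
 * nobody traces the process and -1 (errno EPERM) when a debugger already
 * does. Overwriting eax with 0 right after the call defeats it because
 * nothing else is consulted. */
int debugger_detected(long ptrace_ret)
{
    return ptrace_ret != 0;
}

/* The uid branch: whatever getuid() left in eax is compared against the
 * flag user, so "set $eax=0xBC6" after the call makes the process look
 * like flag14 without holding any real privilege. */
int is_flag14(uid_t uid)
{
    return uid == FLAG14_UID;
}

int main(void)
{
    /* Ask to be traced by our parent: fails if a tracer is already attached. */
    long rc = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    if (debugger_detected(rc)) {
        fprintf(stderr, "You should not reverse this (ptrace: %s)\n",
                strerror(errno));
        return 1;
    }
    if (!is_flag14(getuid())) {
        puts("Nope there is no token here for you sorry. Try again :)");
        return 1;
    }
    /* Constructed placeholder, not a real level token. */
    puts("Check flag.Here is your token : PRACTICE-TOKEN-NOT-A-REAL-FLAG");
    return 0;
}
```

Run it plainly as an unprivileged user and you get the "Nope" message; run it under gdb without patching and the ptrace branch fires; apply the two `set $eax` patches and the placeholder token is printed even though your real uid never changed.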