On arriving at level13 I notice the file level13

```
ls -l level13
-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13
```
And I also notice that it is C

```
ltrace ./level13
__libc_start_main(0x804858c, 1, 0xbffff7f4, 0x80485f0, 0x8048660 <unfinished ...>
getuid() = 2013
getuid() = 2013
printf("UID %d started us but we we expe"..., 2013UID 2013 started us but we we expect 4242
) = 42
exit(1 <unfinished ...>
+++ exited (status 1) +++
```
When running it (more cleanly), it expects UID 4242

```
level13@SnowCrash:~$ ./level13
UID 2013 started us but we we expect 4242
```
Here is the code of the main function

```
0804858c <main>:
804858c: 55 push ebp
804858d: 89 e5 mov ebp,esp
804858f: 83 e4 f0 and esp,0xfffffff0
8048592: 83 ec 10 sub esp,0x10
8048595: e8 e6 fd ff ff call 8048380 <getuid@plt>
804859a: 3d 92 10 00 00 cmp eax,0x1092
804859f: 74 2a je 80485cb <main+0x3f>
80485a1: e8 da fd ff ff call 8048380 <getuid@plt>
80485a6: ba c8 86 04 08 mov edx,0x80486c8
80485ab: c7 44 24 08 92 10 00 mov DWORD PTR [esp+0x8],0x1092
80485b2: 00
80485b3: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80485b7: 89 14 24 mov DWORD PTR [esp],edx
80485ba: e8 a1 fd ff ff call 8048360 <printf@plt>
80485bf: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
80485c6: e8 d5 fd ff ff call 80483a0 <exit@plt>
80485cb: c7 04 24 ef 86 04 08 mov DWORD PTR [esp],0x80486ef
80485d2: e8 9d fe ff ff call 8048474 <ft_des>
80485d7: ba 09 87 04 08 mov edx,0x8048709
80485dc: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80485e0: 89 14 24 mov DWORD PTR [esp],edx
80485e3: e8 78 fd ff ff call 8048360 <printf@plt>
80485e8: c9 leave
80485e9: c3 ret
80485ea: 90 nop
80485eb: 90 nop
80485ec: 90 nop
80485ed: 90 nop
80485ee: 90 nop
80485ef: 90 nop
```
In particular, this line (7) is the one that interests us

```
804859a: cmp eax,0x1092
```
0x1092 = 4242 (decimal); it is enough to change the value of our uid at the moment of the comparison (using gdb)

```
(gdb) b main
Breakpoint 1 at 0x804858f
(gdb) b *0x804859a
Breakpoint 2 at 0x804859a
(gdb) r
Starting program: /home/user/level13/level13
Breakpoint 1, 0x0804858f in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Breakpoint 2, 0x0804859a in main ()
(gdb) set $eax=0x1092
(gdb) c
Continuing.
your token is 2A31L79asukciNyi8uppkEuSx
[Inferior 1 (process 2288) exited with code 050]
```
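As an added audit check (my own code, not part of this writeup or of SnowCrash): a small scanner over `objdump -M intel` output that flags a `cmp eax,IMM` shortly after a `call <getuid@plt>`, which is exactly the hard-coded real-uid gate at 0x804859a that a register rewrite in gdb defeats. The sample listing is the excerpt of `main` shown above; the function names and the lookahead window are assumptions of this example.

```python
import re
from typing import List, Tuple

# One "objdump -M intel" line: "804859a: 3d 92 10 00 00 cmp eax,0x1092"
# (address, one or more hex bytes, mnemonic, operands). A spilled byte-only
# continuation line such as "80485b2: 00" has no mnemonic and is skipped.
INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+(\S+)\s*(.*)$')
CMP_EAX_IMM_RE = re.compile(r'^eax,0x([0-9a-f]+)$')


def parse_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (address, mnemonic, operands-without-spaces) per instruction."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            addr, mnem, ops = m.groups()
            insns.append((int(addr, 16), mnem, ops.replace(' ', '')))
    return insns


def find_hardcoded_uid_gates(text: str, window: int = 3) -> List[Tuple[int, int]]:
    """Flag each 'cmp eax,IMM' within `window` instructions after a call to
    getuid@plt: the uid is only checked in user space against a constant,
    so a debugger can pass the gate by rewriting eax. Returns
    (address of the cmp, uid as decimal). The search stops at the next call,
    since that overwrites eax."""
    insns = parse_listing(text)
    hits = []
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem != 'call' or 'getuid@plt' not in ops:
            continue
        for addr2, mnem2, ops2 in insns[i + 1:i + 1 + window]:
            m = CMP_EAX_IMM_RE.match(ops2) if mnem2 == 'cmp' else None
            if m:
                hits.append((addr2, int(m.group(1), 16)))
                break
            if mnem2 == 'call':
                break
    return hits


# Constructed sample: the relevant lines of main from the listing above.
SAMPLE = """\
 8048595: e8 e6 fd ff ff call 8048380 <getuid@plt>
 804859a: 3d 92 10 00 00 cmp eax,0x1092
 804859f: 74 2a je 80485cb <main+0x3f>
 80485a1: e8 da fd ff ff call 8048380 <getuid@plt>
 80485a6: ba c8 86 04 08 mov edx,0x80486c8
 80485ab: c7 44 24 08 92 10 00 mov DWORD PTR [esp+0x8],0x1092
 80485b2: 00
 80485b3: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
"""

if __name__ == '__main__':
    for addr, uid in find_hardcoded_uid_gates(SAMPLE):
        print(f'uid gate at {addr:#x}: compares getuid() with {uid}')
```

Only the first getuid call is reported: the second one feeds printf rather than a compare.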