# Level 0X

## how to login

username: level0X

password: g1qKMiRpXf53AWhDaU7FEkczr

## Goal

run `getflag` as user `flagXX`

## Actually doing something

```bash
level13@SnowCrash:~$ ll
total 20
dr-x------ 1 level13 level13 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level13 level13 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level13 level13 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13*
-r-x------ 1 level13 level13 675 Apr 3 2012 .profile*
level13@SnowCrash:~$ file level13
level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped
```

A real binary!

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *ft_des(char *s);

int main(int argc, const char **argv, const char **envp)
{
    uid_t uid; // eax
    char *tok; // eax

    // The gate compares the caller's *real* uid (getuid), not the effective
    // uid the setuid bit grants, against the hard-coded value 4242.
    if ( getuid() != 4242 )
    {
        uid = getuid();
        // the decompiler printed a stale temporary (v3) here; it is the uid read above
        printf("UID %d started us but we we expect %d\n", uid, 4242);
        exit(1);
    }
    tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
    return printf("your token is %s\n", tok);
}

char *ft_des(char *s)
{
    unsigned int i; // [esp+2Ch] [ebp-1Ch]
    int n; // [esp+30h] [ebp-18h]
    int j; // [esp+34h] [ebp-14h]
    int k; // [esp+38h] [ebp-10h]
    char *str; // [esp+3Ch] [ebp-Ch]

    str = strdup(s);
    n = 0;
    // n cycles 0..5 (n == i % 6) and indexes a 6-byte table of shift counts
    // that lives in the binary at 134514368 (0x80486C0); the address is kept
    // as the decompiler emitted it so it matches the disassembly.
    for ( i = 0; strlen(str) > i; ++i )
    {
        if ( n == 6 )
            n = 0;
        if ( (i & 1) != 0 )
        {
            // odd positions: step the character up table[n] times,
            // wrapping from 127 back to 32 so it stays printable ASCII
            for ( j = 0; *(char *)(n + 134514368) > j; ++j )
            {
                if ( ++str[i] == 127 )
                    str[i] = 32;
            }
        }
        else
        {
            // even positions: step down table[n] times, wrapping 31 -> 126
            for ( k = 0; *(char *)(n + 134514368) > k; ++k )
            {
                if ( --str[i] == 31 )
                    str[i] = 126;
            }
        }
        ++n;
    }
    return str;
}
```

This looks complicated. When we run the executable we get thrown into the UID-mismatch branch.

Either we reverse `ft_des` (compile it on our own and run it), or I want to try to patch the binary so that it wants NOT to have the given uid; that should be easy enough.

```bash
level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
90c90
< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074 ..........=....t
---
> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075 ..........=....t
level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
level13@SnowCrash:/tmp/l13$ ./level13.patched
your token is 2A31L79asukciNyi8uppkEuSx
```

This simple change turns the `je` opcode that performs the uid check into a `jne`, i.e. a `!=`, meaning that we fail ONLY if we have a uid of 4242 instead of failing whenever our uid isn't 4242.