# Level 14

## how to login

username: level14

password: 2A31L79asukciNyi8uppkEuSx

## Goal

Run `getflag` as user `flag14`.

## Actually doing something

There is nothing to find on this level, so let's have fun with the `getflag` binary.

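```bash
user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig
user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig
user14@SnowCrash:/tmp/gf$ # quote the heredoc delimiter so the shell does not expand $N or the trailing backslash
user14@SnowCrash:/tmp/gf$ cat <<'EOF' >getflag.patch
206c206
< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c  ....$N....&....\
---
> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c  ....$N....&....\
EOF
user14@SnowCrash:/tmp/gf$ # apply the patch
user14@SnowCrash:/tmp/gf$ patch -o getflag.xxd.patched getflag.xxd.orig getflag.patch
user14@SnowCrash:/tmp/gf$ # rebuild the binary from the patched hex dump (xxd -r ignores the ASCII column)
user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched
```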

After applying this patch, we need to perform the level06 trick again so that we have the correct UID.

This patch modifies the string pointer in the `getflag` binary so that the string used for UID 3006 is actually the string for the last UID.
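
To see exactly what the two-byte edit changes, the following added example (not part of the original write-up) parses the two `xxd` lines from the patch, lists the differing file offsets, and decodes the little-endian 32-bit immediate of the `c7 04 24` (`mov dword [esp], imm32`) instruction that precedes the `call`. The function names are this example's own, and the parser assumes full 16-byte `xxd` lines.

```python
import string
import struct

# The two xxd lines from the patch above, copied from the write-up.
ORIG = "0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c  ....$N....&....\\"
PATCHED = "0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c  ....$N....&....\\"

MOV_ESP_IMM32 = b"\xc7\x04\x24"  # opcode c7 /0, ModRM 04, SIB 24 -> mov dword [esp], imm32


def parse_xxd_line(line):
    """Return (file_offset, data) for one full line of default `xxd` output."""
    addr, _, rest = line.partition(":")
    groups = []
    for tok in rest.split():
        # At most 8 groups of 4 hex digits; whatever follows is the ASCII column.
        if len(groups) == 8 or len(tok) != 4 or any(c not in string.hexdigits for c in tok):
            break
        groups.append(tok)
    return int(addr, 16), bytes.fromhex("".join(groups))


def changed_bytes(orig_line, new_line):
    """List (file_offset, old_byte, new_byte) for every byte that differs."""
    off_a, a = parse_xxd_line(orig_line)
    off_b, b = parse_xxd_line(new_line)
    if off_a != off_b or len(a) != len(b):
        raise ValueError("lines do not describe the same file range")
    return [(off_a + i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def imm32_operands(line):
    """Return (file_offset_of_imm32, value) for each mov dword [esp], imm32 in the line."""
    off, data = parse_xxd_line(line)
    found = []
    i = data.find(MOV_ESP_IMM32)
    while i != -1 and i + 7 <= len(data):
        found.append((off + i + 3, struct.unpack_from("<I", data, i + 3)[0]))
        i = data.find(MOV_ESP_IMM32, i + 1)
    return found


if __name__ == "__main__":
    for offset, old, new in changed_bytes(ORIG, PATCHED):
        print(f"file offset {offset:#x}: {old:02x} -> {new:02x}")
    for label, line in (("original", ORIG), ("patched", PATCHED)):
        for offset, value in imm32_operands(line):
            print(f"{label}: imm32 at {offset:#x} = {value:#010x}")
```

Only the hex columns matter: the ASCII column of the patched line still shows the old bytes, which `xxd -r` ignores.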

After this is done, we have the flag:

```bash
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```

Let's check it:

```bash
level14@SnowCrash:/tmp/gf$ su flag14
Password:
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
flag14@SnowCrash:~$ getflag
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```