level09

2026-01-19 18:34:11 +01:00 · 2026-01-19 18:34:11 +01:00 · 0dc6576ed1
commit 0dc6576ed1
parent 890a4c0d5e
5 changed files with 120 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,7 @@
        buildInputs = with pkgs; [
          qemu_kvm
          gnumake
+          python3
        ];
      };
    }
--- a/levels/09/README.md
+++ b/levels/09/README.md
@ -0,0 +1,105 @@
+# Level 09
+
+## how to login
+
+username: level09
+
+password: 25749xKZ8L7DkSCwJkT9dyv6f
+
+## Goal
+
+run `getflag` as user `flag09`
+
+## Actually doing something
+
+```bash
+level09@SnowCrash:~$ ll
+total 24
+dr-x------ 1 level09 level09  140 Mar  5  2016 ./
+d--x--x--x 1 root    users    340 Aug 30  2015 ../
+-r-x------ 1 level09 level09  220 Apr  3  2012 .bash_logout*
+-r-x------ 1 level09 level09 3518 Aug 30  2015 .bashrc*
+-rwsr-sr-x 1 flag09  level09 7640 Mar  5  2016 level09*
+-r-x------ 1 level09 level09  675 Apr  3  2012 .profile*
+----r--r-- 1 flag09  level09   26 Mar  5  2016 token
+```
+
+seems we need to do the same as last level 
+lets have fun hehe
+
+```bash
+level09@SnowCrash:~$ ./level09 
+You need to provied only one arg.
+level09@SnowCrash:~$ ./level09 AAA
+ABC
+level09@SnowCrash:~$ ./level09 AAAAAAAAA
+ABCDEFGHI
+```
+
+What happens if I give it a REALLY LONG argument ?
+
+```bash
+level09@SnowCrash:~$ ./level09 $(python -c "print('A' * 1000)")
+ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+
+
+123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+
+
+123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+
+
+123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<7E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+```
+
+Alright lets open this bad boy under Ghidra
+
+Woops after reading the code, it seems that it specifically tells you to not reverse it.
+
+Looking a the files a bit closer, we can actually read the token file...
+
+```bash
+level09@SnowCrash:~$ ll token
+----r--r-- 1 flag09  level09   26 Mar  5  2016 token
+level09@SnowCrash:~$ cat token
+f4kmm6p|=pnDBDu{
+```
+
+trying to directly use this as the password doesnt work, but when looking at the output of the binary, it seems that the does weird stuff to the input, lets try to run it through.
+
+
+```bash
+level09@SnowCrash:~$ ./level09 `cat token`
+f5mpq;vE{{TSW
+level09@SnowCrash:~$ su -c getflag flag09
+Password: 
+su: Authentication failure
+```
+
+Doesnt work.
+
+Then lets try to reverse the effect of the binary ?
+
+It looks like it does something like this:
+> for every character in input
+>    output (character+idx) % 255
+
+let do a script that does:
+> for every character in input
+>    output (character-idx) % 255
+
+we run it and we get
+```bash
+❯ ./levels/09/script.py <files/token
+f3iji1ju5yuevaus41q1afiuq
+```
+lets try this one
+
+```bash
+level09@SnowCrash:~$ su -c getflag flag09
+Password: 
+Check flag.Here is your token : s5cAJpM8ev6XHw998pRWG728z
+```
+
+Perfect !
+
--- a/levels/09/flag
+++ b/levels/09/flag
@ -0,0 +1 @@
+s5cAJpM8ev6XHw998pRWG728z
--- a/levels/09/passwd
+++ b/levels/09/passwd
@ -0,0 +1 @@
+25749xKZ8L7DkSCwJkT9dyv6f
--- a/levels/09/script.py
+++ b/levels/09/script.py
@ -0,0 +1,12 @@
+#!/usr/bin/env python
+import sys
+
+buf = sys.stdin.buffer.read()
+buf = buf.strip(b'\n')
+
+for i, b in enumerate(buf):
+    b = b - i
+    if b < 0:
+        b = 255 + b
+    sys.stdout.buffer.write(b.to_bytes())
+print()