level13

2026-01-19 20:17:38 +01:00 · 2026-01-19 20:17:38 +01:00 · 146ce99dd2
commit 146ce99dd2
parent 25ddaf020d
3 changed files with 102 additions and 0 deletions
--- a/levels/13/README.md
+++ b/levels/13/README.md
@ -0,0 +1,100 @@
+# Level 0X
+
+## how to login
+
+username: level0X
+
+password: g1qKMiRpXf53AWhDaU7FEkczr
+
+## Goal
+
+run `getflag` as user `flagXX`
+
+## Actually doing something
+
+```bash
+level13@SnowCrash:~$ ll
+total 20
+dr-x------ 1 level13 level13  120 Mar  5  2016 ./
+d--x--x--x 1 root    users    340 Aug 30  2015 ../
+-r-x------ 1 level13 level13  220 Apr  3  2012 .bash_logout*
+-r-x------ 1 level13 level13 3518 Aug 30  2015 .bashrc*
+-rwsr-sr-x 1 flag13  level13 7303 Aug 30  2015 level13*
+-r-x------ 1 level13 level13  675 Apr  3  2012 .profile*
+level13@SnowCrash:~$ file level13 
+level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped
+```
+
+A real binary !
+
+```c
+int main(int argc, const char **argv, const char **envp)
+{
+  __uid_t uid; // eax
+  char *tok; // eax
+
+  if ( getuid() != 4242 )
+  {
+    uid = getuid();
+    printf("UID %d started us but we we expect %d\n", v3, 4242);
+    exit(1);
+  }
+  tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
+  return printf("your token is %s\n", tok);
+}
+
+char *__cdecl ft_des(char *s)
+{
+  unsigned int i; // [esp+2Ch] [ebp-1Ch]
+  int n; // [esp+30h] [ebp-18h]
+  int j; // [esp+34h] [ebp-14h]
+  int k; // [esp+38h] [ebp-10h]
+  char *str; // [esp+3Ch] [ebp-Ch]
+
+  str = strdup(s);
+  n = 0;
+  for ( i = 0; strlen(str) > i; ++i )
+  {
+    if ( n == 6 )
+      n = 0;
+    if ( (i & 1) != 0 )
+    {
+      for ( j = 0; *(char *)(n + 134514368) > j; ++j )
+      {
+        if ( ++str[i] == 127 )
+          str[i] = 32;
+      }
+    }
+    else
+    {
+      for ( k = 0; *(char *)(n + 134514368) > k; ++k )
+      {
+        if ( --str[i] == 31 )
+          str[i] = 126;
+      }
+    }
+    ++n;
+  }
+  return str;
+}
+```
+
+This looks complicated, when running the executable we get thrown in the UID mismatch branch.
+
+Either we reverse the ft_des (compile it on our own and runnit), or I want to try to patch the binary such that it wants to NOT have the given uid it should be possible easily
+
+```bash
+level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
+level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
+90c90
+< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074  ..........=....t
+---
+> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075  ..........=....t
+level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
+level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
+level13@SnowCrash:/tmp/l13$ ./level13.patched
+your token is 2A31L79asukciNyi8uppkEuSx
+```
+
+this simple change make the `je` opcode that does the check for the uid into an `jne` aka an `!=`
+meaning that we fail ONLY if we have an uid of 4242 instead of failing if we have an uid that isnt 4242
--- a/levels/13/flag
+++ b/levels/13/flag
@ -0,0 +1 @@
+2A31L79asukciNyi8uppkEuSx
--- a/levels/13/passwd
+++ b/levels/13/passwd
@ -0,0 +1 @@
+g1qKMiRpXf53AWhDaU7FEkczr