From 146ce99dd263fe62c8bfe36d47f27acf2915d4d0 Mon Sep 17 00:00:00 2001
From: Maieul BOYER
Date: Mon, 19 Jan 2026 20:17:38 +0100
Subject: [PATCH] level13

---
 levels/13/README.md | 100 ++++++++++++++++++++++++++++++++++++++++++++
 levels/13/flag | 1 +
 levels/13/passwd | 1 +
 3 files changed, 102 insertions(+)
 create mode 100644 levels/13/README.md
 create mode 100644 levels/13/flag
 create mode 100644 levels/13/passwd

diff --git a/levels/13/README.md b/levels/13/README.md
new file mode 100644
index 0000000..3bcc43f
--- /dev/null
+++ b/levels/13/README.md
@@ -0,0 +1,100 @@
+# Level 0X
+
+## how to login
+
+username: level0X
+
+password: g1qKMiRpXf53AWhDaU7FEkczr
+
+## Goal
+
+run `getflag` as user `flagXX`
+
+## Actually doing something
+
+```bash
+level13@SnowCrash:~$ ll
+total 20
+dr-x------ 1 level13 level13 120 Mar 5 2016 ./
+d--x--x--x 1 root users 340 Aug 30 2015 ../
+-r-x------ 1 level13 level13 220 Apr 3 2012 .bash_logout*
+-r-x------ 1 level13 level13 3518 Aug 30 2015 .bashrc*
+-rwsr-sr-x 1 flag13 level13 7303 Aug 30 2015 level13*
+-r-x------ 1 level13 level13 675 Apr 3 2012 .profile*
+level13@SnowCrash:~$ file level13
+level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped
+```
+
+A real binary !
+
+```c
+int main(int argc, const char **argv, const char **envp)
+{
+ __uid_t uid; // eax
+ char *tok; // eax
+
+ if ( getuid() != 4242 )
+ {
+ uid = getuid();
+ printf("UID %d started us but we we expect %d\n", v3, 4242);
+ exit(1);
+ }
+ tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
+ return printf("your token is %s\n", tok);
+}
+
+char *__cdecl ft_des(char *s)
+{
+ unsigned int i; // [esp+2Ch] [ebp-1Ch]
+ int n; // [esp+30h] [ebp-18h]
+ int j; // [esp+34h] [ebp-14h]
+ int k; // [esp+38h] [ebp-10h]
+ char *str; // [esp+3Ch] [ebp-Ch]
+
+ str = strdup(s);
+ n = 0;
+ for ( i = 0; strlen(str) > i; ++i )
+ {
+ if ( n == 6 )
+ n = 0;
+ if ( (i & 1) != 0 )
+ {
+ for ( j = 0; *(char *)(n + 134514368) > j; ++j )
+ {
+ if ( ++str[i] == 127 )
+ str[i] = 32;
+ }
+ }
+ else
+ {
+ for ( k = 0; *(char *)(n + 134514368) > k; ++k )
+ {
+ if ( --str[i] == 31 )
+ str[i] = 126;
+ }
+ }
+ ++n;
+ }
+ return str;
+}
+```
+
+This looks complicated, when running the executable we get thrown in the UID mismatch branch. 
+
+Either we reverse the ft_des (compile it on our own and runnit), or I want to try to patch the binary such that it wants to NOT have the given uid it should be possible easily
+
+```bash
+level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
+level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
+90c90
+< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074 ..........=....t
+---
+> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075 ..........=....t
+level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
+level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
+level13@SnowCrash:/tmp/l13$ ./level13.patched
+your token is 2A31L79asukciNyi8uppkEuSx
+```
+
+this simple change make the `je` opcode that does the check for the uid into an `jne` aka an `!=`
+meaning that we fail ONLY if we have an uid of 4242 instead of failing if we have an uid that isnt 4242
diff --git a/levels/13/flag b/levels/13/flag
new file mode 100644
index 0000000..58c7d7f
--- /dev/null
+++ b/levels/13/flag
@@ -0,0 +1 @@
+2A31L79asukciNyi8uppkEuSx
diff --git a/levels/13/passwd b/levels/13/passwd
new file mode 100644
index 0000000..29e9492
--- /dev/null
+++ b/levels/13/passwd
@@ -0,0 +1 @@
+g1qKMiRpXf53AWhDaU7FEkczr
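Review bot: The title, login and goal lines of the new README still carry template placeholders (`# Level 0X`, `username: level0X`, `flagXX`) although the `ll` output, the `level13@SnowCrash` prompt and the commit title fix this as level 13 with the binary owned by `flag13`; fill them in as `# Level 13`, `username: level13` and `flag13`. In the decompiled listing the error `printf` passes `v3`, a name declared nowhere — the assignment just above stores `getuid()` into `uid`, so `uid` is what is meant. The "compile it on our own" option would not work from this listing alone, because `ft_des` takes the number of increments/decrements applied to each character from a six-byte table at 134514368 (0x80486c0, presumably read-only data in the binary) that the page does not reproduce; a sentence saying those bytes must be dumped first would make that option actionable. It is also worth stating why the patched copy in `/tmp` still prints the token: the copy lost its setuid/setgid bits, but only the UID gate was flipped and the token derivation itself needs no privilege.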