14

2026-01-19 20:56:09 +01:00 · 2026-01-19 20:56:09 +01:00 · a0fc2bc263
commit a0fc2bc263
parent 146ce99dd2
3 changed files with 50 additions and 0 deletions
--- a/levels/14/README.md
+++ b/levels/14/README.md
@ -0,0 +1,48 @@
+# Level 14
+
+## how to login
+
+username: level14
+
+password: 2A31L79asukciNyi8uppkEuSx
+
+## Goal
+
+run `getflag` as user `flag14`
+
+## Actually doing something
+
+there is nothing -> let have fun with `getflag` binary
+
+```bash
+user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig
+user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig
+user14@SnowCrash:/tmp/gf$ cat <<EOF >getflag.patch 
+206c206
+< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c  ....$N....&....\
+---
+> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c  ....$N....&....\
+EOF
+user14@SnowCrash:/tmp/gf$ # apply the patch
+user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched
+```
+
+after applying this patch, we need to perform the level06 trick again so we have the correct UID
+
+This patched modified the string pointed in the getflag binary for the UID 3006 is actually the string for the last uid
+
+after this is done we have the flag
+
+```bash
+7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
+```
+
+let check it
+
+```bash
+level14@SnowCrash:/tmp/gf$ su flag14
+Password: 
+Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
+flag14@SnowCrash:~$ getflag
+Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
+```
--- a/levels/14/flag
+++ b/levels/14/flag
@ -0,0 +1 @@
+7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
--- a/levels/14/passwd
+++ b/levels/14/passwd
@ -0,0 +1 @@
+2A31L79asukciNyi8uppkEuSx