This commit is contained in:
Maieul BOYER 2026-01-19 20:56:09 +01:00
parent 146ce99dd2
commit a0fc2bc263
Signed by: maix
SSH key fingerprint: SHA256:iqCzqFFF5KjRixmDExqbAltCIj9ndlBWIGJf3t9Ln9g
3 changed files with 50 additions and 0 deletions

48
levels/14/README.md Normal file
View file

@ -0,0 +1,48 @@
# Level 14
## how to login
username: level14
password: 2A31L79asukciNyi8uppkEuSx
## Goal
run `getflag` as user `flag14`
## Actually doing something
there is nothing -> let have fun with `getflag` binary
```bash
user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig
user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig
user14@SnowCrash:/tmp/gf$ cat <<EOF >getflag.patch
206c206
< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\
---
> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\
EOF
user14@SnowCrash:/tmp/gf$ # apply the patch
user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched
```
after applying this patch, we need to perform the level06 trick again so we have the correct UID
This patched modified the string pointed in the getflag binary for the UID 3006 is actually the string for the last uid
after this is done we have the flag
```bash
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
let check it
```bash
level14@SnowCrash:/tmp/gf$ su flag14
Password:
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
flag14@SnowCrash:~$ getflag
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```

1
levels/14/flag Normal file
View file

@ -0,0 +1 @@
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ

1
levels/14/passwd Normal file
View file

@ -0,0 +1 @@
2A31L79asukciNyi8uppkEuSx