From a0fc2bc263cf340e440d6b72ba1cf891bf30787b Mon Sep 17 00:00:00 2001 From: Maieul BOYER Date: Mon, 19 Jan 2026 20:56:09 +0100 Subject: [PATCH] 14 --- levels/14/README.md | 48 +++++++++++++++++++++++++++++++++++++++++++++ levels/14/flag | 1 + levels/14/passwd | 1 + 3 files changed, 50 insertions(+) create mode 100644 levels/14/README.md create mode 100644 levels/14/flag create mode 100644 levels/14/passwd diff --git a/levels/14/README.md b/levels/14/README.md new file mode 100644 index 0000000..de69a0c --- /dev/null +++ b/levels/14/README.md @@ -0,0 +1,48 @@ +# Level 14 + +## how to login + +username: level14 + +password: 2A31L79asukciNyi8uppkEuSx + +## Goal + +run `getflag` as user `flag14` + +## Actually doing something + +there is nothing -> let have fun with `getflag` binary + +```bash +user14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig +user14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig +user14@SnowCrash:/tmp/gf$ cat <getflag.patch +206c206 +< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\ +--- +> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\ +EOF +user14@SnowCrash:/tmp/gf$ # apply the patch +user14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched +``` + +after applying this patch, we need to perform the level06 trick again so we have the correct UID + +This patched modified the string pointed in the getflag binary for the UID 3006 is actually the string for the last uid + +after this is done we have the flag + +```bash +7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ +``` + +let check it + +```bash +level14@SnowCrash:/tmp/gf$ su flag14 +Password: +Congratulation. Type getflag to get the key and send it to me the owner of this livecd :) +flag14@SnowCrash:~$ getflag +Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ +``` diff --git a/levels/14/flag b/levels/14/flag new file mode 100644 index 0000000..e8aa4cf --- /dev/null 
+++ b/levels/14/flag @@ -0,0 +1 @@ +7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ diff --git a/levels/14/passwd b/levels/14/passwd new file mode 100644 index 0000000..58c7d7f --- /dev/null +++ b/levels/14/passwd @@ -0,0 +1 @@ +2A31L79asukciNyi8uppkEuSx
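Review bot: In levels/14/README.md, the shell transcript under "Actually doing something" cannot be replayed as written. `cat <getflag.patch` is an input redirection, while the trailing `EOF` shows a heredoc was intended. Suggest `cat <<'EOF' >getflag.patch` with the delimiter quoted, because the body contains `$N` and a line ending in a backslash, which an unquoted heredoc would expand or join with the next line. The step after `# apply the patch` is only a comment, so nothing shown creates `getflag.xxd.patched` before `xxd -r` reads it; please include the command that was actually run. Smaller points in the same hunk: the ASCII column of the replacement line still reads `$N` although the bytes changed from `4e 91` to `20 92` (xxd -r ignores that column, but it misleads a reader), the prompt switches between `user14@` and `level14@`, the token is fenced as `bash` although it is not a command, and "the level06 trick" should be linked or summarised so this README stands on its own.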
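Review bot: levels/14/flag stores the same token that README.md in this patch already prints twice (once in its own fence and once in the `getflag` output). Suggest keeping the value only in this file and having the README refer to it, so the three copies cannot drift apart.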
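Review bot: levels/14/passwd is undocumented and its single line duplicates the `password:` value listed under "how to login" in README.md. Suggest adding one sentence to the README stating which account this file's password belongs to, and dropping the inline copy there so the value has a single source.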