Level 14
How to log in
username: level14
password: 2A31L79asukciNyi8uppkEuSx
Goal
Run getflag as user flag14.
Actually doing something
There is nothing here, so let's have fun with the getflag binary itself.
level14@SnowCrash:/tmp/gf$ mkdir -p /tmp/gf && cd /tmp/gf && cp $(which getflag) getflag.orig
level14@SnowCrash:/tmp/gf$ xxd getflag.orig > getflag.xxd.orig
level14@SnowCrash:/tmp/gf$ cat <<EOF >getflag.patch
206c206
< 0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\
---
> 0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\
EOF
level14@SnowCrash:/tmp/gf$ # apply the patch to the hexdump (patch(1) assumed here)
level14@SnowCrash:/tmp/gf$ patch -o getflag.xxd.patched getflag.xxd.orig getflag.patch
level14@SnowCrash:/tmp/gf$ xxd -r getflag.xxd.patched > getflag.patched
After applying this patch, we need to perform the level06 trick again so that we have the correct UID.
The patch modifies the string pointer that the getflag binary uses for UID 3006 so that it points to the string for the last UID.
After this is done, we have the flag:
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
Let's check it:
level14@SnowCrash:/tmp/gf$ su flag14
Password:
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
flag14@SnowCrash:~$ getflag
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
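What the two hexdump lines in getflag.patch actually change, as an added example that is not part of the original write-up: it parses both xxd lines, lists the file offsets that differ, and decodes the 32-bit operand of the `mov DWORD PTR [esp], imm32` instruction (bytes `c7 04 24`) before and after. The function names are hypothetical; the two input lines are copied from the page.

```python
import struct

# The two hexdump lines from the page's getflag.patch (default xxd format).
ORIG = "0000cd0: 89c3 c704 244e 9104 08e8 26f9 ffff 895c ....$N....&....\\"
PATCHED = "0000cd0: 89c3 c704 2420 9204 08e8 26f9 ffff 895c ....$N....&....\\"

MOV_ESP_IMM32 = bytes.fromhex("c70424")  # x86: mov DWORD PTR [esp], imm32


def parse_xxd_line(line):
    """Return (file_offset, data) for one default-format xxd line."""
    offset_text, rest = line.split(":", 1)
    # Only the 8 hex groups carry data; the trailing ASCII column is skipped,
    # which is why the page's patched line still shows "N" there.
    groups = rest.split()[:8]
    return int(offset_text, 16), bytes.fromhex("".join(groups))


def changed_offsets(a, b):
    """File offsets at which the two hexdump lines differ."""
    off_a, data_a = parse_xxd_line(a)
    off_b, data_b = parse_xxd_line(b)
    if off_a != off_b or len(data_a) != len(data_b):
        raise ValueError("lines do not describe the same file range")
    return [off_a + i for i, (x, y) in enumerate(zip(data_a, data_b)) if x != y]


def imm32_operand(line):
    """Locate mov [esp], imm32 in the line; return (operand_offset, value)."""
    offset, data = parse_xxd_line(line)
    pos = data.find(MOV_ESP_IMM32)
    if pos < 0 or pos + 7 > len(data):
        raise ValueError("no complete mov [esp], imm32 in this line")
    start = pos + len(MOV_ESP_IMM32)
    (value,) = struct.unpack_from("<I", data, start)  # little-endian pointer
    return offset + start, value


def describe_patch(orig=ORIG, patched=PATCHED):
    where, before = imm32_operand(orig)
    _, after = imm32_operand(patched)
    return {"changed": changed_offsets(orig, patched),
            "operand_offset": where, "before": before, "after": after}


if __name__ == "__main__":
    info = describe_patch()
    print("changed file offsets:", [hex(o) for o in info["changed"]])
    print("operand at %#x: %#010x -> %#010x"
          % (info["operand_offset"], info["before"], info["after"]))
```

Only two bytes of the file differ, and both sit inside the pointer operand, so the instruction that follows (`e8 26 f9 ff ff`, a relative call) is untouched.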