
Level 13

how to login

username: level13

password: g1qKMiRpXf53AWhDaU7FEkczr

Goal

run getflag as user flag13

Actually doing something

level13@SnowCrash:~$ ll
total 20
dr-x------ 1 level13 level13  120 Mar  5  2016 ./
d--x--x--x 1 root    users    340 Aug 30  2015 ../
-r-x------ 1 level13 level13  220 Apr  3  2012 .bash_logout*
-r-x------ 1 level13 level13 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x 1 flag13  level13 7303 Aug 30  2015 level13*
-r-x------ 1 level13 level13  675 Apr  3  2012 .profile*
level13@SnowCrash:~$ file level13 
level13: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xde91cfbf70ca6632d7e4122f8210985dea778605, not stripped

A real binary!

/* Decompiler output for the level13 binary, lightly cleaned up so it compiles:
 * headers and a forward declaration added, and the printf argument the
 * decompiler had left as v3 replaced by the uid read just above it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *ft_des(char *s);

int main(int argc, const char **argv, const char **envp)
{
  uid_t uid; // eax
  char *tok; // eax

  // The real uid must be exactly 4242 (flag13); anything else aborts.
  if ( getuid() != 4242 )
  {
    uid = getuid();
    printf("UID %d started us but we we expect %d\n", uid, 4242);
    exit(1);
  }
  tok = ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
  return printf("your token is %s\n", tok);
}

/* 6-byte shift table in the binary's own data section (134514368 = 0x8048740).
 * Its contents are not reproduced here, so ft_des only runs inside the binary. */
#define SHIFT_TABLE ((const char *)134514368)

char *ft_des(char *s)
{
  unsigned int i; // [esp+2Ch] [ebp-1Ch]
  int n; // [esp+30h] [ebp-18h]
  int j; // [esp+34h] [ebp-14h]
  int k; // [esp+38h] [ebp-10h]
  char *str; // [esp+3Ch] [ebp-Ch]

  str = strdup(s);
  n = 0;                       // index into the 6-entry shift table
  for ( i = 0; strlen(str) > i; ++i )
  {
    if ( n == 6 )
      n = 0;
    if ( (i & 1) != 0 )
    {
      // odd positions: step the character forward SHIFT_TABLE[n] times,
      // wrapping 127 back to 32 (space)
      for ( j = 0; SHIFT_TABLE[n] > j; ++j )
      {
        if ( ++str[i] == 127 )
          str[i] = 32;
      }
    }
    else
    {
      // even positions: step backward, wrapping 31 to 126 ('~')
      for ( k = 0; SHIFT_TABLE[n] > k; ++k )
      {
        if ( --str[i] == 31 )
          str[i] = 126;
      }
    }
    ++n;
  }
  return str;
}

This looks complicated; running the executable as level13 just drops us into the UID mismatch branch, since our uid is not 4242.

Either we reverse ft_des (compile it ourselves and run it), or we patch the binary so that it wants NOT to have the given uid. That should be easy enough.
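The first option, as an added example that is not part of the original writeup: a re-implementation of the decompiled ft_des plus its inverse. The binary's shift table is not shown on this page, so the table is passed in by the caller and the DEMO_SHIFTS table below is a constructed stand-in, which means the decoded string printed by main is not the real token. The helper names (ft_des_with_table, ft_des_inverse, demo_decodes_to, demo_roundtrips) are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the decompiled ft_des. In the binary the per-position
 * shift counts come from a 6-byte table in its data section (134514368 =
 * 0x8048740); here the caller supplies the table, because its contents are
 * not on the page. The binary uses strdup; malloc+memcpy is equivalent. */
char *ft_des_with_table(const char *s, const unsigned char shifts[6])
{
    size_t len = strlen(s);
    char *str = malloc(len + 1);
    if (str == NULL)
        return NULL;
    memcpy(str, s, len + 1);
    int n = 0;
    for (size_t i = 0; i < len; ++i) {
        if (n == 6)
            n = 0;
        if (i & 1) {
            /* odd positions step forward through the printable range,
             * wrapping 127 back to 32 (space) */
            for (int j = 0; j < shifts[n]; ++j)
                if (++str[i] == 127)
                    str[i] = 32;
        } else {
            /* even positions step backward, wrapping 31 to 126 ('~') */
            for (int k = 0; k < shifts[n]; ++k)
                if (--str[i] == 31)
                    str[i] = 126;
        }
        ++n;
    }
    return str;
}

/* The inverse transform (not present in the binary): same table, opposite
 * direction at each position. For input in the printable range 32..126 the
 * two wraps are inverses of each other, so decode(encode(x)) == x. */
char *ft_des_inverse(const char *s, const unsigned char shifts[6])
{
    size_t len = strlen(s);
    char *str = malloc(len + 1);
    if (str == NULL)
        return NULL;
    memcpy(str, s, len + 1);
    int n = 0;
    for (size_t i = 0; i < len; ++i) {
        if (n == 6)
            n = 0;
        if (i & 1) {
            for (int j = 0; j < shifts[n]; ++j)
                if (--str[i] == 31)
                    str[i] = 126;
        } else {
            for (int k = 0; k < shifts[n]; ++k)
                if (++str[i] == 127)
                    str[i] = 32;
        }
        ++n;
    }
    return str;
}

/* Constructed demo table; NOT the table inside the level13 binary. */
static const unsigned char DEMO_SHIFTS[6] = {1, 2, 3, 4, 5, 6};

/* Decode `in` with DEMO_SHIFTS and report whether it equals `expected`. */
int demo_decodes_to(const char *in, const char *expected)
{
    char *out = ft_des_with_table(in, DEMO_SHIFTS);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

/* Encode then decode `in` with DEMO_SHIFTS; must give `in` back. */
int demo_roundtrips(const char *in)
{
    char *enc = ft_des_inverse(in, DEMO_SHIFTS);
    char *dec = enc ? ft_des_with_table(enc, DEMO_SHIFTS) : NULL;
    int ok = dec != NULL && strcmp(dec, in) == 0;
    free(enc);
    free(dec);
    return ok;
}

int main(void)
{
    /* The page's input string, decoded with the demo table only. */
    char *t = ft_des_with_table("boe]!ai0FB@.:|L6l@A?>qJ}I", DEMO_SHIFTS);
    printf("decoded with the demo table (not the real token): %s\n", t);
    free(t);
    return 0;
}
```

With the real 6 bytes read out of the binary at 0x8048740 (for example with gdb or by dumping that range with xxd), ft_des_with_table on the page's input string reproduces the token without ever needing uid 4242.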

level13@SnowCrash:/tmp/l13$ xxd level13 >level13.xxd.orig
level13@SnowCrash:/tmp/l13$ diff level13.xxd.orig level13.xxd.patched
90c90
< 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0074  ..........=....t
---
> 0000590: e4f0 83ec 10e8 e6fd ffff 3d92 1000 0075  ..........=....t
level13@SnowCrash:/tmp/l13$ xxd -r level13.xxd.patched >level13.patched
level13@SnowCrash:/tmp/l13$ chmod +x level13.patched
level13@SnowCrash:/tmp/l13$ ./level13.patched
your token is 2A31L79asukciNyi8uppkEuSx

This one-byte change (0x74 to 0x75) turns the je opcode that does the uid check into a jne, i.e. a !=, so we now fail ONLY if our uid is 4242 instead of failing whenever it is not 4242. The ASCII column of the patched xxd line still shows the old 't'; that is harmless, because xxd -r reads only the hex columns when rebuilding the file.
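The same one-byte patch applied programmatically, with the sanity check a practitioner would want before writing to the file: the byte being flipped must be a je (0x74) that directly follows the cmp eax, 0x1092 (3d 92 10 00 00) seen in the xxd diff above. This is an added example and not the author's code; the function names are mine, and the 16-byte sample buffer is constructed from the bytes the page shows at file offset 0x590.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes from the page's xxd diff: cmp eax, 0x1092 (4242 decimal), followed by
 * the conditional jump whose opcode gets flipped. */
static const unsigned char CMP_EAX_4242[5] = {0x3d, 0x92, 0x10, 0x00, 0x00};
#define OPC_JE  0x74
#define OPC_JNE 0x75

/* Offset of the je that follows cmp eax, 0x1092, or -1 if the sequence is
 * absent or occurs more than once (ambiguous, so refuse to guess). */
long find_uid_check_je(const unsigned char *buf, size_t len)
{
    long found = -1;
    for (size_t i = 0; i + sizeof CMP_EAX_4242 < len; ++i) {
        if (memcmp(buf + i, CMP_EAX_4242, sizeof CMP_EAX_4242) == 0 &&
            buf[i + sizeof CMP_EAX_4242] == OPC_JE) {
            if (found != -1)
                return -1;
            found = (long)(i + sizeof CMP_EAX_4242);
        }
    }
    return found;
}

/* Flip je -> jne at `off` after verifying the surrounding bytes.
 * Returns 0 on success, -1 if off is out of range, -2 if the byte is not
 * preceded by cmp eax, 0x1092, -3 if it is not a je (e.g. already patched). */
int flip_uid_check(unsigned char *buf, size_t len, size_t off)
{
    if (off < sizeof CMP_EAX_4242 || off >= len)
        return -1;
    if (memcmp(buf + off - sizeof CMP_EAX_4242, CMP_EAX_4242,
               sizeof CMP_EAX_4242) != 0)
        return -2;
    if (buf[off] != OPC_JE)
        return -3;
    buf[off] = OPC_JNE;
    return 0;
}

/* Constructed sample: the 16 bytes the page's xxd shows at file offset 0x590;
 * the je is the last byte (index 15, file offset 0x59f). */
static const unsigned char PAGE_BYTES_0x590[16] = {
    0xe4, 0xf0, 0x83, 0xec, 0x10, 0xe8, 0xe6, 0xfd,
    0xff, 0xff, 0x3d, 0x92, 0x10, 0x00, 0x00, 0x74 };

/* Copy the sample, locate and patch the je, return the patched byte
 * (or -100 if locating or patching failed). */
int demo_patch_sample(void)
{
    unsigned char buf[16];
    memcpy(buf, PAGE_BYTES_0x590, sizeof buf);
    long off = find_uid_check_je(buf, sizeof buf);
    if (off != 15)
        return -100;
    if (flip_uid_check(buf, sizeof buf, (size_t)off) != 0)
        return -100;
    return buf[15];
}

/* Usage: ./patch level13 level13.patched */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <in> <out>\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    unsigned char *buf = malloc((size_t)len);
    if (!buf || fread(buf, 1, (size_t)len, f) != (size_t)len) {
        fprintf(stderr, "read failed\n");
        return 1;
    }
    fclose(f);
    long off = find_uid_check_je(buf, (size_t)len);
    if (off < 0 || flip_uid_check(buf, (size_t)len, (size_t)off) != 0) {
        fprintf(stderr, "uid check not found or not patchable\n");
        return 1;
    }
    printf("flipped je -> jne at file offset 0x%lx\n", off);
    FILE *o = fopen(argv[2], "wb");
    if (!o) { perror("fopen"); return 1; }
    fwrite(buf, 1, (size_t)len, o);
    fclose(o);
    free(buf);
    return 0;
}
```

Refusing to patch when the pattern is absent, duplicated, or already 0x75 is what keeps a second run (or a run against the wrong binary) from silently corrupting an unrelated byte, which is the failure mode of editing the xxd dump by hand.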