diff --git a/level06/flag b/level06/flag
new file mode 100644
index 0000000..14f1943
--- /dev/null
+++ b/level06/flag
@@ -0,0 +1 @@
+GbcPDRgsFK77LNnnuh7QyFYA2942Gp8yKj9KrWD8
diff --git a/level06/ressources/exploit.c b/level06/ressources/exploit.c
new file mode 100644
index 0000000..0cb7e7b
--- /dev/null
+++ b/level06/ressources/exploit.c
@@ -0,0 +1,53 @@
+#include
+#include
+#include
+#include
+#include
+
+bool auth(char *s, int serial)
+{
+ int key;
+ int len;
+
+ s[strcspn(s, "\n")] = 0;
+ len = strnlen(s, 32);
+ if (len <= 5)
+ return 1;
+ if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
+ puts("\x1B[32m.---------------------------.");
+ puts("\x1B[31m| !! TAMPERING DETECTED !! |");
+ puts("\x1B[32m'---------------------------'");
+ return 1;
+ }
+ key = (s[3] ^ 4919) + 6221293;
+ for (int i = 0; i < len; ++i) {
+ if (s[i] <= 31)
+ return 1;
+ key += (key ^ (unsigned int)s[i]) % 1337;
+ }
+ // Here is the exploit
+ printf("key: %d\n", key);
+ return serial != key;
+}
+
+int main(void)
+{
+ int serial;
+ char s[28];
+
+ puts("***********************************");
+ puts("*\t\tlevel06\t\t *");
+ puts("***********************************");
+ printf("-> Enter Login: ");
+ fgets(s, 32, stdin);
+ puts("***********************************");
+ puts("***** NEW ACCOUNT DETECTED ********");
+ puts("***********************************");
+ printf("-> Enter Serial: ");
+ scanf("%d", &serial);
+ if (auth(s, serial))
+ return 1;
+ puts("Authenticated!");
+ system("/bin/sh");
+ return 0;
+}
diff --git a/level06/source.c b/level06/source.c
new file mode 100644
index 0000000..b1bf318
--- /dev/null
+++ b/level06/source.c
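Review bot: `fgets(s, 32, stdin)` in main reads up to 31 characters plus the terminator into `char s[28]`, so a login of 28 or more characters overruns the stack buffer, and `strnlen(s, 32)` in auth then scans past the same 28-byte object. Both bounds should come from the array itself, `char s[32];` or `fgets(s, sizeof s, stdin);` together with `len = strnlen(s, sizeof s);`. The same lines appear unchanged in level06/source.c in this commit. The five `#include` lines carry no header name as rendered here, presumably the angle-bracket names were stripped by the page; confirm the committed copy compiles.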
@@ -0,0 +1,51 @@
+#include
+#include
+#include
+#include
+#include
+
+bool auth(char *s, int serial)
+{
+ int key;
+ int len;
+
+ s[strcspn(s, "\n")] = 0;
+ len = strnlen(s, 32);
+ if (len <= 5)
+ return 1;
+ if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
+ puts("\x1B[32m.---------------------------.");
+ puts("\x1B[31m| !! TAMPERING DETECTED !! |");
+ puts("\x1B[32m'---------------------------'");
+ return 1;
+ }
+ key = (s[3] ^ 4919) + 6221293;
+ for (int i = 0; i < len; ++i) {
+ if (s[i] <= 31)
+ return 1;
+ key += (key ^ (unsigned int)s[i]) % 1337;
+ }
+ return serial != key;
+}
+
+int main(void)
+{
+ int serial;
+ char s[28];
+
+ puts("***********************************");
+ puts("*\t\tlevel06\t\t *");
+ puts("***********************************");
+ printf("-> Enter Login: ");
+ fgets(s, 32, stdin);
+ puts("***********************************");
+ puts("***** NEW ACCOUNT DETECTED ********");
+ puts("***********************************");
+ printf("-> Enter Serial: ");
+ scanf("%d", &serial);
+ if (auth(s, serial))
+ return 1;
+ puts("Authenticated!");
+ system("/bin/sh");
+ return 0;
+}
diff --git a/level06/walkthrough b/level06/walkthrough
new file mode 100644
index 0000000..345813a
--- /dev/null
+++ b/level06/walkthrough
@@ -0,0 +1,5 @@
+# Level06
+
+Using ghidra, we can decompile the code and see that it opens a shell if 2 values match, depending on a string (login that we can input).
+To reverse engineer the value we need to obtain, we slightly changed the copy of the source code to put a print of the value modified by the program.
+We then just have to input that same value in the program and that's it :D.
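Review bot: `scanf("%d", &serial)` in main is never checked, so on non-numeric input `serial` stays uninitialized and is still passed to auth and compared against `key`, reading an indeterminate value. Initialize it and stop on a failed parse, `int serial = 0;` and `if (scanf("%d", &serial) != 1) return 1;`. The same unchecked call is in level06/ressources/exploit.c in this commit.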