starnakin/42_override
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level06: done (uwu)

Browse Source
This commit is contained in:
0x35c
2025-05-10 15:31:59 +02:00
parent 0d0573136e
commit 7873f038b3
4 changed files with 110 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
level06/flag Normal file
View File

@ -0,0 +1 @@
GbcPDRgsFK77LNnnuh7QyFYA2942Gp8yKj9KrWD8

53
level06/ressources/exploit.c Normal file
View File

@ -0,0 +1,53 @@
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
bool auth(char *s, int serial)
{
int key;
int len;
s[strcspn(s, "\n")] = 0;
len = strnlen(s, 32);
if (len <= 5)
return 1;
if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
puts("\x1B[32m.---------------------------.");
puts("\x1B[31m| !! TAMPERING DETECTED !! |");
puts("\x1B[32m'---------------------------'");
return 1;
}
key = (s[3] ^ 4919) + 6221293;
for (int i = 0; i < len; ++i) {
if (s[i] <= 31)
return 1;
key += (key ^ (unsigned int)s[i]) % 1337;
}
// Here is the exploit
printf("key: %d\n", key);
return serial != key;
}
int main(void)
{
int serial;
char s[28];
puts("***********************************");
puts("*\t\tlevel06\t\t *");
puts("***********************************");
printf("-> Enter Login: ");
fgets(s, 32, stdin);
puts("***********************************");
puts("***** NEW ACCOUNT DETECTED ********");
puts("***********************************");
printf("-> Enter Serial: ");
scanf("%d", &serial);
if (auth(s, serial))
return 1;
puts("Authenticated!");
system("/bin/sh");
return 0;
}

51
level06/source.c Normal file
View File

@ -0,0 +1,51 @@
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
bool auth(char *s, int serial)
{
int key;
int len;
s[strcspn(s, "\n")] = 0;
len = strnlen(s, 32);
if (len <= 5)
return 1;
if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
puts("\x1B[32m.---------------------------.");
puts("\x1B[31m| !! TAMPERING DETECTED !! |");
puts("\x1B[32m'---------------------------'");
return 1;
}
key = (s[3] ^ 4919) + 6221293;
for (int i = 0; i < len; ++i) {
if (s[i] <= 31)
return 1;
key += (key ^ (unsigned int)s[i]) % 1337;
}
return serial != key;
}
int main(void)
{
int serial;
char s[28];
puts("***********************************");
puts("*\t\tlevel06\t\t *");
puts("***********************************");
printf("-> Enter Login: ");
fgets(s, 32, stdin);
puts("***********************************");
puts("***** NEW ACCOUNT DETECTED ********");
puts("***********************************");
printf("-> Enter Serial: ");
scanf("%d", &serial);
if (auth(s, serial))
return 1;
puts("Authenticated!");
system("/bin/sh");
return 0;
}

5
level06/walkthrough Normal file
View File

@ -0,0 +1,5 @@
# Level06
Using ghidra, we can decompile the code and see that it opens a shell if 2 values match, depending on a string (login that we can input).
To reverse engineer the value we need to obtain, we slightly changed the copy of the source code to put a print of the value modified by the program.
We then just have to input that same value in the program and that's it :D.