level06: done (uwu)

level06/flag

@@ -0,0 +1 @@
+GbcPDRgsFK77LNnnuh7QyFYA2942Gp8yKj9KrWD8

level06/ressources/exploit.c

@@ -0,0 +1,53 @@
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ptrace.h>
+
+bool auth(char *s, int serial)
+{
+	int key;
+	int len;
+
+	s[strcspn(s, "\n")] = 0;
+	len = strnlen(s, 32);
+	if (len <= 5)
+		return 1;
+	if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
+		puts("\x1B[32m.---------------------------.");
+		puts("\x1B[31m| !! TAMPERING DETECTED !!  |");
+		puts("\x1B[32m'---------------------------'");
+		return 1;
+	}
+	key = (s[3] ^ 4919) + 6221293;
+	for (int i = 0; i < len; ++i) {
+		if (s[i] <= 31)
+			return 1;
+		key += (key ^ (unsigned int)s[i]) % 1337;
+	}
+	// Here is the exploit
+	printf("key: %d\n", key);
+	return serial != key;
+}
+
+int main(void)
+{
+	int serial;
+	char s[28];
+
+	puts("***********************************");
+	puts("*\t\tlevel06\t\t  *");
+	puts("***********************************");
+	printf("-> Enter Login: ");
+	fgets(s, 32, stdin);
+	puts("***********************************");
+	puts("***** NEW ACCOUNT DETECTED ********");
+	puts("***********************************");
+	printf("-> Enter Serial: ");
+	scanf("%d", &serial);
+	if (auth(s, serial))
+		return 1;
+	puts("Authenticated!");
+	system("/bin/sh");
+	return 0;
+}

level06/source.c

@@ -0,0 +1,51 @@
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ptrace.h>
+
+bool auth(char *s, int serial)
+{
+	int key;
+	int len;
+
+	s[strcspn(s, "\n")] = 0;
+	len = strnlen(s, 32);
+	if (len <= 5)
+		return 1;
+	if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
+		puts("\x1B[32m.---------------------------.");
+		puts("\x1B[31m| !! TAMPERING DETECTED !!  |");
+		puts("\x1B[32m'---------------------------'");
+		return 1;
+	}
+	key = (s[3] ^ 4919) + 6221293;
+	for (int i = 0; i < len; ++i) {
+		if (s[i] <= 31)
+			return 1;
+		key += (key ^ (unsigned int)s[i]) % 1337;
+	}
+	return serial != key;
+}
+
+int main(void)
+{
+	int serial;
+	char s[28];
+
+	puts("***********************************");
+	puts("*\t\tlevel06\t\t  *");
+	puts("***********************************");
+	printf("-> Enter Login: ");
+	fgets(s, 32, stdin);
+	puts("***********************************");
+	puts("***** NEW ACCOUNT DETECTED ********");
+	puts("***********************************");
+	printf("-> Enter Serial: ");
+	scanf("%d", &serial);
+	if (auth(s, serial))
+		return 1;
+	puts("Authenticated!");
+	system("/bin/sh");
+	return 0;
+}

level06/walkthrough

@@ -0,0 +1,5 @@
+# Level06
+
+Using ghidra, we can decompile the code and see that it opens a shell if 2 values match, depending on a string (login that we can input).
+To reverse engineer the value we need to obtain, we slightly changed the copy of the source code to put a print of the value modified by the program.
+We then just have to input that same value in the program and that's it :D.