level02: walkthrough done

level02/source.c

@@ -7,7 +7,7 @@ int main(void)
 	char buff[96];
 	int v5;
 	char password[48];
-	char s[96]; // buffer located at the 28th element on the stack
+	char s[96];
 	int v8;
 	int len;
 	FILE *stream;

level02/walkthrough

@@ -0,0 +1,18 @@
+# Level02
+
+Using ghidra, we can decompile the code and see that it reads the password through a file stream and stores it in a buffer.
+Then, there are 2 calls to `fgets()`, the first one being used as the format string to `printf()` later on.
+We can use this to print whatever we want (e.g dump the stack, change variables).
+Our goal here will be to change the address of the second buffer (`buff` in the code) to the GOT value of `exit()`. This will then allow us to write whatever we want at this address when the second `fgets()` will be called (here, the address of the `system()` call).
+
+To do so, we will first dump the stack to know where the buffer is located. 
+Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 8th position in the stack.
+Now that we know where our buffer is located on the stack, let's exploit printf.
+
+By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, the GOT address of `exit()`).
+To do this, we just need to print 4196997 (the address of the `system()` call) using `printf()`'s padding feature. But since it will be executed at the call to `printf()`, we first need to modify the value of `buff` (the buffer at the 8th position on the stack) in the 2nd `fgets()`.
+All we have to do is put the GOT address of the `exit()` instruction in `buff`.
+
+Here is the command:
+`(python -c 'print("%4196997p" + "%8$n" + "\n" + "\x28\x12\x60")'; cat) | ./level02
+`