level05: done (exploit modified to a better shellcode)

level07: walkthrough done level08: done level09: done
2025-05-15 14:00:44 +02:00
parent 4a88b55e23
commit a3ea938eb1
12 changed files with 74 additions and 29 deletions
--- a/level08/walkthrough
+++ b/level08/walkthrough
@ -0,0 +1,16 @@
+# Level08
+
+Using ghidra, we can decompile the code and see that it does a backup of a file that we passed as a parameter (roughly).
+However, there are a few protections.
+First, the program `open()` our argument file (here, we want `/home/users/level09/.pass`.
+Since the binary has the permission for user `level09`, we can `open()` this file.
+The string `"./backups"` is concatenated to the filepath we pass as a parameter. It will then `open(..., OCREAT ...)` the file that we passed in `av[1]` and write the contents of the original file to this newly created file.
+However, since the path will have `"./backups"` at the beginning and we want to get the content of `/home/users/level09/.pass`, we need to recreate this file tree in the `/tmp` directory.
+
+Here is the process:
+```
+level08@OverRide:/tmp$ mkdir -p backups/home/users/level09  
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
+level08@OverRide:/tmp$ cat backups/home/users/level09/.pass 
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
+```