42_override/level08/walkthrough
0x35c a3ea938eb1 level05: done (exploit modified to a better shellcode)
level07: walkthrough done
level08: done
level09: done
2025-05-15 14:00:44 +02:00

17 lines
1008 B
Plaintext

# Level08
Using ghidra, we can decompile the code and see that it does a backup of a file that we passed as a parameter (roughly).
However, there are a few protections.
First, the program `open()` our argument file (here, we want `/home/users/level09/.pass`.
Since the binary has the permission for user `level09`, we can `open()` this file.
The string `"./backups"` is concatenated to the filepath we pass as a parameter. It will then `open(..., OCREAT ...)` the file that we passed in `av[1]` and write the contents of the original file to this newly created file.
However, since the path will have `"./backups"` at the beginning and we want to get the content of `/home/users/level09/.pass`, we need to recreate this file tree in the `/tmp` directory.
Here is the process:
```
level08@OverRide:/tmp$ mkdir -p backups/home/users/level09
level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
```