# Level8

Using ghidra, we can decompile the code and see that it loops on a `fgets()` and does a bunch of `memcmp()` with its buffer.
First of all, we have 2 global variables, `char *auth` and `int service`. Also, we have 3 local buffers (`s`, `v5` and `v6`) with respective sizes of 5, 2 and 129.
We can see that they are being changed in 2 different `if (!memcmp())`.
The first one is when we input `"auth "`. It will allocate 4 bytes to `auth`, then set `auth[0]` to 0.
The second one is when we input `"service"`. It will `strdup()` the content of `v6` (a random buffer on the stack) to `service`. This is interesting because we can overflow the first buffer `s` (through `fgets(s, 128, stdin)`) until we reach `v6`, thus allowing us to write whatever we want to service. Since `service` is an int, it will overflow to the next variable, which is `char *auth`.
To make this vulnerability useful, let's see the last `memcmp()`. 
This last `if (!memcmp())` is triggered with the input `"login"`. It then has an `if/else`, that will open a shell (what we want) in case `auth[32] != 0`.
Here comes the interesting part, remember we could overflow on `auth` through the `strdup()` on `service`.
We're going to overflow 33 bytes from the `fgets()` after `"service"` so it overwrites the 33th byte of `auth` (since `"service"` already overwrites `s` by 2 bytes), opening a shell.

Here's the full exploit: 
`(python -c 'print "auth \nservice" + "A" * 33 + "\n" + "login\n"'; cat) | ./level8`