About
There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.
To do this level, log in as the level13 account with the password level13. Files for this level can be found in /home/flag13.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <string.h>

#define FAKEUID 1000

int main(int argc, char **argv, char **envp)
{
    int c;
    char token[256];

    if(getuid() != FAKEUID) {
        printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
        printf("The system administrators will be notified of this violation\n");
        exit(EXIT_FAILURE);
    }

    // snip, sorry :)

    printf("your token is %s\n", token);

}
Side Note: If there is a more elegant way to solve this I'd be happy to hear about it.
First things first: an initial reading of the source. Having done that, we instantly notice that the author used a string for the key, and that string is embedded in the binary. Need I say more?
level13@nebula:~$ strings /home/flag13/flag13
(...)
Security failure detected. UID %d started us, we expect %d
The system administrators will be notified of this violation
8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob
your token is %s
;*2$"(
OK, so "8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob" looks promising. Let's try that:
level13@nebula:~$ su flag13
Password:
su: Authentication failure
Hm, that would have been too easy. It does tell us something, though: the string is not stored in plain text.
Now we have two options: either search for the obfuscation method, or hot-patch the if statement (the conditional jump instruction in the assembly).
Details of both methods I will leave as homework for the reader.
Method#1:
level13@nebula:~$ ./xor
b705702b-76a8-42b0-8844-3adabbe5ac58
level13@nebula:~$ su flag13
Password:
sh-4.2$ /bin/getflag
You have successfully executed getflag on a target account
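The post does not show the `./xor` tool behind Method#1, so here is an added reconstruction of that step (my code, not the author's): it assumes the embedded string is XOR-obfuscated with a single key byte, brute-forces all 256 keys over the string that `strings` found, and keeps only the key whose output has the UUID layout the program prints after "your token is". The 0x5a key it recovers is inferred from the two strings on this page, not stated in the post.

```python
import re
import string

# Constructed input: the obfuscated string pulled out of the flag13 binary by
# `strings`, and the UUID shape the program prints via "your token is %s".
OBFUSCATED = b"8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob"
UUID_RE = re.compile(rb"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Printable ASCII without the whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (assumption: single-byte XOR)."""
    return bytes(b ^ key for b in data)


def printable_candidates(data: bytes) -> list:
    """Generic triage step when the output format is unknown: return
    (key, plaintext) for every key byte that yields fully printable text."""
    out = []
    for key in range(256):
        pt = xor_single(data, key)
        if all(b in PRINTABLE for b in pt):
            out.append((key, pt))
    return out


def recover_uuid_key(data: bytes):
    """Narrow the candidates to the one whose plaintext is a UUID.
    The four '-' positions pin the key down uniquely: every 'w' (0x77)
    in the obfuscated string must map to '-' (0x2d), so key = 0x77 ^ 0x2d."""
    for key, pt in printable_candidates(data):
        if UUID_RE.match(pt):
            return key, pt.decode()
    return None


if __name__ == "__main__":
    found = recover_uuid_key(OBFUSCATED)
    if found is None:
        print("no single-byte XOR key yields a UUID")
    else:
        key, token = found
        print(f"key 0x{key:02x} -> {token}")
```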
Method#2:
level13@nebula:~$ gdb -q /home/flag13/flag13
Reading symbols from /home/flag13/flag13...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x80484c9
(gdb) r
Starting program: /home/flag13/flag13
Breakpoint 1, 0x080484c9 in main ()
(gdb) set *(0x080484f9)=0xc0e83675 // this modifies the je (74) into a jne (75)
(gdb) c
Continuing.
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
[Inferior 1 (process 1865) exited with code 063]
(gdb) quit
Method#3:
level13@nebula:~$ gdb -q /home/flag13/flag13
(gdb) disassemble main
........
0x080484ed <+41>: xor %eax,%eax
0x080484ef <+43>: call 0x80483c0 <getuid@plt>
0x080484f4 <+48>: cmp $0x3e8,%eax
0x080484f9 <+53>: je 0x8048531 <main+109>
........
(gdb) b *0x080484f4
Breakpoint 1 at 0x80484f4
(gdb) r
Starting program: /home/flag13/flag13
Breakpoint 1, 0x080484f4 in main ()
(gdb) p $eax
$1 = 1014
(gdb) set $eax = 1000
(gdb) c
Continuing.
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
[Inferior 1 (process 11478) exited with code 063]
(gdb)