To solve this level we have to get a token, but the binary has a security check: getuid() must equal 1000. To bypass this check we make a copy of the flag13 binary, which strips the setuid bit (the copy is just an ordinary file owned by level13), so the dynamic loader will honour LD_PRELOAD for it. Then we build a shared object that defines getuid() and use LD_PRELOAD to hook the call. Below is the solution:
0x080484ef <+43>:    call   0x80483c0 <getuid@plt>
0x080484f4 <+48>:    cmp    eax,0x3e8
0x080484f9 <+53>:    je     0x8048531 <main+109>

level13@nebula:/home/flag13$ cp flag13 ../level13/
level13@nebula:/home/flag13$ cd -
/home/level13
level13@nebula:~$ ls -ld *
-rwxr-x--- 1 level13 level13 7321 2012-02-01 01:08 flag13
level13@nebula:~$ ./flag13
Security failure detected. UID 1014 started us, we expect 1000
The system administrators will be notified of this violation
level13@nebula:~$ cat getuid.c
#include<unistd.h>
uid_t getuid(void)
{
    return 1000;
}
level13@nebula:~$ gcc -fPIC -shared -o lib.so getuid.c
level13@nebula:~$ ls
flag13  getuid.c  lib.so
level13@nebula:~$ export LD_PRELOAD="/home/level13/lib.so"
level13@nebula:~$ ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
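The hook works for two reasons: the copied binary is no longer setuid, so the loader is not in secure-execution mode and honours LD_PRELOAD, and the level's check calls getuid() through the PLT, which is exactly where a preloaded library can interpose. The following C program is an added example (not part of the original writeup or the Nebula binary) showing, from the defender's side, how a uid check can be written so that interposition cannot reach it, and how a program can detect that its libc getuid() has been hooked. The function names are hypothetical; the expected uid 1000 is the value from the level; getauxval()/AT_SECURE need glibc 2.16 or later.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/auxv.h>

/* Added example, not code from the writeup. Function names are hypothetical. */

/* uid as reported by the libc wrapper. This is resolved through the PLT,
 * so an LD_PRELOAD library that defines getuid() replaces it, as in the
 * level's solution above. */
uid_t uid_via_libc(void) {
    return getuid();
}

/* uid straight from the kernel. A raw syscall has no PLT entry, so a
 * preloaded library cannot interpose it. (Not watertight against a
 * debugger or a ptrace-based tool, but immune to LD_PRELOAD.) */
uid_t uid_via_syscall(void) {
    return (uid_t)syscall(SYS_getuid);
}

/* 1 if the dynamic loader ran in secure-execution mode (setuid/setgid or
 * file-capability binary). In that mode glibc ignores LD_PRELOAD entries
 * containing a slash and only preloads from the standard library
 * directories. The copied flag13 is not setuid, so for it this is 0 and
 * the preload of /home/level13/lib.so is honoured. */
int loader_is_secure(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Detection: if libc and the kernel disagree about the uid, something is
 * sitting between the program and libc (e.g. an LD_PRELOAD interposer). */
int getuid_is_interposed(void) {
    return uid_via_libc() != uid_via_syscall();
}

/* Hardened form of the level's check: trust the kernel's answer, and fail
 * closed if interposition is detected whatever value the hook returns. */
int check_uid_hardened(uid_t expected) {
    if (getuid_is_interposed())
        return 0;
    return uid_via_syscall() == expected;
}

int main(void) {
    printf("libc getuid()   : %u\n", (unsigned)uid_via_libc());
    printf("syscall getuid  : %u\n", (unsigned)uid_via_syscall());
    printf("AT_SECURE       : %d\n", loader_is_secure());
    printf("interposed      : %d\n", getuid_is_interposed());
    printf("hardened check for uid 1000: %s\n",
           check_uid_hardened(1000) ? "pass" : "fail");
    return 0;
}
```

Run it normally and the two uid views agree; run it with the writeup's lib.so in LD_PRELOAD and the libc view reports 1000 while the syscall view still reports the real uid, so getuid_is_interposed() becomes 1 and the hardened check fails regardless of the hooked value. The same comparison is a cheap runtime self-check for any privileged tool that relies on libc identity functions.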