Level 03
Publ .
Mins 2 (243 words).
Edit .
As in previous levels, at our disposal is a binary file that runs with elevated permissions.
After testing the file, the same tooling is used for analysis:
1 - readelf
readelf --all check | less
Inspected the output with the same guidelines used on the previous level [1] [2]. Nothing looks to be out of place.
2 - strace
The lines that migth help you solve this level are the last ones:
$ strace -o /tmp/folder/strace ./level3
Enter the password> asdfgqwertasdfgqwert
bzzzzzzzzap. WRONG
$ cat /tmp/folder3/strace
# ...snip
write(1, "Enter the password> ", 20) = 20
read(0, "asdfgqwertasdfgqwert\n", 1024) = 21
write(1, "bzzzzzzzzap. WRONG\n", 19) = 19
exit_group(0) = ?
+++ exited with 0 +++
The program uses the system call write() to write on file descriptor 1
(stdout), the string asking for user input. Then the syscall read() reads
up to 1024 bytes from file descriptor 0 (stdin),
3 - ltrace
$ ltrace -o /tmp/folder/ltrace ./level3
Enter the password> 2345
bzzzzzzzzap. WRONG
$ cat /tmp/folder/ltrace
__libc_start_main(0x80492bf, 1, 0xffffd5f4, 0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets("2345\n", 256, 0xf7fab620) = 0xffffd3cc
strcmp("2345\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG") = 19
+++ exited (status 0) +++
As in level 01, the key lies in the strcmp() call. It displays in plain text
the password that when used, unlocks a shell with elevated permissions.
$ ltrace -o /tmp/folder3/ltrace ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4
$