Nebula level13

About
There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.
To do this level, log in as the level13 account with the password level13. Files for this level can be found in /home/flag13.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <string.h>

#define FAKEUID 1000

int main(int argc, char **argv, char **envp)
{
  int c;
  char token[256];

  /* The only gate: the real UID of the caller must equal FAKEUID (1000). */
  if(getuid() != FAKEUID) {
    printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
    printf("The system administrators will be notified of this violation\n");
    exit(EXIT_FAILURE);
  }

  // snip, sorry :)   (the part that fills in token[] is not shown)

  printf("your token is %s\n", token);

}

Side Note: If there is a more elegant way to solve this I’d be happy to hear about it.

First things first: an initial read of the source. We immediately notice that the author uses a string for the key, and that string is embedded in the binary. Need I say more?

level13@nebula:~$ strings /home/flag13/flag13
(...)
Security failure detected. UID %d started us, we expect %d
The system administrators will be notified of this violation
8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob
your token is %s
;*2$"(

OK, so "8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob" looks promising. Let’s try that:

level13@nebula:~$ su flag13
Password:
su: Authentication failure

Hm, well, that would be too easy. However, the failure also tells us something: the embedded string is not stored in plain form.

Now we have two options: we can either work out the obfuscation method, or we can hot-patch the if statement (the assembly jump instruction).

Details for both methods I will leave as homework for the reader.

Method#1:

level13@nebula:~$ ./xor
b705702b-76a8-42b0-8844-3adabbe5ac58
level13@nebula:~$ su flag13
Password:
sh-4.2$ /bin/getflag
You have successfully executed getflag on a target account
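The ./xor helper above is not shown on the page. As an added example (not the author's program), the following Python shows why a single-byte XOR of an embedded token is no protection at all: the token's UUID layout alone (dashes at fixed offsets) gives away the key, and the input is the string taken from the strings(1) output above. The helper names are my own.

```python
import re
from typing import Optional

# The obfuscated string as it appeared in the strings(1) output (copied from the page).
EMBEDDED = "8mjomjh8wml;bwnh8jwbbnnwi;>;88?o;9ob"

# A UUID-formatted token (8-4-4-4-12 hex) always carries '-' at these offsets.
UUID_DASH_OFFSETS = (8, 13, 18, 23)
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Known-plaintext recovery: if blob is a UUID XORed with one key byte,
    every dash position must yield the same key. Returns None otherwise."""
    if len(blob) != 36:
        return None
    keys = {blob[i] ^ ord("-") for i in UUID_DASH_OFFSETS}
    return keys.pop() if len(keys) == 1 else None


def xor_decode(blob: bytes, key: int) -> str:
    """Undo single-byte XOR; non-ASCII results are replaced so a bad key
    never raises, it just fails the UUID check below."""
    return bytes(b ^ key for b in blob).decode("ascii", errors="replace")


def recover_token(embedded: str) -> Optional[str]:
    """Full pipeline: derive the key from the format, decode, and only accept
    output that actually looks like a UUID."""
    data = embedded.encode("ascii")
    key = recover_single_byte_xor_key(data)
    if key is None:
        return None
    plain = xor_decode(data, key)
    return plain if UUID_RE.match(plain) else None


if __name__ == "__main__":
    key = recover_single_byte_xor_key(EMBEDDED.encode("ascii"))
    print(f"key byte: {key:#04x}, token: {recover_token(EMBEDDED)}")
```

The dash positions all agree on a single key byte, and the decoded text matches the token printed by ./xor above, which is the whole point: the binary is world-readable, so the obfuscation only hides the secret from a casual strings run, not from anyone who looks twice.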

Method#2:

level13@nebula:~$ gdb -q /home/flag13/flag13
Reading symbols from /home/flag13/flag13...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x80484c9
(gdb) r
Starting program: /home/flag13/flag13

Breakpoint 1, 0x080484c9 in main ()
(gdb) set *(0x080484f9)=0xc0e83675       // this rewrites the je (0x74) at that address to a jne (0x75)
(gdb) c
Continuing.
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
[Inferior 1 (process 1865) exited with code 063]
(gdb) quit

Method#3:

level13@nebula:~$ gdb -q /home/flag13/flag13

(gdb) disassemble main

    ........

   0x080484ed <+41>: xor    %eax,%eax
   0x080484ef <+43>: call   0x80483c0 <getuid@plt>
   0x080484f4 <+48>: cmp    $0x3e8,%eax
   0x080484f9 <+53>: je     0x8048531 <main+109>

    ........

(gdb) b *0x080484f4
Breakpoint 1 at 0x80484f4
(gdb) r
Starting program: /home/flag13/flag13 
Breakpoint 1, 0x080484f4 in main ()
(gdb) p $eax
$1 = 1014
(gdb) set $eax = 1000
(gdb) c
Continuing.
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
[Inferior 1 (process 11478) exited with code 063]
(gdb) 

For hot-patching, this and this will be useful.
