ctfs/overthewire/leviathan/NOTES.md

Dude is like SUPER into art+music, hmmmmmmmm. Also most likely a she, queen girly (cause like http://groups.yahoo.com/group/girlgroup/).

```html
<!-- potentially her? -->
<DT><A HREF="mailto:lynch@unt.edu" ADD_DATE="1145267944" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Claudia Lynch</A>
```

```html
<!-- nevermind, even easier (searched for "password" hoping she bookmarked something) -->
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>
```

leviathan0: leviathan0
leviathan1: 3QJ3TgzHDq

NOTE: `~/check` has the SUID bit set. The following script will find the password ("sex"). Run `echo sex | ./check` and then `cat /etc/leviathan_pass/leviathan2` :)

```sh
{ echo "password" | ltrace ./check 2>&1; } | grep strcmp
```
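Why the ltrace trick works, as an added example (my own code, not the Leviathan `check` binary): `check` hands the expected password to libc's `strcmp` as plain text, so anyone who can trace the process reads it straight off the PLT call. The hardened variant below keeps only a digest in the binary and compares it in constant time without calling out to libc. FNV-1a stands in for the digest so the example has no dependencies; a real program would store a salted password hash (argon2/bcrypt/scrypt) and load the expected value from a root-only config file rather than a literal. Function names and the `strtoull` command-line interface are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: the secret is a literal inside the binary and is handed
 * to libc, so ltrace prints strcmp("<input>", "sex") on every run. */
int check_vulnerable(const char *input) {
    return strcmp(input, "sex") == 0;
}

/* 64-bit FNV-1a over a C string. Placeholder digest for this demo only;
 * a real program stores a salted password hash (argon2/bcrypt/scrypt). */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Branch-free equality on two 64-bit words, done inline: no library call
 * carries either value, and the time taken does not depend on where they
 * differ. Returns 1 when equal, 0 otherwise. */
int ct_equal64(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;                        /* zero iff a == b */
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;   /* fold every set bit into bit 0 */
    return (int)(1 - (d & 1));
}

/* Hardened shape: only a digest of the secret exists at runtime. In a real
 * program the expected digest comes from a root-only config file (assumed
 * here to arrive as a hex argument), never from a string literal. */
int check_hardened(const char *input, uint64_t expected_digest) {
    return ct_equal64(fnv1a64(input), expected_digest);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <expected-digest-hex>  (password on stdin)\n", argv[0]);
        return 2;
    }
    uint64_t expected = strtoull(argv[1], NULL, 16);
    char line[256];
    if (!fgets(line, sizeof line, stdin))
        return 2;
    line[strcspn(line, "\n")] = '\0';          /* strip the newline echo adds */
    if (check_hardened(line, expected)) {
        puts("ok");
        return 0;
    }
    puts("denied");
    return 1;
}
```

Tracing the hardened build still shows `fgets`/`puts`, but no call that carries the secret. One more thing worth knowing: when an unprivileged user runs a setuid binary under ptrace (ltrace, gdb), the kernel ignores the setuid bit, so the traced `check` runs as leviathan1, not leviathan2; what leaks is the embedded secret, not a privileged process.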

leviathan2: NsN1HwFoyN

NOTE: `~/printfile` has the SUID bit set. The obvious idea is (tragic ending...):

```sh
$ ./printfile /etc/leviathan_pass/leviathan3
You cant have that file...
```
If we run something like `ltrace ./printfile /etc/os-release` (i.e. on a file we ARE permitted to read), we see the following:

```
access("/etc/os-release", 4)                                                    = 0
snprintf("/bin/cat /etc/os-release", 511, "/bin/cat %s", "/etc/os-release")     = 24
system("/bin/cat /etc/os-release"
```
Yippie!! They're running `/bin/cat` by absolute path, so we can't fool it with an alias, but maybe we can exploit the `"/bin/cat %s"` template that gets handed to `system()`: whatever we pass as the filename ends up inside a shell command. We'd just need to keep it pleased when it runs `access()`.

Let's use gdb to skip this part:

```
access("/home/leviathan3/.ssh/id_rsa", 4)                                       = -1
puts("You cant have that file...")
```

First we find `call <access@plt>` at `<main+117>`, plus there's:

```
0x08049253 <+125>:   test   %eax,%eax
0x08049255 <+127>:   je     0x804926e <main+152>
```

Checking the *RETURN VALUE* section of `man access(3)` we see `access()` returns 0 on success ("the floor here is made out of floor"), so let's set a breakpoint with `b *(main+117)`, then `jump *(main+152)` and pray nothing breaks.
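The two bugs the ltrace output reveals, side by side as an added example (reconstructed from the trace above, not printfile's actual source; function names are mine): the `access()` check is a separate operation from the read, which is exactly why jumping over it in gdb works, and the path is spliced unescaped into a string that `system()` hands to a shell. The hardened version drops effective privileges to the real uid and does the `open()`/`read()`/`write()` itself, so the kernel's permission check happens on the same call that reads the file and no shell is involved. `shell_word_count` is a tiny helper that shows what the shell would make of the vulnerable command string.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: access() is the only gate and is separate from the read,
 * then the path goes into a shell command verbatim. Returns 0 when the
 * original would go on to call system(cmd), -1 when access() refuses. */
int vulnerable_build_command(const char *path, char *cmd, size_t n) {
    if (access(path, R_OK) != 0)              /* checks the real uid, then forgets about it */
        return -1;
    snprintf(cmd, n, "/bin/cat %s", path);    /* spaces and metacharacters in path are honoured */
    return 0;
}

/* Number of whitespace-separated words a shell would see in cmd. A safe
 * command has exactly two: "/bin/cat" and one path. */
int shell_word_count(const char *cmd) {
    int words = 0, in_word = 0;
    for (; *cmd; cmd++) {
        if (*cmd == ' ' || *cmd == '\t')
            in_word = 0;
        else if (!in_word) {
            in_word = 1;
            words++;
        }
    }
    return words;
}

/* Hardened shape: act as the real user for the whole operation, let the
 * kernel check permission on the open() we actually read from, and copy
 * bytes ourselves instead of handing a string to a shell.
 * Returns bytes copied, or -1 with errno set. */
ssize_t hardened_print_file(const char *path, int out_fd) {
    if (seteuid(getuid()) != 0)               /* no-op when the binary is not setuid */
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    char buf[4096];
    ssize_t total = 0, n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {                     /* write() may be short; loop until done */
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                int e = errno;
                close(fd);
                errno = e;
                return -1;
            }
            off += w;
        }
        total += n;
    }
    int e = errno;
    close(fd);
    if (n < 0) {
        errno = e;
        return -1;
    }
    return total;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    if (hardened_print_file(argv[1], STDOUT_FILENO) < 0) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}
```

One caveat: `seteuid()` is not a permanent drop, since the saved set-user-ID is still there; on Linux a program that never needs the privilege back should use `setresuid()` to drop all three ids. The point of the example is that once the read runs with the caller's own rights there is no check to skip and no shell to talk to.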