Leviathan1 - leviathan2

From JaxHax
Jump to: navigation, search

This challenge had a simple binary that checked a user supplied password against a hardcoded password. Ltrace revealed the password in the strcmp() call.

leviathan1@melinda:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14 10:32 .
drwxr-xr-x 167 root       root       4096 Mar 21 06:46 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7493 Nov 14 10:32 check
 
leviathan1@melinda:~$ ./check 
password: sdasd
Wrong password, Good Bye ...
 
leviathan1@melinda:~$ ltrace ./check 
__libc_start_main(0x804852d, 1, 0xffffd7b4, 0x80485f0 <unfinished ...>
printf("password: ")                             = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: sdasda
)     = 115
getchar(0x8048680, 47, 0x804a000, 0x8048642)     = 100
getchar(0x8048680, 47, 0x804a000, 0x8048642)     = 97
strcmp("sda", "sex")                             = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)             = 29
+++ exited (status 0) +++
 
leviathan1@melinda:~$ ./check 
password: sex
 
$ ls
check
 
$ whoami
leviathan2
 
$ ls /etc/leviathan_pass
leviathan0  leviathan2	leviathan4  leviathan6
leviathan1  leviathan3	leviathan5  leviathan7
 
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta