blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 13

Problem

I still try to identify the exact problem/intention of this level. On the one hand there is some check that can be bypassed, on the other hand there is a token hard-coded inside the binary…

  1. Having a hard-coded token inside the binary… Hide and Hope?
    Extracting that token is not that difficult. This is what I’ll present here.
  2. Using the uid to identify a user is a bad idea. Use proper authentication methods provided by the os which are intended for authentication.

Exploit

Assuming, that the token is hidden inside the file, we can use gdb to extract it. Run the binary in gdb, continue till the code compares the uid against the value 1000. Change the register-value and continue.

1
2
3
4
5
6
7
8
9
gdb /home/flag13/flag13
b main
r
disass main
b *0x080484f4
info registers
c
set $eax=1000
c

the flag is shown on the console.

Lesson / How to fix

  1. Do not store tokens inside the sourcecode!

This is a possible way to implement a backdoor, but… They will be found by others, no matter how hard one tries to hide them. This is very bad practice!


other levels…

00 01 02 03 04 05 06 07 08 09
10 11 12 13 14 15 16 17 18 19