ssh leviathan3@leviathan.labs.overthewire.org -p 2223
Password: Ahdiemoo1j
leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> kakaka
"kakaka\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("kakaka\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)
We observe that, in a second call, strcmp compares the string we entered with "snlprintf".
We try snlprintf:
leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> snlprintf
"snlprintf\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("snlprintf\n", "snlprintf\n") = 0
puts("[You've got shell]!"[You've got shell]!
) = 20
geteuid() = 12003
geteuid() = 12003
setreuid(12003, 12003) = 0
system("/bin/sh"$
VOILA! We get a shell:
leviathan3@leviathan:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m
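
The observation above (a secret compared in plaintext with strcmp shows up in library-call traces) can be turned into a check a maintainer runs on their own binaries: feed a known canary input under ltrace and flag any comparison that pairs the canary with another string. This is an added example, not part of the original walkthrough; the function names are hypothetical and the sample is constructed from the first trace above, with the ASCII quotes ltrace emits.

```python
import re

# ltrace lines such as: strcmp("kakaka\n", "snlprintf\n") = -1
CMP = re.compile(r'^(strcmp|strncmp)\("(.*?)", "(.*?)"(?:, \d+)?\) = (-?\d+)')
# Calls that read user input; comparisons made before one of these cannot involve it.
READ = re.compile(r'^(fgets|gets|read)\(')

def norm(arg):
    """Drop the trailing escaped newline that fgets leaves on the buffer."""
    return arg[:-2] if arg.endswith("\\n") else arg

def leaked_constants(trace, canary):
    """Return (function, other_string, matched) for each comparison of the canary input."""
    seen_read = False
    findings = []
    for line in trace.splitlines():
        line = line.strip()
        if READ.match(line):
            seen_read = True
            continue
        m = CMP.match(line)
        if not (m and seen_read):
            continue  # not a comparison, or it ran before any input was read
        func, a, b, ret = m[1], norm(m[2]), norm(m[3]), int(m[4])
        if a == canary:
            findings.append((func, b, ret == 0))
        elif b == canary:
            findings.append((func, a, ret == 0))
    return findings

# Constructed sample: the first trace from this page.
SAMPLE = r'''
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> kakaka
"kakaka\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("kakaka\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)
'''

if __name__ == "__main__":
    for func, other, matched in leaked_constants(SAMPLE, "kakaka"):
        print(f"{func} compared the input with {other!r} (match={matched})")
```

The strcmp issued before fgets is skipped even though one of its arguments happens to equal the typed input, which is why the check tracks the read call instead of matching on the string alone.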