Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.
We access level1 by ssh [email protected] with the password we read when we solved level0. Do read the story of this level.
Recap of previous level
The recap of level0 provides a detailed write-up that differs from the method in my previous post. Do check it out. In fact, it's a hint for level1 ;).
We were right, the flag was indeed hardcoded.
We try the same technique we used in level0, the strings command, but of course it doesn't work this time. It seems Zero Cool has somehow managed to authenticate without hardcoding the password. Let's get our hands a bit dirty by examining the disassembly with gdb.
The following lines seem to be the ones doing the check against the password, as seen by the call to strcmp. This would be a good place to examine.
So we set a breakpoint at the address where the comparison is made, 0x00000000004008e2, with b *0x00000000004008e2. We don't need to understand the entire assembly: we can examine the values of the registers and memory before the call to strcmp() happens, because both our input and the actual password are passed to it as arguments.
So the password we entered was in the rax register, and the actual one in the esi register.
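Why this trick works, as an added illustration that is not part of the original write-up or the challenge binary: the first check below mirrors the pattern seen in gdb, an expected password rebuilt at runtime (so strings finds nothing) but still handed to strcmp, where a breakpoint reveals it; the second is the variant a defender would write, which stores only a digest and never rebuilds the plaintext. The password "s3cr3t", the XOR mask and the FNV-1a digest are constructed for illustration and have nothing to do with the real level.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak pattern, as in the challenge: the expected password is not a string
 * literal but is rebuilt at runtime (here by XORing constructed bytes with
 * a mask), so `strings` shows nothing. It still has to exist in memory to
 * be passed to strcmp, which is exactly where the debugger catches it. */
static void derive_expected(char out[16]) {
    static const unsigned char masked[] = {0x29, 0x69, 0x39, 0x28, 0x69, 0x2e};
    size_t i;
    for (i = 0; i < sizeof masked; i++)
        out[i] = (char)(masked[i] ^ 0x5a);   /* decodes to "s3cr3t" */
    out[i] = '\0';
}

int check_weak(const char *input) {
    char expected[16];
    derive_expected(expected);
    /* On x86-64 (SysV ABI) both pointers sit in rdi/rsi at this call; a
     * breakpoint here exposes `expected` no matter how it was derived. */
    return strcmp(input, expected) == 0;
}

/* Hardened pattern: keep only a digest of the password and compare the
 * digest of the input against it, so the plaintext is never rebuilt.
 * FNV-1a is used here only to keep the example self-contained; a real
 * program should use a salted, slow password hash such as Argon2. */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* `stored` would be a build-time constant in a real binary; it is passed in
 * here so the example does not embed a hand-computed digest. The comparison
 * is constant-time so the result does not leak through an early exit. */
int check_hashed(const char *input, uint64_t stored) {
    uint64_t diff = fnv1a64(input) ^ stored;
    unsigned char acc = 0;
    for (int i = 0; i < 8; i++)
        acc |= (unsigned char)(diff >> (8 * i));
    return acc == 0;
}
```

Breaking on strcmp in check_weak still yields "s3cr3t"; in check_hashed there is no strcmp call and no plaintext to read, only the digest, which is what an attacker would then have to crack offline.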
We now have the password to the binary. On running the binary with this password, we get:
And voilà! We now have a level2 shell, through which we can read the password to level2.
I am not revealing the password here so that the readers try the challenge on their own.