Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.
We ssh to [email protected] and authenticate with the password we obtained by solving the previous level.
Recap of previous level.
The recap gives the details of how the previous challenge was implemented and its solution, which is quite similar to mine.
The important thing to notice is that instead of hardcoding the password, Zero Cool hardcoded the encrypted password (XOR encryption) and decrypted it before the comparison was made. Thus we were able to examine the plaintext just before strcmp() was called.
In this level too, Zero Cool has stored the encrypted password. But instead of decrypting it and comparing it to our entered password, the program encrypts our password and checks it against his. We can figure that out using the same method: examine the registers just before the call to strcmp().
Also, it is pretty clear that Zero Cool has used XOR encryption (as in the previous level). So what’s the XOR key? The memory address of the XOR key is given in the disassembly. Let’s examine it.
So we read up on how the XOR cipher works and how to decipher it. Its Wikipedia page states: “To decrypt the output, merely reapplying the XOR function with the key will remove the cipher.”
We have the XOR encryption of the actual password. So all we have to do is enter that as our password, and the program’s XOR step will decipher it!
The XOR’ed password is )q6\036(2\036\065)p2\036)u\"*r3\036\'q--q6(/&\036,r
Since it contains some characters which are not printable, we will use python’s -c switch to send the input to the program.
It turns out we did not need the XOR key at all !
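As an added example (this is not code from the write-up or from the challenge), here is a Python 3 script that turns the escaped string above into raw bytes the way a C lexer would, lists the offsets that cannot be typed at a prompt, builds the python -c pipeline used to feed those bytes to the program, and checks the XOR round-trip property quoted from Wikipedia. The binary name ./level2 and reading the password from stdin are assumptions (the write-up names neither), and the key used for the round-trip check is made up.

```python
import re

# The value from the write-up, copied exactly as the debugger printed it:
# C-style escapes, with \036 (octal 036 = 0x1e) marking the non-printable bytes.
STORED_ESCAPED = r')q6\036(2\036\065)p2\036)u\"*r3\036\'q--q6(/&\036,r'

# Single-character escapes a debugger may emit; octal and hex are handled separately.
_SIMPLE_ESCAPES = {'n': 0x0a, 't': 0x09, 'r': 0x0d, 'a': 0x07, 'b': 0x08,
                   'f': 0x0c, 'v': 0x0b, '\\': 0x5c, '"': 0x22, "'": 0x27}


def unescape_c(text: str) -> bytes:
    """Convert a C-style escaped string (as gdb's x/s prints it) into raw bytes.

    Octal escapes take at most three digits, exactly as a C lexer does, so the
    sequence backslash-036 backslash-065 decodes to the two bytes 0x1e 0x35 ("5").
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != '\\':
            out.append(ord(ch))
            i += 1
            continue
        i += 1                       # skip the backslash
        if i >= len(text):
            raise ValueError("dangling backslash")
        m = re.match(r'[0-7]{1,3}', text[i:])
        if m:                        # \ooo octal escape
            out.append(int(m.group(), 8) & 0xff)
            i += len(m.group())
            continue
        if text[i] == 'x':           # \xhh hex escape
            m = re.match(r'[0-9a-fA-F]{1,2}', text[i + 1:])
            if not m:
                raise ValueError("bad hex escape")
            out.append(int(m.group(), 16))
            i += 1 + len(m.group())
            continue
        if text[i] in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[text[i]])
            i += 1
            continue
        raise ValueError(f"unknown escape \\{text[i]}")
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts, because
    (p ^ k) ^ k == p for every byte: the property quoted from Wikipedia."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unprintable_positions(data: bytes) -> list:
    """Offsets of bytes outside 0x20..0x7e, i.e. the bytes that cannot be typed
    at a terminal prompt and are the reason for piping the password in."""
    return [i for i, b in enumerate(data) if not 0x20 <= b <= 0x7e]


def python_c_command(payload: bytes, binary: str = './level2') -> str:
    """Build the shell pipeline that writes the raw bytes, plus a newline, to the
    program's stdin. './level2' is a placeholder: the write-up does not name the
    binary, and reading the password from stdin is an assumption."""
    return ("python3 -c \"import sys; sys.stdout.buffer.write("
            f"bytes.fromhex('{payload.hex()}') + b'\\n')\" | {binary}")


STORED = unescape_c(STORED_ESCAPED)

if __name__ == '__main__':
    print(f"{len(STORED)} bytes, non-printable at offsets {unprintable_positions(STORED)}")
    print(STORED.hex())
    print(python_c_command(STORED))
    key = b'Zc'   # constructed key for the round-trip check, not the challenge's key
    assert xor_bytes(xor_bytes(STORED, key), key) == STORED
```

The decoder stops an octal escape after three digits, which is what keeps `\036\065` from being misread; the same rule is why the debugger printed the `5` in escaped form in the first place.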
Now that we have the password, we run the binary using it.
And voilà! We now have a level3 shell, with which we can read the level3 password. I am not revealing the password here so that readers try the challenge on their own.