Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.
We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.
Recap of previous level.
The recap confirms that the program was indeed encrypting our entered password and comparing it with the hardcoded encrypted password.
The solution given in the recap is different from mine.
That solution decrypts the encrypted password using a function they wrote on their own and the XOR key. Do read it too.
But clearly my solution was more elegant as it used the function which had been provided already, and it did not require us knowing the XOR key. This concept of using what has already been provided and not executing your own code plays out on a much wider scale in modern binary exploitation involving ROP (Return Oriented Programming). Hopefully later levels of gracker will have some ROP challenges too.
On reading the story of this level, we find out that the challenge has something to do with buffer overflows. Some good resources to read up on buffer overflows are:
In this level the source code has been provided along with the binary.
On understanding the source code, we find out that we will have to change the value of admin_enabled to anything other than zero. We can do that by overflowing our input buffer. The space reserved for the buffer is 64 bytes, but the compiler sometimes adds a few padding bytes between the buffer and its neighbouring variables. So, to be on the safe side, we supply an input longer than that, which overwrites the value 0 stored in the admin_enabled variable.
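A constructed C model of this bug, added here rather than taken from the level's own source: the 64-byte buffer directly followed by admin_enabled, an unbounded copy that lets the 65th input byte land on the flag, and the bounded copy that closes the hole. The struct layout, function names and the 'A'-byte input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of the level's state (constructed, not the real source):
 * a 64-byte input buffer immediately followed in memory by the admin flag. */
struct login_state {
    char buffer[64];
    int  admin_enabled;
};

/* Same defect as strcpy()/gets(): stops only at the source's NUL and never
 * consults the destination's size. */
static void unbounded_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable check: input byte 65 onward lands on admin_enabled, so any
 * non-NUL byte there makes it non-zero. */
int check_password_vulnerable(const char *input)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    unbounded_copy(st.buffer, input);
    return *(volatile int *)&st.admin_enabled; /* force a real memory read */
}

/* Fixed check: the copy is bounded by the buffer size and NUL-terminated,
 * so no input length reaches the flag. */
int check_password_fixed(const char *input)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    snprintf(st.buffer, sizeof st.buffer, "%s", input);
    return *(volatile int *)&st.admin_enabled;
}

/* Feeds n constructed 'A' bytes to one of the checks and returns the flag.
 * The vulnerable path is capped at 67 bytes (64 + 4-byte flag - NUL) so the
 * model struct itself is not overrun in this demo. */
int flag_after_input(size_t n, int use_fixed)
{
    char input[256];
    if (!use_fixed && n > 67) n = 67;
    if (n >= sizeof input) n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return use_fixed ? check_password_fixed(input)
                     : check_password_vulnerable(input);
}
```

In a real stack frame the compiler may place padding or other locals between the buffer and the flag, which is why the write-up overshoots 64 bytes rather than sending exactly 65.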
And voila! We have a level4 shell which we can use to read the level4 password. I am not revealing the password here so that readers try the challenge on their own.