Level14 GDB - 42lan/snow-crash GitHub Wiki

Another solution using GDB by vsaltel

TL;DR

┌──$ [~/42/2021/snow-crash]
└─>  ssh 192.168.1.64 -p 4242 -l level14
level14@192.168.1.64's password: 2A31L79asukciNyi8uppkEuSx
level14@SnowCrash:~$ vi /tmp/commands.gdb
break main
run
break *0x0804898e
continue
set $eax=0
until
until
break *0x080489b4
continue
until
until
break *0x080489fe
continue
until
until
break *0x08048a4c
continue
until
until
break *0x08048ea5
continue
break *0x8048a89
continue
break *0x08048a9d
continue
break *0x08048aae
continue
set *((void**)($esp+0x10))=0xFF
break *0x08048acd
continue
set $eax=1
break *0x08048b0a
continue
set $eax=3014
continue
quit
level14@SnowCrash:~$ gdb -x /tmp/commands.gdb /bin/getflag | grep token
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ

Login as level14.

┌──$ [~/42/2021/snow-crash]
└─>  ssh 192.168.1.64 -p 4242 -l level14
level14@192.168.1.64's password: 2A31L79asukciNyi8uppkEuSx

Run getflag under gdb.

level14@SnowCrash:~$ gdb /bin/getflag
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /bin/getflag...(no debugging symbols found)...done.

Break on the first instruction of main() after the function prologue¹, run the program, and disassemble the main function.

(gdb) break main
Breakpoint 1 at 0x804894a
(gdb) run
Starting program: /bin/getflag

Breakpoint 1, 0x0804894a in main ()
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048946 <+0>:	push   %ebp
   0x08048947 <+1>:	mov    %esp,%ebp
   0x08048949 <+3>:	push   %ebx
=> 0x0804894a <+4>:	and    $0xfffffff0,%esp
   0x0804894d <+7>:	sub    $0x120,%esp
   0x08048953 <+13>:	mov    %gs:0x14,%eax
   0x08048959 <+19>:	mov    %eax,0x11c(%esp)
   0x08048960 <+26>:	xor    %eax,%eax
   0x08048962 <+28>:	movl   $0x0,0x10(%esp)
   0x0804896a <+36>:	movl   $0x0,0xc(%esp)
   0x08048972 <+44>:	movl   $0x1,0x8(%esp)
   0x0804897a <+52>:	movl   $0x0,0x4(%esp)
   0x08048982 <+60>:	movl   $0x0,(%esp)
   0x08048989 <+67>:	call   0x8048540 <ptrace@plt>
   0x0804898e <+72>:	test   %eax,%eax
   0x08048990 <+74>:	jns    0x80489a8 <main+98>

At offset +74 there is a JNS to +98. Before this conditional jump is evaluated, the value of eax must be modified: the ptrace(PTRACE_TRACEME, ...) call at +67 returns -1 when the process is already being traced by gdb, so the jump would not be taken.
So, break on the test instruction and set eax to a non-negative value.

(gdb) break *0x0804898e
Breakpoint 2 at 0x804898e
(gdb) continue
Continuing.

Breakpoint 2, 0x0804898e in main ()
(gdb) set $eax=0
(gdb) until
0x08048990 in main ()
(gdb) until
0x080489a8 in main ()

At +112 there is a JE to +164, taken when the getenv result in eax is 0. eax should be 0.

(gdb) disassemble
[...]
=> 0x080489a8 <+98>:	movl   $0x8048fc4,(%esp)
   0x080489af <+105>:	call   0x80484d0 <getenv@plt>
   0x080489b4 <+110>:	test   %eax,%eax
   0x080489b6 <+112>:	je     0x80489ea <main+164>
[...]

Break at +110 to check the value of eax.

(gdb) break *0x080489b4
Breakpoint 3 at 0x80489b4
(gdb) continue
Continuing.

Breakpoint 3, 0x080489b4 in main ()

Check value of eax.

(gdb) print $eax
$1 = 0

As it is already 0, continue until the jump to +164 is taken.

(gdb) until
0x080489b6 in main ()
(gdb) until
0x080489ea in main ()

At +186 there is a JLE to +238. Break at +184 and check that eax is less than 0 (JLE is taken when eax <= 0; here open returned -1).
Then continue until the jump to +238 is taken.

(gdb) disassemble
[...]
=> 0x080489ea <+164>:	movl   $0x0,0x4(%esp)
   0x080489f2 <+172>:	movl   $0x8048ff6,(%esp)
   0x080489f9 <+179>:	call   0x8048500 <open@plt>
   0x080489fe <+184>:	test   %eax,%eax
   0x08048a00 <+186>:	jle    0x8048a34 <main+238>
[...]
(gdb) break *0x080489fe
Breakpoint 4 at 0x80489fe
(gdb) continue
Continuing.

Breakpoint 4, 0x080489fe in main ()
(gdb) print $eax
$3 = -1
(gdb) break *0x8048a34
0x08048a00 in main ()
(gdb) continue
Continuing.

Breakpoint 5, 0x08048a34 in main ()

At +267 there is a JNE to +1346. Break at +262 and check whether the CMPL result is non-zero, i.e. whether the value stored at 0x14(%esp) differs from -1.

(gdb) disassemble
[...]
=> 0x08048a34 <+238>:	movl   $0x0,0x4(%esp)
   0x08048a3c <+246>:	movl   $0x8049009,(%esp)
   0x08048a43 <+253>:	call   0x804871c <syscall_open>
   0x08048a48 <+258>:	mov    %eax,0x14(%esp)
   0x08048a4c <+262>:	cmpl   $0xffffffff,0x14(%esp)
   0x08048a51 <+267>:	jne    0x8048e88 <main+1346>
[...]
(gdb) break *0x08048a4c
Breakpoint 6 at 0x8048a4c
(gdb) continue
Continuing.
(gdb) break *0x08048ea5
Breakpoint 6 at 0x8048ea5
(gdb) continue
Continuing.

Breakpoint 6, 0x08048ea5 in main ()
(gdb) break *0x8048a89
Breakpoint 7 at 0x8048a89
(gdb) continue
Continuing.

Breakpoint 7, 0x08048a89 in main ()
(gdb) break *0x08048a9d
Breakpoint 8 at 0x8048a9d
(gdb) continue
Continuing.

Breakpoint 8, 0x08048a9d in main ()
(gdb) break *0x08048aae
Breakpoint 9 at 0x8048aae
(gdb) continue
Continuing.

Breakpoint 9, 0x08048aae in main ()
(gdb) print 0x10 + $esp     # Get the address at which to set the value
$1 = (void *) 0xbffff630
(gdb) set *0xbffff630=0xff  # Set the value at 0x10 + $esp
(gdb) break *0x08048acd
Breakpoint 10 at 0x8048acd
(gdb) continue
Continuing.

Breakpoint 10, 0x08048acd in main ()
(gdb) set $eax=1
(gdb) break *0x08048b0a
Breakpoint 11 at 0x8048b0a
(gdb) continue
Continuing.

Breakpoint 11, 0x08048b0a in main ()
(gdb) set $eax=3014
(gdb) continue
Continuing.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
[Inferior 1 (process 3417) exited normally]
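Every step above follows the same pattern: find a conditional jump in the `disassemble` output, locate the test or cmp that sets the flags it reads, and break on that instruction to inspect or change the value before the jump is evaluated. The Python script below is an added example, not part of the original wiki page or of the snow-crash project; it automates that pattern over the four `disassemble` excerpts shown above (embedded here as a constructed sample string), and the regexes, mnemonic tables and function names are my own.

```python
import re

# Constructed sample: the four `disassemble` excerpts from this page, concatenated.
DISASSEMBLY = """\
   0x08048989 <+67>:    call   0x8048540 <ptrace@plt>
   0x0804898e <+72>:    test   %eax,%eax
   0x08048990 <+74>:    jns    0x80489a8 <main+98>
=> 0x080489a8 <+98>:    movl   $0x8048fc4,(%esp)
   0x080489af <+105>:   call   0x80484d0 <getenv@plt>
   0x080489b4 <+110>:   test   %eax,%eax
   0x080489b6 <+112>:   je     0x80489ea <main+164>
=> 0x080489ea <+164>:   movl   $0x0,0x4(%esp)
   0x080489f2 <+172>:   movl   $0x8048ff6,(%esp)
   0x080489f9 <+179>:   call   0x8048500 <open@plt>
   0x080489fe <+184>:   test   %eax,%eax
   0x08048a00 <+186>:   jle    0x8048a34 <main+238>
=> 0x08048a34 <+238>:   movl   $0x0,0x4(%esp)
   0x08048a3c <+246>:   movl   $0x8049009,(%esp)
   0x08048a43 <+253>:   call   0x804871c <syscall_open>
   0x08048a48 <+258>:   mov    %eax,0x14(%esp)
   0x08048a4c <+262>:   cmpl   $0xffffffff,0x14(%esp)
   0x08048a51 <+267>:   jne    0x8048e88 <main+1346>
"""

# One gdb disassembly line: optional "=>" marker, address, <+offset>, mnemonic, operands.
LINE_RE = re.compile(r"^(?:=>)?\s*(0x[0-9a-f]+)\s+<\+(\d+)>:\s+(\S+)(?:\s+(.*))?$")
# Jump target as gdb prints it: "0x80489a8 <main+98>".
TARGET_RE = re.compile(r"^(0x[0-9a-f]+)\s+<([^+>]+)\+(\d+)>")

# Conditional jumps and the condition under which each is taken (signed compares).
CONDITIONAL = {
    "je": "result == 0", "jz": "result == 0", "jne": "result != 0", "jnz": "result != 0",
    "js": "result < 0", "jns": "result >= 0", "jl": "a < b", "jle": "a <= b",
    "jg": "a > b", "jge": "a >= b", "jb": "a < b (unsigned)", "jbe": "a <= b (unsigned)",
    "ja": "a > b (unsigned)", "jae": "a >= b (unsigned)",
}
# Instructions that set the flags a conditional jump reads.
FLAG_SETTERS = {"test", "testl", "testb", "cmp", "cmpl", "cmpb", "sub", "subl", "and", "andl"}


def parse(text):
    """Turn gdb `disassemble` text into a list of instruction dicts; skips '[...]' etc."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, off, mnem, ops = m.groups()
        insns.append({"addr": int(addr, 16), "offset": int(off),
                      "mnemonic": mnem, "operands": ops or ""})
    return insns


def find_branches(insns):
    """For each conditional jump, report its target, condition, the flag-setting
    instruction it depends on, and the nearest preceding call (the value's producer)."""
    branches = []
    for i, ins in enumerate(insns):
        if ins["mnemonic"] not in CONDITIONAL:
            continue
        t = TARGET_RE.match(ins["operands"])
        setter = next((p for p in reversed(insns[:i]) if p["mnemonic"] in FLAG_SETTERS), None)
        producer = next((p for p in reversed(insns[:i]) if p["mnemonic"] == "call"), None)
        branches.append({
            "offset": ins["offset"], "mnemonic": ins["mnemonic"],
            "taken_when": CONDITIONAL[ins["mnemonic"]],
            "target_addr": int(t.group(1), 16) if t else None,
            "target_offset": int(t.group(3)) if t else None,
            "setter_addr": setter["addr"] if setter else None,
            "setter_offset": setter["offset"] if setter else None,
            "producer": producer["operands"] if producer else "",
        })
    return branches


def breakpoint_commands(branches):
    """gdb commands breaking on each flag-setting instruction, like the TL;DR script."""
    return ["break *0x%08x" % b["setter_addr"] for b in branches if b["setter_addr"]]


if __name__ == "__main__":
    for b in find_branches(parse(DISASSEMBLY)):
        print("+%d %s -> +%d (taken when %s); flags set at +%d after %s"
              % (b["offset"], b["mnemonic"], b["target_offset"], b["taken_when"],
                 b["setter_offset"], b["producer"]))
    print("\n".join(breakpoint_commands(find_branches(parse(DISASSEMBLY)))))
```

Run on the page's excerpts it prints the four jumps the walkthrough examines (+74 jns, +112 je, +186 jle, +267 jne), each with the test/cmp that precedes it and the call whose return value is being checked, and then the `break *0x0804898e`, `break *0x080489b4`, `break *0x080489fe`, `break *0x08048a4c` lines that open the TL;DR script. Feeding it the full `disassemble main` output rather than the excerpts would also surface the remaining branches the page breaks on without explanation.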
โš ๏ธ **GitHub.com Fallback** โš ๏ธ