"Whatever Pages"

It's GDB time!

Nebula 13 Agenda: “There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id”


From my perspective, the only tool applicable to this problem was GDB (“gdb /home/flag13/flag13”). After disassembling the main function (“disas main”), I cut out the chunk (the whole listing is too huge) that is in charge of the ID comparison (“(getuid() != FAKEUID)” - “cmp eax,0x3e8”) and the subsequent flow control:

So the line right after the comparison jumps to “<main+109>” if the value of the $eax register is equal to “0x3e8”; otherwise the execution flow ends with a call to the “exit” function (“0x0804852c <+104>”). Therefore, we plan to act as follows:

  • Set a breakpoint at the comparison entry (“0x080484f4” virtual address)
  • Change the $eax value to “0x3e8”.
  • Obtain the token.

Let’s do this!
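The three steps above as a GDB command file, added here as an example and not part of the original post. The file name flag13.gdb is an assumption; the binary path, breakpoint address and register value are the ones given in the text.

```gdb
# flag13.gdb (hypothetical file name)
# Run with: gdb -q -x flag13.gdb /home/flag13/flag13

# Match the Intel-style operands quoted in the post ("cmp eax,0x3e8").
set disassembly-flavor intel

# Step 1: stop at the comparison. A breakpoint fires before the
# instruction at that address executes, so $eax still holds the
# value returned by getuid().
break *0x080484f4

# Commands attached to the breakpoint just set above.
commands
  silent
  x/2i $pc
  printf "getuid() returned: %d\n", $eax
  set var $eax = 0x3e8
  printf "eax is now: %d\n", $eax
  continue
end

# Steps 2 and 3 happen inside the breakpoint commands: the register is
# overwritten with the expected id, the comparison then succeeds and the
# program carries on to the branch at <main+109>.
run
```

A setuid binary started under a debugger runs with the invoking user's own privileges, so this works only because the check and everything it guards live inside a process the user fully controls. A uid comparison in user-space code is therefore not a security boundary.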

Resources: