#include <stdio.h>
#include <unistd.h>
#include <string.h>
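/*
 * Reconstructed source of the behemoth0 challenge binary: prompt for a
 * password, compare it against a key that is stored scrambled and is
 * unscrambled in place with memfrob() at run time, and spawn /bin/sh on a
 * match.
 *
 * The key is only XOR-scrambled (glibc's memfrob() XORs each byte with 42;
 * the disassembly below suggests the binary carries its own copy), so anyone
 * who can read the binary can recover the plaintext. Scrambling a constant
 * is obfuscation, not secrecy.
 *
 * memfrob() is a GNU extension: compile with -D_GNU_SOURCE (or define it
 * before the includes) so <string.h> declares it.
 *
 * Returns 0 on every path that returns; on a successful match the process
 * image is replaced by execl() and main() never returns.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    char pw[64];
    /* Scrambled key; memfrob() turns it into the plaintext in place. */
    char key[] = {"OK^GSYBEX^Y"};

    printf("PassWord: ");
    /* %63s: scanf() writes up to the field width PLUS a terminator, so the
     * width must be one less than the buffer size (%64s overflowed pw by one
     * byte). EOF or empty input leaves pw uninitialized, so treat a failed
     * conversion as a mismatch instead of comparing garbage. */
    if (scanf("%63s", pw) != 1) {
        puts("Access denied..");
        return 0;
    }

    memfrob(key, strlen(key));

    if (strcmp(pw, key) != 0) {
        puts("Access denied..");
        return 0;
    }

    puts("Access granted..");
    /* The argument-list terminator of execl() must be a char pointer; a bare
     * NULL may be passed as a plain int through the variadic call. */
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}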
root@today:~# ssh behemoth0@<host>
behemoth0@<host>'s password: behemoth0
behemoth0@melinda:~$ cd /behemoth
behemoth0@melinda:/behemoth$ ./behemoth0
Password: eatmyshorts
Access granted..
$ whoami
behemoth1
$ cat /etc/behemoth_pass/behemoth1
aesebootiv
$ exit
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x80485a2 <main> push %ebp │
│0x80485a3 <main+1> mov %esp,%ebp │
│0x80485a5 <main+3> and $0xfffffff0,%esp │
│0x80485a8 <main+6> sub $0x70,%esp │
│0x80485ab <main+9> mov %gs:0x14,%eax │
│0x80485b1 <main+15> mov %eax,0x6c(%esp) │
│0x80485b5 <main+19> xor %eax,%eax │
│0x80485b7 <main+21> movl $0x475e4b4f,0x1f(%esp) │
│0x80485bf <main+29> movl $0x45425953,0x23(%esp) │
│0x80485c7 <main+37> movl $0x595e58,0x27(%esp) │
│0x80485cf <main+45> movl $0x8048720,0x10(%esp) │
│0x80485d7 <main+53> movl $0x8048738,0x14(%esp) │
│0x80485df <main+61> movl $0x804874d,0x18(%esp) │
│0x80485e7 <main+69> movl $0x8048761,(%esp) │
│0x80485ee <main+76> call 0x8048400 <printf@plt> │
│0x80485f3 <main+81> lea 0x2b(%esp),%eax │
│0x80485f7 <main+85> mov %eax,0x4(%esp) │
│0x80485fb <main+89> movl $0x804876c,(%esp) │
│0x8048602 <main+96> call 0x8048470 <__isoc99_scanf@plt> │
│0x8048607 <main+101> lea 0x1f(%esp),%eax │
│0x804860b <main+105> mov %eax,(%esp) │
│0x804860e <main+108> call 0x8048440 <strlen@plt> │
│0x8048613 <main+113> mov %eax,0x4(%esp) │
│0x8048617 <main+117> lea 0x1f(%esp),%eax │
│0x804861b <main+121> mov %eax,(%esp) │
│0x804861e <main+124> call 0x804857d <memfrob> │
│0x8048623 <main+129> lea 0x1f(%esp),%eax │
│0x8048627 <main+133> mov %eax,0x4(%esp) │
│0x804862b <main+137> lea 0x2b(%esp),%eax │
│0x804862f <main+141> mov %eax,(%esp) │
│0x8048632 <main+144> call 0x80483f0 <strcmp@plt> │
│0x8048637 <main+149> test %eax,%eax │
│0x8048639 <main+151> jne 0x8048665 <main+195> │
│0x804863b <main+153> movl $0x8048771,(%esp) │
│0x8048642 <main+160> call 0x8048420 <puts@plt> │
│0x8048647 <main+165> movl $0x0,0x8(%esp) │
│0x804864f <main+173> movl $0x8048782,0x4(%esp) │
│0x8048657 <main+181> movl $0x8048785,(%esp) │
│0x804865e <main+188> call 0x8048460 <execl@plt> │
│0x8048663 <main+193> jmp 0x8048671 <main+207> │
│0x8048665 <main+195> movl $0x804878d,(%esp) │
│0x804866c <main+202> call 0x8048420 <puts@plt> │
│0x8048671 <main+207> mov $0x0,%eax │
│0x8048676 <main+212> mov 0x6c(%esp),%edx │
│0x804867a <main+216> xor %gs:0x14,%edx │
│0x8048681 <main+223> je 0x8048688 <main+230> │
│0x8048683 <main+225> call 0x8048410 <__stack_chk_fail@plt> │
│0x8048688 <main+230> leave │
│0x8048689 <main+231> ret │
└─────────────────────────────────────────────────────────────────────────────────┘