# Level14

When we log in as **level14** we do not get any file at all. After trying the techniques used in the previous exercises, no results were found.

It's time to get the flag from the **getflag** binary directly.

When we decompile the binary we get the following code:

{% tabs %}
{% tab title="getflag.c" %}

```c

/*
 * Ghidra decompilation of getflag's main(). Types such as undefined4 and
 * names such as local_114 / iVar4 are decompiler placeholders.
 *
 * Visible flow:
 *   1. Save the stack-protector canary read from %gs:0x14.
 *   2. Anti-debug: ptrace(PTRACE_TRACEME); a negative result prints a message
 *      and returns 1.
 *   3. Anti-injection: stop if LD_PRELOAD is set or if /etc/ld.so.preload
 *      opens with a descriptor greater than 0.
 *   4. Scan /proc/self/maps line by line using isLib() and afterSubstr()
 *      (helpers not shown in this listing).
 *   5. Pick an encoded string by getuid(), decode it with ft_des() and print
 *      it to stdout.
 *
 * Returns 1 when one of the early checks fails and 0 on every path that
 * reaches the maps scan. As far as this listing shows, every check, the
 * encoded strings and the decoder live in this one process.
 */
undefined4 main(void)

{
  bool bVar1;
  FILE *__stream;
  long lVar2;
  undefined4 uVar3;
  char *__s;
  int iVar4;
  __uid_t _Var5;
  int iVar6;
  int in_GS_OFFSET;
  /* Line buffer for /proc/self/maps; 256 bytes, matching the 0x100 limit
     passed to syscall_gets below. */
  undefined local_114 [256];
  int local_14;
  
  /* Stack canary copy; compared again just before returning. */
  local_14 = *(int *)(in_GS_OFFSET + 0x14);
  /* Set once a maps line has matched the first isLib() pattern. */
  bVar1 = false;
  /* PTRACE_TRACEME fails when the process is already being traced, which is
     the case when it was started under a debugger. */
  lVar2 = ptrace(PTRACE_TRACEME,0,1,0);
  if (lVar2 < 0) {
    puts("You should not reverse this");
    uVar3 = 1;
  }
  else {
    /* Any value of LD_PRELOAD, even an empty one, counts as an injection. */
    __s = getenv("LD_PRELOAD");
    if (__s == (char *)0x0) {
      /* A descriptor of 0 or a negative result is treated as "no system-wide
         preload file". NOTE(review): the descriptor is not closed anywhere
         in this listing. */
      iVar4 = open("/etc/ld.so.preload",0);
      if (iVar4 < 1) {
        /* syscall_open / syscall_gets are project helpers not shown here;
           presumably they avoid the libc wrappers - confirm. */
        iVar4 = syscall_open("/proc/self/maps",0);
        if (iVar4 == -1) {
          fwrite("/proc/self/maps is unaccessible, probably a LD_PRELOAD attempt exit..\n",1,0x46,
                 stderr);
          uVar3 = 1;
        }
        else {
          /* Maps scan. Lines are skipped until one matches the pattern at
             DAT_08049063; every later line is then tested against
             DAT_08049068 (contents of both not shown - presumably
             library-name fragments, verify in the data section). */
          do {
            do {
              while( true ) {
                /* A zero result ends the scan and main returns 0. */
                iVar6 = syscall_gets(local_114,0x100,iVar4);
                if (iVar6 == 0) goto LAB_08048ead;
                iVar6 = isLib(local_114,&DAT_08049063);
                if (iVar6 == 0) break;
                bVar1 = true;
              }
            } while (!bVar1);
            iVar6 = isLib(local_114,&DAT_08049068);
            if (iVar6 != 0) {
              /* Second pattern matched: the maps check is considered passed
                 and the token for the calling UID is printed. */
              fwrite("Check flag.Here is your token : ",1,0x20,stdout);
              _Var5 = getuid();
              __stream = stdout;
              /* The nested comparisons below are a compiled switch over the
                 real UID: 3000 (0xbb8) through 3014 (0xbc6) each select one
                 encoded string, 0 gets the root message, anything else gets
                 the "Nope" message. Decimal UIDs are noted per branch. */
              /* UID 3006 */
              if (_Var5 == 0xbbe) {
                __s = (char *)ft_des("H8B8h_20B4J43><8>\\ED<;j@3");
                fputs(__s,__stream);
              }
              else {
                if (_Var5 < 0xbbf) {
                  /* UID 3002 */
                  if (_Var5 == 0xbba) {
                    __s = (char *)ft_des("<>B16\\AD<C6,G_<1>^7ci>l4B");
                    fputs(__s,__stream);
                  }
                  else {
                    if (_Var5 < 0xbbb) {
                      /* UID 3000 */
                      if (_Var5 == 3000) {
                        __s = (char *)ft_des("I`fA>_88eEd:=`85h0D8HE>,D");
                        fputs(__s,__stream);
                      }
                      else {
                        if (_Var5 < 0xbb9) {
                          /* Below 3000: root gets its own message, every
                             other UID falls to the shared "Nope" label. */
                          if (_Var5 == 0) {
                            fwrite("You are root are you that dumb ?\n",1,0x21,stdout);
                          }
                          else {
LAB_08048e06:
                            fwrite("\nNope there is no token here for you sorry. Try again :)",1,
                                   0x38,stdout);
                          }
                        }
                        else {
                          /* UID 3001 */
                          __s = (char *)ft_des("7`4Ci4=^d=J,?>i;6,7d416,7");
                          fputs(__s,__stream);
                        }
                      }
                    }
                    else {
                      /* UID 3004 */
                      if (_Var5 == 0xbbc) {
                        __s = (char *)ft_des("?4d@:,C>8C60G>8:h:Gb4?l,A");
                        fputs(__s,__stream);
                      }
                      else {
                        if (_Var5 < 0xbbd) {
                          /* UID 3003 */
                          __s = (char *)ft_des("B8b:6,3fj7:,;bh>D@>8i:6@D");
                          fputs(__s,__stream);
                        }
                        else {
                          /* UID 3005 */
                          __s = (char *)ft_des("G8H.6,=4k5J0<cd/D@>>B:>:4");
                          fputs(__s,__stream);
                        }
                      }
                    }
                  }
                }
                else {
                  /* UID 3010 */
                  if (_Var5 == 0xbc2) {
                    __s = (char *)ft_des("74H9D^3ed7k05445J0E4e;Da4");
                    fputs(__s,__stream);
                  }
                  else {
                    if (_Var5 < 0xbc3) {
                      /* UID 3008 */
                      if (_Var5 == 0xbc0) {
                        __s = (char *)ft_des("bci`mC{)jxkn<\"uD~6%g7FK`7");
                        fputs(__s,__stream);
                      }
                      else {
                        if (_Var5 < 0xbc1) {
                          /* UID 3007 */
                          __s = (char *)ft_des("78H:J4<4<9i_I4k0J^5>B1j`9");
                          fputs(__s,__stream);
                        }
                        else {
                          /* UID 3009 */
                          __s = (char *)ft_des("Dc6m~;}f8Cj#xFkel;#&ycfbK");
                          fputs(__s,__stream);
                        }
                      }
                    }
                    else {
                      /* UID 3012 */
                      if (_Var5 == 0xbc4) {
                        __s = (char *)ft_des("8_Dw\"4#?+3i]q&;p6 gtw88EC");
                        fputs(__s,__stream);
                      }
                      else {
                        if (_Var5 < 0xbc4) {
                          /* UID 3011 */
                          __s = (char *)ft_des("70hCi,E44Df[A4B/J@3f<=:`D");
                          fputs(__s,__stream);
                        }
                        else {
                          /* UID 3013 */
                          if (_Var5 == 0xbc5) {
                            __s = (char *)ft_des("boe]!ai0FB@.:|L6l@A?>qJ}I");
                            fputs(__s,__stream);
                          }
                          else {
                            /* UID 3014 is the last case; any higher UID
                               jumps to the "Nope" message. */
                            if (_Var5 != 0xbc6) goto LAB_08048e06;
                            __s = (char *)ft_des("g <t61:|4_|!@IF.-62FH&G~DCK/Ekrvvdwz?v|");
                            fputs(__s,__stream);
                          }
                        }
                      }
                    }
                  }
                }
              }
              /* Trailing newline (10 == '\n') after the token or message. */
              fputc(10,stdout);
              goto LAB_08048ead;
            }
            /* Line matched neither pattern: afterSubstr() decides whether the
               scan continues (non-zero) or the mapping is reported as an
               LD_PRELOAD injection (zero). Helper semantics not shown. */
            iVar6 = afterSubstr(local_114,"00000000 00:00 0");
          } while (iVar6 != 0);
          fwrite("LD_PRELOAD detected through memory maps exit ..\n",1,0x30,stderr);
          /* Shared exit for the maps scan. Note that the detection path just
             above also lands here, so it returns 0 rather than 1. */
LAB_08048ead:
          uVar3 = 0;
        }
      }
      else {
        fwrite("Injection Linked lib detected exit..\n",1,0x25,stderr);
        uVar3 = 1;
      }
    }
    else {
      fwrite("Injection Linked lib detected exit..\n",1,0x25,stderr);
      uVar3 = 1;
    }
  }
  /* Stack-protector epilogue: return only if the saved canary still matches
     the value at %gs:0x14. */
  if (local_14 == *(int *)(in_GS_OFFSET + 0x14)) {
    return uVar3;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}
```

{% endtab %}

{% tab title="getflag disassembled" %}

```
level14@SnowCrash:~$ gdb getflag -q
Reading symbols from /bin/getflag...(no debugging symbols found)...done.
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048946 <+0>:     push   %ebp
   0x08048947 <+1>:     mov    %esp,%ebp
   0x08048949 <+3>:     push   %ebx
   0x0804894a <+4>:     and    $0xfffffff0,%esp
   0x0804894d <+7>:     sub    $0x120,%esp
   0x08048953 <+13>:    mov    %gs:0x14,%eax
   0x08048959 <+19>:    mov    %eax,0x11c(%esp)
   0x08048960 <+26>:    xor    %eax,%eax
   0x08048962 <+28>:    movl   $0x0,0x10(%esp)
   0x0804896a <+36>:    movl   $0x0,0xc(%esp)
   0x08048972 <+44>:    movl   $0x1,0x8(%esp)
   0x0804897a <+52>:    movl   $0x0,0x4(%esp)
   0x08048982 <+60>:    movl   $0x0,(%esp)
   0x08048989 <+67>:    call   0x8048540 <ptrace@plt>
   0x0804898e <+72>:    test   %eax,%eax
   0x08048990 <+74>:    jns    0x80489a8 <main+98>
   0x08048992 <+76>:    movl   $0x8048fa8,(%esp)
   0x08048999 <+83>:    call   0x80484e0 <puts@plt>
   0x0804899e <+88>:    mov    $0x1,%eax
   0x080489a3 <+93>:    jmp    0x8048eb2 <main+1388>
   0x080489a8 <+98>:    movl   $0x8048fc4,(%esp)
   0x080489af <+105>:   call   0x80484d0 <getenv@plt>
   0x080489b4 <+110>:   test   %eax,%eax
   0x080489b6 <+112>:   je     0x80489ea <main+164>
   0x080489b8 <+114>:   mov    0x804b040,%eax
   0x080489bd <+119>:   mov    %eax,%edx
   0x080489bf <+121>:   mov    $0x8048fd0,%eax
   0x080489c4 <+126>:   mov    %edx,0xc(%esp)
   0x080489c8 <+130>:   movl   $0x25,0x8(%esp)
   0x080489d0 <+138>:   movl   $0x1,0x4(%esp)
   0x080489d8 <+146>:   mov    %eax,(%esp)
   0x080489db <+149>:   call   0x80484c0 <fwrite@plt>
   0x080489e0 <+154>:   mov    $0x1,%eax
   0x080489e5 <+159>:   jmp    0x8048eb2 <main+1388>
   0x080489ea <+164>:   movl   $0x0,0x4(%esp)
   0x080489f2 <+172>:   movl   $0x8048ff6,(%esp)
   0x080489f9 <+179>:   call   0x8048500 <open@plt>
   0x080489fe <+184>:   test   %eax,%eax
   0x08048a00 <+186>:   jle    0x8048a34 <main+238>
   0x08048a02 <+188>:   mov    0x804b040,%eax
   0x08048a07 <+193>:   mov    %eax,%edx
   0x08048a09 <+195>:   mov    $0x8048fd0,%eax
   0x08048a0e <+200>:   mov    %edx,0xc(%esp)
   0x08048a12 <+204>:   movl   $0x25,0x8(%esp)
   0x08048a1a <+212>:   movl   $0x1,0x4(%esp)
   0x08048a22 <+220>:   mov    %eax,(%esp)
   0x08048a25 <+223>:   call   0x80484c0 <fwrite@plt>
   0x08048a2a <+228>:   mov    $0x1,%eax
   0x08048a2f <+233>:   jmp    0x8048eb2 <main+1388>
   0x08048a34 <+238>:   movl   $0x0,0x4(%esp)
   0x08048a3c <+246>:   movl   $0x8049009,(%esp)
   0x08048a43 <+253>:   call   0x804871c <syscall_open>
   0x08048a48 <+258>:   mov    %eax,0x14(%esp)
   0x08048a4c <+262>:   cmpl   $0xffffffff,0x14(%esp)
   0x08048a51 <+267>:   jne    0x8048e88 <main+1346>
   0x08048a57 <+273>:   mov    0x804b040,%eax
   0x08048a5c <+278>:   mov    %eax,%edx
   0x08048a5e <+280>:   mov    $0x804901c,%eax
   0x08048a63 <+285>:   mov    %edx,0xc(%esp)
   0x08048a67 <+289>:   movl   $0x46,0x8(%esp)
   0x08048a6f <+297>:   movl   $0x1,0x4(%esp)
   0x08048a77 <+305>:   mov    %eax,(%esp)
   0x08048a7a <+308>:   call   0x80484c0 <fwrite@plt>
   0x08048a7f <+313>:   mov    $0x1,%eax
   0x08048a84 <+318>:   jmp    0x8048eb2 <main+1388>
   0x08048a89 <+323>:   movl   $0x8049063,0x4(%esp)
   0x08048a91 <+331>:   lea    0x1c(%esp),%eax
   0x08048a95 <+335>:   mov    %eax,(%esp)
   0x08048a98 <+338>:   call   0x8048843 <isLib>
   0x08048a9d <+343>:   test   %eax,%eax
   0x08048a9f <+345>:   je     0x8048aae <main+360>
   0x08048aa1 <+347>:   movl   $0x1,0x10(%esp)
   0x08048aa9 <+355>:   jmp    0x8048e89 <main+1347>
   0x08048aae <+360>:   cmpl   $0x0,0x10(%esp)
   0x08048ab3 <+365>:   je     0x8048e89 <main+1347>
   0x08048ab9 <+371>:   movl   $0x8049068,0x4(%esp)
   0x08048ac1 <+379>:   lea    0x1c(%esp),%eax
   0x08048ac5 <+383>:   mov    %eax,(%esp)
   0x08048ac8 <+386>:   call   0x8048843 <isLib>
   0x08048acd <+391>:   test   %eax,%eax
   0x08048acf <+393>:   je     0x8048e46 <main+1280>
   0x08048ad5 <+399>:   mov    0x804b060,%eax
   0x08048ada <+404>:   mov    %eax,%edx
   0x08048adc <+406>:   mov    $0x804906c,%eax
   0x08048ae1 <+411>:   mov    %edx,0xc(%esp)
   0x08048ae5 <+415>:   movl   $0x20,0x8(%esp)
   0x08048aed <+423>:   movl   $0x1,0x4(%esp)
   0x08048af5 <+431>:   mov    %eax,(%esp)
   0x08048af8 <+434>:   call   0x80484c0 <fwrite@plt>
   0x08048afd <+439>:   call   0x80484b0 <getuid@plt>
   0x08048b02 <+444>:   mov    %eax,0x18(%esp)
   0x08048b06 <+448>:   mov    0x18(%esp),%eax
   0x08048b0a <+452>:   cmp    $0xbbe,%eax
   0x08048b0f <+457>:   je     0x8048ccb <main+901>
   0x08048b15 <+463>:   cmp    $0xbbe,%eax
   0x08048b1a <+468>:   ja     0x8048b68 <main+546>
   0x08048b1c <+470>:   cmp    $0xbba,%eax
   0x08048b21 <+475>:   je     0x8048c3b <main+757>
   0x08048b27 <+481>:   cmp    $0xbba,%eax
   0x08048b2c <+486>:   ja     0x8048b4d <main+519>
   0x08048b2e <+488>:   cmp    $0xbb8,%eax
   0x08048b33 <+493>:   je     0x8048bf3 <main+685>
   0x08048b39 <+499>:   cmp    $0xbb8,%eax
   0x08048b3e <+504>:   ja     0x8048c17 <main+721>
   0x08048b44 <+510>:   test   %eax,%eax
   0x08048b46 <+512>:   je     0x8048bc6 <main+640>
   0x08048b48 <+514>:   jmp    0x8048e06 <main+1216>
   0x08048b4d <+519>:   cmp    $0xbbc,%eax
   0x08048b52 <+524>:   je     0x8048c83 <main+829>
   0x08048b58 <+530>:   cmp    $0xbbc,%eax
   0x08048b5d <+535>:   ja     0x8048ca7 <main+865>
   0x08048b63 <+541>:   jmp    0x8048c5f <main+793>
   0x08048b68 <+546>:   cmp    $0xbc2,%eax
   0x08048b6d <+551>:   je     0x8048d5b <main+1045>
   0x08048b73 <+557>:   cmp    $0xbc2,%eax
   0x08048b78 <+562>:   ja     0x8048b95 <main+591>
   0x08048b7a <+564>:   cmp    $0xbc0,%eax
   0x08048b7f <+569>:   je     0x8048d13 <main+973>
   0x08048b85 <+575>:   cmp    $0xbc0,%eax
   0x08048b8a <+580>:   ja     0x8048d37 <main+1009>
   0x08048b90 <+586>:   jmp    0x8048cef <main+937>
   0x08048b95 <+591>:   cmp    $0xbc4,%eax
   0x08048b9a <+596>:   je     0x8048da3 <main+1117>
   0x08048ba0 <+602>:   cmp    $0xbc4,%eax
   0x08048ba5 <+607>:   jb     0x8048d7f <main+1081>
   0x08048bab <+613>:   cmp    $0xbc5,%eax
   0x08048bb0 <+618>:   je     0x8048dc4 <main+1150>
   0x08048bb6 <+624>:   cmp    $0xbc6,%eax
   0x08048bbb <+629>:   je     0x8048de5 <main+1183>
   0x08048bc1 <+635>:   jmp    0x8048e06 <main+1216>
   0x08048bc6 <+640>:   mov    0x804b060,%eax
   0x08048bcb <+645>:   mov    %eax,%edx
   0x08048bcd <+647>:   mov    $0x8049090,%eax
   0x08048bd2 <+652>:   mov    %edx,0xc(%esp)
   0x08048bd6 <+656>:   movl   $0x21,0x8(%esp)
   0x08048bde <+664>:   movl   $0x1,0x4(%esp)
   0x08048be6 <+672>:   mov    %eax,(%esp)
   0x08048be9 <+675>:   call   0x80484c0 <fwrite@plt>
   0x08048bee <+680>:   jmp    0x8048e2f <main+1257>
   0x08048bf3 <+685>:   mov    0x804b060,%eax
   0x08048bf8 <+690>:   mov    %eax,%ebx
   0x08048bfa <+692>:   movl   $0x80490b2,(%esp)
   0x08048c01 <+699>:   call   0x8048604 <ft_des>
   0x08048c06 <+704>:   mov    %ebx,0x4(%esp)
   0x08048c0a <+708>:   mov    %eax,(%esp)
   0x08048c0d <+711>:   call   0x8048530 <fputs@plt>
   0x08048c12 <+716>:   jmp    0x8048e2f <main+1257>
   0x08048c17 <+721>:   mov    0x804b060,%eax
   0x08048c1c <+726>:   mov    %eax,%ebx
   0x08048c1e <+728>:   movl   $0x80490cc,(%esp)
   0x08048c25 <+735>:   call   0x8048604 <ft_des>
   0x08048c2a <+740>:   mov    %ebx,0x4(%esp)
   0x08048c2e <+744>:   mov    %eax,(%esp)
   0x08048c31 <+747>:   call   0x8048530 <fputs@plt>
   0x08048c36 <+752>:   jmp    0x8048e2f <main+1257>
   0x08048c3b <+757>:   mov    0x804b060,%eax
   0x08048c40 <+762>:   mov    %eax,%ebx
   0x08048c42 <+764>:   movl   $0x80490e6,(%esp)
   0x08048c49 <+771>:   call   0x8048604 <ft_des>
   0x08048c4e <+776>:   mov    %ebx,0x4(%esp)
   0x08048c52 <+780>:   mov    %eax,(%esp)
   0x08048c55 <+783>:   call   0x8048530 <fputs@plt>
   0x08048c5a <+788>:   jmp    0x8048e2f <main+1257>
   0x08048c5f <+793>:   mov    0x804b060,%eax
   0x08048c64 <+798>:   mov    %eax,%ebx
   0x08048c66 <+800>:   movl   $0x8049100,(%esp)
   0x08048c6d <+807>:   call   0x8048604 <ft_des>
   0x08048c72 <+812>:   mov    %ebx,0x4(%esp)
   0x08048c76 <+816>:   mov    %eax,(%esp)
   0x08048c79 <+819>:   call   0x8048530 <fputs@plt>
   0x08048c7e <+824>:   jmp    0x8048e2f <main+1257>
   0x08048c83 <+829>:   mov    0x804b060,%eax
   0x08048c88 <+834>:   mov    %eax,%ebx
   0x08048c8a <+836>:   movl   $0x804911a,(%esp)
   0x08048c91 <+843>:   call   0x8048604 <ft_des>
   0x08048c96 <+848>:   mov    %ebx,0x4(%esp)
   0x08048c9a <+852>:   mov    %eax,(%esp)
   0x08048c9d <+855>:   call   0x8048530 <fputs@plt>
   0x08048ca2 <+860>:   jmp    0x8048e2f <main+1257>
   0x08048ca7 <+865>:   mov    0x804b060,%eax
   0x08048cac <+870>:   mov    %eax,%ebx
   0x08048cae <+872>:   movl   $0x8049134,(%esp)
   0x08048cb5 <+879>:   call   0x8048604 <ft_des>
   0x08048cba <+884>:   mov    %ebx,0x4(%esp)
   0x08048cbe <+888>:   mov    %eax,(%esp)
   0x08048cc1 <+891>:   call   0x8048530 <fputs@plt>
   0x08048cc6 <+896>:   jmp    0x8048e2f <main+1257>
   0x08048ccb <+901>:   mov    0x804b060,%eax
   0x08048cd0 <+906>:   mov    %eax,%ebx
   0x08048cd2 <+908>:   movl   $0x804914e,(%esp)
   0x08048cd9 <+915>:   call   0x8048604 <ft_des>
   0x08048cde <+920>:   mov    %ebx,0x4(%esp)
   0x08048ce2 <+924>:   mov    %eax,(%esp)
   0x08048ce5 <+927>:   call   0x8048530 <fputs@plt>
   0x08048cea <+932>:   jmp    0x8048e2f <main+1257>
   0x08048cef <+937>:   mov    0x804b060,%eax
   0x08048cf4 <+942>:   mov    %eax,%ebx
   0x08048cf6 <+944>:   movl   $0x8049168,(%esp)
   0x08048cfd <+951>:   call   0x8048604 <ft_des>
   0x08048d02 <+956>:   mov    %ebx,0x4(%esp)
   0x08048d06 <+960>:   mov    %eax,(%esp)
   0x08048d09 <+963>:   call   0x8048530 <fputs@plt>
   0x08048d0e <+968>:   jmp    0x8048e2f <main+1257>
   0x08048d13 <+973>:   mov    0x804b060,%eax
   0x08048d18 <+978>:   mov    %eax,%ebx
   0x08048d1a <+980>:   movl   $0x8049182,(%esp)
   0x08048d21 <+987>:   call   0x8048604 <ft_des>
   0x08048d26 <+992>:   mov    %ebx,0x4(%esp)
   0x08048d2a <+996>:   mov    %eax,(%esp)
   0x08048d2d <+999>:   call   0x8048530 <fputs@plt>
   0x08048d32 <+1004>:  jmp    0x8048e2f <main+1257>
   0x08048d37 <+1009>:  mov    0x804b060,%eax
   0x08048d3c <+1014>:  mov    %eax,%ebx
   0x08048d3e <+1016>:  movl   $0x804919c,(%esp)
   0x08048d45 <+1023>:  call   0x8048604 <ft_des>
   0x08048d4a <+1028>:  mov    %ebx,0x4(%esp)
   0x08048d4e <+1032>:  mov    %eax,(%esp)
   0x08048d51 <+1035>:  call   0x8048530 <fputs@plt>
   0x08048d56 <+1040>:  jmp    0x8048e2f <main+1257>
   0x08048d5b <+1045>:  mov    0x804b060,%eax
   0x08048d60 <+1050>:  mov    %eax,%ebx
   0x08048d62 <+1052>:  movl   $0x80491b6,(%esp)
   0x08048d69 <+1059>:  call   0x8048604 <ft_des>
   0x08048d6e <+1064>:  mov    %ebx,0x4(%esp)
   0x08048d72 <+1068>:  mov    %eax,(%esp)
   0x08048d75 <+1071>:  call   0x8048530 <fputs@plt>
   0x08048d7a <+1076>:  jmp    0x8048e2f <main+1257>
   0x08048d7f <+1081>:  mov    0x804b060,%eax
   0x08048d84 <+1086>:  mov    %eax,%ebx
   0x08048d86 <+1088>:  movl   $0x80491d0,(%esp)
   0x08048d8d <+1095>:  call   0x8048604 <ft_des>
   0x08048d92 <+1100>:  mov    %ebx,0x4(%esp)
   0x08048d96 <+1104>:  mov    %eax,(%esp)
   0x08048d99 <+1107>:  call   0x8048530 <fputs@plt>
   0x08048d9e <+1112>:  jmp    0x8048e2f <main+1257>
   0x08048da3 <+1117>:  mov    0x804b060,%eax
   0x08048da8 <+1122>:  mov    %eax,%ebx
   0x08048daa <+1124>:  movl   $0x80491ea,(%esp)
   0x08048db1 <+1131>:  call   0x8048604 <ft_des>
   0x08048db6 <+1136>:  mov    %ebx,0x4(%esp)
   0x08048dba <+1140>:  mov    %eax,(%esp)
   0x08048dbd <+1143>:  call   0x8048530 <fputs@plt>
   0x08048dc2 <+1148>:  jmp    0x8048e2f <main+1257>
   0x08048dc4 <+1150>:  mov    0x804b060,%eax
   0x08048dc9 <+1155>:  mov    %eax,%ebx
   0x08048dcb <+1157>:  movl   $0x8049204,(%esp)
   0x08048dd2 <+1164>:  call   0x8048604 <ft_des>
   0x08048dd7 <+1169>:  mov    %ebx,0x4(%esp)
   0x08048ddb <+1173>:  mov    %eax,(%esp)
   0x08048dde <+1176>:  call   0x8048530 <fputs@plt>
   0x08048de3 <+1181>:  jmp    0x8048e2f <main+1257>
   0x08048de5 <+1183>:  mov    0x804b060,%eax
   0x08048dea <+1188>:  mov    %eax,%ebx
   0x08048dec <+1190>:  movl   $0x8049220,(%esp)
   0x08048df3 <+1197>:  call   0x8048604 <ft_des>
   0x08048df8 <+1202>:  mov    %ebx,0x4(%esp)
   0x08048dfc <+1206>:  mov    %eax,(%esp)
   0x08048dff <+1209>:  call   0x8048530 <fputs@plt>
   0x08048e04 <+1214>:  jmp    0x8048e2f <main+1257>
   0x08048e06 <+1216>:  mov    0x804b060,%eax
   0x08048e0b <+1221>:  mov    %eax,%edx
   0x08048e0d <+1223>:  mov    $0x8049248,%eax
   0x08048e12 <+1228>:  mov    %edx,0xc(%esp)
   0x08048e16 <+1232>:  movl   $0x38,0x8(%esp)
   0x08048e1e <+1240>:  movl   $0x1,0x4(%esp)
   0x08048e26 <+1248>:  mov    %eax,(%esp)
   0x08048e29 <+1251>:  call   0x80484c0 <fwrite@plt>
   0x08048e2e <+1256>:  nop
   0x08048e2f <+1257>:  mov    0x804b060,%eax
   0x08048e34 <+1262>:  mov    %eax,0x4(%esp)
   0x08048e38 <+1266>:  movl   $0xa,(%esp)
   0x08048e3f <+1273>:  call   0x8048520 <fputc@plt>
   0x08048e44 <+1278>:  jmp    0x8048ead <main+1383>
   0x08048e46 <+1280>:  movl   $0x8049281,0x4(%esp)
   0x08048e4e <+1288>:  lea    0x1c(%esp),%eax
   0x08048e52 <+1292>:  mov    %eax,(%esp)
   0x08048e55 <+1295>:  call   0x80487be <afterSubstr>
   0x08048e5a <+1300>:  test   %eax,%eax
   0x08048e5c <+1302>:  jne    0x8048e89 <main+1347>
   0x08048e5e <+1304>:  mov    0x804b040,%eax
   0x08048e63 <+1309>:  mov    %eax,%edx
   0x08048e65 <+1311>:  mov    $0x8049294,%eax
   0x08048e6a <+1316>:  mov    %edx,0xc(%esp)
   0x08048e6e <+1320>:  movl   $0x30,0x8(%esp)
   0x08048e76 <+1328>:  movl   $0x1,0x4(%esp)
   0x08048e7e <+1336>:  mov    %eax,(%esp)
   0x08048e81 <+1339>:  call   0x80484c0 <fwrite@plt>
   0x08048e86 <+1344>:  jmp    0x8048ead <main+1383>
   0x08048e88 <+1346>:  nop
   0x08048e89 <+1347>:  mov    0x14(%esp),%eax
   0x08048e8d <+1351>:  mov    %eax,0x8(%esp)
   0x08048e91 <+1355>:  movl   $0x100,0x4(%esp)
   0x08048e99 <+1363>:  lea    0x1c(%esp),%eax
   0x08048e9d <+1367>:  mov    %eax,(%esp)
   0x08048ea0 <+1370>:  call   0x804874c <syscall_gets>
   0x08048ea5 <+1375>:  test   %eax,%eax
   0x08048ea7 <+1377>:  jne    0x8048a89 <main+323>
   0x08048ead <+1383>:  mov    $0x0,%eax
   0x08048eb2 <+1388>:  mov    0x11c(%esp),%edx
   0x08048eb9 <+1395>:  xor    %gs:0x14,%edx
   0x08048ec0 <+1402>:  je     0x8048ec7 <main+1409>
   0x08048ec2 <+1404>:  call   0x80484a0 <__stack_chk_fail@plt>
   0x08048ec7 <+1409>:  mov    -0x4(%ebp),%ebx
   0x08048eca <+1412>:  leave  
   0x08048ecb <+1413>:  ret    
End of assembler dump.

```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
The program **getflag** is decompiled using [**Ghidra**](https://ghidra-sre.org/).
{% endhint %}

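In the decompiled code we can clearly see that, just like in the last exercise (**Level13**), a decoding function called `ft_des` is called, and the string it decodes depends on the UID of the user. Before that point, `main` runs several checks: `ptrace(PTRACE_TRACEME)` (which fails when the process is already being traced by a debugger), the `LD_PRELOAD` environment variable, `/etc/ld.so.preload` and `/proc/self/maps`. All of these checks, like the UID comparison, run inside the process itself, and the encoded strings and the decoder are both stored in the binary.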

And just like in the last exercise (**Level13**) we can try the same technique to get the flag. Let's:

* Disassemble the `main` function
  * Get the address of the last call to `ft_des` (assuming the calls are in the order of the exercises)
* Set a breakpoint on the `main` function (at the very start)
* Jump to the desired address.

In the disassembled code (the tab next to the getflag.c code) we can see that the last call to `ft_des` is at address `0x08048df3` (line `259`), so we should jump to an address a little above it, `0x08048de5` (line `256`). We jump there so that the instructions that set up the address of the string to be decoded, and the output stream, run before the call.

So here is how we will get the flag

Open GDB on the **getflag** binary

```bash
level14@SnowCrash:~$ gdb getflag -q
```

Set a breakpoint on `main` (`break main`) and run the program

```bash
Breakpoint 1 at 0x804894a
(gdb) run
Starting program: /bin/getflag

Breakpoint 1, 0x0804894a in main ()
```

We jump to address `0x08048de5`

```
(gdb) jump *0x08048de5
Continuing at 0x8048de5.
7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
*** stack smashing detected ***: /bin/getflag terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb7f2fd95]
/lib/i386-linux-gnu/libc.so.6(+0x103d4a)[0xb7f2fd4a]
/bin/getflag[0x8048ec7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb7e454d3]
/bin/getflag[0x8048571]
======= Memory map: ========
08048000-0804a000 r-xp 00000000 07:00 12700      /bin/getflag
0804a000-0804b000 r--p 00001000 07:00 12700      /bin/getflag
0804b000-0804c000 rw-p 00002000 07:00 12700      /bin/getflag
0804c000-0806d000 rw-p 00000000 00:00 0          [heap]
b7e07000-b7e23000 r-xp 00000000 07:00 14117      /lib/i386-linux-gnu/libgcc_s.so.1
b7e23000-b7e24000 r--p 0001b000 07:00 14117      /lib/i386-linux-gnu/libgcc_s.so.1
b7e24000-b7e25000 rw-p 0001c000 07:00 14117      /lib/i386-linux-gnu/libgcc_s.so.1
b7e2b000-b7e2c000 rw-p 00000000 00:00 0 
b7e2c000-b7fcf000 r-xp 00000000 07:00 14123      /lib/i386-linux-gnu/libc-2.15.so
b7fcf000-b7fd1000 r--p 001a3000 07:00 14123      /lib/i386-linux-gnu/libc-2.15.so
b7fd1000-b7fd2000 rw-p 001a5000 07:00 14123      /lib/i386-linux-gnu/libc-2.15.so
b7fd2000-b7fd5000 rw-p 00000000 00:00 0 
b7fd9000-b7fdd000 rw-p 00000000 00:00 0 
b7fdd000-b7fde000 r-xp 00000000 00:00 0          [vdso]
b7fde000-b7ffe000 r-xp 00000000 07:00 14081      /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r--p 0001f000 07:00 14081      /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rw-p 00020000 07:00 14081      /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb7fdd428 in __kernel_vsyscall ()

```

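And it shows us the flag: the decoded token is printed on the line right after `Continuing at 0x8048de5.`

The `*** stack smashing detected ***` abort that follows is expected and is not a real overflow. The breakpoint stops at `0x0804894a` (`main+4`), before the prologue reserves the stack frame and stores the stack canary (`main+7` to `main+19`). Jumping from there skips that setup, so the canary comparison in the epilogue (`main+1388` onward) fails and `__stack_chk_fail` is called.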

### The flag to login to `flag14` account

`7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ`

### Command summary

```bash
## Follow the gdb example...

## Log into the account flag14
level14@SnowCrash:~$ su flag14
Password: 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)

## Try to get the flag
flag14@SnowCrash:~$ getflag 
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
```
