OverTheWire.org
Hacker Community

Level 7

Multi-vitamin
Getting out of the restricted shell shouldn't take you more than five minutes. Then have a look at /rdx/multivitamin. Try to analyse the algorithm very carefully. There is a weakness that really speeds up your quest...
Multiplication is easy, and so is division...?
You might want to look at http://gmplib.org/ if you use C.
Code listing (level7.c)
/*
 *      multivitamin.c 2006 by aton@packetdropped.org
 *
 *      rules: no patching.
 *      compile: gcc multivitamin.c -o multivitamin -lgmp
 *
 *      -> multiplication is simple, and so is division...?
 */


#define _GNU_SOURCE
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <gmp.h>

#define ADDVALUE 27137

int main(int argc, char *argv[])
{
        mpz_t longjohn, mul, cmpval;
        char userstr[512+1];
        int n=0;

        /* longjohn is the running product; it starts at 1 */
        mpz_init(longjohn);
        mpz_set_ui(longjohn, 1);
        mpz_init(mul);
        mpz_init(cmpval);
        mpz_set_str(cmpval, "insert-here-the-password-hash-from-your-home-directory-on-semtex-7", 10);

        if (argc<2)
        {
                printf("%s <string>\n", argv[0]);
                return -1;
        }

        strncpy(userstr, argv[1], 512);
        /* strncpy does not terminate the buffer when argv[1] has 512 or more characters */
        userstr[512] = '\0';

        /* multiply (character + ADDVALUE) for every character of the input */
        for (n=0;n<strlen(userstr);n++)
        {
                mpz_set_ui(mul, (unsigned long)(userstr[n]+ADDVALUE));
                mpz_mul(longjohn, longjohn, mul);
        }

        /* a product equal to the stored value opens a shell with the effective uid */
        if (!(n=mpz_cmp(longjohn, cmpval)))
        {
                setresuid(geteuid(), geteuid(), geteuid());
                execlp("/bin/bash", "bash", (char *)NULL);
        }
        else
                printf("err... booom!\n");

        return 0;
}
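
Why a product of per-character values makes a poor password verifier, shown on a constructed sample string rather than the level's stored value. This is an added example in Python, not part of the original page; the function names and the printable-ASCII factor range are assumptions.

```python
# Added illustration of the arithmetic in level7.c.
# The sample string "semtex" is constructed; it is not the level's password.
ADDVALUE = 27137  # constant from level7.c

# Assumption: the input is printable ASCII (0x20..0x7e), so every factor
# of the stored product lies in this narrow range.
LO, HI = 0x20 + ADDVALUE, 0x7E + ADDVALUE


def multivitamin(s: str) -> int:
    """Same arithmetic as the loop in level7.c: product of (byte + ADDVALUE)."""
    product = 1
    for b in s.encode("ascii"):
        product *= b + ADDVALUE
    return product


def recover_characters(value: int, smallest: int = LO):
    """Split value into factors within [LO, HI]; return the characters or None.

    Factors are tried in non-decreasing order with backtracking, because a
    candidate can divide the product without being one of the real factors.
    The result is one accepted input, in sorted order: the product does not
    record the order in which the characters were typed.
    """
    if value == 1:
        return ""
    for factor in range(smallest, HI + 1):
        if value % factor == 0:
            rest = recover_characters(value // factor, factor)
            if rest is not None:
                return chr(factor - ADDVALUE) + rest
    return None


if __name__ == "__main__":
    stored = multivitamin("semtex")            # constructed sample value
    print(multivitamin("xetmes") == stored)    # reordered input is accepted too
    print(recover_characters(stored))          # characters leak from the value
```

The comparison value therefore discloses which characters the password contains and accepts any ordering of them. A verifier built on a salted password hash has neither property.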