Exploit Exercises - nebula level13
The program expects a UID 1000.
Let's debug it in gdb. Put a breakpoint at main() so we can analyze the program flow first.
The program will compare the UID of the user who is running flag13 (1014) with the UID it expects (1000). This is done by CMP call at main+48 - address 0x80484f4.
Put a breakpoint at CMP & continue till the breakpoint is hit.
At this point, we find that UID value (1014) is stored in $eax register. We can change the value to UID 1000, so when CMP call is executed next, UIDs will match, and we will get the token.
Log in as flag13 using the token value and getflag.