What is it? @.@

This is where I record tactics for wargames, systems, and other security issues.

2014-01-23

OverTheWire - Bandit - Level 19 to Level 20

Description:

Level Goal
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Helpful Reading Material
setuid on Wikipedia
Solution:
  1. [Comment] Use SSH to connect to the server
  2. sp@simple-plan:~|=> ssh bandit19@bandit.labs.overthewire.org
    ...
    bandit19@bandit.labs.overthewire.org's password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
  3. [Comment] Use the ls command to list the directory contents
  4. bandit19@melinda:~$ ls
    bandit20-do
  5. [Comment] Use the ll command (= ls -l) to list the directory contents in detail
  6. bandit19@melinda:~$ ll
    total 28
    drwxr-xr-x   2 root     root     4096 Jun  6  2013 ./
    drwxr-xr-x 160 root     root     4096 Oct 17 09:23 ../
    -rw-r--r--   1 root     root      220 Apr  3  2012 .bash_logout
    -rw-r--r--   1 root     root     3486 Apr  3  2012 .bashrc
    -rw-r--r--   1 root     root      675 Apr  3  2012 .profile
    -rwsr-x---   1 bandit20 bandit19 7237 Jun  6  2013 bandit20-do*
  7. [Comment] Check how to use the binary that has the setuid permission bit set (the s in -rwsr-x---: owned by bandit20, executable by group bandit19)
  8. bandit19@melinda:~$ ./bandit20-do --help
    Usage: env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]
    Set each NAME to VALUE in the environment and run COMMAND.

    -i, --ignore-environment start with an empty environment
    -0, --null end each output line with 0 byte rather than newline
    -u, --unset=NAME remove variable from the environment
    --help display this help and exit
    --version output version information and exit

    A mere - implies -i. If no COMMAND, print the resulting environment.

    Report env bugs to bug-coreutils@gnu.org
    GNU coreutils home page:
    General help using GNU software:
    Report env translation bugs to
    For complete documentation, run: info coreutils 'env invocation'
  9. [Comment] The help text is that of env: run a program in a modified environment
  10. [Comment] Now we use the setuid binary to run the cat command with bandit20's permissions and read the password for the next level
  11. bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
    GbKksEFF4yrVs6il55v6gwY5aVje5f0j
  12. [Comment] Use the exit command to close the connection to the server
  13. bandit19@melinda:~$ exit
    logout
    Connection to bandit.labs.overthewire.org closed.
  14. [Comment] It's done! Save the password for the next level.
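
The `ll` output in step 6 is what tells you whose identity the binary runs with and who is allowed to start it. The following script is an added example (not part of the original walkthrough): it reads `ls -l` lines and reports each setuid file, the user it runs as, and the callers that may execute it. The function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `ls -l` lines on stdin and reports every regular file
# with the setuid bit, the user it runs as, and which callers may execute it.
# Assumes the default long format (name in field 9, no spaces in file names).
audit_setuid_listing() {
    awk '
    $1 ~ /^-/ && length($1) >= 10 {
        u = substr($1, 4, 1)    # owner execute slot: x, s (setuid+x), S (setuid, no x)
        g = substr($1, 7, 1)    # group execute slot: x, s (setgid+x), S
        o = substr($1, 10, 1)   # other execute slot: x, t (sticky+x), T
        if (u != "s" && u != "S") next      # no setuid bit: nothing to report
        name = $9; sub(/\*$/, "", name)     # drop the "*" marker added by ls -F
        callers = ""
        if (u == "s")             callers = callers ",owner"
        if (g == "x" || g == "s") callers = callers ",group:" $4
        if (o == "x" || o == "t") callers = callers ",other"
        if (callers == "") callers = ",none"
        printf "%s setuid runs-as=%s callers=%s\n", name, $3, substr(callers, 2)
    }'
}

# The listing from step 6 of the walkthrough.
page_listing() {
    cat <<'EOF'
total 28
drwxr-xr-x   2 root     root     4096 Jun  6  2013 ./
drwxr-xr-x 160 root     root     4096 Oct 17 09:23 ../
-rw-r--r--   1 root     root      220 Apr  3  2012 .bash_logout
-rw-r--r--   1 root     root     3486 Apr  3  2012 .bashrc
-rw-r--r--   1 root     root      675 Apr  3  2012 .profile
-rwsr-x---   1 bandit20 bandit19 7237 Jun  6  2013 bandit20-do*
EOF
}

# Constructed lines covering the other cases: world-executable setuid,
# setuid without any execute bit (S), and setgid only (not reported).
constructed_listing() {
    cat <<'EOF'
-rwsr-xr-x   1 root     root      100 Jan  1  2013 example-world
-rwSr--r--   1 alice    staff     100 Jan  1  2013 example-noexec
-rwxr-sr-x   1 root     mail      100 Jan  1  2013 example-setgid
EOF
}

page_listing | audit_setuid_listing
```

For `bandit20-do` the result shows why step 11 works: the file runs as bandit20, and members of group bandit19 are allowed to execute it.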
Reference:
ssh: http://linuxcommand.org/man_pages/ssh1.html
ls: http://linuxcommand.org/man_pages/ls1.html
cat: http://linuxcommand.org/man_pages/cat1.html
exit: http://linuxcommand.org/man_pages/exit1.html
cd: http://linuxcommand.org/lc3_man_pages/cdh.html
find: http://linuxcommand.org/man_pages/find1.html
grep: http://linuxcommand.org/lc3_man_pages/grep1.html
sort: http://linuxcommand.org/lc3_man_pages/sort1.html
uniq: http://linuxcommand.org/man_pages/uniq1.html
strings: http://linuxcommand.org/man_pages/strings1.html
base64: http://linux.die.net/man/1/base64
tr: http://linuxcommand.org/man_pages/tr1.html
alias: http://linuxcommand.org/man_pages/alias1.html
mkdir: http://linuxcommand.org/man_pages/mkdir1.html
cp: http://linuxcommand.org/man_pages/cp1.html
xxd: http://linuxcommand.org/man_pages/xxd1.html
file: http://linuxcommand.org/man_pages/file1.html
mv: http://linuxcommand.org/man_pages/mv1.html
gzip: http://linuxcommand.org/man_pages/gzip1.html
bzip2: http://linuxcommand.org/man_pages/bzip21.html
tar: http://linuxcommand.org/man_pages/tar1.html
echo: http://linuxcommand.org/man_pages/echo1.html
nc: http://linuxcommand.org/man_pages/nc1.html
openssl: http://linuxcommand.org/man_pages/openssl1.html
diff: http://linuxcommand.org/man_pages/diff1.html
env: http://linuxcommand.org/man_pages/env1.html
