티스토리 뷰

System/FTZ

[FTZ] level1

MitNy 2017. 9. 6. 16:54

 id = level1 pw = level1


level1 문제의 파일들과 권한을 보면 hint 라는 파일이 있다.

hint가 있을 것 같다.



hint파일을 실행시켜 보면 level2 권한에 setuid가 걸린 파일을 찾는다. 라고 써있다.


find 명령어를 통해 찾아보자


[level1@ftz level1]$ find / -perm -4000

find: /lost+found: Permission denied

find: /boot/lost+found: Permission denied

find: /proc/1/fd: Permission denied

find: /proc/2/fd: Permission denied

find: /proc/3/fd: Permission denied

find: /proc/4/fd: Permission denied

find: /proc/9/fd: Permission denied

find: /proc/5/fd: Permission denied

find: /proc/6/fd: Permission denied

find: /proc/7/fd: Permission denied

find: /proc/8/fd: Permission denied

find: /proc/10/fd: Permission denied

find: /proc/11/fd: Permission denied

find: /proc/19/fd: Permission denied

find: /proc/77/fd: Permission denied

find: /proc/1165/fd: Permission denied

find: /proc/1474/fd: Permission denied

find: /proc/1530/fd: Permission denied

find: /proc/1534/fd: Permission denied

find: /proc/1552/fd: Permission denied

find: /proc/1571/fd: Permission denied

find: /proc/1638/fd: Permission denied

find: /proc/1675/fd: Permission denied

find: /proc/1709/fd: Permission denied

find: /proc/1718/fd: Permission denied

find: /proc/1728/fd: Permission denied

find: /proc/1737/fd: Permission denied

find: /proc/1746/fd: Permission denied

find: /proc/1788/fd: Permission denied

find: /proc/1789/fd: Permission denied

find: /proc/1798/fd: Permission denied

find: /proc/.1819/fd: Permission denied

find: /proc/.1820/fd: Permission denied

find: /proc/.1821/fd: Permission denied

find: /proc/.1822/fd: Permission denied

find: /proc/1828/fd: Permission denied

find: /proc/.1829/fd: Permission denied

find: /proc/.1830/fd: Permission denied

find: /proc/.1831/fd: Permission denied

find: /proc/.1832/fd: Permission denied

find: /proc/1877/fd: Permission denied

find: /proc/1878/fd: Permission denied

find: /proc/1879/fd: Permission denied

find: /proc/1880/fd: Permission denied

find: /proc/1881/fd: Permission denied

find: /proc/1882/fd: Permission denied

find: /proc/1883/fd: Permission denied

find: /proc/1884/fd: Permission denied

find: /proc/1979/fd: Permission denied

find: /proc/1981/fd: Permission denied

find: /var/lib/slocate: Permission denied

find: /var/lib/nfs/statd: Permission denied

find: /var/lib/dav: Permission denied

find: /var/lib/mysql/mysql: Permission denied

find: /var/lib/mysql/test: Permission denied

find: /var/lib/pgsql: Permission denied

find: /var/log/httpd: Permission denied

find: /var/log/squid: Permission denied

find: /var/log/samba: Permission denied

find: /var/cache/mod_ssl: Permission denied

find: /var/cache/alchemist/printconf.rpm: Permission denied

find: /var/cache/alchemist/printconf.local: Permission denied

find: /var/run/sudo: Permission denied

find: /var/spool/at: Permission denied

find: /var/spool/clientmqueue: Permission denied

find: /var/spool/mqueue: Permission denied

find: /var/spool/cron: Permission denied

find: /var/spool/squid: Permission denied

find: /var/empty/sshd: Permission denied

find: /var/tux: Permission denied

find: /tmp/cgn5EpxN: Permission denied

find: /etc/sysconfig/pgsql: Permission denied

find: /etc/default: Permission denied

find: /etc/httpd/conf/ssl.crl: Permission denied

find: /etc/httpd/conf/ssl.crt: Permission denied

find: /etc/httpd/conf/ssl.csr: Permission denied

find: /etc/httpd/conf/ssl.key: Permission denied

find: /etc/httpd/conf/ssl.prm: Permission denied

find: /root: Permission denied

/usr/bin/chage

/usr/bin/gpasswd

/usr/bin/chfn

/usr/bin/chsh

/usr/bin/newgrp

/usr/bin/passwd

/usr/bin/at

/usr/bin/rcp

/usr/bin/rlogin

/usr/bin/rsh

/usr/bin/sudo

/usr/bin/crontab

/usr/bin/editor

/usr/bin/level5

/usr/bin/bof

/usr/libexec/openssh/ssh-keysign

/usr/sbin/ping6

/usr/sbin/traceroute6

/usr/sbin/usernetctl

/usr/sbin/userhelper

/usr/sbin/userisdnctl

/usr/sbin/traceroute

/usr/sbin/suexec

find: /usr/share/ssl/CA: Permission denied

/bin/ping

/bin/mount

/bin/umount

/bin/su

/bin/ExecuteMe

/bin/autodig

/bin/level7

find: /home/clear: Permission denied

find: /home/level10/program: Permission denied

/home/level11/attackme

/home/level12/attackme

/home/level13/attackme

/home/level14/attackme

/home/level15/attackme

/home/level16/attackme

/home/level17/attackme

/home/level18/attackme

/home/level19/attackme

/home/level20/attackme

find: /home/level5/tmp: Permission denied

find: /home/trainer1: Permission denied

find: /home/trainer10: Permission denied

find: /home/trainer2: Permission denied

find: /home/trainer3: Permission denied

find: /home/trainer4: Permission denied

find: /home/trainer5: Permission denied

find: /home/trainer6: Permission denied

find: /home/trainer7: Permission denied

find: /home/trainer8: Permission denied

find: /home/trainer9: Permission denied

/sbin/pam_timestamp_check

/sbin/pwdb_chkpwd

/sbin/unix_chkpwd


너무 많은 파일들이 떠서 level2에 접근하기 위한 파일을 찾을 수가 없다.

그래서 좀 더 옵션을 줘서 찾아보자


[level1@ftz level1]$ find / -perm -4000 -user level2 2> /dev/null

/bin/ExecuteMe


/bin/ExecuteMe라는 파일이 떴으니 이 파일을 실행시켜 보자



bin으로 이동한 후 ./ExecuteMe로 파일을 실행시키면 된다.


setuid를 통해 level2 의 권한으로 원하는 명령어를 실행시켜 줄 수 있다. 

my-pass와 chmod는 제외되므로 my-pass로 pw를 알아내거나, chmod로 권한 변경을 할 순 없다.

하지만 이때 쉘 명령어를 입력하면 level2의 권한으로 쉘을 실행시키게 되고,

level2의 /bin/bash 또는 /bin/sh 에 접근해서 my-pass를 실행시키는 방법이 있다.








[level2@ftz level2]$ my-pass


Level2 Password is "hacker or cracker".



'System > FTZ' 카테고리의 다른 글

[FTZ] level6  (0) 2017.09.08
[FTZ] level5  (1) 2017.09.08
[FTZ] level4  (0) 2017.09.08
[FTZ] level3  (1) 2017.09.06
[FTZ] level2  (0) 2017.09.06
댓글
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
«   2024/03   »
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31
글 보관함