티스토리 뷰
id = level1 pw = level1
level1 문제의 파일들과 권한을 보면 hint 라는 파일이 있다.
hint가 있을 것 같다.
hint파일을 실행시켜 보면 level2 권한에 setuid가 걸린 파일을 찾는다. 라고 써있다.
find 명령어를 통해 찾아보자
[level1@ftz level1]$ find / -perm -4000
find: /lost+found: Permission denied
find: /boot/lost+found: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/9/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/7/fd: Permission denied
find: /proc/8/fd: Permission denied
find: /proc/10/fd: Permission denied
find: /proc/11/fd: Permission denied
find: /proc/19/fd: Permission denied
find: /proc/77/fd: Permission denied
find: /proc/1165/fd: Permission denied
find: /proc/1474/fd: Permission denied
find: /proc/1530/fd: Permission denied
find: /proc/1534/fd: Permission denied
find: /proc/1552/fd: Permission denied
find: /proc/1571/fd: Permission denied
find: /proc/1638/fd: Permission denied
find: /proc/1675/fd: Permission denied
find: /proc/1709/fd: Permission denied
find: /proc/1718/fd: Permission denied
find: /proc/1728/fd: Permission denied
find: /proc/1737/fd: Permission denied
find: /proc/1746/fd: Permission denied
find: /proc/1788/fd: Permission denied
find: /proc/1789/fd: Permission denied
find: /proc/1798/fd: Permission denied
find: /proc/.1819/fd: Permission denied
find: /proc/.1820/fd: Permission denied
find: /proc/.1821/fd: Permission denied
find: /proc/.1822/fd: Permission denied
find: /proc/1828/fd: Permission denied
find: /proc/.1829/fd: Permission denied
find: /proc/.1830/fd: Permission denied
find: /proc/.1831/fd: Permission denied
find: /proc/.1832/fd: Permission denied
find: /proc/1877/fd: Permission denied
find: /proc/1878/fd: Permission denied
find: /proc/1879/fd: Permission denied
find: /proc/1880/fd: Permission denied
find: /proc/1881/fd: Permission denied
find: /proc/1882/fd: Permission denied
find: /proc/1883/fd: Permission denied
find: /proc/1884/fd: Permission denied
find: /proc/1979/fd: Permission denied
find: /proc/1981/fd: Permission denied
find: /var/lib/slocate: Permission denied
find: /var/lib/nfs/statd: Permission denied
find: /var/lib/dav: Permission denied
find: /var/lib/mysql/mysql: Permission denied
find: /var/lib/mysql/test: Permission denied
find: /var/lib/pgsql: Permission denied
find: /var/log/httpd: Permission denied
find: /var/log/squid: Permission denied
find: /var/log/samba: Permission denied
find: /var/cache/mod_ssl: Permission denied
find: /var/cache/alchemist/printconf.rpm: Permission denied
find: /var/cache/alchemist/printconf.local: Permission denied
find: /var/run/sudo: Permission denied
find: /var/spool/at: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/mqueue: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/squid: Permission denied
find: /var/empty/sshd: Permission denied
find: /var/tux: Permission denied
find: /tmp/cgn5EpxN: Permission denied
find: /etc/sysconfig/pgsql: Permission denied
find: /etc/default: Permission denied
find: /etc/httpd/conf/ssl.crl: Permission denied
find: /etc/httpd/conf/ssl.crt: Permission denied
find: /etc/httpd/conf/ssl.csr: Permission denied
find: /etc/httpd/conf/ssl.key: Permission denied
find: /etc/httpd/conf/ssl.prm: Permission denied
find: /root: Permission denied
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/at
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/editor
/usr/bin/level5
/usr/bin/bof
/usr/libexec/openssh/ssh-keysign
/usr/sbin/ping6
/usr/sbin/traceroute6
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/traceroute
/usr/sbin/suexec
find: /usr/share/ssl/CA: Permission denied
/bin/ping
/bin/mount
/bin/umount
/bin/su
/bin/ExecuteMe
/bin/autodig
/bin/level7
find: /home/clear: Permission denied
find: /home/level10/program: Permission denied
/home/level11/attackme
/home/level12/attackme
/home/level13/attackme
/home/level14/attackme
/home/level15/attackme
/home/level16/attackme
/home/level17/attackme
/home/level18/attackme
/home/level19/attackme
/home/level20/attackme
find: /home/level5/tmp: Permission denied
find: /home/trainer1: Permission denied
find: /home/trainer10: Permission denied
find: /home/trainer2: Permission denied
find: /home/trainer3: Permission denied
find: /home/trainer4: Permission denied
find: /home/trainer5: Permission denied
find: /home/trainer6: Permission denied
find: /home/trainer7: Permission denied
find: /home/trainer8: Permission denied
find: /home/trainer9: Permission denied
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
너무 많은 파일들이 떠서 level2에 접근하기 위한 파일을 찾을 수가 없다.
그래서 좀 더 옵션을 줘서 찾아보자
[level1@ftz level1]$ find / -perm -4000 -user level2 2> /dev/null
/bin/ExecuteMe
/bin/ExecuteMe라는 파일이 떴으니 이 파일을 실행시켜 보자
bin으로 이동한 후 ./ExecuteMe로 파일을 실행시키면 된다.
setuid를 통해 level2 의 권한으로 원하는 명령어를 실행시켜 줄 수 있다.
my-pass와 chmod는 제외되므로 my-pass로 pw를 알아내거나, chmod로 권한 변경을 할 순 없다.
하지만 이때 쉘 명령어를 입력하면 level2의 권한으로 쉘을 실행시키게 되고,
level2의 /bin/bash 또는 /bin/sh 에 접근해서 my-pass를 실행시키는 방법이 있다.
[level2@ftz level2]$ my-pass
Level2 Password is "hacker or cracker".
'System > FTZ' 카테고리의 다른 글
| [FTZ] level6 (0) | 2017.09.08 |
|---|---|
| [FTZ] level5 (1) | 2017.09.08 |
| [FTZ] level4 (0) | 2017.09.08 |
| [FTZ] level3 (1) | 2017.09.06 |
| [FTZ] level2 (0) | 2017.09.06 |
- Total
- Today
- Yesterday
- 자바
- ftz
- my-pass
- java
- ubuntu
- wargame
- wargame.kr
- pwnable
- BOF
- cobolt
- Python
- attackme
- pwnable.kr
- 명령어
- 웹해킹
- MySQL
- WebHacking
- 0xdeadbeef
- lob
- Los
- 1번
- lord of sqlinjection
- webhacking.kr
- C
- 워게임
- 우분투
- c언어
- 설치
- Lord of SQL Injection
- 파이썬
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 |