Friday, June 12, 2015

Nebula Exploit Exercise Level 00 Walkthrough

Intro

So this is more of a reminder post to myself to track my progress through this thing, but I thought I might as well do a post seeing as there are already about 6 other solutions out there and the authors don't seem to mind walkthroughs too much.

That being said, this is level 00. If your getting stuck on this, you should seriously try harder before you look at the solution. If you want to check your work however and think you have the solution, feel free to read on :)

The Problem

For Nebula's level 00 exercise, we are tasked with finding a setuid program that will run as the flag00 user. We are also given the hint that reading the manual page for the find command may help us find where this file is located.

So my first approach to this was to look up the manual page for the find command. However the manual page for the find command contains many different options and switches. Lets try grep out anything mentioning setuid or something along those lines shall we?

Solving the Problem

First we log in with the username level00 and the password level00. Following this we issue the following command:
man find | grep -i suid
      \( -perm -4000 -fprintf /root/suid.txt %#m %u %p\n \) , \
       into /root/suid.txt and large files into /root/big.txt. 
We see that we can could run find / -perm -4000 to find all of the files with the setuid bit set from the root directory downwards. But why is this the case? If we look up setuid within Wikipedia we get the following information:
The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. "chmod 6711 file" will set both the setuid and setgid bits (2+4=6) (Wikipedia, 2015, June 12 2015, https://en.wikipedia.org/wiki/Setuid)
Thus from this we can see that within the UNIX privilege management system, the first number (the 6 in chmod 6711) denotes if the file has setuid or setgid permissions or not. Thus by searching for files via find / -perm -4000 we are effectively searching for all of the files which have the setuid bit set. However this could return quite a few files, so lets pipe the output to a file and then cat the result.
level00@nebula:~$ find / -perm -4000 > /tmp/results.txt
level00@nebula:~$ cat /tmp/results.txt
/bin/.../flag00
/bin/fusermount
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/sbin/mount.ecryptfs_private
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
Ah, there we go :) We see that there is a file /bin/.../flag00 which seems to hold the suid flag that we need to complete this level. Lets check:
level00@nebula:~$ ls -alh /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7.2K 2011-11-20 21:22 /bin/.../flag00
That looks like the one :) And if we execute it and then run getflag, we will see we have completed the challenge:
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account