[STS]Level 2 - Blowfish
  • chroniccommand
    Posts: 1,389
    So here is level 2 of my STS blowfish tutorials.

    Part 1
    So now you must SSH to the given box (level2@blowfish.smashthestack.org -p 2222). To do this, simply open up your terminal and type this command:
    ssh level2@blowfish.smashthestack.org -p 2222

    This will SSH to level2@blowfish.smashthestack.org on port 2222, which is where we must SSH to gain access to the given box. Now when you log in with the password from level 1, you get a banner like this:

    $ ssh level2@blowfish.smashthestack.org -p 2222

    1. Thou shalt NOT root or otherwise harm the box.
    2. Thou shalt NOT access any other network from this box.
    3. Thou shalt NOT use any other directory besides /tmp or /code for code.
    4. Thou shalt give the root pass to l3thal if you manage to change it.

    Passwords are in /pass.
    There is a README in each users home directory.
    /tmp && /var/tmp will be flushed daily by cron.
    Use /code plz for umm, code ;D
    IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
    The password for the last level will get you into
    Tux, the more advanced wargame. Join #blowfish on
    irc.smashthestack.org with any questions.

    Admins - l3thal && cr

    Forum: http://smashthestack.org/viewforum.php?id=10

    Last login: Thu Jan 28 21:41:34 2010 from 190.191.160.196

    There is a backdoor to the next level hidden somewhere on this system,
    find it, and get the pass for level3 from /pass/level3

    - http://smashthestack.org/viewtopic.php?id=436

    hint: `man find`

    So this is the message you get when you first log in. If you read it, you see there is a backdoor hidden in the system to gain access to read from "/pass/level3". For the record, all passwords are stored in a file at "/pass/level*", where the asterisk is the next level you must read from.
    TIP
    If you visit the blowfish.smashthestack.org page you can see the level pages people have been to and tagged themselves in. If you want to do this, simply cd to the public_html directory and type this command to append to index.html:
    echo 'Chroniccommand waz h3r3 bitch3z!1!' >> index.html

    This will print Chroniccommand waz h3r3 bitch3z!1! to index.html, adding your tag to the page.

    Now if you read the bottom part of the banner message, you see a hint, `man find`. Type this and see what comes up. It should be a manual to the "find" command. Read it and learn about the command, as you need it to find the backdoor in the system. So if we are looking for a backdoor, it must have root privileges (suid root). So we use the find command to look for executables with the suid flag on (4000). To do this try this command:
    find / -executable -perm -4000

    This will find all executables with the suid flag on. You should get this:

    /bin/su
    /bin/ping6
    /bin/mount
    /bin/umount
    /usr/bin/false
    /usr/bin/newgrp
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/chsh
    /usr/lib/openssh/ssh-keysign
    /usr/lib/pt_chown

    If you look at the list, you should see something there that should not have the suid flag on. Once you find it, execute it and you should get a stand-alone shell! It should look like this:

    Stand-alone shell (version 3.7)
    > id
    uid=1004(level2) gid=1004(level2) euid=1005(level3) groups=1004(level2)

    It has the version of the shell and a ">" where you type commands, and as you can see here I typed the "id" command (you could also use whoami) and it pops up with that output. Great, we have privileges to read from the next password file! Use the "cat" command to read "/pass/level3" and you've got it. Now to SSH to the next box and get ready for level 3!

    --Chroniccommand
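
The `find -perm -4000` sweep from the post, turned into a baseline audit that reports setuid files missing from an allowlist together with their owner (the owner is the identity the program runs as, which is why `id` above shows euid=1005(level3)). This is an added example, not part of the original post; the function names, the allowlist file and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report setuid files that are
# not on an allowlist, with their owner.

# audit_suid ROOT ALLOWLIST
#   ROOT      directory tree to scan (-xdev keeps it on one filesystem)
#   ALLOWLIST file with one expected setuid path per line
# Prints "OWNER MODE PATH" for each setuid regular file missing from ALLOWLIST.
# Assumes paths contain no newlines.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # -x whole line, -F fixed string: exact path match only
        if ! grep -qxF -- "$path" "$2"; then
            owner_mode=$(ls -ld -- "$path" | awk '{ print $3, $1 }')
            printf '%s %s\n' "$owner_mode" "$path"
        fi
    done
}

# Constructed sample tree: two setuid files and one ordinary file.
# Prints the directory it created. File names are hypothetical.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/bin"
    for f in su oddtool ls; do
        printf '#!/bin/sh\n' > "$dir/bin/$f"
        chmod 755 "$dir/bin/$f"
    done
    chmod u+s "$dir/bin/su" "$dir/bin/oddtool"
    printf '%s\n' "$dir/bin/su" > "$dir/allowlist"   # only su is expected
    printf '%s\n' "$dir"
}

# Demo: audit the sample tree, then clean up.
demo() {
    tree=$(make_sample_tree) || return 1
    audit_suid "$tree/bin" "$tree/allowlist"
    rm -rf "$tree"
}
demo
```

On a real host the allowlist would be the setuid set recorded from a known-good install, so any new line in the output is a file to investigate.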
  • Xin
    Posts: 3,251
    Great tutorial thanks again!
    Xin