Welcome back to another post, another level. Today we’re going to be solving level2 of the Blowfish wargame from Smash The Stack. As usual, the final password for level3 will be stripped out and replaced with Y’s. Also, I assume you already have access to level2 on Blowfish. Now let’s get started.
As the end of level1 stated, level2 is accessed via ssh on port 2222 for blowfish.smashthestack.org, so let’s log in. Upon login, a quick directory listing shows a README, so let’s check that for direction.
sh-3.2$ ls
public_html README
sh-3.2$ more README
There is a backdoor to the next level hidden somewhere on this system, find it, and get the pass for level3 from /pass/level3
– http://smashthestack.org/viewtopic.php?id=436
hint: `man find`
Alright, it looks like we’re looking for a hidden backdoor, and maybe this is the big point of the level. What we need to look for is a program that runs as user level3 even when we execute it, and that we are allowed to execute because its group is level2. To do this, we will use the Linux “find” command, restricting the search to files owned by level3 with group level2 and discarding permission errors. Our command and results are as follows:
sh-3.2$ find / -group level2 -user level3 2>/dev/null
/var/tmp/level4.c.swp
/var/tmp/level3.swp
/var/tmp/core.9788
/var/tmp/level3.swo
/var/tmp/.svz
/var/tmp/hossam.swp
/var/tmp/testme
/var/tmp/.svy
/var/tmp/apple
/var/tmp/jnk.txt.swp
/var/tmp/fdsa
/usr/bin/false
Now, judging by the banner we got when logging in, we can assume that all those files in /var/tmp aren’t part of the game; they’re just left over from previous users. So let’s look at /usr/bin/false.
sh-3.2$ ls -la /usr/bin/false
-r-sr-x--- 1 level3 level2 607288 2007-12-02 17:13 /usr/bin/false
Looking at the permissions, we can see the “s” in the owner’s execute position, which means the setuid bit is set: the program runs with the permissions of the file’s owner rather than those of the user who ran it. Additionally, the group permission column shows that the group (level2) has execute permission, while others have none. This is just what we were looking for: a program owned by level3, setuid so it runs as level3, and with group level2 allowed to execute it! So let’s run it and see what happens:
sh-3.2$ /usr/bin/false
Stand-alone shell (version 3.7)
> whoami
level3
> more /pass/level3
YYYYYYYYYYYYY
There we have it, done with level2! The point of the level was obviously searching: using the find command to locate files which you can execute and which can be used to gain higher privileges, whether through their legitimate function or through abuse. Finding programs like this is often the first step in looking for vulnerabilities, since one of the main goals in exploiting a vulnerability is usually escalation of privileges.
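The same search is worth running from the other side of the fence. As an added example that is not part of the original post, here is a small POSIX sh audit helper that generalizes the find command above: it lists every setuid file under a directory tree and separately flags those that a group member or anyone else can execute, the exact shape /usr/bin/false had here. The function names, the exit-status convention and the sample tree used for testing are my own assumptions; it relies only on find options common to GNU and BSD find.

```shell
#!/bin/sh
# Added audit helper (not from the original post): enumerate setuid files the
# way the wargame's find command did, but as a hardening check. Function
# names and the sample tree used for testing are assumptions.

# All regular files with the setuid bit (mode 4000) under $1, sorted.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Setuid files that group members or others may execute, i.e. the files that
# let a non-owner run code as the owner (what /usr/bin/false was for level2).
# -perm -g=x / -perm -o=x test the group / other execute bits.
exposed_setuid() {
    find "$1" -xdev -type f -perm -4000 \( -perm -g=x -o -perm -o=x \) \
        -print 2>/dev/null | sort
}

# Review report: mode, owner, group and path of each exposed setuid file.
# Returns non-zero when anything was found, so a cron job or CI step can
# alert on new setuid binaries appearing on a host.
report_exposed() {
    exposed_setuid "$1" | while IFS= read -r path; do
        ls -ld -- "$path"
    done
    [ -z "$(exposed_setuid "$1")" ]
}

# Run as a script: `sh audit.sh /usr` audits that tree. With no argument
# nothing runs, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    report_exposed "$1"
fi
```

On the wargame host, `report_exposed /usr` would have listed /usr/bin/false with its 4550 mode, which is the line a reviewer would want to explain or remove.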
That wraps it up here for Blowfish Level2. Check back often for more postings and wargame analysis.