Differences
This shows you the differences between two versions of the page.
|
isc:labs:04 [2023/10/30 12:59] florin.stancu [02. The old userswitcheroo] |
isc:labs:04 [2024/10/30 12:07] (current) radu.mantu [[25p] 04. Linux ACLs] |
||
|---|---|---|---|
| Line 149: | Line 149: | ||
| ==== 00. Setup ==== | ==== 00. Setup ==== | ||
| - | All tasks will be solved inside a Docker container (available on Docker Hub): | + | All tasks will be solved inside a Docker container (available on GHCR): |
| - | <code bash> | + | <code> |
| - | docker pull ropubisc/acl-lab # to update image | + | docker pull ghcr.io/cs-pub-ro/isc-acl-lab:latest |
| - | docker run --rm --name acl-lab -it ropubisc/acl-lab # to run the container | + | docker run --rm --name acl-lab -it ghcr.io/cs-pub-ro/isc-acl-lab |
| - | </code> | + | </code> |
| If you wish to open multiple terminals inside the same container, find the container's name and use ''docker exec'': | If you wish to open multiple terminals inside the same container, find the container's name and use ''docker exec'': | ||
| Line 168: | Line 168: | ||
| </note> | </note> | ||
| - | ==== 01. Security through obscurity ==== | + | ==== [25p] 01. Security through obscurity ==== |
| * Open the container. Try to read the files in ''/etc/secret/''. There is a ''flag'' in there... can you read it? | * Open the container. Try to read the files in ''/etc/secret/''. There is a ''flag'' in there... can you read it? | ||
| - | * Go to ''/usr/local/isc/''. There is a **very hidden** file made up of **numbers**! Can you try to guess it? | + | * Go to ''/usr/local/isc/''. There is a hidden directory containing a **very hidden** file (its name is a <color #FFF>.</color>number in the ''100-10000'' range). Can you try to guess it? |
| - | * Finally, run ''giff-me-flag'' (hint: no execute bit -- read next task ;) + it expects a secret ''argv[1]''!... can you //reverse engineer// it?). | + | * //Hint: all files are <color #FFF>.</color>hidden!// |
| + | * //Hint: you may want to filter the output a bit.. ''stderr'' redirection, maybe?// | ||
| + | * Finally, run ''giff-me-flag'' | ||
| + | * //Hint 1: no +x :| try to solve some other tasks to discover more credentials (you are allowed to use any account here ;)) // | ||
| + | * //Hint 2: it expects a secret in ''argv[1]''!... can you "reverse engineer" its ''strings''?.// | ||
| * Total: **3 flags**! | * Total: **3 flags**! | ||
| Line 190: | Line 194: | ||
| </solution> | </solution> | ||
| - | ==== 02. The old userswitcheroo ==== | + | ==== [25p] 02. The old userswitcheroo ==== |
| * Inside the container, you have many existing users! | * Inside the container, you have many existing users! | ||
| - | * One has the password ''hunter2''. The others have further instructions (text files) inside their home directories! | + | * The starter account (''mihai'') has the password ''hunter2''. The others have further instructions (text files) inside their home directories! |
| - | * Main objective: read the flag inside ''/home/.not_for_your_eyes'' by using the good ol' su* commands! | + | * Main objective: read the flag inside ''/home/.not_for_your_eyes'' by using the good ol' **u**ser <-> **s**witcher//o//o commands! |
| - | * Total: **1 flag**! | + | * //Hint: explore all homes & read the (possibly hidden!) files in there, your next step **is always** suggested in there!// |
| + | * //Note: ''sudo'', by default, tries to execute a command on behalf of the ''root'' account (this is forbidden here). Read its man page to see how you can specify another user! also check out ''%%--%%list'' option to see your permissions ;) // | ||
| + | * //Hint: you will need to do some unusual "path traversals" on that last binary to catch the final flag.// | ||
| + | * Total: **1 flag** (most difficult)! | ||
| <solution -hidden> | <solution -hidden> | ||
| Line 212: | Line 219: | ||
| </solution> | </solution> | ||
| - | ==== 03. Specials ==== | + | ==== [25p] 03. Specials ==== |
| * Go back as being the ''hacker''! | * Go back as being the ''hacker''! | ||
| * Retrieve the flag from ''t4l3nt'''s home directory! | * Retrieve the flag from ''t4l3nt'''s home directory! | ||
| - | * //Hint: use your mad Python skillz :P// | + | * //Hint: You have t3h source code! // |
| + | * //Hint: Py code injection: try to simulate the resulting value of ''expr'' (on a notepad)!// | ||
| * Total: **1 flag**! | * Total: **1 flag**! | ||
| Line 227: | Line 235: | ||
| </solution> | </solution> | ||
| - | ==== 04. Linux ACLs ==== | + | ==== [25p] 04. Linux ACLs ==== |
| * Enter as ''student'' (inside the container, ofc!); guess the password! | * Enter as ''student'' (inside the container, ofc!); guess the password! | ||
| - | * Run ''copy-t3h-fl4gz'' -- it's not working properly.. fix the permissions (//no source core? you should have no problems with it :P//)! | + | * Run ''copy-t3h-fl4gz'' -- it's not working properly.. fix the permissions (//no source code? you should have no problems with it :P//)! |
| + | * //Hint: "reverse engineer" it, again!// | ||
| * Total: **2 flags**! | * Total: **2 flags**! | ||
| + | |||
| + | <note tip> | ||
| + | In absence of [[https://github.com/pwndbg/pwndbg|pwndbg]] use vanilla **gdb** with one of its built-in layouts: | ||
| + | <code> | ||
| + | (gdb) layout asm | ||
| + | </code> | ||
| + | </note> | ||
| <solution -hidden> | <solution -hidden> | ||
