This shows you the differences between two versions of the page.
isc:labs:04 [2024/03/22 15:54] florin.stancu removed |
isc:labs:04 [2024/10/30 12:07] (current) radu.mantu [[25p] 04. Linux ACLs] |
||
---|---|---|---|
Line 149: | Line 149: | ||
==== 00. Setup ==== | ==== 00. Setup ==== | ||
- | All tasks will be solved inside a Docker container (available on Docker Hub): | + | All tasks will be solved inside a Docker container (available on GHCR): |
- | <code bash> | + | <code> |
- | docker pull ropubisc/acl-lab # to update image | + | docker pull ghcr.io/cs-pub-ro/isc-acl-lab:latest |
- | docker run --rm --name acl-lab -it ropubisc/acl-lab # to run the container | + | docker run --rm --name acl-lab -it ghcr.io/cs-pub-ro/isc-acl-lab |
- | </code> | + | </code> |
If you wish to open multiple terminals inside the same container, find the container's name and use ''docker exec'': | If you wish to open multiple terminals inside the same container, find the container's name and use ''docker exec'': | ||
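Review bot: In the new code block the pull line names ''ghcr.io/cs-pub-ro/isc-acl-lab:latest'' while the run line names the image with no tag, and both trailing comments (''# to update image'', ''# to run the container'') were dropped together with the ''bash'' highlighting. Put the same explicit tag on both lines so it is obvious that students run the image they just pulled. Keep the two comments, since they tell the reader that the pull is only there to refresh the image.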
Line 171: | Line 171: | ||
* Open the container. Try to read the files in ''/etc/secret/''. There is a ''flag'' in there... can you read it? | * Open the container. Try to read the files in ''/etc/secret/''. There is a ''flag'' in there... can you read it? | ||
- | * Go to ''/usr/local/isc/''. There is a **very hidden** file made up of **numbers**! Can you try to guess it? | + | * Go to ''/usr/local/isc/''. There is a hidden directory containing a **very hidden** file (its name is a <color #FFF>.</color>number in the ''100-10000'' range). Can you try to guess it? |
+ | * //Hint: all files are <color #FFF>.</color>hidden!// | ||
* //Hint: you may want to filter the output a bit.. ''stderr'' redirection, maybe?// | * //Hint: you may want to filter the output a bit.. ''stderr'' redirection, maybe?// | ||
* Finally, run ''giff-me-flag'' | * Finally, run ''giff-me-flag'' | ||
- | * //Hint 1: no execute bit -- read the other tasks, you are allowed to use any existing accounts ;) // | + | * //Hint 1: no +x :| try to solve some other tasks to discover more credentials (you are allowed to use any account here ;)) // |
* //Hint 2: it expects a secret in ''argv[1]''!... can you "reverse engineer" its ''strings''?.// | * //Hint 2: it expects a secret in ''argv[1]''!... can you "reverse engineer" its ''strings''?.// | ||
* Total: **3 flags**! | * Total: **3 flags**! | ||
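Review bot: The rewritten ''/usr/local/isc/'' bullet and the added hint hide the leading dot with ''<color #FFF>.</color>'', which only works on a white background. The dot is visible in dark themes, in the page source, in this diff view and to anyone who selects the text. Either state plainly that the names start with a dot or drop the hidden character. The bullet should also say whether the ''100-10000'' range is inclusive, and Hint 1 would be clearer if it kept the words "execute bit" next to ''+x''.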
Line 196: | Line 197: | ||
* Inside the container, you have many existing users! | * Inside the container, you have many existing users! | ||
- | * One has the password ''hunter2''. The others have further instructions (text files) inside their home directories! | + | * The starter account (''mihai'') has the password ''hunter2''. The others have further instructions (text files) inside their home directories! |
- | * Main objective: read the flag inside ''/home/.not_for_your_eyes'' by using the good ol' su* commands! | + | * Main objective: read the flag inside ''/home/.not_for_your_eyes'' by using the good ol' **u**ser <-> **s**witcher//o//o commands! |
- | * //Hint: yeeep, just listen to the ''.txt''s and search through ''sudo'''s manual pages, you can't become root no matter how hard you try!// | + | * //Hint: explore all homes & read the (possibly hidden!) files in there, your next step **is always** suggested in there!// |
- | * //Hint: you may need to do some unusual "path traversals"// | + | * //Note: ''sudo'', by default, tries to execute a command on behalf of the ''root'' account (this is forbidden here). Read its man page to see how you can specify another user! also check out ''%%--%%list'' option to see your permissions ;) // |
- | * Total: **1 flag**! | + | * //Hint: you will need to do some unusual "path traversals" on that last binary to catch the final flag.// |
+ | * Total: **1 flag** (most difficult)! | ||
<solution -hidden> | <solution -hidden> | ||
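Review bot: The main objective line replaces "su* commands" with "**u**ser <-> **s**witcher//o//o", which no longer names anything a student can look up in a man page. Name ''su'' and ''sudo'' directly, since the added Note below already mentions ''sudo'' by name. In that Note, start "also check out" as its own sentence and write "the ''%%--%%list'' option". The last hint refers to "that last binary", which none of the visible bullets introduce; name it or say at which step the student meets it.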
Line 221: | Line 223: | ||
* Go back as being the ''hacker''! | * Go back as being the ''hacker''! | ||
* Retrieve the flag from ''t4l3nt'''s home directory! | * Retrieve the flag from ''t4l3nt'''s home directory! | ||
- | * //Hint: use your mad Python skillz :P// | + | * //Hint: You have t3h source code! // |
- | * //Hint: code injection! try to simulate the resulting value of ''expr'' (on a notepad)!// | + | * //Hint: Py code injection: try to simulate the resulting value of ''expr'' (on a notepad)!// |
* Total: **1 flag**! | * Total: **1 flag**! | ||
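Review bot: The replaced first hint ("You have t3h source code!") does not say which file's source is meant, and the word "Python" now survives only as the abbreviation "Py" in the second hint. Name the script the student is expected to read and spell out "Python" once, so the two hints read as steps: read the source, then work out what ''expr'' evaluates to.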
Line 236: | Line 238: | ||
* Enter as ''student'' (inside the container, ofc!); guess the password! | * Enter as ''student'' (inside the container, ofc!); guess the password! | ||
- | * Run ''copy-t3h-fl4gz'' -- it's not working properly.. fix the permissions (//no source core? you should have no problems with it :P//)! | + | * Run ''copy-t3h-fl4gz'' -- it's not working properly.. fix the permissions (//no source code? you should have no problems with it :P//)! |
* //Hint: "reverse engineer" it, again!// | * //Hint: "reverse engineer" it, again!// | ||
* Total: **2 flags**! | * Total: **2 flags**! | ||
+ | |||
+ | <note tip> | ||
+ | In absence of [[https://github.com/pwndbg/pwndbg|pwndbg]] use vanilla **gdb** with one of its built-in layouts: | ||
+ | <code> | ||
+ | (gdb) layout asm | ||
+ | </code> | ||
+ | </note> | ||
<solution -hidden> | <solution -hidden> | ||
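Review bot: The new ''<note tip>'' is placed after "Total: **2 flags**!" and just before the hidden solution, detached from the "reverse engineer" hint it supports; move it directly under that hint. On wording, use "In the absence of" rather than "In absence of", and say that ''layout asm'' is typed at the gdb prompt once ''copy-t3h-fl4gz'' is loaded, so the tip is usable by someone who has not used gdb before.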
Line 254: | Line 263: | ||
</code> | </code> | ||
</solution> | </solution> | ||
- | |||