COMP4108 — Fall 2012

Computer Systems Security

As mentioned on the General Page, you will be completing this assignment from within a virtual environment provided to you. For each question, include both your answer and the process by which you determined it, i.e. the exact commands you ran and the output those commands produced. Also include any code you wrote or scripts you edited.

Hint:
Familiarize yourself with the history command. You can use it to refresh your memory on commands you may have entered.
You may prefer to use the script command, which records input and output to a file automatically. See man script for more information.

Consult the manual pages for the commands mentioned in the questions to learn more (e.g. man find to read the manual page for the find command). If you receive permission denied errors when using chmod, chown, chgrp, find or setfacl, you may prefix the command with sudo to run it as root, e.g. sudo chown aUser aDirectory.

You have been granted sudo rights only for these commands!

If you are not familiar with basic UNIX/Linux commands and operating from the bash shell you may wish to read some of the UNIX tutorial for Beginners. Your textbook also provides high-level details on many of the subjects in this assignment. When all else fails, please contact the TA.

  1. 1 Mark What is your user id (UID)? How did you determine this?
  2. 1 Mark Note! This question will not be marked, as some users are seeing a "cannot find name for group" message. My apologies.
    What is your primary group name, and the corresponding group id (GID)?
  3. 0.5 Marks What is the filesystem path of the Linux group file?
  4. 1 Mark What are the permissions of the Linux group file? Give the permissions both as an 'rwx' string and in the numeric octal representation. You will need to use the ls command as well as the stat command.
  5. 0.5 Marks What is the GID of the root group?
  6. 0.5 Marks What is the GID of the shadow group?
  7. 4 Marks Write a bash function to convert a GID to a group name using the Linux group file. Submit both the function definition and 5 invocations.
    Use the following skeleton as a starting point:

    gidSearch() { ...; }
    

    Replace ... with the commands you require to find the group name for the ID. In your commands you can use the $1 token to represent the GID passed to the function as an argument, i.e. a function defined as gidSearch() { echo $1; } would output 100 when run as gidSearch 100.
    A correct solution will produce output similar to these example invocations:

    comp4108@node00:$ gidSearch 100
    users
    
    comp4108@node00:$ gidSearch 45
    sasl
    
    Hint 1:
    Consider reading a quick tutorial on bash functions.
    Hint 2:
    You will likely want to use a combination of cat, grep, and cut piped together. Read the man page for each. There are many possible solutions!
  8. 2 Marks (total) Give the commands that list ALL directories and sub-directories in /A1/Haystack with the following properties (also include the resulting lists):
    1. 0.5 Marks Are owned by the user comp4108
    2. 0.5 Marks Have group ownership root
    3. 0.5 Marks Are owned by the user sshd
    4. 0.5 Marks Have permissions equal to 777

    Hint:
    Use the find command!
  9. 1 Mark Write a command to change all the directories with permissions 777 in /A1/Haystack to have permissions 750 instead.

    Hint:
    Combine your answer to Question 8, Part D with find's -exec argument and the chmod command. You may need to prefix your find command with sudo to run it with root permissions (since you are changing permissions on directories you don't own).
  10. 2 Marks (total) In your home directory create the following directory structure using mkdir:

       top
       |--- middle
       |    |-- bottom
       |
       |--- middle_two
       |    |-- bottom_two
       |        |-- end_of_line
       |
       |--- middle_three
    


    1. 0.5 Marks Change the permissions of bottom and bottom_two to 664
    2. 0.5 Marks Create an empty file foo.txt in middle_three with execute permission for user and group
    3. 0.5 Marks Change the ownership of top to root using the sudo and chown command
    4. 0.5 Marks Change the group of top to www-data using sudo and the chgrp command.

    Hint:
    You can save time creating the directory structure using mkdir's -p flag.
    You can quickly verify your directory structure using tree top.
  11. 2 Marks (total)
    1. 1 Mark Find all the binary files in /usr/bin with the setuid bit set.
    2. 1 Mark Using one of the binaries you found as an example, describe why it has the setuid bit enabled and what the setuid bit accomplishes.
    Hint:
    Again, use the find command for part a.
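Questions 4 and 11 both come down to reading permission bits: the rwx string that ls -l prints and the octal number that stat prints are two renderings of the same st_mode value, and the setuid bit has no column of its own but appears as an 's' in the user execute position (an upper-case 'S' when the execute bit underneath it is clear). The C program below is an added example, not course material and not something shipped on the VM; it converts between the two forms in both directions, handles the setuid, setgid and sticky bits, and prints both forms for any paths given on the command line. All function names are this example's own.

```c
/* Permission bits the two ways ls -l and stat show them (added example). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

static const mode_t PERM_BITS[9] = {
    S_IRUSR, S_IWUSR, S_IXUSR,   /* user  */
    S_IRGRP, S_IWGRP, S_IXGRP,   /* group */
    S_IROTH, S_IWOTH, S_IXOTH    /* other */
};

/* Render st_mode as the 10-character string ls -l prints: a type character,
 * then three rwx triplets. setuid/setgid/sticky replace the execute character
 * of the user/group/other triplet as s/S, s/S and t/T (lower case when the
 * execute bit is also set). out must hold 11 bytes. */
void mode_to_rwx(mode_t mode, char out[11])
{
    out[0] = S_ISDIR(mode) ? 'd' : S_ISLNK(mode) ? 'l' : S_ISREG(mode) ? '-' : '?';
    for (int i = 0; i < 9; i++)
        out[i + 1] = (mode & PERM_BITS[i]) ? "rwx"[i % 3] : '-';
    if (mode & S_ISUID) out[3] = (mode & S_IXUSR) ? 's' : 'S';
    if (mode & S_ISGID) out[6] = (mode & S_IXGRP) ? 's' : 'S';
    if (mode & S_ISVTX) out[9] = (mode & S_IXOTH) ? 't' : 'T';
    out[10] = '\0';
}

/* The numeric form stat -c %a prints: four octal digits, the leading one
 * holding setuid (4), setgid (2) and sticky (1). Print it with %04o. */
unsigned mode_to_octal(mode_t mode)
{
    return (unsigned)(mode & 07777);
}

/* 1 if rendering mode gives exactly expected (e.g. "-rwsr-xr-x"), else 0. */
int rwx_matches(mode_t mode, const char *expected)
{
    char buf[11];
    mode_to_rwx(mode, buf);
    return strcmp(buf, expected) == 0;
}

/* Inverse: parse "rwsr-xr-x" (or the 10-character ls -l form) back into
 * permission bits, so "rwsr-xr-x" yields 04755. Returns (mode_t)-1 on bad input. */
mode_t rwx_to_mode(const char *s)
{
    size_t len = strlen(s);
    if (len == 10)
        s++;                              /* skip the leading type character */
    else if (len != 9)
        return (mode_t)-1;
    mode_t mode = 0;
    for (int i = 0; i < 9; i++) {
        char c = s[i];
        if (c == '-')
            continue;
        if (c == "rwx"[i % 3]) {
            mode |= PERM_BITS[i];
            continue;
        }
        if (i % 3 != 2)                   /* only execute columns carry specials */
            return (mode_t)-1;
        mode_t special = (i == 2) ? S_ISUID : (i == 5) ? S_ISGID : S_ISVTX;
        char lower = (i == 8) ? 't' : 's';
        if (c == lower)
            mode |= special | PERM_BITS[i];   /* s/t: special bit plus execute */
        else if (c == lower - ('a' - 'A'))
            mode |= special;                  /* S/T: special bit, no execute */
        else
            return (mode_t)-1;
    }
    return mode;
}

/* Stand-alone use: show both forms for each path on the command line. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        struct stat st;
        char rwx[11];
        if (stat(argv[i], &st) != 0) { perror(argv[i]); continue; }
        mode_to_rwx(st.st_mode, rwx);
        printf("%s %04o %s%s\n", rwx, mode_to_octal(st.st_mode), argv[i],
               (st.st_mode & S_ISUID) ? "  (setuid)" : "");
    }
    return 0;
}
```

Compile with cc -o modes modes.c and run ./modes /etc/group /usr/bin/passwd to compare its output with ls -l and stat -c '%A %a'. The parser deliberately rejects a special-bit letter outside an execute column, which is the one place the rwx notation is ambiguous to read by eye.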

For Part B you will need to use getfacl, setfacl, chmod, usermod and find to manipulate the access control lists for a directory structure. Use sudo as required if you encounter permission denied errors. Consult man pages for commands to complete each question.


In /A1/Gotham you will find a directory tree as follows:

Gotham
|
|-- Arkham
|
|-- GothamPD
|
'-- WayneManor
    |
    |-- Batcave
    |
    '-- MasterBedroom


  1. 0.5 Marks Give the ACL for the top level Gotham directory.
  2. 1 Mark Use chmod to add rx permissions to ALL directories and sub-directories in Gotham for the other category.

    Hint:
    Use the recursive flag of chmod.
  3. 1 Mark Use setfacl to add read and write permissions to Gotham, Arkham and GothamPD for the user jgordon
  4. 1 Mark Use setfacl to add read, write, and execute permissions to WayneManor, Batcave and MasterBedroom for the user bwayne.
  5. 1 Mark Use setfacl to remove the ACL entries on Arkham for the users skyle and ocobblepot.
  6. 2 Marks Give the ACL for all subdirectories of Gotham.

    Hint:
    Use find's -exec argument and the getfacl command.

In this part of the assignment you will learn to exploit a classic time of check versus time of use (ToCToU) vulnerability in order to gain root access on your VM. You should prepare for this part of the assignment by reading the general description of this class of vulnerability from your textbook (Chapter 3, Section 3.4.6).


  1. In /A1/Racing/Slow you will find a vulnerable application called vuln_slow. To ease you into exploiting a ToCToU race condition, this example vulnerable application has been written to accept two arguments: a delay in seconds and a message to write to a debug file. vuln_slow checks the permissions on its debug file, sleeps for the provided number of seconds, and then writes to the debug file. A real vulnerable program would not let you choose how long it sleeps between time of check and time of use! The delay is there so that you can exploit the binary reliably using manually entered commands.

    In the /A1/Racing/Slow directory you will also find a file named root_file that is owned by root and has no write permissions for any other users. Your objective is to exploit vuln_slow into writing a message you provide into root_file.

    In order to do this you will need to:
    1. Use the strace command to learn the location of the debug file to which vuln_slow writes the message you provide.
    2. Invoke vuln_slow with a test message and a large delay; 30 to 60 seconds is recommended.
    3. While vuln_slow is sleeping, you must delete the debug file it checked and replace it with a symbolic link to root_file using the ln command.

    Provided you've followed all three steps successfully, and timed the commands right inside the sleep window, you should find your message appended to the end of root_file. Remember: Timing is everything! Use a larger sleep time and be prepared to enter the correct commands quickly, and without error.

    5 Marks Describe the exploitation process in detail, including the commands invoked and a log of successfully adding a message to root_file. Include an explanation of why the attack works (hint: this should include a reference to setuid).
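The check-sleep-use sequence described above is the whole vulnerability: the permission check and the later write each resolve the path on their own, so a symbolic link planted between the two redirects the write. The C below is an added example, not the source of the course's vuln_slow (which is not on this page); it puts that shape next to the fix a defender would make: open the file first, refusing to follow a symlink, and then inspect the open descriptor with fstat rather than re-checking the path, so that check and use refer to the same file. The demo() function builds its own scratch files and a pre-placed symlink (constructed inputs) and runs both versions against them; nothing here is setuid, so the "successful" write only ever lands in the demo's own stand-in for root_file. Function names are this example's own.

```c
/* ToCToU check-then-use gap next to one way of closing it (added example). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: a separate check, then the use. access() and fopen()
 * each resolve the path independently; if the file is swapped for a symlink
 * in between, the write lands wherever the link points. Run setuid root,
 * that is any file on the system. Returns 0 on success, -1 on failure. */
int vulnerable_append(const char *path, const char *msg)
{
    if (access(path, W_OK) != 0)         /* time of check */
        return -1;
    /* ... other work; vuln_slow sleeps for the requested seconds here ... */
    FILE *f = fopen(path, "a");          /* time of use: path resolved again */
    if (f == NULL)
        return -1;
    fputs(msg, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: open without following symlinks, then check the
 * descriptor you hold. expected_owner is the uid the debug file must belong
 * to. Returns 0 on success, -1 if the open or any check fails. */
int hardened_append(const char *path, const char *msg, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* a symlink at path fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0
        || !S_ISREG(st.st_mode)          /* plain file only */
        || st.st_nlink != 1              /* not a hard link to something else */
        || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return (n >= 0 && (size_t)n == strlen(msg)) ? 0 : -1;
}

/* 1 if the file at path contains needle, else 0 (also 0 if unreadable). */
static int file_contains(const char *path, const char *needle)
{
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Constructed scenario in a scratch directory: a stand-in for root_file and
 * a "debug file" path already replaced by a symlink to it. Returns a bit mask:
 *   bit 0: vulnerable_append followed the symlink into the target
 *   bit 1: hardened_append refused the symlink but accepted the real file
 * so 3 means both behaviours were observed; -1 means setup failed. */
int demo(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[128], link[128];
    snprintf(target, sizeof target, "%s/root_file", dir);
    snprintf(link, sizeof link, "%s/debug.log", dir);
    FILE *f = fopen(target, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    if (symlink(target, link) != 0)      /* the swap, already done */
        return -1;

    int result = 0;
    if (vulnerable_append(link, "written via symlink\n") == 0
        && file_contains(target, "via symlink"))
        result |= 1;
    if (hardened_append(link, "blocked\n", getuid()) != 0
        && !file_contains(target, "blocked")
        && hardened_append(target, "direct write\n", getuid()) == 0
        && file_contains(target, "direct write"))
        result |= 2;

    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("vulnerable_append followed the symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened_append refused it, wrote the real file: %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The ownership and link-count checks matter as much as O_NOFOLLOW: a hard link to a root-owned file at the debug path would pass O_NOFOLLOW, and fstat on the descriptor is what catches it. Compare this with what strace shows for vuln_slow, where the check and the write are separate system calls on the same path.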

  2. Now that you've successfully exploited a toy race condition vulnerability it's time to step up the challenge. In /A1/Racing/Fast you will find the same vulnerable program (this time named vuln_fast) modified to no longer accept a sleep time argument. This program uses the same debug file location you found in Part A, Step 1 (you can verify this again using strace if you want).

    Since the vulnerability in this program no longer occurs after a configurable sleep, you will only be able to exploit it probabilistically, by automated means. To aid you in this task you have been provided with two skeleton bash scripts to modify: vuln.sh and exploit.sh.

    The first script, vuln.sh, removes the debug file (to clean up from any old exploit attempts) and runs the vulnerable program in a tight loop with a high nice value (to increase your chances of exploitation, see man nice to understand why).

    The second script, exploit.sh, removes the debug file, and generates a symbolic link to a specified target in its place. This also happens in a tight loop such that exploit.sh and vuln.sh when run at the same time are competing to access the debug file (or symlink).

    Your objective for this part is to gain access to the root user by exploiting the vuln_fast program to add your username to the root user's .rhosts file to allow passwordless login using the rsh command. In order to do this you will need to:
    1. Edit the exploit.sh script (using nano, or another text editor) to provide it the location of the debug file
    2. Edit the exploit.sh script to give it the payload string you want written to the target file (see Hint!).
    3. Edit the vuln.sh script to provide it the location of the debug file
    4. Edit the vuln.sh script to give it the target file for your attack (See Hint!).
    5. Run the vuln.sh script in one terminal
    6. Run the exploit.sh script in another terminal
    7. Wait about a minute, then terminate both scripts by pressing Ctrl+C in the respective terminals
    8. Check if your exploit was successful by running rsh -l root localhost whoami. If it was successful you should not be asked for a password and will receive the reply root to the whoami command. Remember, if it did not work you may have to repeat steps 5 onward due to the probabilistic nature of race conditions.

  3. 8 Marks Describe the exploitation process in detail, including commands invoked and a log of you successfully gaining root privilege on the box. Include an explanation of why the attack works (hint: this explanation should reference setuid and rhosts).

    Hint:
    The server has been configured to allow the (very insecure) rsh and rlogin commands. The rsh command allows you to run a shell command as a specified user on a remote (or local) machine. It first checks the specified user's .rhosts file for a list of hosts and users that can execute commands without a password!

    Hmmm... Sounds juicy. If only there was a way to get localhost (since you're exploiting the local machine) and your username added to the root user's .rhosts file...
    You can learn more about the location and format of this file on the Ubuntu Manuals page.